How to protect your business from first-party fraud

First-party fraud, or chargeback fraud, is an expensive cost of doing business. Merchants estimate that credit card chargebacks will cost them $100 billion in 2023—an expected outcome after the average cost of a dispute rose to $192.53 last year, up 16% from 2021. Compounding the problem is growing economic pressure and the increasing democratization of fraud; a recent Sift survey revealed an increased willingness to defraud merchants, with 16% of consumers admitting to having committed payment fraud or knowing someone who has.

These numbers illustrate the enormous burden businesses face when dealing with what’s often called “friendly fraud,” which is rarely friendly at all. Read on to explore what merchants need to know about first-party fraud, how Visa Compelling Evidence 3.0 (CE 3.0) is enabling merchants to refute fraudulent chargebacks, and what merchants can do to detect suspicious chargeback activity before it negatively impacts their bottom line.

What is the difference between first-party fraud, chargeback fraud, and friendly fraud?

Fraud comes in a variety of shapes, and the language around chargebacks and related abuse has shifted over time. At their core, chargeback fraud, dispute fraud, first-party fraud, first-party misuse, and friendly fraud all describe a situation in which an authorized cardholder makes a purchase with their credit card and later claims that the purchase was fraudulent or unauthorized. However, first-party fraud doesn’t necessarily mean chargeback fraud was committed, as it can occur through a merchant’s refund (rather than dispute) process.

It’s like a square and a rectangle. Squares are rectangles; that is, chargeback fraud is friendly fraud. But not all rectangles are squares: friendly fraud is more than just chargeback fraud. Chargebacks filed over purchases made with stolen credit cards are true, valid disputes, and that’s not chargeback fraud. Instead, that’s the chargeback process working the way it’s intended to in order to provide consumer protection. Stolen payment details are likely the result of account takeover, which is a type of payment fraud and is unrelated to any disputes of purchases made with the compromised card information.

This flavor of fraud is particularly difficult to detect because the initial transactions appear to be legitimate, and might look that way for good reason. Consumers can forget that they’ve authorized a transaction, or their payment information might be used by another member of the household without their knowledge.

Common types of first-party fraud and friendly fraud include:

  • Cyber Shoplifting—A cardholder makes a purchase, but disputes the charge on their statement by falsely claiming that they did not make the purchase.
  • Goods Lost in Transit (GLIT)—A cardholder makes a purchase, receives the goods or services, and then files a chargeback claiming that the item was not received.
  • Refund/Return Confusion—A cardholder makes a purchase, but wants to refund or return the item. A cardholder may file a chargeback because they are concerned that the refund process is taking too long or they may not understand that the refund/return process should be conducted through the merchant instead of their credit card.
  • Unrecognized Charge—A cardholder makes a purchase, but the merchant uses an unfamiliar name on their statement, or a subscription service renews and the cardholder doesn’t recognize the charge. Another source of unrecognized charges is when a family member makes a purchase (often through in-app purchases) that the cardholder doesn’t know they made.

Regardless of the specifics, merchants assume the burden of proving legitimacy whenever a cardholder files a chargeback—and will eat the cost of any dispute cases they can’t win. That’s where Visa’s recently revised Compelling Evidence policy comes in.

What is Visa Compelling Evidence 3.0?

CE 3.0 is a policy that enables merchants to more effectively prove a chargeback was fraudulent by submitting evidence to build a case for themselves. These guidelines include demonstrating a pattern of previous, non-disputed purchases by the cardholder to prove it isn’t third-party fraud (i.e., identity theft).

Specifically, merchants must provide evidence of previous legitimate transactions at least 120 days old, using the same payment method, that have not been disputed or flagged as fraudulent. These transactions must include two of the following details:

  • IP address
  • Device ID or device fingerprint
  • Shipping address
  • User account

Furthermore, at least one of those two details must be either the IP address or the device ID/fingerprint. Practically speaking, fraud prevention tools, such as Sift’s Digital Trust and Safety Platform, are the most efficient way to maintain a transaction history and obtain visibility into IP address and device IDs, while also flagging suspicious behavior patterns that could indicate abuse.
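The eligibility rule described above can be checked mechanically against a merchant's own transaction history. The following is an added example, not code from Sift or Visa: the `Txn` record layout, the field names, the value normalization, and the choice to measure the 120 days back from the disputed purchase date are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_AGE_DAYS = 120                      # threshold stated in the article
ANCHORS = ("ip_address", "device_id")   # at least one match must be one of these
FIELDS = ANCHORS + ("shipping_address", "user_account")

@dataclass
class Txn:                              # hypothetical record layout
    txn_id: str
    when: date
    card: str                           # payment-method token, never the raw card number
    ip_address: Optional[str] = None
    device_id: Optional[str] = None
    shipping_address: Optional[str] = None
    user_account: Optional[str] = None
    flagged: bool = False               # previously disputed or reported as fraud

def _norm(value):
    # Collapse whitespace and case so "DEV-9f2" and "dev-9F2" compare equal.
    s = " ".join(value.split()).casefold() if value else ""
    return s or None

def matched(disputed, prior):
    """Fields recorded on both transactions with equal normalized values."""
    return [f for f in FIELDS
            if _norm(getattr(disputed, f)) is not None
            and _norm(getattr(disputed, f)) == _norm(getattr(prior, f))]

def qualifies(disputed, prior):
    if prior.card != disputed.card or prior.flagged:
        return False
    # Assumption: age is measured back from the disputed purchase date.
    if (disputed.when - prior.when).days < MIN_AGE_DAYS:
        return False
    m = matched(disputed, prior)
    return len(m) >= 2 and any(f in ANCHORS for f in m)

def supporting_evidence(disputed, history):
    return {p.txn_id: matched(disputed, p) for p in history if qualifies(disputed, p)}

# Constructed sample data (documentation IP ranges, made-up tokens and IDs).
DISPUTED = Txn("d1", date(2023, 6, 1), "tok_A", "203.0.113.7", "dev-9F2", "1 Main St", "u42")
HISTORY = [
    Txn("t1", date(2023, 1, 10), "tok_A", "203.0.113.7", None, None, "u42"),
    Txn("t2", date(2023, 1, 5), "tok_A", "198.51.100.4", "dev-000", "1 Main St", "u42"),
    Txn("t3", date(2023, 4, 20), "tok_A", "203.0.113.7", "dev-9F2", "1 Main St", "u42"),
    Txn("t4", date(2022, 12, 1), "tok_A", None, "dev-9F2", "1 Main St", None, flagged=True),
    Txn("t5", date(2022, 11, 15), "tok_B", "203.0.113.7", "dev-9F2", "1 Main St", "u42"),
    Txn("t6", date(2022, 10, 1), "tok_A", None, "DEV-9f2", "1  main st", None),
]
```

Calling `supporting_evidence(DISPUTED, HISTORY)` keeps only `t1` and `t6`; `t2` fails because its two matches are shipping address and user account, with neither the IP address nor the device ID among them.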

How to detect chargeback fraud

It’s vital for merchants to detect chargeback fraud to avoid financial losses. Sift’s Digital Trust and Safety Platform enables organizations to leverage machine learning and signals from its global network to detect suspicious behavior, such as:

  • Patterns of abuse, such as frequent chargebacks or abnormally large purchases
  • Repeat purchases and returns of the same item
  • Multiple aliases and mailing addresses

Sift also ensures that all transactions are properly documented, so that merchants can easily provide evidence to respond to chargeback fraud (e.g., transactions that use the same payment card, are more than 120 days old, and have never been disputed or flagged as fraudulent).

A machine learning approach to fraud detection saves merchants time and money when responding to chargeback fraud, as well as detecting other fraudulent activity, such as account takeover. By taking these steps, businesses can reduce their risk of falling victim to first-party fraud and protect themselves and their customers from financial losses.


*** This is a Security Bloggers Network syndicated blog from Sift Blog authored by Sift Trust and Safety Team.