What Is Payment Fraud?

Attackers are continuously coming up with new and creative ways to steal sensitive business information, assets, goods, and payment data.

Users, business owners, IT organizations, and security specialists are struggling to keep up. More than ever, it is important to be aware of internet fraud, how it works, and which types of online fraud exist.

This article defines internet fraud and explains critical online fraud types that organizations and individuals should be aware of, including some practical prevention practices.

Payment fraud is the criminal act of illegally obtaining sensitive business, financial, or PI (personally identifiable) information for monetary or personal gain. The fraudster’s goal is to break into other people’s online accounts and use someone else’s payment or personal information to blackmail account owners or make illegal purchases without the account owner’s knowledge.

Online fraud has a devastating effect on revenue and reputation, so every business needs to take all necessary precautions to protect customer information.

Payment Fraud Types

To fight payment fraud, businesses must first get familiar with the most common online payment fraud types.

1. Account Takeover

Account takeover fraud (ATO) happens when a fraudster gains access to a legitimate user’s account, using it to gather personal and payment data, alter account information, or make non-authorized payments.

An account takeover is considered identity theft if the fraudster opens new accounts, gets bank loans, or requests credit cards.

It is difficult to detect ATO because fraudsters do not perform any out-of-the-ordinary activities that would alert the victims. Customers typically notice their account has been taken over once they can’t access it anymore or they spot suspicious charges on their merchant statements.

2. Advanced Account Takeover

In an advanced account takeover, the fraudster steals the user’s account credentials to pay for goods and services and sells this account data to third parties. 

Moreover, Experian predicts that cybercriminals will apply stolen information from one breach to control other accounts owned by the victim (credential stuffing). They will also use fraudulent information to automatically open accounts (script creation). To deter this activity, merchants need to implement first-rate password policy practices.

New fraud types emerge all the time as fraudsters try to think of new ways to trick unsuspecting online shoppers. To stay up to date, check out our article on Ecommerce Fraud Trends to Beware of in 2021.

3. Identity Theft

Identity theft is when fraudsters steal customers’ personal information and use it to initiate other types of fraud. For instance, the fraudster may take another person’s identity, open a fake company, and use it to conduct other illegal activities, like money laundering.

Identity theft does not refer only to payment data but also includes stealing email addresses and accounts, IP addresses, and users’ devices. More and more people use mobile payment and shopping apps with stored credit card and identity data. When fraudsters gain access to such a personal device, they make purchases pretending to be the owner in question.

Note: Synthetic identity theft is the act of creating synthetic, fictitious identities from personal information that has been stolen from one or more individuals, and sometimes slightly altered.

4. Synthetic Identity Fraud

Cybercriminals commit synthetic identity fraud by combining real and fake information to generate new virtual identities. This fraud type utilizes AI tools to make new personas from several people’s facial elements.

For instance, merchants relying on facial recognition for identity verification can expect substantial damage if they become victims of such fraud. The good news is that cutting-edge identification software recognizes synthetic identities.

Note: Learn more about Virtual Account Numbers, one of the tools shoppers can use to prevent fraud.

5. Voice Deepfakes

With voice commerce set to surpass $80 billion in 2023, digital criminals are embracing deepfake audio fraud to imitate buyers’ voices. By acting as someone else, they can bypass identity verification procedures and tools to buy goods online.

Merchants need to keep adding voice shopping to the omnichannel customer experience while applying fraud prevention systems that detect voice deepfakes.

Note: Learn more about Voice Commerce.

6. Card Testing Fraud

Credit card testing, or card cracking, happens when a fraudster steals or purchases several credit card numbers. They visit an e-store to carry out low-value test purchases, using bots or scripts to swiftly test several credit card numbers. At this stage, fraudsters check whether they can use any of the obtained credit cards.

Once (and if) they come across a credit card number that works, they start buying more expensive items or services. However, even though they know which credit card number works, they still can’t detect the limit on the credit card in question. Hence, limiting daily expenditure on a single credit card is a good idea, preventing substantial losses if a cardholder becomes a victim of this type of online fraud.
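The pattern described above (one source, many cards, low amounts, mostly declined) can be caught with a sliding-window check, and the daily limit can be enforced per card. The following is an added example, not code from the original article; the thresholds, field layout, and card tokens are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source (assumed value)
LOW_VALUE = 5.00                 # ceiling for a "test purchase" (assumed value)
MAX_CARDS = 3                    # distinct cards tolerated per source in WINDOW
DAILY_CAP = 500.00               # per-card daily spend limit (assumed value)

def detect_card_testing(attempts):
    """Return the sources (IP or device ID) that tried many distinct cards
    with low amounts, mostly declined, inside one window."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, source, card, amount, approved in sorted(attempts):
        if amount > LOW_VALUE:
            continue
        q = recent[source]
        q.append((ts, card, approved))
        while ts - q[0][0] > WINDOW:      # drop attempts older than the window
            q.popleft()
        cards = {c for _, c, _ in q}
        declined = sum(1 for _, _, ok in q if not ok)
        if len(cards) > MAX_CARDS and declined * 2 >= len(q):
            flagged.add(source)
    return flagged

def exceeds_daily_cap(attempts, card, ts, amount):
    """True if approving `amount` would push the card past DAILY_CAP that day."""
    spent = sum(a for t, _, c, a, ok in attempts
                if c == card and ok and t.date() == ts.date() and t <= ts)
    return spent + amount > DAILY_CAP

# Constructed sample data: (timestamp, source, card token, amount, approved)
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE = (
    [(T0 + timedelta(seconds=20 * i), "203.0.113.7", f"tok_{i:02d}", 1.00, i == 4)
     for i in range(6)]                   # scripted run: 6 cards in under 2 minutes
    + [(T0 + timedelta(minutes=5), "198.51.100.9", "tok_shopper", 3.50, True),
       (T0 + timedelta(hours=1), "198.51.100.9", "tok_shopper", 42.00, True),
       (T0 + timedelta(minutes=4), "203.0.113.7", "tok_04", 450.00, True)]
)

if __name__ == "__main__":
    print("flagged sources:", detect_card_testing(SAMPLE))
    print("cap exceeded:",
          exceeds_daily_cap(SAMPLE, "tok_04", T0 + timedelta(minutes=6), 120.00))
```

The ordinary shopper's single low-value order is not flagged, while the card that passed the test run is stopped by the daily cap on its second large purchase.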

7. Triangulation Fraud

Triangulation fraud includes three participants: a buyer, the fraudster, and an online store. The fraudster opens a storefront on an ecommerce platform offering discounted popular items.

The buyer looking for a bargain comes to the storefront, eager to purchase the items at a discount. When the buyer purchases on the fraudster’s website, the credit card data is used to buy the same items on the merchant’s website and ship them to the buyer.

Even though the buyer obtains actual items at too-good-to-be-true prices, their credit card number has been stolen, and the website has been scammed. Now that the perpetrator has the stolen credit card data, they can change the account information and order goods to be shipped to their address.

Note: Learn about other types of fraud, such as APP fraud, address fraud, and return fraud.

8. Interception Fraud

In interception fraud, the fraudster orders goods from an ecommerce website using a stolen credit card and intercepts the package.

Often the fraudster contacts a sales representative at the merchant’s company to change the address on the package before shipping. In this case, the fraudster receives the ordered products, and the cardholder (the victim) makes the payment.

Some fraudsters may call the shipping company to deliver the package to another address, while others physically intercept it upon delivery.

9. Pharming Fraud

Pharming happens when hackers develop fake copies of websites and redirect users to them. Users usually do not realize they are providing personal or payment information on a fake website.

Website owners need to work with developers to improve antimalware protection on their websites and protect their landing pages from such harmful activity.

10. Unauthorized Use of Inactive Accounts

Some merchants launch promotional campaigns and discounts for repeat customers, recurring customers, and one-time buyers. The latter groups often include shoppers with inactive accounts on ecommerce websites.

Inactive customer accounts are perfect targets for fraudsters planning to take over users’ accounts and steal personal data or assets. Website owners need to apply additional tracking of inactive accounts to curb suspicious activity from otherwise passive customers. To deter potential scammers, merchants must require that returning customers update their personal data and use two-factor authentication.

11. Chargeback Fraud (Friendly Fraud)

Chargeback fraud, also known as friendly fraud, happens when legitimate shoppers buy a product with their credit and debit cards, only to dispute the transaction and request a chargeback from their card issuer.

It is called friendly fraud because the cardholder intentionally uses their verified credit card data to trick the merchant. Friendly fraud and actual fraud differ in that with the former, the cardholder’s identity is legitimate, while with the latter, the cardholder’s identity is stolen.

Learn more about chargebacks and refunds from our article Chargeback vs. Refund: Differences and How to Handle Them.

12. Refund Fraud

Refund fraud happens when the fraudster uses a stolen credit card to buy something on a website but then asks for a refund, claiming accidental overpayment. They request that the excess amount be refunded, but with a little twist: the fraudster claims that the credit card has been blocked and the money should be returned via an alternative payment method.

In this case, the fraudster seems to be making a legitimate purchase and refund request, but in reality, they are trying to trick the merchant.

Note: Learn also about BIN attacks, a common payment fraud type.

How to Prevent Payment Fraud?

Businesses selling services and products online reduce and prevent fraud by applying the following practices:

  • Apply address verification service (AVS). Implement the Address Verification Service (AVS) to detect potentially risky card transactions. The AVS system automatically compares the cardholder’s billing address provided at the issuing bank with the billing address added by the payer. The system blocks the transaction or requests additional data/actions when the addresses differ.
  • Insist on CVV. Every credit and debit card issued by Mastercard, Visa, American Express, and Discover comes with a three-digit (four-digit for AmEx cards) card verification value (CVV) on the back of the card. Require that all buyers enter this code for every card-not-present transaction. It prevents payment fraud by ensuring that all payers physically possess the card they are paying with, which is not the case when fraudsters have only credit card data but not the card itself. 
  • Find a reliable payment processor. Working with a dedicated and experienced payment processor ensures high protection against fraud. When shopping around for the perfect processor, ask about their protection measures, such as PCI compliance and PSD2. Also, inquire about their fraud-prevention tools and fraud detection systems. Payment processors must provide top-notch tools and strictly follow current regulations to provide round-the-clock protection.

CCBill offers Smart Checkout, an effective anti-fraud system that thoroughly scans every transaction before the payment data is sent to credit card associations and banks. It reduces fraud risk and lowers the chargeback rate.

  • Use an SSL certificate. Hypertext Transfer Protocol Secure (HTTPS) encrypts all personal data, meaning that sensitive information, such as customer names and addresses, as well as credit card numbers, is protected in transit. Even if hackers intercept the data protected and encrypted by HTTPS, they will not be able to decipher it.

Learn more details about HTTP and HTTPS from our article HTTP vs. HTTPS: What Are the Differences.

  • Rely on AI. Artificial intelligence will be more prominent in internet fraud detection and prevention. AI assists in predicting and identifying fraudulent activities in real-time by collecting information and interpreting data from previous cases. These solutions are now widely used to accept and monitor orders, saving time and improving overall business efficiency.
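The AVS and CVV items in the list above can be combined into one checkout decision. The following is an added example, not code from the original article or from any payment processor: it is a simplified model of an AVS-style comparison (street number plus US-style ZIP), and the result labels, policy, and records are assumptions.

```python
import re

def street_number(street):
    """First numeric part of a street line ('742 Evergreen Ter.' -> '742')."""
    m = re.search(r"\d+", street or "")
    return m.group() if m else ""

def zip5(postal):
    """First five digits of a US-style ZIP, so ZIP+4 and spacing do not matter."""
    return re.sub(r"\D", "", postal or "")[:5]

def avs_result(on_file, submitted):
    """Label how the payer's billing address matches the issuer's record.
    Labels are constructed for this example, not real network response codes."""
    num_a, num_b = street_number(on_file["street"]), street_number(submitted["street"])
    zip_a, zip_b = zip5(on_file["zip"]), zip5(submitted["zip"])
    street_ok = bool(num_a) and num_a == num_b
    zip_ok = len(zip_a) == 5 and zip_a == zip_b
    if street_ok and zip_ok:
        return "FULL"
    if zip_ok:
        return "ZIP_ONLY"
    if street_ok:
        return "STREET_ONLY"
    return "NONE"

def checkout_decision(avs, cvv_match):
    """Assumed merchant policy: CVV is mandatory, a full address mismatch
    blocks the order, and a partial match asks the payer for more data."""
    if cvv_match is not True:        # missing or wrong CVV on a card-not-present order
        return "decline"
    if avs == "NONE":
        return "decline"
    if avs in ("ZIP_ONLY", "STREET_ONLY"):
        return "step_up"
    return "approve"

# Constructed records. cvv_match stands for the issuer's answer;
# the merchant does not store the CVV itself.
ON_FILE = {"street": "742 Evergreen Terrace", "zip": "97403"}
ORDERS = [
    ({"street": "742 evergreen ter, apt 2", "zip": "97403-1120"}, True),
    ({"street": "PO Box 19", "zip": "97403"}, True),
    ({"street": "1 Harbor Rd", "zip": "10001"}, True),
    ({"street": "742 Evergreen Terrace", "zip": "97403"}, None),
]

def run_samples():
    return [checkout_decision(avs_result(ON_FILE, addr), cvv) for addr, cvv in ORDERS]

if __name__ == "__main__":
    print(run_samples())
```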

For more information on ecommerce fraud prevention, read our article Ecommerce Fraud Prevention: Best Practices.


As online commerce keeps growing, fraudsters will develop innovative methods for stealing payment information, customers’ data, and tangible goods. Organizations must take all possible measures to protect their business assets and customer information from internet fraud.

This guide helps businesses and customers identify the most significant threats and act on time to build a secure online environment.