The online fraud handbook


The online fraud handbook

Online fraud comes in a wide variety of forms, one more mischievous and costly than the other. As a business leader operating in the online space, you need to be aware of what dangers are out there and how to protect yourself against them.

Consumers are increasingly making digital payments. The ease and convenience of online business also brings with it an increasing risk of fraud. To make the experience of online shopping more convenient, customers are willing to share (and store) more sensitive data on the websites and apps they interact with. This very pursuit of convenience also makes customers vulnerable to attacks and increases the consequences of a hack. 

In this handbook, we’re focusing on the types of online fraud that pose the greatest danger to merchants in the online space.

Shortcut menu | Click to navigate:

What is online fraud?

Online fraud is a form of Card Not Present (CNP) fraud. As the name implies, this is fraud that occurs without the card being physically present. Usually, the fraudulent activity takes place over the internet or over the phone. 

Globally, online fraud is on the rise. A report by TransUnion found that suspected online fraud attempts rose by 16.5% year-on-year between Q2 2020 and Q2 2021. The largest increases were identified in the gaming, travel, leisure and gambling industries. 

Fraud is a complex phenomenon, and the fraudster modus operandi will vary wildly at any given time. While it is true that at some point, a fraudulent payment transaction takes place, there are usually many unfortunate events that precede the illicit moving of funds. These events are meticulously orchestrated by fraudsters who seemingly have all the time and patience in the world. 

How fraudsters go to work

Online fraud often follows a pattern that centres on theft and impersonation. There’s the initial theft of data, followed by the misuse of the data, as fraudsters impersonate a customer or a business (or even create a synthetic identity based on real data) as a means to steal data or money. In the end, the fraudster gets richer, and the consumer is left holding the bag.

Fraudsters generally get their hands on the credit card data either through phishing attacks, successful hacks of a merchant’s database, or in some cases, dishonest employees at credit card companies. They are also able to piece together a customer’s financial information by combining multiple bits of user data from various sources, such as data breaches at popular websites and apps.

Common types of online fraud

For e-commerce merchants, telecommunication companies and financial institutions, the major types of fraud to watch out for are identity theft, friendly fraud, clean fraud, triangulation fraud, affiliate fraud and SIM Swap fraud.


False credentials

A fraudster uses fabricated credentials to access your product or service. Without proper KYC, customer scoring or other checks in place, it is hard to trace or verify this person. 

Identity theft

A fraudster uses someone else’s personal and financial information to take out a loan or apply for a credit card with the intention of spending as much as possible before the fraud is detected.  

ATO (account takeover)

This is when fraudsters use someone’s existing log-in credentials (username/password) to purchase goods, rent services, or get access to accounts to gain more information on the customer, or change these credentials in any way. 

Friendly fraud (chargebacks)

A user makes a purchase but then demands a refund by rejecting the payment. This can be for any host of reasons, both legitimate and illegitimate. The user may claim that the product was never delivered, or that it arrived damaged, and therefore request the funds be returned. Because a chargeback isn’t always with fraudulent intent, this type of fraud is often referred to as ‘friendly fraud’. Chargebacks are very costly, not just because of the missed revenue of the sale, but also due to penalties, the loss of goods, fees and the time spent on processing the ‘error’. 

Clean fraud (stolen payment details)

A fraudster makes a purchase, with stolen – though unreported – credit card details. Since banks aren’t yet aware that the credit card in question has been compromised, the payment is allowed without any red flags being raised. By the time the card has been blacklisted, the fraudster, has already had ample time and opportunity to completely max out the credit card. 

Triangulation fraud

The fraudster first gains access to user’s credit card details. This is usually either through phishing or by gaining access to their account on a shopping platform where payment details have previously been stored for ease of use (one-click payment etc). 

Next, the fraudster offers a highly sought after product on an online marketplace for a price that is too good to be true. For example, the latest high-end smartphone. The product listing, however, is fake. After an unsuspecting customer buys the product, the fraudster uses the previously stolen payment details to purchase the real product and send it to the address of the buyer. Sounds complicated, doesn’t it? This is actually how fraudsters cover their tracks. By sending the product to the buyer, it may seem like a legitimate transaction on the marketplace. 

However, the defrauded user, whose credit card was used, may at some point notice the suspicious transaction and demand a chargeback from the credit card company. When this happens, an investigation is started by the parties involved, and the one who gets the blame is often the unsuspecting buyer. The buyer, if unable to prove otherwise, is blacklisted. The ecommerce retailer who shipped the product to the buyer suffers a chargeback and loses the item for good. The fraudster walks off into the sunset with the money paid by the buyer.

SIM Swap fraud

An up and coming trend with the potential to cause hundreds of millions in damages, wreck livelihoods and irreversibly tarnish brand reputations is SIM Swap fraud. Though on the rise, this is a type of fraud that customers simply do not see coming. 

SIM Swap fraudsters follow the typical fraudster play book: data theft followed by successful impersonation, and consequently the reaping of financial gain at the expense of innocent customers. However, they do so in a more sophisticated and patient manner. 

In order to commit SIM Swap fraud, fraudsters needs to gain access to a person’s SIM card. This is done by convincing the telco to pass the number on to a new SIM that they control. Once the telco activates the compromised SIM card, all SMS verifications that are sent as part of two-factor authentication are now sent to the fraudster’s device. 

This means they can log into a person’s banking environment and plunder all the funds. All the while, the consumer might not realize what is going on. For many users, a drop in cellphone connectivity, though highly inconvenient, might be seen as a temporary issue. They may choose to wait for a while and see if the error resolves itself, or perhaps restart their device a couple of times. Even if they wanted to call their telco, many may not have access to a second phone with which to place a call. By the time the user contacts the telco to ask what’s wrong, the fraudster has already cleaned house and made off with the money. 

How to protect your customers and your business

Online fraud has been around since the dawn of the internet and will persist until its end. In other words, fraud isn’t going anywhere. In fact, the more we move our lives online, the more fraud risks there are. 

Businesses must remain vigilant and do all they can to lower the risk of fraud. It’s not just a matter of preventing theft, it’s also critical to preserve their brand reputation. It takes years, maybe even decades, to build a solid reputation, but it only takes one bad incident to tear it all down. 

With its Fraud API and related services, Mi-Pay is able to protect businesses and their customers from most types of online fraud, including payment fraud and SIM swap fraud. Mi-Pay’s Fraud API ensures you’re not vulnerable to costly chargebacks that may occur as a result of fraudulent transactions. 

Contact Mi-Pay today

As a business leader, it is important to find a scalable solution that grows with your business and adapts to any new threats as they arise. It is also important to see if the fraud protection platforms are willing to put their money where their mouths are, to put it bluntly. For example. Mi-Pay offers a 100% guarantee on chargebacks. 

Online fraud is a complex topic. If you’re looking to mitigate fraud risks for your business and protect your revenues, it definitely helps to discuss the challenges with an expert. 

At Mi-Pay, we don’t just offer solutions, we also offer advice. As Revenue Ambassador at Mi-Pay, Patrick de Winter is always standing by to listen and understand your business needs. Feel free to get in touch with Patrick anytime.