The growth in internet trading also increases the potential growth of online credit card fraud. The Australian Institute of Criminology (AIC) recently conducted a survey looking into Online Credit Card Fraud Against Small Business. Here’s what they found…
In their survey, the AIC conducted telephone interviews with 1,078 businesses across Australia, randomly selected from a variety of business types. Overall, 32% of online retailers experienced at least one incident of online credit card fraud, with many victims experiencing more than one incident. The survey found that there are considerable gaps in knowledge about who bears the costs of online credit card fraud and that knowledge of business liability increases with experience of victimisation.
Online trading is one of the fastest growing retail sectors in the world. Overall, 39% of retailers said it was very likely that they would begin online trading in the next two years, with a further 38% saying it was somewhat likely they would begin online trading. This shows that online trading in Australia is here to stay and is growing at an incredible rate. However, with the increased benefits of online trading also comes the risk of e-crime.
E-Crime and Small Business
Online fraudsters can obtain goods or services illegally in a number of ways including:
- using a fake identity to apply for a credit card and make purchases
- using a stolen identity to apply for a credit card and make purchases
- using a counterfeit or stolen credit card to purchase goods
- ordering goods using a credit card and then falsely claiming they never received the goods in order to claim a refund or replacement goods, or
- claiming they did not place the order.
The AIC survey found that the rate of online fraud varied depending on the type of business targeted. Online transactions are particularly susceptible to online fraud, as you never actually see the customer or the credit card. You are therefore at a disadvantage when it comes to identifying whether the card is legitimate, stolen or fake, or whether the customer may be using a stolen identity. Information transmitted over the internet can be intercepted at any point. E-security technology reduces the risk that personal information will be taken.
You can take practical steps to prevent e-crime occurring by:
- Secure your business computer or network. Install password authentication software to protect sensitive business information and update the password regularly. The best password is a combination of letters, numbers and symbols.
- Install anti-virus software and update it regularly. Viruses can allow an online fraudster to gain access to information files or can send sensitive information to other email addresses.
- Install a firewall and encryption software that converts transaction information into unreadable code. This is important if you have a high speed internet connection that is connected 24 hours a day.
- Be vigilant about how, where and to whom, business and customer information is passed and how documents containing business information are disposed of.
- Set minimum identification requirements for credit card orders received over the internet. Ask for the customer’s name, credit card number and expiry date, credit card security number, street address, phone number, fax number and email address.
- Screen orders coming in over the internet to ensure that they are legitimate.
- Ensure that you authorise transactions with your financial institution. This is commonly done either over the phone or online.
- Maintain a list or database of lost or stolen credit cards and fraudulent orders.
- Allow only trusted staff members to have access to computer files containing customer information. They should be trained in the methods of preventing e-crime. When staff leave your business, make sure passwords protecting customer information are changed.
- Be wary of unsolicited emails and delete them without opening any attached files.
- Wipe the hard drive before you dispose of your computer.
Manual screening measures are the actions that you and your staff take to confirm that orders submitted over the internet are legitimate. The screening may confirm that the customer is indeed the cardholder (by checking details such as addresses) or ensure that particular card numbers which are considered fraudulent are not used repeatedly against your business (by keeping records and rejecting suspicious orders).
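One way to turn the minimum identification requirements and the list of lost, stolen or fraudulent cards into an automatic pre-screen that decides which orders need a manual check. This is an added example, not code from the AIC or the original article; the field names, the fingerprint key, the checksum step, the list of known good customers and the sample orders are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumption: key kept outside the order database, so lists hold keyed
# fingerprints of card numbers rather than the numbers themselves.
FINGERPRINT_KEY = b"constructed-example-key"
# Minimum identification fields (fax is left optional here, an assumption).
REQUIRED_FIELDS = ("name", "card_number", "expiry", "security_number",
                   "street_address", "phone", "email")

def card_fingerprint(card_number):
    digits = "".join(ch for ch in card_number if ch.isdigit())
    return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()

def luhn_ok(card_number):
    """Checksum test that catches mistyped or made-up card numbers."""
    digits = [int(ch) for ch in card_number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) >= 12 and total % 10 == 0

def screen_order(order, bad_cards, good_customers):
    """Return (decision, reasons); decision is accept, review or reject."""
    card = str(order.get("card_number", ""))
    if card and card_fingerprint(card) in bad_cards:
        return "reject", ["card is on the lost/stolen/fraud list"]
    reasons = []
    missing = [f for f in REQUIRED_FIELDS if not str(order.get(f, "")).strip()]
    if missing:
        reasons.append("ask for missing details: " + ", ".join(missing))
    if card and not luhn_ok(card):
        reasons.append("card number fails checksum")
    if str(order.get("email", "")).strip().lower() not in good_customers:
        reasons.append("new customer: phone or email to confirm the order")
    return ("review" if reasons else "accept"), reasons

# Constructed sample data: well-known test card numbers, invented customers.
BAD_CARDS = {card_fingerprint("5555 5555 5555 4444")}
GOOD_CUSTOMERS = {"pat@example.com"}
BASE = {"name": "Pat Lee", "card_number": "4111 1111 1111 1111",
        "expiry": "12/2030", "security_number": "123", "phone": "0200000000",
        "street_address": "1 Example St", "email": "pat@example.com"}
ORDERS = [BASE,
          {**BASE, "email": "new@example.com", "card_number": "5555 5555 5555 4444"},
          {**BASE, "email": "new@example.com", "phone": ""}]
if __name__ == "__main__":
    print([screen_order(o, BAD_CARDS, GOOD_CUSTOMERS)[0] for o in ORDERS])
```

Orders marked "review" go to a staff member for the manual checks; the security number is only checked for presence and should not be kept with the order record.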
Common Manual Screening Practices
- Phone or email the customer to confirm the order. This increases the likelihood of determining that the person whose credit card number was used is the person who placed the order.
- Ask for the credit card security number. This ensures that the customer holds the card when the order is made.
- Check the address provided against the name of the cardholder by checking in the local phone directory or on the White Pages website.
- Maintain a database of good customers who have previously ordered from you with no trouble.
- Maintain a database of bad customers who have defrauded you in the past.
- Ask for more identification details if you suspect that the order may be fraudulent.
- You can always reject an order if it has one or more factors that lead you to suspect that it is fraudulent.
Who Pays For Online Fraud?
When an individual’s credit card is used without their knowledge or consent, financial institutions generally do not hold the cardholder liable for any losses. However, when a retailer does not see the customer’s credit card or signature and does not swipe the card through an EFTPOS terminal, as in internet trading, financial institutions are unwilling to accept the heightened risks associated with online trading. This means that you, the retailer, will usually bear the costs of online credit card fraud. This can include:
- the chargeback (the amount your financial institution takes back to cover the cost of the fraudulent purchase)
- the chargeback fee
- any shipping or delivery costs.
The AIC survey found that many retailers did not know that they were likely to be held liable for the costs of online fraud.
Many small businesses rely heavily on computers to conduct transactions, record information and communicate. This reliance on computers brings potential risks in terms of maintaining proper records in the event of legal action. Should you be a victim of e-crime, your computer records will need to be in the correct format to be used as evidence. Computer systems need to be programmed to store records properly and should have the capacity to produce the records when required. You will probably need to seek specialist legal and computing advice. If you are a victim of e-crime, always check with the police before further handling any potential evidence, including on either your personal computer or business IT system.
For more information visit www.ncp.gov.au or the Australian Institute of Criminology at www.aic.gov.au