Merchant and credit card fraud

Fraud Prevention Tips

The pandemic has caused many challenges and concerns for business owners, including a dramatic rise in credit card fraud. It's more important than ever to know what to watch for and how you can prevent it.

Recent Fraud Examples

Fraud can happen to any type of business, online or in person. Here are just a few examples that we’ve recently seen and heard about. They may not all apply to chiropractic practices, but it’s good to be aware of all potential threats.

Attacks on Sites Without CAPTCHA

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. You’ve probably taken one before completing a transaction. You may have been asked to key specific curved letters or identify items in a photo, such as a bus.

Fraudsters find sites without the protection of CAPTCHA and try to run multiple transactions to see which stolen credit card numbers go through. It’s always a good idea to have CAPTCHA activated on your site.


A credit card skimmer is a device that criminals attach to a card reader at ATMs, fuel pumps or other unmanned terminals. Undetected by customers, it reads the stripe on the card and captures the information. (One reason gas pumps are a common target is that many still do not require an EMV chip card.)

Charities and Foundations

Fraudsters often target charities and foundations because nothing has to be purchased on those sites; a fraudster can donate only $1 with each stolen card to test whether it is valid.

These attacks are getting very advanced. In one instance, the fraudster was completing CAPTCHA manually. An automated system would load the credit card number and amount. They had the CVV2 (or card security code) as well as the cardholder’s address verification, and were changing the IP address for every transaction. Luckily, more advanced fraud filters were in place to identify stolen credit card numbers and decline them.

Social Engineering

Fraud becomes even more personal when criminals use social engineering to manipulate people into providing personal and financial information. We’ve all heard of phone scams where people are convinced to give up their bank account information to supposedly help a relative in trouble or to avoid a lawsuit. These criminals prey on people’s emotions to get the information they want.

Sometimes, they will work for weeks to gain a victim’s trust. As it becomes harder for fraudsters to get quick, easy money, they are willing to put in more time to make it pay off. They may become your friend on social media, win you over and then commit fraud against you a month later.

We recently talked with one doctor who was scammed by someone after several weeks of communicating. This criminal claimed to have been referred to the doctor by someone, and said he would visit the doctor for treatment. Over time, the two talked about his health condition and even became friends on social media. The doctor felt that he really knew this future patient.

Unfortunately, it was all a ruse. The doctor eventually agreed to run a credit card sale for the fraudster and was scammed out of hundreds of dollars.

Don’t underestimate the lengths these criminals will go to in order to earn your trust. You may think you know someone, but at the end of the day, if they are asking you to complete a financial transaction or divulge personal information, that should be a red flag.

Steps You Can Take

As fraud methods become more sophisticated, it’s imperative to monitor activity in your merchant account. You can’t rely solely on technology. These are the financials for your business. Like your personal bank account, you need to be on top of it. There are several things you can watch for or do to decrease the chances of fraud in your practice.

1. Use Your Fraud Modules

Payment gateways have fraud modules, which are tools to help prevent someone from hacking into your site. These tools can be effective, but only if they are turned on.

Which tools should you activate and why? Review our recommendations to learn about effective tools, how to identify fraud and when you should check your fraud modules.

Additional Reminders:

  • Watch for Email Notifications — We can’t stress the importance of email notifications enough. Make sure you have these turned on. Some doctors set up a subfolder for these to go to, which is fine, but make sure you monitor the folder. The emails can be an easy way to spot fraud attempts.
  • Check Your Velocity Filter — The article linked above also explains velocity filters, and that you can set the following limits to deter fraud:
    • Time period in which a certain number of cards can be processed
    • Number of cards processed during that timeframe
    • Number of declined transactions allowed for a certain card during that time period
    • Blocking options for certain IPs, order numbers and more

If any of these limits are reached, don’t ignore it. Fraud is the likely culprit.
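
The velocity limits listed above, and how the card-count limit still catches the card-testing runs described earlier when the IP address changes on every transaction, shown as an added Python example. It is not NCMIC's or any gateway's code; the class, field names, thresholds and sample transactions are all constructed for illustration.

```python
from collections import defaultdict, deque

class VelocityFilter:
    """Sliding-window limits modelled on the settings listed above (hypothetical names)."""
    def __init__(self, window_s=300, max_cards=5, max_declines_per_card=2, blocked_ips=()):
        self.window_s = window_s                      # time period the limits apply to
        self.max_cards = max_cards                    # distinct cards allowed in that period
        self.max_declines_per_card = max_declines_per_card
        self.blocked_ips = set(blocked_ips)
        self.recent = deque()                         # (timestamp, card_token) accepted in window
        self.declines = defaultdict(deque)            # card_token -> decline timestamps

    def check(self, ts, card, ip):
        """Decide before authorization; returns (allowed, reason)."""
        if ip in self.blocked_ips:
            return False, "blocked_ip"
        cutoff = ts - self.window_s
        while self.recent and self.recent[0][0] <= cutoff:   # expire old activity
            self.recent.popleft()
        card_declines = self.declines[card]
        while card_declines and card_declines[0] <= cutoff:
            card_declines.popleft()
        if len(card_declines) >= self.max_declines_per_card:
            return False, "card_decline_limit"
        # Counted across the whole account, not per IP, so rotating IPs does not reset it.
        if len({c for _, c in self.recent} | {card}) > self.max_cards:
            return False, "card_count_limit"
        self.recent.append((ts, card))
        return True, "ok"

    def record_decline(self, ts, card):
        self.declines[card].append(ts)

def run(transactions, vf):
    """Replay (ts, card_token, ip, issuer_approved) rows; return the filter's reason per row."""
    reasons = []
    for ts, card, ip, approved in transactions:
        allowed, reason = vf.check(ts, card, ip)
        if allowed and not approved:
            vf.record_decline(ts, card)
        reasons.append(reason)
    return reasons

# Constructed sample: card testing with a new card token and a new IP every 10 seconds.
CARD_TESTING = [(i * 10, f"tok_{i}", f"198.51.100.{i}", False) for i in range(8)]
# Constructed sample: one customer whose card is declined repeatedly, then retried later.
RETRY = [(0, "tok_a", "203.0.113.7", False), (20, "tok_a", "203.0.113.7", False),
         (40, "tok_a", "203.0.113.7", False), (400, "tok_a", "203.0.113.7", True)]
```

Calling run(CARD_TESTING, VelocityFilter()) accepts the first five cards and refuses the rest with card_count_limit even though no IP address repeats; run(RETRY, VelocityFilter()) refuses the third attempt on the same card and allows it again once the window has passed.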

2. Avoid Fallback Transactions

You’ve probably had instances when a patient’s chip card cannot be read. In that case, you may offer to run the card’s magnetic stripe. Just because you can run it as a fallback transaction doesn’t mean you should. There are a couple of reasons for this.

  1. This is a common ploy for fraudsters. The fraudster may claim the card’s chip is broken and even have a story (maybe it went through the washing machine). At NCMIC, we’ve actually seen stolen credit cards with random chips glued on or glued over the original chip. When the chip cannot be read, they ask for the card to be run with the stripe, which was their intent all along.
  2. You are 100% liable for any fraud that occurs through a non-EMV (chip) transaction. An example of this is at a grocery store. People will buy steak, lobster, wine and other expensive items with a stolen credit card. They have the cashier run it with the stripe, citing chip problems. The merchant is out of luck because if there’s a chargeback, they are liable.

You may feel awkward asking for a different card. Don’t. You’re just trying to protect your practice from fraud. Ask for a different card. You could blame your “finicky” card terminal if you need an excuse.

3. Hire a Local Web Developer

Internal fraud happens too often. It can be a staff member, or someone you’ve hired temporarily like a web developer. If you need a web developer to create or update your website, try to find a local one. You can find one far away who is willing to do the work for much less, but it’s not worth it. They can easily create access to your site that allows them to skim credit cards without your knowledge.

Choose someone you can meet with face to face. The chances of fraud are lower, but if they do try to scam you, you can get local law enforcement involved.

4. Set Up a Customer Database

Many practices create a customer database so customers have to log in to purchase something from their site. It may cost a little more to set up, but it’s worth it to protect your practice. Plus, you can track purchases and see when customers log in. Overall, it’s a better customer experience as well.

Call NCMIC for Help

We want to help you and your practice thrive. Part of that is helping you prevent credit card fraud. As you know, it’s not something you can check off a to-do list; it’s an ongoing process. This article included just a few fraud examples and tips. We’ll continue to update you on the latest trends and ways to reduce your risk.

As always, if you have any questions or suspect credit card fraud, call us immediately at 800-437-0712.

Credit card processing is offered by NCMIC Finance Corporation.
