Now more than ever, protecting your customer from payment fraud is crucial for maintaining trust and safeguarding your brand. As merchants, it's vital to take seriously—not just to comply with regulations, but to prevent financial losses and protect your reputation. With increasing cyber threats, robust security measures and proactive fraud detection are essential for securing your customers' financial information.
Investing in strong security practices and educating both your team and customers can help mitigate fraud risks and enhance customer trust. In this article we explore some of the more basic and simple ways you can help your customers avoid risk when paying you.
Download this article as a PDF for sharing and later review
Use Secure Payment Gateways
By using a secure online payment gateway that is PCI DSS compliant, you offload a great deal of concern immediately.
By doing your research and selecting a payment processing company that has a good reputation you can be sure that you are putting you and your customers online payment experience in safe hands.
When deciding which company to use it is important to consider not just their overall reputation but their reputation when dealing with businesses like yours. The payment experience and associated risks can differ greatly from one business to another and some payment companies are better suited to handling your business than others will be.
Enable Multi-Factor Authentication On Everything
If you ever watched Mr. Robot you would have learned that most “hacking” is done using social engineering. Passwords can be uncovered easily from even the most savvy people, and the larger your organisation the more points of risk you have. Multi-factor authentication adds an extra layer of security to your systems beyond a simple password.
MFA (aka 2FA) might make your daily BAU slightly more frustrating, but it is worth it. In fact research shows that it can prevent up to 80% of all data breaches.
One of the most common forms of online payment fraud is EFT fraud. All a fraudster needs to be able to do to achieve this is to email someone with a false BSB and account number at the right time, and ask for them to make the right payment.
Really all they need is access to your emails and away they can go.
Use MFA, it is 2024.
Educate Your Staff
It is not your systems that are your biggest risk, it is your people. By ensuring that you have educated your team members about risks surrounding payments, and the benefits of taking the time to use proper password vaults and MFA you can go a long way to avoiding negative outcomes.
All it takes for you to vulnerable is one staff member being lax with their own password protection. Consider what might happen to your customers if one of your field technicians loses their phone and it ends up in the wrong hands?
If you do not take the time to let your team members know that combatting payment fraudsters is a team game, you can hardly blame them when they make an error that is well outside their school of knowledge.
Minimise the Ways You Accept Payments
Decide now what forms of payment you are happy to accept and stick to it. Ensure your customers are fully aware of exactly how to make payments to you and encourage them to ignore all requests to make payment using other means.
If you only accept payment through a secure online portal, tell your customers this. That way if someone emails them asking them to transfer money to a BSB and account number, they should be able to tell it is a scam.
Of course, you can only lead a horse to water, you cannot make it drink. But everything is about risk minimisation, and this is just another way of going about it.
Stop Accepting EFT Payments
EFT (electronic funds transfer) fraud is not only one of the most common types, it also has one of the largest single transaction risks, with some reporting losses in the hundreds of thousands of dollars in a single transaction.
In Australia we are seeing more and more customers falling prey to this type of fraud. Fraudsters gain access to a merchant’s emails and then use keywords search to find pending sales. They then monitor the inbox, and send a well timed email with their own BSB and account number to the payer with an accurate amount that looks very real.
Using invoice payment solutions such as Pinch Payments completely offsets this risk. When invoicing your customers, use a connected online payment system instead of normalising them paying you by BSB and account number. You will find you get paid faster with these systems enabled anyway.
Hire Penetration Testing Consultants
Penetration testing consultants, often known as ethical hackers, play a crucial role in identifying and addressing security vulnerabilities in systems, applications, and networks.
Most business owners are not experts in online payment risk, and nor usually are your IT managers, web developers or operations managers.
Just because someone can program a VCR, does not mean they are a coder.
If you have a complex organisation, handle a lot of customer payments, or just really care about protecting yourself and your customer, consider hiring a penetration testing consultant to audit your business.
Offboard Your Staff Properly
If a staff member who has access to your customer data leaves your company they are instantly your biggest single point of vulnerability.
Ensure that you revoke access to any systems such as ERPs, CRMs, websites, accounting software and especially emails, as soon as they are no longer an employee. Retrieve company owned devices and ensure that they do not have any copies of customer information saved on their own personal devices.
Unmanned inboxes of former employees are a perfect target for fraudsters to gain access to when attempting to commit EFT fraud, because there is nobody actually operating it so if a customer actually replies with concerns, only the fraudster is there to respond.
Use Best Practice When it Comes to E-Commerce
are using an esoteric solution it pays to check.
Ensuring your website enforces HTTPS (with a minimum of TLS 1.2) is the most basic form of online security. By implementing HTTPS, all in-transit data such as login credentials, payment information and personal data is encrypted and protected from eavesdroppers and interception. It also gives the customer the confidence that the website they are interacting with is legitimate.
3D Secure (or 3DS) is an additional layer of security for online debit
and credit card transactions. 3DS adds an extra step to the online
payment process, where the cardholder must authenticate their
identity before the transaction is completed.
Provide Clear Reporting Channels, and Act On Feedback
Make it easy and encourage your customers to report suspicious activity to you. Take these matters seriously, no matter what and respond proactively and quickly.
Never underestimate fraudsters. Take every matter seriously and deal with it on its own terms. Your least savvy customers are not just your easiest targets, they are often your best reporters for that very reason.
Maintaining open and responsive communication lines with your customers is not just good for protecting you and them from fraudsters, it’s just good business anyway.
Review Your Processes Regularly
Nobody could have predicted the technology we would have available to us to collect payments even a few years ago, therefore nobody could have possibly predicted how hackers would respond to it.
Ensuring you have documented processes creates an internal backbone for how you manage and handle payments risk, and it gives customers the confidence you take it seriously.
Reviewing your processes regularly, especially when you introduce new systems of collecting payment data and keeping them to date with the latest techniques fraudsters use, is the only way to truly protect yourself. It is a continual battle.
In Summary
Consumers are at risk now more than ever, but you can play a part in helping prevent bad actors from achieving success.
Don’t leave it entirely in the hands of your payment company or the banks to help. Gain a better understanding in what bad actors are doing and take steps to ensure you are not assisting them in the process.
Business is stressful and it can be tempting to operate hoping the worst case scenario won’t happen, but unfortunately online fraudsters are now utilising automation technology such as AI and bots to scour for opportunities, so don’t wait until the worst case scenario. Take proactive steps to protect both your own business and your customers.
I hope that these few tips take some of the guesswork out of what to do about it.
Ready to automate your payments?
Posted by Joe McCord on 23 September 2024