Online payment fraud

Online payment fraud

Share on:

Payment fraud has always been a large threat to any company that deals with any sort of online monetary transaction. With advanced payment technologies settling into the market, the standards for security are also rising fast. But while fintechs are developing more advanced payment options, fraudsters are not falling behind.

According to Juniper Research, between 2020 and 2025, e-commerce fraud losses in the world will see 18% growth. In 2021 alone, global e-commerce businesses lost $20 billion to fraud.

The pandemic is one of the reasons for growing online payment fraud losses. Many merchants quickly moved their businesses online without taking proper security measures. But today, having a sophisticated security system is no longer considered an advantage. It’s something that clients expect every merchant to have in place.

Choosing a reliable payment infrastructure should be a top priority for every business. Only payment gateway providers with sophisticated security features can ensure a secure payment flow for merchants and their customers.

What is online payment fraud?

The exact definition of payment fraud depends on the fraud type. In a general sense, online payment fraud is the action of stealing someone’s payment information and using it for unauthorised purchases or transactions.

The most common type is credit card fraud. Criminals steal a credit card or acquire its details without a physical card and take out the money or make fraudulent payments with the card. All the transactions made without the cardholder’s approval fall under the credit card fraud category and are part of online payment fraud.

Another form of payment fraud is fraudulent chargebacks. Criminals place an order and later initiate a false chargeback, claiming they never received the ordered items or got faulty goods.

How does online payment fraud happen?

Payment fraud happens when a criminal steals the payment card details or other personal information from someone and tries to use it for a fraudulent purchase or a transaction.

Most anti-fraud systems can catch fraudsters trying to commit a crime, but some criminals use advanced techniques and manage to proceed with the crime. Criminals try to trick the anti-fraud systems by using an IP address from a location similar to the cardholder’s, setting up their browsers to mimic the settings of the victim’s browser, etc.

If fraudsters succeed, it may affect both the cardholder who loses their money and the business that confirmed a fraudulent purchase. Merchants become liable for the chargeback amount if the actual cardholder files a claim with their bank.

Types of online payment fraud

Online payment fraud comes in different forms. These are the main types of fraud:


Phishing fraud happens when a criminal sends a message to the victim, tricking them into giving out personal information. Phishing attacks can happen via email, text messages, or phone calls. The criminal can try to impersonate a familiar person or a brand and trick someone into revealing their sensitive information.

Bank transfer scam

The definition of a bank transfer scam can cover various fraudulent activities where the victim is tricked into making a direct transfer for goods or services.

An example of such a scam is when a fraudster pretends to be interested in buying goods or services and asks the seller what account to transfer the payment to. The criminal then finds a person willing to buy something and asks them to transfer money to the same bank account. The goods are sent to the fraudster, and the person who transferred the money is left without the goods or the money.

Friendly fraud

The so-called “friendly fraud” has nothing to do with friendliness. Fraudsters may initiate a payment with their personal card or via bank and later ask for a refund, claiming they never received the item or got a faulty product. In this case, the fraudster keeps the product they purchased and receives their money back.

Clean fraud

Clean fraud is one of the hardest to detect. That’s why it’s called “clean.” Criminals closely analyse companies’ fraud-detection mechanisms and use stolen payment information to navigate around the anti-fraud systems.

How to prevent online payment fraud?

Merchants can take measures to protect their businesses from online payment fraud:

  • Choose a reliable payment gateway with robust security features in place.
  • Use online payment fraud detection mechanisms to identify fraudulent payments.
  • Carefully check payment and shipping information to identify if there are any suspicious discrepancies.
  • Focus on carefully analysing suspicious orders, such as very large purchases made at random times (at night or early in the morning).

In general, merchants should stay alert and inspect any suspicious transactions by either contacting the consumer directly or speaking to the payment gateway provider.

How does kevin. tackle security risks?

We consulted with our in-house security experts and discussed the most relevant threats that pose the highest risk for merchants and their clients. We picked each of the risks and explained how kevin. tackles these issues to ensure maximum security.

1. MitM attacks

A man-in-the-middle attack (MitM attack) is a type of cyberattack when an attacker impersonates someone else in order to commit fraud. For example, the criminal steals credit card details and makes a purchase in someone else’s name. Once the goods arrive, they request a chargeback. These attacks are a threat to both merchants and their clients. Merchants may send out goods to fraudsters without knowing that they’ve been involved in a MitM attack and never receive the payment.

Fraudsters may also fake notifications that merchants receive about a completed payment. Once the merchant receives such notification from their payment infrastructure provider, they send out the goods. Unfortunately, if the notification is fake, the payment will never reach the merchant and result in a revenue loss.

How can kevin. help?

With kevin.’s infrastructure, the client’s payment instantly reaches the merchant’s account. As a result, the merchant can promptly ship products or deliver services while remaining certain that money has been received. kevin. only sends payment confirmation notifications to merchants after the payment has been made and cannot be reversed.

Additionally, all the notifications that kevin. sends out to the merchants are signed with hash-based message authentication code (HMAC). HMAC signatures add an extra security layer that ensures kevin.’s communication to the merchants cannot be hacked or faked in any way. kevin.’s communication to the merchants aligns with all the industry security standards.

2. Card detail leaks

According to UK Finance, in 2020, 45% of all frauds in the UK involved credit or debit cards, which led to losses of more than £570 million. While the losses are 7% lower than in 2019 (mainly due to the pandemic), credit card fraud remains a massive issue, and companies are taking large measures to prevent it.

How can kevin. help?

kevin. offers a solution that completely eliminates the risk of card fraud. Account to Account (A2A) payments allow customers to pay directly from their bank account to the merchant’s account. A2A payments not only help against card fraud but also significantly reduce the transaction costs because they eliminate the unnecessary middlemen.

Whether your customers choose to pay by a card or bank, their details are secure with kevin.’s payment infrastructure. kevin. uses an advanced token management system that enables merchants to offer clients the possibility to save their payment details in a secure manner.

We have developed our own token system that resembles those used by the banks. Our system ensures the highest level of digital security. We issue merchants with our own tokens. Therefore, if tokens ever get in the hands of fraudsters, they will have no value to them.

3. Dealing with sensitive information

Merchants and their customers need to be sure that their data is stored securely. To ensure that, merchants should only choose to work with organisations that are secure or Payment Card Industry Data Security Standard (PCI DSS) compliant.

Partnering with a PCI DSS compliant payment infrastructure provider is beneficial for small and medium-sized businesses since they don’t need a Record of Compliance or an onsite audit by a Qualified Security Assessor (QSA). These merchants are usually not required to fill out an Attestation of Compliance.

How can kevin. help?

All the sensitive data is secure with kevin. and is stored in the Amazon Web Service (AWS) cloud, which is also used by the largest industry players such as Stripe, Barclays, Monzo, and others.

All the data that goes through kevin. is encrypted and is kept highly secure. kevin. uses a tokenization process that swaps sensitive data with non-sensitive data. This way, a card’s PAN is replaced with a unique set of numbers that, without access to kevin.’s system, will be useless to anyone if they could ever get their hands on it.

We also have a 24/7 system monitoring in place. In the event of any security breach, we’ll be alerted in real-time so we can stop any fraudulent activity before it causes any harm.


Payment fraud is and has always been a large threat to merchants. There are different ways for fraudsters to attack merchants, but a secure payment infrastructure can help reduce or even eliminate these risks.

Security is a top priority for kevin. We have installed various security measures to create the safest payment infrastructure. We also offer payment features such as account linking to ensure merchants can offer fraud-proof payment solutions to their customers.

kevin. uses advanced security features and tokens to protect sensitive data. If you’d like to learn more about any of our features, get in touch with us, and we’ll make sure to offer a secure payment infrastructure solution for your business.