Online credit card fraud against small businesses

Kate Charlton and Natalie Taylor
ISBN 0 642 53846 8 ; ISSN 1326-6004
Canberra: Australian Institute of Criminology: 2004
(Research and public policy series, no. 60)

Executive summary

In 1999 the Australian Institute of Criminology (AIC) conducted a survey of crimes against small businesses in Australia which was funded by the National Crime Prevention program. The crimes that were covered included burglary, vandalism, shoplifting, cheque and credit card fraud, employee theft, employee fraud, assault, armed and unarmed robbery, and theft of and from vehicles. It did not cover online credit card fraud. The present study bridges this gap by examining the extent of online credit card fraud against small businesses in Australia.

The aims of the present study were to:

• provide a review of what is known about online credit card fraud;
• quantify the extent of online credit card fraud against small businesses in Australia within particular business types;
• identify factors that increase the risk of being a victim; and
• identify recommendations for improving online trading practices and reducing fraud.

Telephone interviews were conducted with 1,078 small businesses in five business types across Australia in April 2003. Small businesses were deemed as those that employed less than 20 full-time staff. The five business types chosen were those considered to be most likely to engage in online trading. These were:

• florists;
• booksellers;
• toy and game traders;
• computer hardware retailers; and
• recorded music retailers.

Trading online

Trading online varied across business type as follows. Eleven per cent of florists traded online, as did 17 per cent of booksellers, 15 per cent of recorded music retailers, 11 per cent of toy and game retailers and 13 per cent of computer hardware retailers.

Across the whole sample, 13 per cent of small businesses currently trade online and, of those not online, just over three-quarters (77%) believe that it is likely or very likely that they will commence online trading within the next two years. The vast majority of online traders are satisfied with the practice of online trading (89%) and intend to continue trading in this way (93%). Just over half (56%) indicated that online trading had significantly increased sales.

Different business types were influenced by different factors when it came to trading online. Computer hardware retailers and booksellers were more likely to trade online if they believed that the risks posed by online credit card fraud were outweighed by the benefits of trading online. Florists, recorded music retailers and booksellers were more likely to trade online if they employed more staff. Most business types were more likely to trade online if they believed that the costs/time involved in online trading were reasonable.

Use of online fraud prevention measures

Online traders can try to minimise online credit card fraud through electronic authorisation and/or manual screening of transactions. Electronic authorisation involves confirming through financial institution systems that the card being used to make the purchase is active and has sufficient funds available. This can be done automatically (through an automatic link on the retailer's web site to bank systems) or manually (involving either a phone call to the bank for authorisation or processing on an EFTPOS terminal).

Online traders most commonly processed electronic authorisations manually (67%), with 25 per cent utilising automatic electronic authorisation systems while their customers waited online. Eight per cent only occasionally or never confirmed transactions electronically.

For increased protection, online traders are advised to screen transactions manually. Manual screening involves checking details of transactions or taking other steps to try to confirm the identity of the cardholder. This study found that:

• 55 per cent of online traders always phoned or emailed the customer to confirm the order;
• 41 per cent kept a database of good and bad online customers;
• 30 per cent always rejected suspicious orders; and
• 12 per cent consistently confirmed customer addresses in the phone book.

Online credit card fraud

The lifetime prevalence of online credit card fraud among online traders was as follows:

• 28 per cent of florists;
• 43 per cent of booksellers;
• 26 per cent of recorded music retailers;
• 33 per cent of toy and game retailers; and
• 30 per cent of computer hardware retailers.

Overall, 32 per cent of online traders had been a victim of online fraud at some stage. The figures for lifetime prevalence were considerably higher than the proportion of online traders who had been victimised in the past 12 months; these figures ranged from between 12 per cent (florists) and 22 per cent (booksellers) of each business type. Online traders were significantly more likely to report experiencing fraud if the proprietor was male, if the business attributed a higher percentage of their overall turnover to online trading and if they believed that manually screening orders reduced business productivity.

Repeat victimisation

Repeat victimisation from online credit card fraud was identified as an issue, with 51 per cent of all online traders who had ever experienced fraud experiencing more than one incident over a two-year period (2001 and 2002). Overall, 18 per cent of online credit card fraud victims accounted for 38 per cent of all incidents.

Reporting to police

Consistent with previous research showing that credit card fraud is heavily under-reported, this study found that:

• 35 per cent of incidents were reported to police in Australia in 2001; and
• 21 per cent of incidents were reported in 2002.

Perceptions of online credit card fraud

A small number of online traders reported that their experience of fraud victimisation was higher than their initial expectations (6%). Just under one-third (32%) believed that it was about the level they had expected, while just over half (56%) reported that the level of online fraud they had experienced was lower than they had expected. Hence the experience of online fraud was less than most online retailers had expected prior to trading online.

Knowledge about liability for online fraud

In contrast to over-the-counter credit card transactions, where businesses are not liable for fraudulent purchases, online traders are responsible for recouping losses associated with online credit card fraud. Retailers who were currently trading or had previously traded online were more aware of their financial liability with respect to online credit card fraud (77%) than those who had never sold goods online (53%). However, knowledge of financial liability also increased with the actual experience of online credit card fraud. Eighty-eight per cent of victims were aware that the business would bear the primary responsibility in the event of fraud losses, compared to 73 per cent of past or current online traders who had never been victimised.

Finding out that fraud has occurred

Only six per cent of online traders had discovered the fraud themselves. The vast majority were advised of the fraud by their financial institution (91%). However, the amount of time that elapses before a trader is advised of a fraud can be lengthy. Half of the fraud victims were not notified for two months or more. Delays in notification of an incident of fraud can mean that a business may process several transactions on the same credit card, resulting in higher and continuing losses due to fraud.

Losses associated with online credit card fraud

Mean losses per victim (where the business was unable to recoup the loss) in Australia in 2002 varied across business type, starting from $100 for recorded music retailers up to $3,500 for booksellers. These losses can be considerable for an individual business, given that approximately 60 per cent of online fraud victims reported an annual turnover of less than $500,000.

Recommendations for better online trading practices

Fraud prevention measures were more likely to be put in place after an incident of fraud had occurred rather than before. Based on the findings from this survey, it is recommended that:

• online traders should be actively encouraged to implement fraud prevention measures before fraud occurs, as one incident of fraud may predispose a business to a repeat incident;
• online traders should be encouraged to utilise not only basic electronic authorisation, but also manual screening techniques, to minimise the risk of being a victim of online credit card fraud;
• financial institutions, where possible, should streamline their fraud notification procedures so that online traders are advised of a fraud as soon as financial institutions become aware of it;
• information about online fraud liability should be clearly articulated to potential online traders to ensure that they are aware of such liability; and
• online traders should be actively encouraged to report incidents of online credit card fraud to police. More regular reporting to police will allow for more accurate data to be collected about online fraud. Such information can assist police in identifying patterns of fraud being perpetrated against particular traders and will assist police to develop targeted policing strategies in relation to online fraud.