Online credit card fraud against small businesses

Kate Charlton and Natalie Taylor
ISBN 0 642 53846 8 ; ISSN 1326-6004
Canberra: Australian Institute of Criminology: 2004
(Research and public policy series, no. 60)

Section 6 : Losses associated with online credit card fraud

Losses from fraud

Establishing the losses associated specifically with online credit card fraud is difficult. In the UK, losses associated with card-not-present frauds (remembering that these also include telephone, mail and fax orders and other situations in which a fraud may occur in the absence of a card) amounted to £116.4 million in 2003 (APACS 2004), an increase of six per cent on 2002's losses. Cybersource's Online Fraud Report (2002) stated that online credit card fraud amounted to approximately three per cent of overall revenue for businesses in the United States.

It is unclear exactly how much is lost to online credit card fraud each year in Australia (Kennedy 2000). In relation to previously released figures, a 2001 police article quoted the National Australia Bank as reporting its business customers lost $700,000 in the final quarter of 1999 as a result of this crime (Gibbons 2001). The South Australian police have estimated that online credit card fraud cost South Australian businesses as much as $250,000 in a two-month period (SA Police 2000). However, police figures (like that given for SA) include all businesses and not just small retailers, resulting in figures which are likely to be heavily influenced by the high turnover of larger businesses.

The AIC online fraud survey found that losses varied by business type, and that mean losses for victims who experienced a loss were considerable, particularly for booksellers, toy and game retailers, and computer retailers (see Figure 7). Mean losses per incident were also significant for particular retailers (see Figure 8). Since the annual turnover for these small retailers can be relatively small (approximately 60 per cent of online traders reported an annual turnover of less than $500,000), it is likely that these losses impacted considerably on those businesses affected.

Beliefs about financial liability

In recent times, proprietors have complained that they were not aware of their potential liability for online credit card fraud prior to receiving a chargeback from their financial institution and subsequently being expected to bear the costs associated with the incident (Levy 2002). In order to assess how common this lack of awareness might be among businesses in Australia, all retailers were asked who they believed bore the primary financial responsibility for online credit card fraud (see Figure 9). It can be seen that:

• 88 per cent of online credit card fraud victims were aware that a business bears the primary responsibility for financial costs for online fraud;
• 73 per cent of non-victim online retailers were aware of this liability; and
• only 53 per cent of proprietors who had never sold goods online were aware of this liability.

Although it is clear that the majority of online retailers in Australia (particularly those who have experienced fraud in the past) are aware of their potential liability, some still remain unaware. Also, given that almost half of the sample of non-online traders were unaware of a business's liability with respect to fraud, and given that a large number of these indicated that it is likely they will soon move to online trading, there is clearly a need to ensure that straightforward information about liability for online credit card fraud is disseminated widely and read by prospective traders.

How did businesses find out about the fraud?

Businesses who provided details of a specific incident of online credit card fraud were asked how they had discovered the fraud; were they advised by their financial institution or another party, or did they discover it themselves? It was found that:

• 91 per cent of businesses were advised of the fraud by their financial institution;
• 6 per cent had discovered the fraud themselves; and
• 3 per cent were advised by another party (for example, the cardholder).

How long did it take for businesses to be notified of the fraud?

The length of time taken to identify that fraud has occurred and, more importantly, the time that has lapsed before the retailer is informed of the chargeback can have important implications for business losses. When the delays are lengthy, the retailer may have processed additional orders on the same card, resulting in a greater number of fraudulent transactions. A recent newspaper article (Kennedy 2000) highlighted this by citing anecdotal accounts of traders who had experienced extensive delays in notification and in some cases had processed additional orders, resulting in multiple chargebacks. Wales (2003: 10) also indicated a problem with notification delays in the United States, stating 'sometimes chargebacks are not issued for weeks, if not months after the retailer has sent the goods out.'

In the AIC survey, delays in notification were found to be lengthy with:

• 10 per cent of online fraud victims notified within a month of the incident;
• 42 per cent notified between one and two months after the incident; and
• 48 per cent notified two months or more after the incident.

It is understandable that notification can take time, given that in most cases the cardholder is responsible for notifying their financial institution and (especially in the case where a card is not stolen) the cardholder may not become aware of the fraudulent transaction until they receive their monthly statement or check their account through other means. However, this delay can have significant implications for a business victim, given that retailers may continue processing transactions on a card number unless they are advised otherwise. It is not uncommon for retailers to be defrauded more than once using the same card number, which makes delays in notification crucial.