How Do Banks Investigate Unauthorized Transactions?

A customer finds out they have an unauthorized transaction on their credit card.

Their first reaction: Shock. 😯

Most consumers know fraud happens, but no one thinks they’ll be the victim.

The next emotion: Anger. 😡

They may jump to the conclusion that the seller is at fault and contact the card issuer or payment processor to dispute the charge. And that initiates a complex process that often leads to a costly chargeback for the seller, even if ecommerce fraud is the real villain. 

But how does this impact your online business, and what can you do to prevent unauthorized transactions from happening in the first place?

The worst thing an ecommerce business can do about unauthorized transactions is assume they’re not your problem.

Why?

Today’s consumers have high expectations of online retailers.

Even if a fraudster uses stolen credit card information and looks like a valid customer, consumers will turn on brands that allow fraudsters to use their payment credentials.

What Businesses Should Know About Unauthorized Transactions

1. Ecommerce Fraud Is Never-ending
2. Investigations of Unauthorized Transactions Often Favor Consumers
3. Who Is Liable for Ecommerce Fraud
4. Fraud Impacts Businesses Differently
5. Why businesses should focus on the customer experience
6. Fraud Prevention Is The Best Defense Against Unauthorized Transactions

1. Ecommerce Fraud Is Never-ending

Unauthorized transactions can happen through a wide array of avenues. The creativity of criminals never ceases to evolve.

Account takeover (ATO) fraud continues to be a problem. Fraudsters use stolen data from data breaches and phishing to triangulation and card-not-present (CNP) fraud to more sophisticated schemes, fraudsters continue to find new ways to attack ecommerce businesses and innocent customers.

“We are seeing a general increase in ATO fraud, where online businesses are experiencing three times more fraud than in the past. This is especially common with older consumers who are susceptible to phishing and pharming schemes.”

Bruno Farinelli, Senior Director - Customer Success & Risk, ClearSale

It seems that data breaches have become commonplace, impacting major banking institutions and social media giants like Facebook, now Meta. With each of those breaches, hackers download sensitive and personal customer data and sell it on the dark web.

Fraudsters can easily purchase thousands of data files and use sophisticated software to test each credit card on file until they find their prey. And then they’re off to the races, making one unauthorized transaction after another, posing as legitimate customers and making it difficult for companies or the victims to detect that anything is wrong until the damage is done.

Once a customer finds an unauthorized transaction, they’ll likely contact their bank and initiate the chargeback process.

2. Investigations of Unauthorized Transactions Often Favor Consumers

When a customer sees an unauthorized transaction on their statement, they’ll report a disputed charge, which initiates a fraud investigation. From there, the steps are fairly straightforward:

Customer proof

The customer is asked to provide details pertaining to the unauthorized charge, including any supporting documentation that proves the purchase was fraudulent. In situations that involve ATO fraud, that can mean a frustrating level of paperwork and legwork.

Bank/card issuer notification

At the same time, ecommerce business is notified that a charge has been disputed and they’re given a set timeframe to respond, depending on the payment processor:

• Visa gives companies 30 days to respond.
• PayPal’s timeframe is only 10 days to respond.
• MasterCard gives businesses 45 days to respond.
• American Express has a 20-day window.
• Discover gives companies 20 days to respond.

Ecommerce business due diligence

During this timeframe, businesses must gather as much evidence as they can to prove the transaction was valid and submit it to the payment processor. This is referred to as compelling evidence and can include a list of information, including:

• Emailed invoices

• Transcripts/screenshots of all customer service communications
• Proof the customer logged in, downloaded, viewed, and used a digital order (using IP address)
• AVS and CVV match from the customer’s credit card
• Screenshots of a customer’s public social media account that shows the disputed goods being used

Without the right documentation and policies in place, ecommerce businesses find themselves fighting an uphill battle.

Bank/card issuer evaluation

When the bank or card issuer receives all the required documentation, they will have between 30 and 90 days to evaluate the case, formulate a response and resolve the issue. Depending upon the nature and scope of the fraud, the bank may decide to notify law enforcement. If the credit card fraud is accompanied by identity theft, the FBI may also be brought in to further investigate.

In most cases, however, the matter will be handled by internal credit fraud investigators who are experienced in combing through electronic transaction trails to determine where fraudulent purchases originated.

If, for example, the investigator can determine that the fraudulent purchase was made from an IP address in Australia, but the consumer has proof of being in Boise, Idaho, at the time, that’s strong evidence that the charge was indeed fraudulent.

Bank/card issuer response

The bank will advise the consumer to contact the three major credit reporting agencies (Equifax, Experian and TransUnion) and ask for a fraud alert to be placed on file. This will ensure that any attempts to open new credit accounts are declined unless the creditor speaks with the consumer directly and takes extra steps to verify their identity.

The question of who is liable for the fraudulent purchase depends on timing and type of credit card.

3. Who Is Liable for Ecommerce Fraud

In many cases, the consumer won’t be on the hook for much. The Federal Fair Credit Billing Act protects consumers, stating that a card issuer can only hold a cardholder liable for up to $50 in fraudulent charges if the physical card is lost or stolen. If the card number is used but the cardholder is still in possession of the actual card, their liability is $0.

The bank will require the business to refund payment, and the bank will subsequently charge a fee or chargeback to the business.

It’s important to note that the rules are different for debit cards. The Electronic Fund Transfer Act states that if fraud is reported within two days of the statement date, consumer liability is limited to $50. If the fraud is reported after two days but within 60 days, their liability is limited to $500. After 60 days, the consumer is responsible for any and all fraudulent transactions.

It’s interesting to note that in some countries, such as China, the responsibility for unauthorized transactions falls on the consumer. This is one of the reasons that credit card payment penetration in China is lower than in other regions.

Depending on the size of the company, how online businesses handle fraud attempts and unauthorized transactions can vary. 

4. Fraud Impacts Businesses Differently

You’d think unauthorized transactions impact all companies the same way, but it really does vary.

Enterprise ecommerce businesses tend to overlook chargebacks

Enterprise ecommerce businesses may not be as dependent on each individual transaction for revenue since they process countless orders every week. But that doesn’t make them immune to fraud and its impacts. The fact that so many transactions are processed by enterprise businesses gives fraudsters an opportunity to potentially test out new tactics under the radar, unless the business has a solid fraud prevention and protection strategy in place.

And the most common fraud prevention tactic we hear about from large online retailers involves fraud filters, which creates an even bigger problem. Strict fraud filters automatically decline orders that seem even a little bit suspicious. Remember what we said about new customers behaving like fraudsters? A fraud filter will block those orders, turning good, potentially loyal customers away.

As a result, the impact of unauthorized transactions on enterprise businesses is often seen in their approval rates and customer experience, or lack thereof. We’ll address this more in a later section.

Midsized businesses walk a fine line

For midsized online businesses, unauthorized transactions present a mix of impacts – in some ways, the worst of both worlds. Not only do they struggle with revenue issues from too many chargebacks, if the business doesn’t pay attention to chargebacks, their chargeback rate may rise above the industry’s 1% threshold and they may find themselves in a credit card monitoring program.

“When payment processors have to handle too many chargebacks related to an ecommerce business, they can subject that business to a chargeback monitoring program, where the processor levies more fees and may even stop working with the online business.”

Elma Ocampo, International Marketing Director, ClearSale

From there, the fees get higher and the midsized ecommerce business runs the risk of being dropped by the card issuer altogether. Not to mention the impact on how they’re perceived by the customer.

Ecommerce fraud can hit small businesses hard

Small businesses are like “mom-and-pop” shops. They’re often run by an owner and one or two employees. Although they may have busy seasons, small ecommerce businesses tend to process fewer transactions. That means every sale is crucial for revenue.

So, when a fraudster finds a weakness in a small business’s ecommerce site, it can wreak havoc on that business’s reputation (we’ll talk about that in a later section) and eat away at their bottom line. Chargeback fees account for a significant expense and eat away at their bottom line quickly – and they add up fast.

Small businesses tend to focus on preventing chargebacks for that reason. But they have to make sure they have a comprehensive solution. Too many processors and solution providers make promises about seller protections when they really don’t have a rock-solid solution.

5. Why Businesses Should Focus on the Customer Experience

As we highlighted in the previous section, unauthorized transactions can impact ecommerce businesses in ways beyond chargeback fees and monitoring programs. When the companies opt for a generic approach to reduce fraud by simply using the fraud filters that come standard on one or more of their platforms, they can create a customer experience problem.

The problem with fraud filters

Fraud filters are a familiar option and seem like a reasonable approach to fraud. They involve setting strict thresholds pertaining to AVS matching, purchase attempts and other static measurements that govern which transactions will be automatically declined.

But what about novice customers who accidentally enter their credit card date incorrectly three times? How do fraud filters handle grandparents who buy all their grandchildren’s holiday gifts and ship them to their vacation home in advance of the season? What will fraud filters do about the woman who sends the same gift to all six of her former college roommates?

A fraud filter will almost certainly deny every one of those transactions. And that has dire consequences for online businesses because each situation will result in a false decline.

These false declines lead to angry customers. In fact, 40% of customers will find another place to shop after one false decline, and 34% will complain on social media. Neither are good news for any business.

Customer experience pertains to the chargeback process

It’s important to note that ecommerce businesses are notified when a customer is disputing a transaction. How you communicate with those customers as they are trying to resolve the issue can make a huge difference in how they view your business. Even if you’re skeptical about the validity of the dispute, showing empathy and kindness is the right approach.

A customer with a legitimate dispute might be irritated. A customer with a legitimate dispute who’s treated like a fraudster by the business? You’re looking at negative reviews and even boycotts if word of their experience goes viral.

The best way to prevent all these headaches in the first place? A smart fraud protection strategy.

6. Fraud Prevention Is the Best Defense Against Unauthorized Transactions 

Protecting consumers from credit card fraud requires an approach that involves all stakeholders: Online businesses, banks, credit card companies, credit reporting agencies, law enforcement and consumers.

But ecommerce retailers of any size need to understand that customers see fraud prevention as a business responsibility. Our research revealed that 82% of consumers would be reluctant to shop on a site that allowed a fraudster to use their credit card information to make an unauthorized transaction. The lesson? Prevent fraud from happening in the first place.

At ClearSale, our hybrid solution includes multiple strategies to offer one of the most comprehensive fraud and chargeback prevention solutions on the market.

ClearSale’s hybrid approach to fraud prevention

It starts with an AI-enabled algorithm that leverages trends, intelligence and data gathered from decades of fighting fraud in the most high-risk regions of the world. Using this technology, we can automatically approve most orders quickly.

Suspicious orders are flagged for secondary reviews performed by our more than 1,500 fraud analysts who can recognize some of the hardest-to-recognize fraud patterns. That secondary review usually impacts only 2%-3% of orders at the most.

Using the data gleaned from those secondary reviews, we train our system to become better at distinguishing valid transactions from fraud. That means our system gets better at recognizing “good” transactions as we process more for the client, which increases their approval rates and revenue.

This comprehensive approach gives online businesses the peace of mind that they’re protected and their consumers will be alerted if any unauthorized transactions are detected long before a statement arrives in their inbox.

Contact us today to find out why companies around the world trust the ClearSale solution.