Ask someone to envision a cybercriminal, and they might first think of a savvy hacker typing away on a keyboard in a dark room, lines of code filling up the screen. These hackers exist, but in practice, a fisher enjoying a day on the lake is just as apt a mental image. That’s because many fraudsters use “phishing” to steal confidential data, break into sensitive systems, and make illicit purchases.

For businesses big and small, cybersecurity is crucial. Lax security practices not only create vulnerabilities but can also result in fines from authorities and potentially even lawsuits. Phishing can lead to fraudulent transactions, which can lead to chargebacks. Data breaches and the like can also do tremendous damage to brands, destroying trust and driving away customers.

We’re going to take a closer look at how phishing can lead to chargebacks, and we’ll consider other risks as well. First, let’s take a deeper look at phishing, and how fraudsters can use it to target both consumers and companies.

How Phishing Works

Phishing is a social engineering technique that tricks people into handing over sensitive data. “Social engineering” means the focus is on influencing people rather than writing code and software. In practice, social engineering is a grave threat both online and “IRL” (in real life).

Phishing occurs when a fraudster pretends to be a legitimate authority, such as a retail website. Like an angler at the lake, a fraudster will cast out bait to see if anyone will bite. For example, a hacker might:

  • Call, text, or email a consumer, claiming to be a merchant’s customer service department.
  • Then claim that there was a problem with a payment.
  • Insist that the customer “must” supply their credit card number so the order can be processed.

Ultimately, many criminals are adept social engineers, and the right presentation and a few questions can even dupe the cyber-savvy. Some also use threats, like taking legal action if the victim doesn’t comply. The consumer, believing that the fraudsters are legitimate, can be pressured into handing data over.

Further, criminals will use email addresses and even entire websites, known as honey pots, that look legitimate. Besides email, they may also send text messages and messages via social media networks. In some cases, criminals have even used fax machines to conduct phishing attacks.

Merchants Bear the Burden Even if They Didn’t Take the Bait

Unfortunately, merchants must often bear the burden of damage caused by phishing. This can be true even if the cardholder, rather than the merchant, was the one who compromised sensitive information. That’s because cardholders will often simply apply for a chargeback, which works like an unauthorized refund.

If a criminal uses someone’s credit or debit card information to make a purchase, the cardholder is entitled to get their money back. The United States has enshrined chargebacks into federal law. The costs snowball onto merchants and it’s all nice and legal.

Let’s say during a phishing attack a customer gives their information to a fraudster, who then makes a purchase on your website. If the customer notices the fraudulent charge, they can file for a chargeback. Since the charge was fraudulent, the merchant is now liable and the card-issuing bank will reverse the payment.

The costs of chargebacks can add up quickly. Chargeback fees typically range from $20 to $100, and the retailer will also lose revenue from the sale. They may also lose inventory. If the retailer gets hit with too many chargebacks, they might also end up paying higher payment processing fees.

Phishing can also impact businesses more directly, and this too can lead to various issues, including fines, lawsuits, and chargebacks.

How Merchants Are Targeted by Phishing

Fraudsters can also target businesses directly. Here’s what that might look like:

  • A hacker sends an email, pretending to be the service provider for your point-of-sale system.
  • Next, they claim that there was a security breach.
  • The employee is told they must provide their login credentials to secure the system.
  • Once the credentials are handed over, the criminal may now be able to access your platforms and internal systems.

If an employee hands over credentials, a data breach is imminent. The hackers might be able to gain access to customer credit card numbers or other pieces of sensitive data, and unauthorized transactions can rack up. If passwords are exposed, criminals may be able to take over a customer’s account. If the fraudster then uses this information to make unauthorized purchases, the customer will almost certainly get their money back if and when they file a chargeback.

Of course, if a business notices that its systems have been breached, it needs to take steps immediately to control the damage. However, a breach can go unnoticed for a long time.

How to Reduce the Risks Associated With Phishing

Fortunately, there are steps companies can take to reduce the risk of phishing attacks and related issues, like chargebacks. It’s wise to educate both your employees and your customers on what phishing attacks look like. Simple awareness can greatly mitigate risks.

Steps to prepare employees include:

  • Providing real-world training and examples of phishing emails.
  • Highlighting tell-tale signs, like asking for sensitive information and poor spelling.
  • Explaining that phishers often use deceptive URLs and subdomains in their links and email addresses, like “online.amazon.com” or “inquiry.ups.com”.
  • Requiring employees to contact management or IT before divulging any potentially sensitive information to outside parties.

You should also explain the stakes. Cyber Magazine reports that over half of businesses fold within six months after a major data breach or cybersecurity attack.

As for customers, a business may not be in a strong position to raise awareness. However, a proactive approach can still yield results.

Steps to raise awareness among customers include:

  • Sending out newsletters with news stories related to phishing.
  • Warning customers if authorities are reporting an uptick in attacks.
  • Promising to never ask for confidential information — like a credit card number — over email.

Regarding the last point, a customer may need to update a payment method or otherwise pass over sensitive data. In these cases, it’s smart to have them do so through your website or app. You might also ask them to call your customer service department at the number listed on your website.

The Steps to Reduce Chargebacks Stemming from Phishing

It’s wise to reduce chargebacks, including those stemming from phishing campaigns. Ultimately, a well-rounded chargeback mitigation strategy can reduce risks, including those stemming from other criminal activities.

Crucially, when a customer makes a payment, you should always ask for the Card Security Code/Card Verification Value (CSC/CVV), which is printed directly on the back of the card. Any merchant who fails to get the CSC/CVV in a card-not-present transaction will lose the dispute.

It’s also wise to set up chargeback alerts to mitigate a phishing breach. If a customer has fallen victim to a phishing attack, they’re likely one of many that could file a chargeback, and in such cases, the merchant is unlikely to win. Chargeback alerts can let merchants know about any upcoming chargebacks. Then, the merchant can offer a refund before the chargeback is filed. Refunding money hurts, but chargebacks hurt more; you’ll lose the revenue anyway and will have to pay fees and penalties on top.

You can also use tools that monitor for red flags, like strange IP addresses or shipping addresses. If a hacker used a phishing attack to take over someone’s account, they may use saved payment information to make a purchase. To get the goods, however, they’ll need to change the shipping address.
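The red-flag check described above, as an added example that is not part of the original article or any vendor's tool: it flags orders placed from a new IP, shipped to a new address, or paid with a saved card but sent somewhere new. The field names, the 24-hour window, and the sample account and orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

ADDRESS_CHANGE_WINDOW = timedelta(hours=24)  # assumed threshold, tune per shop

@dataclass
class Account:
    known_ips: set = field(default_factory=set)        # IPs seen on past good orders
    known_addresses: set = field(default_factory=set)  # normalized past ship-to addresses
    last_address_change: Optional[datetime] = None     # last profile address edit

def normalize(addr: str) -> str:
    """Lowercase, drop commas, collapse whitespace so trivial variants match."""
    return " ".join(addr.lower().replace(",", " ").split())

def red_flags(account: Account, order: dict) -> list:
    flags = []
    if order["ip"] not in account.known_ips:
        flags.append("new_ip")
    if normalize(order["ship_to"]) not in account.known_addresses:
        flags.append("new_shipping_address")
    changed = account.last_address_change
    if changed and timedelta(0) <= order["time"] - changed <= ADDRESS_CHANGE_WINDOW:
        flags.append("recent_address_change")
    # The takeover pattern from the text: stored card, goods sent somewhere new.
    if order["saved_card"] and "new_shipping_address" in flags:
        flags.append("saved_card_to_new_address")
    return flags

def decide(flags: list) -> str:
    if "saved_card_to_new_address" in flags and "new_ip" in flags:
        return "hold"  # do not ship until the customer is verified out of band
    return "review" if flags else "allow"

def triage(account: Account, orders: list) -> dict:
    return {o["id"]: decide(red_flags(account, o)) for o in orders}

# Constructed sample data (documentation IP ranges, made-up addresses).
ACCOUNT = Account({"192.0.2.10"}, {normalize("12 Elm St, Springfield")},
                  datetime(2024, 5, 1, 9, 0))
ORDERS = [
    {"id": "A1", "time": datetime(2024, 4, 20, 14, 0), "ip": "192.0.2.10",
     "ship_to": "12 ELM ST,  Springfield", "saved_card": True},
    {"id": "A2", "time": datetime(2024, 5, 1, 9, 20), "ip": "203.0.113.77",
     "ship_to": "99 Dock Rd, Harbor City", "saved_card": True},
    {"id": "A3", "time": datetime(2024, 5, 10, 18, 0), "ip": "192.0.2.10",
     "ship_to": "4 Oak Ave, Shelbyville", "saved_card": False},
]

if __name__ == "__main__":
    for order_id, verdict in triage(ACCOUNT, ORDERS).items():
        print(order_id, verdict)
```

A held order pairs naturally with the chargeback-alert approach above: verifying the customer before shipping is cheaper than refunding after the goods are gone.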

Various other steps can be taken to reduce the risk of chargebacks and fraud, phishing, and cybersecurity threats in general. What’s crucial is adopting a proactive approach.
