The 5 Stages of CNP Fraud

By Karisse Hendrick, Editor-at-Large, CardNotPresent.com

Editor’s Note: In 1969, Swiss psychiatrist Elisabeth Kübler-Ross proposed to great acclaim that humans go through five separate stages when dealing emotionally with the loss of a loved one: denial, anger, bargaining, depression and acceptance. While the stakes aren’t nearly as high, in her former role advising merchants on their fraud issues, CardNotPresent.com’s Karisse Hendrick noticed a comparable pattern. When CNP merchants identify for the first time that their company has become a target for fraudsters, it can be the start of an arduous process. By recognizing the pattern, companies hopefully will move through the process faster, reaching acceptance—and preventing future fraud losses—as efficiently as possible.

Stage 1: Denial

Usually, the first sentence a fraud consultant hears goes something like this: “We don’t have fraud, but we have been getting a lot of chargebacks recently,” or “my bank says we have fraud, but I think we just have customers who don’t want to pay their bills.”

While legitimate customers may file chargebacks out of remorse every once in a while, merchants that suddenly experience a high volume of fraud chargebacks within a few months probably are facing fraud. A large number of good customers do not feel remorse simultaneously. More likely, an opportunistic fraudster found a way to get past processes in place (if any) and hammered the vulnerability, knowing that it may not last long.

Denial is not always rational, but it does need to be acknowledged in order to move on. One of the first companies I ever worked with was in the most denial about fraud on their systems. To be fair, this was before many companies were open about this type of loss, so they didn’t have any experience or knowledge that CNP fraud was common. The CFO of the start-up said very matter-of-factly that no one would commit fraud on this Website because her husband was a detective with the police department in her city. Was he investigating fraud claims and working to prosecute the bad guys and was there a notice to that effect the site? No. But in her mind, her company was safe because her husband was in law enforcement. I explained that no CNP company is immune to fraud, especially as it grows. A CNP company is much more likely to experience fraud at some point in its life, than not and, eventually, she was convinced. The sooner merchants can work through their denial, the sooner they can attack the root causes and prevent future financial losses.

Stage 2: Anger

Once a company acknowledges that fraud has affected its network, it almost always moves quickly to anger. Interestingly, the most common target of their anger is not the people stealing from them, but the card brands and payment networks that made the rules for CNP commerce. If a stolen credit card is used in a card-present environment (and the merchant is able to accept and process EMV transactions), the bank is liable to repay the cardholder. However, when the credit card is absent in the transaction, the merchant is liable. It can be difficult for merchants not previously familiar with these rules to accept that it is their responsibility to verify the identities of customers making online or mobile purchases. It can also be hard to understand that an authorized transaction is not guaranteed to be legitimate.

The payment networks are used to dealing with merchant vitriol over the phone, via e-mail or even in person at conferences and meetings. A veteran merchant once observed that, at a conference, they can always tell when a company has been exposed to fraudulent transactions for the first time. “The new people yell at the card brands, as if they are the first ones to discover an injustice and will be the ones to change the rules,” he said. “While those of us that have been around a while are sitting in the corner checking our e-mail.” The confusion and frustration behind the anger are valid and understandable. But, the rules likely aren’t changing, even though the largest retailers in the world have tried to change the system in various ways.

While it doesn’t usually assuage the anger merchants feel, there are many more tools available to verify a cardholder’s identity in online and mobile environments than in person. Matching a signature or verifying a government ID in person is not as reliable as verifying identities through device ID, geo-location, social network triangulation, biometrics, consumer authentication or one of the many other tools and resources available to online companies. Once a merchant accepts that the rules, while perhaps not fair, are necessary to accept the 99 percent of online sales that are legitimate, they can move to the next step.

Step 3 & 4: Bargaining and Depression

Bargaining and Depression typically occur around the same time. Being victimized by criminals and learning that your company is solely responsible for preventing it can create a sense of helplessness and loss of control. Being overwhelmed and unsure of how to fix the problem can lead to regret and unproductive thoughts that start with “If only….”

“If only we had reviewed orders that are abnormally high for our business model.” “If only we hadn’t run that promotion that seemed to attract fraudulent behavior.” “If only someone thought of fraud when building the business model, this would be so much easier to solve.”

One symptom of depression is the inability to commit to action. A large monthly loss to the company, the pressure from leadership to “just fix the problem” and the numerous options all promising to stop fraud, can be overwhelming. This can lead to making no decision or a premature one. Looking at the problem as a whole is too daunting and can lead to inaction. Instead, begin by looking at commonalities in the fraudulent orders and make a list of priorities. Looking for patterns such as products being stolen, the time of day the orders are placed, similarities in passwords or e-mail and the overall behavior of an order will help create a list of issues to solve. The best way to get past the paralyzing bargaining and depression phase is to take action in tiny steps. Eventually, these steps add up and become easier, eventually leading to acceptance.

Step 5: Acceptance

Eventually, companies that are successful in preventing fraud find acceptance. They accept the fact that the rules aren’t fair, that verifying the legitimacy of an order is their responsibility and that this will not be solved overnight, or even at all. Fraud is not something that will completely go away once a person is hired to focus on it or a solution is adopted. However, continual learning and improving will always lead to more success than doing nothing. Once acceptance is achieved, the following steps can be helpful in creating the right fraud prevention strategy for your business:

  • Learn from past losses. Find the commonalities in orders that caused fraud chargebacks and prioritize which behaviors result in the highest loss rates.
  • Implement ways to identify the risky behaviors, either by adding someone to manually review orders or implementing a fraud case management tool to assist in deciding which orders to cancel
  • Consider hiring an industry consultant or experienced fraud manager to select the right tools and processes for your business
  • Follow the steps that a fellow merchant recently offered , to select the right fraud provider for your business.
  • Create standard metrics to continually report losses—and more importantly, prevented losses—to leadership and cross-functional departments to help them understand and support your decisions.

Most importantly, be aware of the phases. Even though you may be at the “acceptance” phase now, the sudden appearance of a new fraud tactic could send you all the way back to square one. Network and communicate with other fraud teams—even your competitors. In this small industry, you will begin to recognize the “symptoms” of these phases in merchants attending industry events for the first time. Be patient with these people as they express denial and anger or begin to bargain or show signs of depression or inaction. Eventually, they will get to the acceptance phase and will join the rest of us in “checking our e-mail” and making productive decisions about attacking fraud in our businesses.