Nick D’Ugo, Director of Risk, ISOs & ISVs at Paysafe.
The New York Times reported in 1898 that “one of the oldest and most attractive and probably most successful swindles known to the police authorities has again come to the surface… It is known as the ‘Spanish Prisoner’ game, and it has been in operation for more than thirty years.”
The paper was referring to a confidence trick in which an individual is duped into giving up money to secure the release of a wealthy prisoner, in return for a reward. Today we would call this imposter or third-party fraud, and over 120 years later it continues to dupe consumers across the globe. At last count, it contributed significantly (£145m) to the £500m lost by UK banking customers in 2018.
Historic fraud, new approach
When it comes to third-party fraud, criminals have traditionally followed a similar modus operandi; they impersonate someone, gain their confidence, create a problem or make a promise of riches, and then ask for money. However, with the rapid growth of eCommerce, a new avenue has emerged for confidence tricksters, namely third-party payments.
In this version of the scam the imposter approaches a business portraying themselves as a prospective new customer with the desire to spend lots of money. Contact with the business is usually established via email, sometimes telephone, but rarely in person. The fraudster will enquire about the goods or services on offer, place a large order, and provide a credit card number.
Then, just before they agree to the sale, they will ask for a favour. Often this favour involves helping them pay a third party, which for some extreme reason they cannot do themselves. Under this pretext they will ask the business to charge their credit card a little extra to cover those third-party fees, and then transfer that amount to the third party via wire or bank transfer. Some generous fraudsters even throw in a tip to the business owner to thank them for their help, while other ‘thoughtful’ con men go above and beyond to reassure businesses that question their motives, telling them not to initiate any transfer to the third party until the credit card sale has cleared and posted in their bank account.
Realising you’ve been duped
So, nothing can go wrong, right? In the short term that is what the business believes; they may even feel great about the large sale. That is, until a few weeks later, when chargebacks start posting to their merchant account and they realise they have been deceived. Unfortunately, by that time the fraudster has usually disappeared along with the money sent to the ‘third party’.
There are a few reasons that businesses may fall for such a scam. Some may be motivated by the large financial incentives that are dangled in front of them; some feel the pressure to go above and beyond for their clients; and others simply do not see the risk that they are exposing themselves to by making this type of transaction.
Working out it’s a fraudster
All merchants must be on the lookout for this type of scam as it does not discriminate when it comes to potential targets, but one business sector that should remain particularly vigilant is the gym and sports platforms industry.
In this scenario, the imposter contacts the gym and attempts to pay for membership or classes totalling a much larger than usual value before introducing the third-party transfer as a condition of the sale.
Under no circumstances should these requests be granted or a credit card payment taken. Platforms should contact their local authority immediately if they have any suspicions that they are being targeted by this type of scam.
Reducing your exposure
To limit your exposure to fraud such as that described above, and to maintain best practice, there are several steps you should take. These include:
1) Businesses that accept credit cards must understand that they are liable for chargebacks and that processing charges outside of those that have been approved are against Card Scheme rules.
2) Unless the proper Payment Card Industry (PCI) controls are in place, businesses should not accept credit card numbers by email, as this further exposes organisations to potential fraud and additional compliance requirements.
3) Businesses must maintain vigilance at all times. There are certain red flags that should be looked out for, including:
- The consumer using multiple credit cards
- Decline error codes for lost/stolen or pick up
- The consumer only communicates by email and uses poor grammar or spelling
- Any request to send money to a third party
Additionally, businesses should work with their payment service provider (PSP) to run basic checks such as Address Verification Service (AVS), or Card Verification Data (CVD). In addition to these procedures, some businesses have dedicated risk teams that can also implement customised risk rules, or work with businesses to provide guidance if they are faced with a situation that just seems too good to be true.
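The red flags and PSP checks above can be expressed as a simple customised risk rule. The following is an added example, not code from Paysafe or the article; the field names, decline labels, keyword list and the 3x order-size threshold are all assumptions to adapt to your own order data.

```python
import re
from dataclasses import dataclass, field

# Normalised decline reasons (assumed labels; map your PSP's response codes to these).
HARD_DECLINES = {"lost", "stolen", "pick_up"}
# Wording that signals a pay-on-behalf request (constructed list; extend as needed).
TRANSFER_RE = re.compile(r"\b(wire|bank transfer|third[- ]party)\b", re.I)
LARGE_ORDER_FACTOR = 3  # assumed threshold: 3x the business's usual order value

@dataclass
class Order:
    order_total: float        # price of the goods or services quoted
    requested_charge: float   # amount the customer asks to have charged
    typical_order: float      # usual order value for this business
    channels: set             # contact channels used, e.g. {"email"}
    messages: list            # customer message bodies
    # Each attempt: (card_last4, decline_reason or None, avs_ok, cvd_ok)
    attempts: list = field(default_factory=list)

def red_flags(o: Order) -> set:
    flags = set()
    if any(TRANSFER_RE.search(m) for m in o.messages):
        flags.add("third_party_transfer")
    if o.requested_charge > o.order_total:
        flags.add("charge_exceeds_order")
    if o.order_total > LARGE_ORDER_FACTOR * o.typical_order:
        flags.add("unusually_large_order")
    if len({a[0] for a in o.attempts}) > 1:
        flags.add("multiple_cards")
    if any(a[1] in HARD_DECLINES for a in o.attempts):
        flags.add("lost_stolen_pickup_decline")
    if any(not (a[2] and a[3]) for a in o.attempts):
        flags.add("avs_or_cvd_mismatch")
    if o.channels == {"email"}:
        flags.add("email_only_contact")
    return flags

def decide(o: Order) -> str:
    flags = red_flags(o)
    # A transfer request or an over-charge is refused outright, whatever else looks fine.
    if flags & {"third_party_transfer", "charge_exceeds_order"}:
        return "reject"
    return "review" if len(flags) >= 2 else "accept"

# Constructed sample: gym membership enquiry with a pay-the-third-party request.
SCAM = Order(2400.0, 3900.0, 60.0, {"email"},
             ["Pls charge extra 1500 and send by bank transfer to my trainer agent"],
             [("1111", "stolen", False, True), ("2222", None, True, True)])
ROUTINE = Order(55.0, 55.0, 60.0, {"in_person"}, ["Monthly membership please"],
                [("3333", None, True, True)])
```

Orders that come back as "review" are the ones to raise with the PSP's risk team before any card is charged.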