Protecting Your Merchant Account from Fraud
  • 02 Feb 2023
  • 4 Minutes to read

Protecting Your Merchant Account from Fraud

You should be protecting your merchant account login information and business details the same way you protect your online banking information and various online accounts.

Knowing the types of fraud you may encounter and what these fraudulent attempts often look like can help you identify fraudsters before they are able to gain access to your personal information. There has been an increase in fraudulent activity, including account takeover fraud (where fraudsters try to steal your login information so they can ‘take over' your account) as fraudsters take advantage of anxiety and stress surrounding the pandemic and individuals' concern for their health.

Types of Fraud - Phising, Vishing and Smishing

You have most likely encountered phishing attempts in the form of fraudulent emails posing as a reputable company or individual hoping to get access to your login information. These attempts are usually sent via email in an attempt to get your usernames, passwords, or credit card details.

Example: A fraudster pretending to be your financial institution emails you saying you need to change your password or update your account information. The email would provide a link to a website that might appear to be similar to your financial institution in the hopes that you do not notice it's fraud and enter your online banking login details.

Vishing attempts have the same goal as phishing emails, but are done over the phone.

Example: A fraudster poses as the CRA or IRS and calls you to say there is something wrong with your tax return and you need to remedy the issue immediately. Often they mention calling the police or jail time to scare you into overlooking any red flags about the call.

Attempts to gain access to your personal information using text or SMS messages are considered smishing campaigns.

Example: A fraudster sends you a text message posing as the local health authority alerting you that you've been exposed to COVID-19 and asking you to enter your personal information for contact tracing purposes.

The difference between these three types of fraud is the method used to contact you, however they all have the same goal which is to get access to your personal information for monetary gain.

Best Practices to Protect Your Information

Knowing what to look for and putting best practices in place are good preventative measures you should take to protect your information.

Educate your team - Share resources and updates with your team so they understand the types of fraud they could encounter and what to look for. Be suspicious of unknown senders, unexpected attachments and hyperlinks - Don't click on hyperlinks or open attachments found in emails or text messages from people you do not know, or from whom you aren't expecting an attachment. Hyperlinks can be disguised to look like a legitimate web address or email address when they in fact point somewhere else - hover your cursor over the hyperlink to see its true destination.

Check the sender's email - Fraudsters often closely replicate known senders emails so they are close but not quite accurate, checking for spelling or grammar mistakes along with altered logos and images can indicate an email is illegitimate. For emails from businesses, if the email domain (the portion of the email after the @ symbol) does not match the domain of the official website for the company, be weary.

Contact companies directly - If you receive a questionable email or text from a financial institution or business, search their official website for contact information, or in the case of your financial service provider - use the number on the back of your credit or debit card to call them instead of using contact information provided in the original communication.

Use available tools to help protect yourself - When accepting online payments, using layed validation tools including Card Verification Value 2 (CVV2) and Address Verification Service (AVS) to verify transactions. Use EMV capable devices (chip and PIN) to accept in person transactions, and be suspicious if an in-person customer asks you to key-in their card info for a transaction. As a Helcim merchant, CVV information is mandatory for online payments to help protect your business, you also have access to Helcim Defender to help further protect your business.

Protect sensitive information - Don't print out or write down sensitive information, such as credit card numbers, and ensure receipts don't include sensitive customer information.

Monitor your account - Keep an eye on incoming transactions and account activity, especially if you accept ecommerce transactions to spot card testing if it happens.

Use two-factor identification and unique passwords - Setup two-factor authentication where available and don't reuse the same password and email for multiple sites. Fraudsters know people use the same login name and simple password for most of their online services, if they manage to phish it from you - the next thing they will do is try it everywhere you might have a login. Along with two-factor authentication, we recommend using a password manager like Keepass to store unique and complex passwords that are hard to break. If a fraudster manages to get one of your passwords, they won't be able to use it for your other online services, and the 2 factor authentication means they still shouldn't be able to access your account.

Watch for suspicious behavior - Beware of customers or individuals trying to manipulate, deceive or persuade you to let your guard down and relax your security procedures or best practices. If you run or manage a business, a fraudster who has stolen information from a customer of yours might try to use that information to access their account, or commit other types of fraud. Be on the lookout for anyone trying to bypass your usual security procedure or get you to do something unusual, especially if they are using a sad story to make you feel sorry for them (eg. I'm in the hospital with COVID and don't have my computer, information, etc. with me). Remember that security best practices help to protect your business and your customers, so following them is in everyone's best interest.

Was this article helpful?

What's Next