The payments industry continues to make advancements in fraud prevention and protection, leaving fraudsters to find more creative ways to cheat the system. One of the fastest growing fraud schemes today is bust-out merchants, fraudulent merchants that rack up transactions, steal money, and then close down shop before being caught. By the time the acquiring bank receives a chargeback notification, the merchant is already gone, leaving the acquiring bank responsible for chargebacks and any additional fees they incur as a result.
One notable example of bust-out merchant fraud occurred in February 2013, when U.S. federal agents busted an 18-person fraud ring that allegedly committed $200 million in credit card fraud. This fraud scheme involved both bust-out merchants and bust-out cardholders, spanning 8 countries, and provided a testament to just how much of a negative impact bust-out fraud can make on the payment system.
What is a bust-out merchant scheme?
Bust-out merchant schemes can range in complexity, but the idea remains the same – generate a high volume of transactions within a short amount of time before the merchant disappears from the scene, stealing large sums of money in the process. Fraudsters will go to great lengths to execute a scheme, usually by creating a company that looks legitimate to an acquirer. Once the merchant is approved by an acquirer, they start processing transactions with fraudulent credit cards or stolen data. Here are a few different ways this is done:
- Using stolen card data to process transactions online
- Creating false identities to open up lines of credit, using those credit cards to run through transactions
- Partnering with consumers who agree to give their credit card information in turn for a profit, but will insist to their issuing bank that their card was used fraudulently
- Setting up online stores “selling” goods, only to accept consumers’ payments but never fulfilling the order
- Leasing a storefront for a short period of time, getting a terminal from an acquirer, running transactions and then disappearing
Who is liable for bust-out merchant fraud?
The first entity to detect any foul play is usually the card holder or the issuing bank that flags the purchase as fraudulent, initiating a chargeback. However, the life cycle of a chargeback before it reaches the merchant, who is responsible for the chargeback, can be upwards of 8 weeks – plenty of time for the merchant to have already shut down business and moved on to their next target. This leaves the acquiring bank responsible for the chargebacks and any additional fees that may ensue. The acquirer is left with the financial repercussions of the fraudulent merchant, while the merchant is setting up shop with another acquirer to repeat their scheme.
How can acquirers protect against bust-out merchant fraud?
Here are some steps acquirers can take to prevent boarding a fraudulent merchant or spot a bust-out merchant within their merchant portfolio:
1. Due Diligence
The first line of defense against bust-out merchant fraud is conducting thorough due diligence on all prospective merchants, especially checking for any previous fraud or compliance violations connected to directors or any other information supplied on the merchant application. For example, the G2 Merchant Map® allows G2 Web Services clients to check their prospective merchants against a broad database of merchant risk and fraud history, possibly alerting the acquirer of potential risk that merchant may pose.
2. Look for unusual transaction details and patterns
Are the transactions mostly occurring at 3 AM, even though the brick and mortar merchant has listed business hours from 8 AM – 5 PM? Do the declined transactions all have the same reason code? Are the items being sold not in line with the business plan? These are just a few signs that indicate you might be dealing with a bust-out merchant.
3. Recognize risky goods
Some goods more than others may pose a higher risk of bust-out merchant fraud for the acquirer, including ticketing reselling. These schemes commonly occur around times of major sporting events and popular music festivals. Fraudsters will set up sites that look like official retailers for tickets, and then collect payment from unsuspecting consumers, only to disappear and never deliver the purchased tickets.
4. Industry prevention tools
Using payment processors that require a CSV code, address verification or 3D Secure is an added line of defense, making it more difficult for fraudsters to successfully run card-not-present transactions.
5. Report fraud data to a centralized, mapped fraud database
By reporting merchant fraud to a secure, neutral, global repository, such as G2 FraudFile, acquirers can work together as a community to reduce fraud and benefit from sharing anonymized fraud data. Unlocking fraud data that is siloed in limited databases is key in stopping bust-out merchants from targeting multiple acquirers.
Industry action against bust-outs
G2 recently launched G2 FraudFile, which enables payment providers to quickly check the fraud history of prospective merchants and provides persistent fraud protection by notifying users any time new fraud is reported that has a connection to their merchants. All fraud data is secured in a global and neutral fraud database, allowing participants to post and access the latest information, and conduct fraud due diligence prior to boarding prospective merchants.
Follow the G2 Blog