
Payment Fraud Definitions

The payment fraud definitions used by EAST are shown below. They have been prepared by the EAST Payments Task Force (EPTF).

The aim is for these payment fraud definitions to be adopted globally when describing or reporting payment and transaction fraud.

These definitions are based on the Payment Fraud Terminology published by EAST. EAST also publishes Terminal Fraud and Crime Definitions and Terminology for the Location of Fraudulent Devices.

SOCIAL ENGINEERING: In the context of information security, social engineering refers to the psychological manipulation of people into performing actions or divulging confidential information. It is a type of confidence trick carried out for the purpose of information gathering, fraud, or system access.

Phishing: A technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business (a bank or credit card company) requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate.

Spear Phishing: Although similar to phishing, spear phishing fraudulently obtains private information by sending highly customised e-mails to a few end users. The main difference is that phishing campaigns send out high volumes of generalised e-mails in the expectation that only a few people will respond, whereas spear phishing e-mails require the attacker to perform additional research on their targets in order to "trick" end users into performing the requested activities.

Vishing: Also known as "voice phishing", vishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance, to gather more detailed intelligence on a target organisation.

Smishing: Also known as "SMS phishing", smishing is a form of criminal activity using social engineering techniques. It uses mobile phone text messages to deliver information and/or requests that induce people to divulge personal or confidential information, or to take action that will compromise it.

Shoulder Surfing: A technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder.

DATA COMPROMISE: A data compromise is an incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used for illicit means.

Data Breach: A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used from a PC or computer network by an entity unauthorised to do so.

CPP – Common Point of Purchase: CPP analysis identifies the likely merchant, POS or ATM location from which card numbers were stolen, so that banks can mitigate fraud on the other compromised cards.
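The CPP analysis described above can be illustrated with a small worked example. The code below is an added example, not EAST's own tooling; it assumes constructed transaction records (card tokens, merchant ids and dates) and a constructed list of cards that later reported fraud, and it ranks merchants by how many of those cards used them before their fraud date. The `coverage` and `purity` scores and the `min_coverage` threshold are assumptions chosen for the illustration.

```python
"""Common Point of Purchase (CPP) analysis over constructed transaction data.

Added illustration, not EAST's own tooling.  Given the cards that later
reported fraud, find the merchant they all used before the fraud began:
that is the likely point where the card data was compromised.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (card token, merchant id, transaction date).
# Tokens stand in for PANs; real CPP work runs on tokenised data too.
TRANSACTIONS = [
    ("card-A", "grocer-12", date(2024, 3, 1)),
    ("card-A", "fuel-7",    date(2024, 3, 2)),
    ("card-A", "cafe-3",    date(2024, 3, 4)),
    ("card-B", "fuel-7",    date(2024, 3, 2)),
    ("card-B", "books-9",   date(2024, 3, 3)),
    ("card-C", "fuel-7",    date(2024, 3, 5)),
    ("card-C", "grocer-12", date(2024, 3, 6)),
    ("card-D", "grocer-12", date(2024, 3, 1)),  # card-D never reported fraud
    ("card-D", "books-9",   date(2024, 3, 8)),
    ("card-E", "cafe-3",    date(2024, 3, 2)),  # card-E never reported fraud
    ("card-E", "fuel-7",    date(2024, 3, 9)),
]

# Constructed fraud reports: card token -> date of the first fraudulent use.
FRAUD_REPORTS = {
    "card-A": date(2024, 3, 10),
    "card-B": date(2024, 3, 11),
    "card-C": date(2024, 3, 12),
}


def cpp_candidates(transactions, fraud_reports, min_coverage=0.5):
    """Rank merchants by how many of the compromised cards used them
    before their fraud date.  Returns a list of dicts, best candidate first.

    coverage = share of all compromised cards seen at the merchant
    purity   = share of the merchant's cards that went on to report fraud
    Both matter: a supermarket everyone visits has high coverage but low
    purity, while the true compromise point scores high on both.
    """
    compromised = set(fraud_reports)
    victims_at = defaultdict(set)    # merchant -> compromised cards seen pre-fraud
    all_cards_at = defaultdict(set)  # merchant -> every card seen there
    for card, merchant, when in transactions:
        all_cards_at[merchant].add(card)
        # Only transactions before the fraud started can be the compromise.
        if card in compromised and when < fraud_reports[card]:
            victims_at[merchant].add(card)

    candidates = []
    for merchant, cards in victims_at.items():
        coverage = len(cards) / len(compromised)
        purity = len(cards) / len(all_cards_at[merchant])
        if coverage >= min_coverage:
            candidates.append({
                "merchant": merchant,
                "victims": len(cards),
                "coverage": round(coverage, 3),
                "purity": round(purity, 3),
            })
    candidates.sort(key=lambda c: (c["coverage"], c["purity"]), reverse=True)
    return candidates


if __name__ == "__main__":
    for c in cpp_candidates(TRANSACTIONS, FRAUD_REPORTS):
        print(c)
```

On the constructed data, `fuel-7` is the only merchant used by all three victim cards, so it ranks first; `grocer-12` is a weaker candidate because one of its cards never reported fraud. In practice the date filter matters as much as the counting: a merchant visited only after the fraud began cannot be the compromise point, however many victims it shares.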
Fake Website: A website that is not a legitimate venue; the site is designed to entice the visitor into revealing sensitive information, downloading some form of malware, or purchasing products that never arrive.

Fake App: Mobile apps that trick users into downloading them, often by posing as quirky and attractive apps that provide interesting services. Once installed on a mobile device, fake apps can perform a variety of malicious routines.

AUTHENTICATION FRAUD: The process of using a false, stolen or fake form of identification, based on a username and password, biometric elements or physical credentials.

Account Takeover Fraud: A form of identity theft in which the fraudster gains access to a victim's bank or credit card accounts (through a data breach, malware or phishing) and uses them to make unauthorised transactions.

First Party (Friendly) Fraud: Fraud committed against a financial institution by one of its own customers.

Identity Spoofing (or hacking): Identity spoofing refers to the action of assuming (i.e. taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principal, or use stolen or spoofed authentication credentials. Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look as though the message comes from them, without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity spoofing attacks need not be limited to transmitted messages: any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack in which the adversary attempts to change the apparent identity.

TECHNOLOGICAL FRAUD: Any type of scheme that uses one or more components of the internet to distribute software, exploit systems, publish fraudulent solicitations, conduct fraudulent transactions, or transmit proceeds obtained through fraud.

Malware: Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.

Man-in-the-Middle Attack: In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack in which the attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other.

Denial of Service Attack: In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the internet.

BIN Attack: Credit cards are produced in BIN ranges. Where an issuer does not generate card numbers randomly within a range, an attacker who obtains one good card number can generate other valid card numbers in the same range.
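From the acquirer's or merchant's side, a BIN attack shows up in the authorisation stream as many distinct card numbers from one BIN range being tried at a single merchant in a short time, mostly declined, often with account numbers that step by one. The code below is an added example of that detection logic, not EAST's own tooling; the authorisation attempts are constructed (the PANs are synthetic placeholders, not real or Luhn-valid card numbers) and the window size, distinct-PAN count and decline-rate thresholds are assumptions to be tuned to real traffic.

```python
"""Detect card-number enumeration (a BIN attack) in an authorisation stream.

Added illustration, not EAST's own tooling.  What a defender sees is many
distinct PANs from one BIN range hitting a single merchant in a short window,
mostly declined, often with account numbers that step by one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the merchant's normal traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_PANS = 8
MIN_DECLINE_RATE = 0.7

T0 = datetime(2024, 5, 1, 12, 0, 0)

# Constructed authorisation attempts: (timestamp, merchant, PAN, approved).
# PANs are synthetic placeholders, not real or Luhn-valid card numbers.
ATTEMPTS = (
    # Enumeration: ten consecutive PANs at shop-1 in three minutes, one approved.
    [(T0 + timedelta(seconds=20 * i), "shop-1", str(4000001234567890 + i), i == 6)
     for i in range(10)]
    # Normal traffic at shop-2: unrelated cards, spread out, all approved.
    + [(T0 + timedelta(minutes=30 * i), "shop-2", pan, True)
       for i, pan in enumerate(["5100001111222233", "5100009999888877", "4000007777666655"])]
    # Lunch rush at shop-3: eight cards from the same BIN, all approved.
    + [(T0 + timedelta(seconds=45 * i), "shop-3", str(4000005000000000 + 97 * i), True)
       for i in range(8)]
)


def mask(pan):
    """Keep BIN and last four for reporting; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sequential_share(pans):
    """Fraction of adjacent (sorted) PANs that differ by exactly one."""
    nums = sorted(int(p) for p in pans)
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


def find_bin_attacks(attempts, window=WINDOW, min_pans=MIN_DISTINCT_PANS,
                     min_decline=MIN_DECLINE_RATE):
    """Slide a time window over each (merchant, BIN) stream and report the
    densest window that meets both the distinct-PAN and decline thresholds."""
    streams = defaultdict(list)
    for ts, merchant, pan, approved in attempts:
        streams[(merchant, pan[:6])].append((ts, pan, approved))

    alerts = []
    for (merchant, bin6), rows in streams.items():
        rows.sort()
        best, start = None, 0
        for end in range(len(rows)):
            # Drop rows that fall outside the window ending at rows[end].
            while rows[end][0] - rows[start][0] > window:
                start += 1
            window_rows = rows[start:end + 1]
            pans = {pan for _, pan, _ in window_rows}
            if len(pans) < min_pans:
                continue
            decline_rate = sum(1 for _, _, ok in window_rows if not ok) / len(window_rows)
            if decline_rate < min_decline:
                continue
            if best is None or len(pans) > best["distinct_pans"]:
                best = {
                    "merchant": merchant,
                    "bin": bin6,
                    "distinct_pans": len(pans),
                    "decline_rate": round(decline_rate, 3),
                    "sequential_share": round(sequential_share(pans), 3),
                    "first_seen": window_rows[0][0],
                    "sample": sorted(mask(p) for p in pans)[:3],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bin_attacks(ATTEMPTS):
        print(alert)
```

The decline-rate condition is what separates the enumeration at `shop-1` from the legitimate burst at `shop-3`: a busy till also sees many cards from one BIN in a few minutes, but they are approved. The `sequential_share` figure is reported rather than required, since an issuer that randomises account numbers will not show the stepping pattern even while under attack. Alerts carry masked PANs only, which keeps the detection output itself out of PCI scope.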
Transaction Manipulation: A deliberate attempt to interfere with the legitimate payment message exchange between the designated entities, creating artificial, false or misleading fields within the message for the purpose of deceiving the authorisation and/or validation of the transaction.

PAYMENT FRAUD: A type of fraud that takes place when fraudulent transactions are performed under a payment system.

CNP – Card Not Present: A card not present transaction (CNP, MO/TO, Mail Order / Telephone Order, MOTOEC) is a payment card transaction made where the cardholder does not or cannot physically present the card for the merchant's visual examination at the time the order is given and payment effected.

CP – Card Present: A card present transaction occurs when a cardholder physically presents a card to request and authorise a financial transaction.

Merchant Fraud: Fraud that occurs when a merchant account is used without the intention of operating a legitimate business transaction.

Virtual Currency Fraud: Fraud that involves virtual currency, or virtual money: a type of unregulated digital money, issued and usually controlled by its developers and used and accepted among the members of a specific virtual community.