Among the many types of hacks and frauds we warn about, or sadly have to post about (a report discussed by Reuters this week finds that “cyber security breaches erode companies’ share prices permanently”), one to be especially vigilant about is the “force sale” (sometimes called a “force capture” or “offline transaction.”)
Generally, these transactions let a merchant to bypass the authorization process by manually entering an authorization code. The transaction is then routed through clearing and settlement, eventually “force-posted” to the issuer.
Because the merchant manually enters an authorization code, these transactions, as you might guess, are particularly susceptible to exploitation by criminals. Sometimes previously used codes, or repeated use of a single code, show up in fraud cases. These all can expose merchants to excessive chargeback losses if unauthorized transactions enter the system.
Visa has recently released what they call “Characteristics of Force-Posted Fraud,” as well as ways to guard against them, which we’ll be discussing in this week’s blog post — and the next!
Among those traits to watch for:
- Criminals obtaining a merchant account using a fraudulent application or with the willing participation of a merchant
- Criminals deceiving existing merchants by presenting forged bank letters authorizing such transactions for large sales — which are essentially “laundered” through the merchant’s account, or using forged documents to “release funds” for suspended transactions.
- The attempt, via a small initial sale, to obtain a single valid authorization code for repeated use or simply manufacture fictitious codes.
- Criminals using offshore cards to process numerous transactions that exceed the merchant’s approved sales volume and average ticket amount.
- Such attacks may occur over weekends or holidays, when staff coverage is presumed to be minimal.
Any of these red flags, if ignored, could result in significant financial losses and the kind of “brand damage,” that Reuters was referring to.