Preventing consumer fraud with carrier billing

Here we would like to give an overview of how Fortumo prevents fraud with carrier billing and what additional steps merchants can take to avoid it. In general, fraud with carrier billing is significantly lower than with credit cards for two primary reasons:

  1. Paying with carrier billing is safe for consumers: confirming an online payment requires physical access to the device (SIM card) to which the payment is being charged. This makes card-not-present fraud extremely complicated with carrier billing, and such fraud rates are much lower than with credit cards.

  2. Friendly fraud (chargeback fraud) is not widespread with carrier billing because carrier billing is primarily used for the sale of virtual and digital goods, which can be withdrawn from consumers. Users who request refunds can also be blocked from making future payments, making chargeback fraud an unpopular approach with carrier billing.

We recommend that all merchants take specific steps to prevent fraudulent payments being conducted through carrier billing. By bringing fraud to a minimum, merchants can ensure that they receive the payments from mobile operators. Without a focus on prevention, consumers who have conducted fraud or whose payment details have been used for fraud dispute the payments or refuse to pay the phone bill. This means the carriers do not receive the revenue and, as a result, neither will the merchants.

Below we have listed 6 practical steps merchants can take to mitigate and prevent carrier billing fraud on their services.

1 Limit users to making payments from a single phone number to a single account

How is this related to fraud?

Most users have only one mobile phone and SIM card and create a single account with every digital service provider with whom they want to make payments. A notable exception here is emerging markets where users often own several SIM cards in order to use the cheapest offerings available for individual telco services from each carrier. It does not make sense for a person to be subscribed to a music streaming service from 8 different accounts. Conversely, using 8 different phone numbers to buy services within a single account does not make sense either. The logic of allowing users to pay from a limited number of payment accounts is also a standard practice for card-based billing. In cases that deviate from the logic, it is most likely that fraud is being committed and either fraudulently acquired accounts or SIM cards are used to make payments.

How does Fortumo prevent such fraud?

Each mobile phone number (MSISDN) has a unique identifier attached to it on Fortumo’s platform. We pass this information along to merchants during each transaction, which makes it possible to link individual phone numbers to user accounts in your system.

What can you do to prevent fraud?

Configure your payment services so that during each transaction, information about the user (their MSISDN and their account with you) is compared to their past payment behavior. If the MSISDN has been used with another account or an account is using several MSISDNs for a payment, refuse the payment. All Fortumo products support such logic by default; for example, in our Cross-Platform Payment product, the MSISDN, CUID and operation_reference parameters can be combined to track unique customers and accounts.

2 Set up your own internal spending limits for carrier billing

How is this related to fraud?

Users in different countries have significantly different income, which also reflects in their spending on digital content. For example, while the average user in the UK spends roughly $9 per month through carrier billing, in India that number is only around $3. In case of fraudulent payments, fraudsters usually try to run the bill as high as possible, which can eventually result in thousands in lost revenue. While spending limits do not rule out fraudulent activity, they mitigate the damage done.

How does Fortumo prevent such fraud?

Fortumo enforces spending limits on a per-country basis, but our goal as a payment aggregator is not to limit end-user behavior, as our merchants have different revenue per user. While a subscription service has a flat revenue per user each month, gaming services have no limit on how much users can spend. These limits have been worked out based on average user spending behavior in the market, but also account for legitimate “heavy user” purchasing behavior. We also have an automated fraud detection solution in place which reveals abnormal behavior; this solution is used by our dedicated risk management team, which blocks abnormal users from making future transactions.

What can you do to prevent fraud?

In addition to Fortumo-enforced spending limits on carrier billing, merchants should set up additional spend limits for consumers based on the nature of the service and the location of the consumer. It is important to note that these limits should be enforced across all payment methods, as no individual payment service provider is able to see how much the consumer is spending in total for the digital service. Only the merchant has full information about their users, based on which final spending limits can be implemented.

3 Implement a blacklisting/whitelisting tool and block users who have requested refunds

How is this related to fraud?

As mentioned in the introduction, in case of credit cards chargeback fraud is one of the most common cases of fraud that merchants selling services online have to deal with. Consumers who realize they can purchase items and later request money back for them are inclined to attempt such payments again in the future. The industry standard approach to preventing such issues recurring is to automatically block users who have asked for a chargeback or refund.

How does Fortumo prevent such fraud?

When a consumer requests a refund through Fortumo or one of our carrier partners, our standard policy is to block the user from making future payments through our platform. However, should the consumer contact merchants directly for the refund, information about the refund is not automatically visible to Fortumo. This means merchants should notify us of any consumers for whom a refund has been issued so we can block them on our platform as well. For merchants using several carrier billing providers, information should be shared with all the providers, since otherwise the user (or account) might attempt to make a transaction simply through another provider.

What can you do to prevent fraud?

Set up your internal processes so that user accounts and MSISDNs for which refunds have been requested are blocked from making future transactions. We recommend blocking such user accounts from using any payment methods, as chargebacks or refunds attempted via other payment methods are highly likely to happen in the future. Highlight your refund policy clearly in your Terms of Service so that users understand what occurs when they change their mind about a payment.
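The merchant-side checks from steps 1 to 3 can be combined into one gate that runs before each carrier billing charge. The following is an added example, not Fortumo's code: the class, the reason strings and the cap values are constructed for illustration, and msisdn_id stands for the per-MSISDN identifier passed with each transaction.

```python
from datetime import timedelta

# Constructed 30-day caps in USD per country; tune these to your own service.
CAP_USD = {"GB": 50.0, "IN": 15.0}
DEFAULT_CAP_USD = 20.0
WINDOW = timedelta(days=30)


class PaymentGate:
    """Merchant-side checks run before a carrier billing charge (hypothetical)."""

    def __init__(self):
        self.account_of = {}           # MSISDN identifier -> account
        self.msisdn_of = {}            # account -> MSISDN identifier
        self.blocked_accounts = set()  # accounts with a refund on record
        self.blocked_msisdns = set()   # MSISDN identifiers with a refund on record
        self.spend = {}                # account -> [(time, usd)], all payment methods

    def check(self, account, msisdn_id, country, usd, now):
        """Return (allowed, reason) for a proposed charge; changes no state."""
        if account in self.blocked_accounts or msisdn_id in self.blocked_msisdns:
            return False, "refund_block"
        if self.account_of.get(msisdn_id, account) != account:
            return False, "msisdn_used_by_other_account"
        if self.msisdn_of.get(account, msisdn_id) != msisdn_id:
            return False, "account_uses_other_msisdn"
        recent = sum(a for t, a in self.spend.get(account, []) if now - t < WINDOW)
        if recent + usd > CAP_USD.get(country, DEFAULT_CAP_USD):
            return False, "spend_limit"
        return True, "ok"

    def record_payment(self, account, usd, now, msisdn_id=None):
        """Record a confirmed payment made with any method.

        Pass msisdn_id for carrier billing so the 1:1 binding is stored.
        """
        self.spend.setdefault(account, []).append((now, usd))
        if msisdn_id is not None:
            self.account_of.setdefault(msisdn_id, account)
            self.msisdn_of.setdefault(account, msisdn_id)

    def record_refund(self, account, msisdn_id=None):
        """Block the account, and its MSISDN identifier if known."""
        self.blocked_accounts.add(account)
        if msisdn_id is not None:
            self.blocked_msisdns.add(msisdn_id)
```

Card and other non-carrier payments are recorded with record_payment as well, so the spend limit counts the total across payment methods.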

4 Validate user background before accepting their payments

How is this related to fraud?

While payment conversion should be a key priority for all digital content merchants, this should not come at the cost of security. Even though it is possible (regardless of the payment method) to also process payments from users who do not have an account with you, this significantly raises the risk level. Without a user account, merchants cannot build a history of the user's purchasing behavior. When users without accounts (or those who just recently signed up) rapidly start making payments that are outside of the normal behavior patterns, the likelihood of fraud taking place is high.

How does Fortumo prevent such fraud?

Fortumo mitigates such activities through country-based spending limits and blacklisting users whose behavior is suspicious.

What can you do to prevent fraud?

Require users to create an account and identify themselves before they are able to make payments for any premium content. Based on data about your users, you should be able to know how much time it takes for an average paying user to make their first payment (e.g. how much time they spend playing the game, how long they have stayed on your site or how many songs they have listened to).

5 Educate your customers about social engineering and phishing

How is this related to fraud?

With credit cards, phishing is one of the most common methods of stealing a legitimate user’s information and then using their payment data to make fraudulent transactions. In the case of carrier billing, such attempts are much more complicated: the user would have to send a specific text message to a specific number provided by the fraudster, or provide the fraudster directly with a PIN code they have already received on their device. Educating your customers about how phishing is conducted helps keep their mobile accounts safe.

How does Fortumo prevent such fraud?

Payment notifications sent to users from Fortumo (PIN code information, subscription renewal notification etc.) always include information on the service purchased, its cost, the merchant involved as well as a support contact for any issues. This information is localized for all markets which means users can easily understand what they are being charged for.

What can you do to prevent fraud?

Add a page or section to your service that describes how users can protect their payment methods. This should include specific details about each payment method that you support: for credit cards, ask them not to share their credit card data with anyone else; for carrier billing, describe to them the exact content of payment verification messages and what numbers they are coming from.

6 Make sure to integrate carrier billing correctly

How is this related to fraud?

One of the easiest ways to commit fraud with carrier billing is to find a loophole or incorrect configuration in the way merchants have set up their carrier billing services. For example, if you transfer items to users before you have received a payment confirmation from Fortumo, fraudulent users might notice this and start making payments on a prepaid SIM card with no account balance.

How does Fortumo prevent such fraud?

Fortumo has made available to merchants guidelines on correct integration of our products through Fortumo’s Merchants Portal. Our integration managers help merchants properly integrate our products before the launch of services.

What can you do to prevent fraud?

Consult with Fortumo’s integration managers and have them review your technical setup before launching your carrier billing services.
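The integration mistake described in this step, handing over items before the payment is confirmed, is avoided by keeping each order pending until a confirmation arrives. The following is an added example, not Fortumo's code or notification format: apart from operation_reference, the field names and status values are assumptions, and the notification is assumed to have been authenticated already.

```python
class OrderBook:
    """Releases goods only on a confirmed payment (hypothetical helper)."""

    def __init__(self):
        self.orders = {}  # operation_reference -> order record

    def create(self, operation_reference, account, item, amount, currency):
        """Register a pending order; amount is in integer minor units."""
        self.orders[operation_reference] = {
            "account": account, "item": item, "amount": amount,
            "currency": currency, "state": "pending",
        }

    def on_notification(self, note, deliver):
        """Apply a payment notification and return the order state or a
        rejection reason. deliver(account, item) runs at most once per order."""
        order = self.orders.get(note.get("operation_reference"))
        if order is None:
            return "unknown_order"
        if order["state"] == "delivered":
            return "delivered"  # replayed notification, nothing more to hand over
        status = note.get("status")
        if status != "completed":  # assumed status value for a confirmed charge
            order["state"] = "failed" if status == "failed" else "pending"
            return order["state"]
        paid = (note.get("amount"), note.get("currency"))
        if paid != (order["amount"], order["currency"]):
            return "amount_mismatch"  # confirmation does not match what was sold
        deliver(order["account"], order["item"])
        order["state"] = "delivered"
        return "delivered"
```

A charge attempted on a prepaid SIM with no balance never produces a confirmed notification, so the order stays pending or failed and nothing is delivered.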
