Have you noticed small, unexplained card payments to your firm?
Fraudsters can use ‘pay online’ pages on law firm websites to test stolen credit and debit card information. If you allow anyone to make a card payment to your firm through your website, you may inadvertently be enabling card fraud.
What is card testing fraud?
Card testing fraud, also known as card cracking or account testing, is a type of fraudulent activity in which criminals test stolen or generated credit or debit card information to see if it is valid. This information can be obtained through phishing attacks, data breaches, or other malicious means.
Once the criminals have a list of card numbers, they will attempt to make small, unauthorised transactions through the payment pages of company websites - such as those of a law firm.
These transactions are typically for low amounts, such as £1 or £2, and are often made at different times and locations. If a transaction is approved, the criminal knows that the card is valid and can then use it to make larger purchases or sell it to other criminals.
Consequences of card testing fraud
Card testing results in remote purchase (card not present) fraud. According to the latest figures from UK Finance over 2 million cases were recorded in the last year alone (July 2022 - June 2023) with losses totaling more than £370m.
Card testing fraud can have a number of negative consequences for both the company taking the card payment, as well as their customers:
- The company may lose money on fraudulent transactions that are approved.
- Companies may also be charged fees by their payment processors for fraudulent transactions.
- Customers will face the inconvenience of cancelling their existing cards, as well as potentially having to identify and claim back money lost through their bank.
- Customers may also have their credit scores damaged as a result of fraudulent activity - especially if they cannot pay other bills because their balance is lower than it should be due to fraudulent activity.
How law firms can prevent card testing fraud
There are a number of things that law firms can do to prevent card testing fraud taking place through the payment services on their website today:
- Set a minimum card payment amount to prevent criminals testing low amounts (e.g. £100 minimum).
- Implement website traffic checks to limit the number of times a given IP address can access payment pages in a given period of time.
- Require additional authentication factors before the website payment page can be accessed (e.g. make it password protected).
In order to better prevent card testing fraud in the long term, firms should consider using a secure payment gateway, such as Safe Capital. In addition to helping to prevent card testing and other payment fraud, Safe Capital helps firms ensure that card and bank payments are only coming from known clients.
About Safe Capital
Safe Capital makes it simple for law firms to request, receive or return client money swiftly, safely and securely.
Share & Receive Bank Details Securely- Obtain verified bank account details for each client at the outset of the matter
- Share your client account bank details securely with your clients only when needed
- Return client money promptly at the end of a matter using the bank details on file
- Complete register of your residual balances, with detailed history of the steps taken to return funds to your clients
- Variety of workflows for contacting clients, depending on the size of the balance and contact information available
- Auto generation of forms and letters, including SRA withdrawal authorisation requests and charity indemnities
- Swift and secure client payments with one consistent payment workflow for your clients
- Clients can pay by open banking, credit/debit card or manual bank transfer
- Keep client account details away from money launderers and protect clients from payment fraud
