CNP Fraud: Protecting Your Credit Card When Shopping Online

Estimated read time: 6 minutes

Crooks aren't looking to steal your credit card. They don't need to. The crooks have gone digital. If you do a lot of online shopping you need to know exactly what CNP fraud is and how to keep your information safe.

What is CNP Fraud?

CNP stands for card-not-present and is a type of credit card fraud committed when a physical credit card is not there during the transaction. CNP transactions make up 60-70% of all credit card fraud in developed countries.

This type of fraud happens online and over the phone. It's easier to get away with because the person perpetrating the fraud doesn't have to steal an actual card through a mugging or a robbery or a theft.

And because there is no merchant physically present at the time of the transaction to match the signature on the receipt to the signature on the back of the card or to ask for identification to make sure the name of the card matches the name on the ID (not that most places actually do that).

How CNP Fraud Occurs

There are a few ways CNP fraud is committed, but the most common way is via phishing scams that usually happen via email or telephone. Scammers send an email that looks like it's from an official entity like your bank, credit card company, or the IRS.

The email tells you the entity needs personal information like your name, address, bank or credit card account number, PIN, and CCV code (the three digit code on the back of debit and credit cards).

The phone call works the same way, the person on the other ends convinces you that they're from one of these official entities and needs this information. Now, this might sound ridiculous to us, how could anyone fall for that?! But sometimes the emails look and the caller sounds very convincing.

Employees of a business can steal this sensitive customer information, and sometimes a merchant has their database hacked.

Phishing is easy to avoid. There is no reason, ZERO, that any legitimate entity would request credit or debit card information via email or over the phone. If you don't want to take my word for it but you have a bad vibe, you can easily call up the entity the email is from and ask if a representative sent that email. In the case of a call, ask the person for a call back number, look up the number of whatever entity they claim to be calling from and see if they match. They won't.

The second, employee fraud, there isn't much you can do to avoid unless you have some innate ability to sniff out a credit card number thief. The third one though, a database hack at a merchant, we can take steps to mitigate that one.

Protecting Yourself

Almost 70% of Americans shop online, which means there are millions of credit and debit numbers floating around the ether for digital thieves to steal, so protecting your credit card when shopping online is essential.

Use a credit card. A credit card is much more secure than a debit card. I'll explain this in greater detail a bit later, but basically, if your credit card information is compromised, your credit card company has a problem. If your debit card gets hacked, you have a problem. Potentially a big one.

You know that when you use your debit card the money comes straight out of your checking account instantly. If a hacker has your debit card number, they are stealing your cash. That can mean you'll bounce checks and be late paying your bills, possibly even your rent or mortgage.

Even if you catch the fraud right away, the bank is going to shut down your account, and while the mess can be straightened out, it's not a certainty and can take time.

Check your accounts regularly, not just once a month when you get a statement in the mail or when you go online to pay the bill. We're going to see later in the article why noticing fraud right away is important. You can go online or call the number on the back of your card anytime to get a list of recent transactions.

Set up alerts. Most credit and debit cards allow you to set various alerts like when your bill is due, if there is a transaction over a certain dollar amount, and if there is a CNP transaction. These transaction and CNP alerts happen almost the second the transaction is made, so this is your best weapon in stopping CNP fraud fast.

Check your credit report a couple of times a year. It's all well and good to check the credit card statements for the cards you know you have but what if someone has taken out credit cards in your name through identity theft and sell those credit card numbers on the dark web? Unless you check your credit report, you won't know that these accounts have been opened in your name.

You can get a free copy of your credit report at the FTC site. This is an official government site and the only place to get a genuinely free credit report. Those other sites claiming to offer a free report will require a credit card because they're trying to sell you something like credit monitoring. Which you can do yourself for free by going to the FTC site!

The Fair Credit Reporting Act (FCRA) requires each of the three big credit reporting bureaus, Equifax, Experian, and TransUnion, to give you a free copy of your credit report every 12 months. Each report can have slightly different information, and 12 months is a long time. Because of that, the best strategy to protect yourself from CNP fraud (and plenty of other kinds of fraud) is to request a report from a different bureau every four months.

Don't be dumb. I don't know a nicer way to say it. This is the example that prompted me to write that. A woman got a Sephora gift card for a present and was so excited she posted a photo of it on one of her social media pages, complete with visible numbers. When she went to Sephora to use the gift card, there was no money left on it. Yep, you guessed it. One of her online "friends" saw the post, wrote down the card number, and used it. You have got to be careful about what you post on social media.

Look for the lock. When you shop online, only use sites that have a little padlock before the "http" in the address bar (it should say "https" as well). The padlock means traffic to and from the website is encrypted (no one else but that website can read credit card numbers and passwords entered there).

I shop online a lot, and I won't buy something from a merchant who doesn't use encryption to protect my personal information. You shouldn't either. Look for the lock!

The Good News

You will not be on the hook for most CNP fraud or any other kind of fraud on your credit card. The Fair Credit Billing Act (FCBA) is a federal law that protects consumers. If your credit card is stolen and you report it to the credit card company before any charges are made, you can't be held liable for any charges made after you report it.

You can be held liable for up to $50 if your card is used before you report the theft. This is why it's really critical to call in your card as stolen as soon as you notice. In the case of CNP fraud, you won't be held responsible for any fraudulent charges.

Remember earlier when I told you the best way to protect yourself from fraudulent transactions was to use a credit card rather than a debit card, especially when shopping online? Here's why.

The FCBA rules are different for debit cards. If you report the theft within two days, the most you can be liable for is $50. If two or more days pass, you could be liable for up to $500. And if you wait 60 days, you could be responsible for all of the fraudulent charges. Seriously. Use a credit card!

If you shop online enough, eventually you'll probably be a victim of CNP fraud. It's just too lucrative for the criminals. Not only is there money to be made by buying stuff with stolen cards, but there is money in selling stolen credit card numbers on the dark web.

Credit card companies and banks are always improving credit card security, and so are merchants since they get stuck with the fraud bill now. But as smart as the people working to fight this kind of crime are, the criminals are just a little smarter, and that little bit is enough to keep them one step ahead of the good guys.

Take the precautions we recommended, but don't sweat it too much. As long as you report your card stolen the second you notice it, most credit card companies won't even hold your feet to the fire for the $50 they legally could. Happy shopping!