The Day I Learned the Hard Way About Payment Fraud

And, honestly, one of the biggest payment failures of my life.

It was just another day, back in the era before PSD. Not PSD2, but the original PSD (Payment Services Directive).

I got to the office and started reviewing forms from potential merchants we were going to onboard to our payment gateway.

I wasn’t directly responsible for customer onboarding, but I always liked to have a high-level overview of who we’d be processing payments for.

Nothing seemed out of the ordinary. There were some e-commerce businesses, SaaS companies, the usual mix. Just another day.

One of the applications was from a small hosting business. Seemed normal enough - we had processed transactions for a few similar companies before.

I didn’t give it much thought.

A small hosting startup claiming they wanted to take on the world with services already available in abundance.

The application went to our onboarding team, got reviewed, and eventually landed on my desk for a signature.

I signed it.

The merchant received their credentials and started setting things up.

Two, maybe three days later, they were live.

The first day was standard... a few hundred euros processed. Nothing unusual, probably friends and family.

The next day, a couple thousand euros.

The day after that, about 50,000 euros.

I was thrilled - it looked like we were supporting a rapidly growing business.

No red flags went off.

The next day... over 100k EUR.

Wow! This company was scaling fast.

Then came the first chargeback. It happens, no big deal.

Then another.

And another.

And another.

Fifty chargebacks.

We disconnected them. Way too late.

Over 100 more chargebacks followed.

We froze their funds. But some of the money had already been transferred.

We started digging deeper. And with every passing hour, it became clear how many mistakes we’d made and how recklessly we'd handled the situation.

We didn't thoroughly vet the real beneficiaries or the board members. Later, we discovered the company was registered under the name of a 60+ year-old man who, when we finally reached him, had no idea the company even existed.

The customer support number provided never worked. Nobody ever answered.

The website looked fine at first glance, but once you created an account, there was no way to order any hosting service.

The site was in Polish, targeting Polish customers, but the prices were in euros, and the people "buying" services were from all over the world.

The company was brand new, yet it grew at a ridiculously fast pace overnight.

Instead of investigating, we were just happy that the client was doing so well.

Between successful transactions, there were tons of failed payment attempts.

What actually happened?

Neither we nor the police could ever fully figure it out.

If I had to guess, I'd say someone set up the company under an unsuspecting person's name, then used a bunch of stolen cards to funnel money through fake hosting services and transfer it to themselves.

This whole ordeal cost us tens of thousands of euros.

Our processing partner lost about the same.

Plus, there were sleepless nights, massive stress, and serious financial trouble (we were still a young company, just starting to grow).

What did I learn from all this?

Online payments are no joke.

Compliance teams need to be solid, and systems for analyzing and monitoring merchants need to be top-notch. Both before and after they go live.

You can't fully protect yourself from bad actors.

But you have to minimize the risk.

And you have to get better at it every single day.
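
The warning signs in this story (overnight growth, many failed payment attempts between successful ones, buyers from outside the site's market) are things a gateway can check every day after a merchant goes live. A sketch of such a check, added here as an illustration and not code from the author or their gateway; the thresholds, field names and sample figures are assumptions, constructed to resemble the story's first four days:

```python
from dataclasses import dataclass
# Thresholds are illustrative assumptions, not figures from the article.
MAX_DAILY_GROWTH = 5.0        # day-over-day volume multiplier for a new merchant
MAX_DECLINE_RATIO = 0.40      # declined / all payment attempts
MAX_CHARGEBACK_RATIO = 0.01   # chargebacks / approved payments
MAX_FOREIGN_SHARE = 0.50      # approved payments from outside the declared market

@dataclass
class DayStats:               # one day of gateway totals for one merchant
    volume_eur: float
    approved: int
    declined: int
    chargebacks: int
    foreign_approved: int     # approved payments from outside the site's market

def flags_for_day(today, previous=None):
    flags = []
    if previous is not None and previous.volume_eur > 0:
        if today.volume_eur / previous.volume_eur > MAX_DAILY_GROWTH:
            flags.append("volume_spike")
    attempts = today.approved + today.declined
    if attempts and today.declined / attempts > MAX_DECLINE_RATIO:
        flags.append("high_decline_ratio")   # pattern seen when stolen cards are tried
    if today.approved:
        if today.chargebacks / today.approved > MAX_CHARGEBACK_RATIO:
            flags.append("chargeback_ratio")
        if today.foreign_approved / today.approved > MAX_FOREIGN_SHARE:
            flags.append("buyer_geo_mismatch")
    return flags

def review_new_merchant(days, hold_at=2):
    report, previous = [], None
    for n, day in enumerate(days, start=1):
        flags = flags_for_day(day, previous)
        report.append((n, flags, len(flags) >= hold_at))  # (day, flags, hold payouts?)
        previous = day
    return report

# Constructed sample: volumes follow the story, the counts are invented.
SAMPLE = [
    DayStats(300, 6, 1, 0, 0),
    DayStats(2_000, 35, 12, 0, 10),
    DayStats(50_000, 600, 900, 0, 520),
    DayStats(100_000, 1_100, 2_300, 0, 1_000),
]

if __name__ == "__main__":
    for row in review_new_merchant(SAMPLE):
        print(row)
```

On this sample the payout hold triggers on day 3 while the chargeback rule is still silent, because chargebacks only arrive after the money has moved.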
