Mitigate risk of payment fraud

When using HubSpot payments to process and collect digital payments, there are certain risks you may encounter. For example, payments made with stolen account information, insufficient funds to make payments, or theft.

While HubSpot has systems and processes in place to help mitigate these risks, you should also monitor for fraud to ensure safe commerce for your business. In this article, learn steps to help mitigate the risk of payment fraud. Learn more about HubSpot Payments Terms of Use.

If you use Stripe as a payment processing option, review Stripe's documentation on managing fraud.

Payments made with stolen account information

Criminals could use stolen or fake credentials to purchase goods or services from you. Businesses that sell tangible goods to consumers that can easily be resold, like consumer electronics, tend to be targets for this type of fraud. Businesses that sell services to B2B customers tend to be less exposed but aren't completely immune.

Fraudulent transactions reversal

When the legitimate account holder notices a fraudulent transaction, they will report it to their bank. The charge is then reversed through a chargeback for card payments, or an ACH, PADs, BACS, or SEPA return for payments via bank debit. The proceeds you received from the original transaction must then be transferred back to the legitimate account holder. HubSpot payments will handle this automatically through HubSpot's partner, Stripe, by either withholding the amount from your future payouts or debiting your bank account if necessary. Learn more about chargebacks and returns.

Reduce risk

HubSpot payments reduces the risk of fraudulent transactions using:

• Fraud scoring: HubSpot receives proprietary signals from Stripe to evaluate the probability that a card transaction is fraudulent. For your protection, HubSpot automatically blocks transactions if these signals indicate a high fraud risk.
• Cardholder Verification Value (CVV) and Address Verification System (AVS): HubSpot payments requires your buyer to enter CVV and AVS information. Stripe checks this information with the card issuer. If it doesn't match, HubSpot automatically blocks the transaction.

Learn more about Stripe's role with HubSpot payments.

Recommended steps to reduce risk

Despite these protections, no payment service provider can prevent all fraudulent transactions without also blocking legitimate transactions. Consider the following to help protect your business:

• Monitor your transaction activity by turning on payment notifications and reviewing your transaction history each day. Contact HubSpot Support if you believe a transaction is suspicious.
• Before providing high-value goods to a first-time buyer, especially one you’ve never met or spoken to before, consider verifying their identity. For example, contact them over the phone or request a document that includes their address, such as a utility bill.
• Look for signs that suggest the buyer isn't legitimate. For example, if you’re a B2B company, a buyer using a consumer email account like a Gmail email address, may suggest an increased possibility of fraud.

Insufficient funds for ACH, PADs, BACS, or SEPA transactions

Transactions using credit and debit cards are known as guaranteed funds. This means the credit card network guarantees against the possibility of insufficient funds if the transaction is marked as approved. Since card payments are approved or declined within seconds of the transaction, you’ll know immediately if the funds are guaranteed.

ACH, PADs, BACS, or SEPA payments can take a few days to approve. During this waiting period, you won’t know whether there are enough funds in the buyer’s account to cover the purchase. This risk is similar to accepting checks as payment.

If you aren't confident that your buyer is creditworthy, consider waiting until the transaction is marked as approved before you provide goods or services to the buyer. You can check the transaction status by navigating to the payments index page. If it’s not possible to wait, consider requiring the buyer to pay by card instead.

Theft of transaction proceeds

If an unauthorized party is able to access your payments account settings in HubSpot, they could change your bank account information and receive your payouts. Consider the following to help protect against unauthorized parties accessing your payments account settings:

• Turn on payout notifications: the person responsible for payments in your organization should set up payout notifications. Whenever you receive an email notification from HubSpot that a payout is being made, check your bank account to confirm the payout was received. If you don't receive the payout, contact HubSpot Support immediately.
• Activate two-factor authentication (2FA): all users who have Super Admin permissions should turn on 2FA.
• Protect your HubSpot login credentials: use strong passwords or passkeys. Never share an authorized user’s login credentials with another person.
• Minimize the number of users with Super Admin permissions: only Super Admins can access payments account settings. Limit the number of Super Admins in your account so access to payments account settings is limited to those who need it.

If you have any reason to believe your bank account information has been changed by an unauthorized party, contact HubSpot Support immediately.