Mitigate risk of payment fraud

When you start using HubSpot payments to process and collect digital payments from your customer, there are certain risks you may encounter. This could be payments made with stolen account information, insufficient funds to make payments, or theft. While HubSpot has numerous systems and processes in place to help mitigate these risks, you should also monitor for fraud to ensure a safe commerce process for your business. 

If you have more questions about using payments, review HubSpot's Payments Terms of Use. 

Payments made with stolen account information

There is a possibility that criminals could use stolen or fake credentials to purchase goods or services from you. Businesses that sell tangible goods to consumers that can easily be resold, like consumer electronics, tend to be targets for this type of fraud. Businesses that sell services to B2B customers tend to be less exposed but are not completely immune.

When the legitimate account holder notices a fraudulent transaction, they will report it to their bank. The charge is then reversed through a chargeback for card payments, or an ACH return for ACH payments. The proceeds that you received from the original transaction must then be transferred back to the legitimate account holder. HubSpot payments will handle this automatically through HubSpot's partner, Stripe. They will either withhold this amount from your future payouts or debit your bank account if those amounts are not sufficient. Learn more about chargebacks and ACH returns.

HubSpot payments is designed to reduce the risk of fraudulent transactions in a number of ways, including:

• Fraud scoring: HubSpot receives proprietary signals from Stripe to evaluate the probability that a card transaction is fraudulent. For your protection, HubSpot automatically blocks the transaction if these signals indicate a high fraud risk.
• Cardholder Verification Value (CVV) and Address Verification System (AVS): HubSpot payments require your buyer to enter the CVV and AVS information associated with their card account. Stripe checks this information with the card issuer, and if it does not match, HubSpot automatically blocks the transaction.

• Monitor your transaction activity by turning on payment notifications and/or reviewing your transaction history each day. Contact HubSpot Support immediately if you believe a transaction is suspicious.
• Before providing high-value goods to a first-time buyer, especially one you’ve never met or spoken to before, consider verifying their identity. For example, contact them over the phone or request a document that includes their address, such as a utility bill.
• Look for signs that suggest the buyer is not legitimate. For example, if you’re in a B2B industry, a buyer using a consumer email account, like a Gmail email address, may suggest an increased possibility of fraud.

Insufficient funds for ACH transactions

Transactions using credit and debit cards are known as guaranteed funds. This means the credit card network guarantees against the possibility of insufficient funds if the transaction is marked as approved. Since card payments are approved or declined within seconds of the transaction, you’ll know immediately if the funds are guaranteed.

However, it can take a few days to approve an ACH payment. During this waiting period, you won’t know whether there are sufficient funds in the buyer’s account to cover the purchase. This risk is similar to when you accept checks as payment.

If you are not confident that your buyer is creditworthy, consider waiting until the ACH transaction is marked as approved before you provide goods or services to the buyer. You can check the transaction status by navigating to the transaction dashboard in the payments tool. If it’s not possible to wait, consider requiring the buyer to pay with a card instead.

Theft of your transaction proceeds

If a criminal is able to access your payment account settings in HubSpot, they could change your bank account information and receive your payouts. The following actions can help protect against an unauthorized party accessing your payment account settings:

• Turn on payout notifications. The user in your organization who is responsible for payments should opt into payout notifications. Whenever you receive an email notification from HubSpot that a payout is on the way, check your bank account to confirm the payout was received. If you do not receive the payout, contact HubSpot Support immediately.
• Activate two-factor authentication (2FA). All users who have Super Admin permissions in HubSpot should turn on 2FA.
• Protect your HubSpot login credentials. Use strong passwords and never share an authorized user’s login credentials with another person.
• Minimize the number of users with super admin permissions. Only super admins can access the payment account settings, so limiting the number of super admins means fewer people in your company can access these settings.