Digital goods top the list, but e-retailers selling internationally and enabling in-store pickup are also at risk.

Omnichannel retailing has ushered in a plethora of ways for consumers to purchase and receive goods. Between e-commerce, m-commerce, click and collect in-store and international orders, the various modes of getting product to the customer have unfortunately also led to new channels whereby merchants can be scammed.

It’s easy for retailers to lose sight of the many ways fraud can be committed, given the close attention they have had to pay to fine-tuning the omnichannel experience.  But loss rates are high. For every $1,000 of merchandise that “walks out the door,” 27 percent of it occurs through click-and-collect.  On card-related scams, charge back rates can run 50 to 60 basis points.  Merchants can definitely plug many of these holes, so this is a topic worth following.

LexisNexis Risk Solutions annually undertakes a study called “The True Cost of Fraud,” in which we assess, among other things, which types of merchants are the most at risk of fraud, and catalog how the fraud takes place. We looked at eight different categories of retailers: large, medium-sized, multichannel, large e-commerce, international, m-commerce, digital goods, and merchants with no physical presence—i.e., e-commerce pure plays. Here is a rundown of the top three most vulnerable categories of retailers, and some of the ways scams play out.

Most Vulnerable Merchant Category

Retailers selling digital goods are at the top of our list. The category ‘digital goods’ can take many forms, but for our purposes, we’re referring to anything that changes hands by instant delivery. The challenge around instant delivery is that it significantly reduces the time window for fraud checks. If these merchants were selling a physical good, they might otherwise have time between when the order was placed and when it was shipped.  There might be secondary fraud checks, even manual reviews, to determine if the recipient was a legitimate entity to whom to deliver that product. But in the case of digital goods, there’s a consumer expectation of receiving that good immediately.


Probably the most vulnerable type of product within this class is digital gift cards. From the standpoint of a merchant who’s selling a digital good—whether it’s in the form of media such as music, songs, movies; in the form of software, such as apps or anything that can be downloaded; or tickets to events—these are things that have instant delivery, which is why they are such a challenge. Digital gift cards are even more problematic, because if someone uses stolen credentials to make a credit card purchase of digital gift cards, they are actually illegally buying money.

When you buy gift cards, which some companies refer to as “branded cash,” they are easy to liquidate—you can either resell them or use them. There’s a significant secondary market for digital gift cards—a number of websites exist with the sole purpose of fencing them. For the e-commerce retailer, if someone buys a gift card using a stolen credit card number, they are not only out that money, as they are often liable for it, and when that gift card is redeemed for merchandise, they get hit again—so they lose both the money and the goods.

International Merchants Are Second in Line of Fraud Vulnerability

While we’ve primarily been following U.S. domiciled e-commerce businesses that sell overseas, ‘international e-commerce’ encompasses everything that could be classified as cross-border.  The main reason that this category gets second and not first ranking is that fraud only hits a portion of the business, whereas with digital goods, the entire business structure is at risk.


In international retailing, the challenges are different—the biggest being identity validation, verification and authentication. It’s hard enough knowing who your customers are when they walk into your store, but when it comes to shipping goods across borders (or receiving them), the basic questions become exponentially more difficult to answer. Is the purchaser who they say they are, and where they say they are? Is that a valid address? Is there risk associated with that address? Whenever retailers have to ship product, they have to check both billing and shipping addresses.

When you go overseas, the availability of that data becomes very spotty. It can become a challenge to authenticate or validate an address in some overseas markets. It’s not always easy to get an answer to the seemingly simple question: Is this a real address? Tying a person to an address adds an additional layer of difficulty.

Then there’s the challenge of accessing that information when it is available, as there are different privacy and access laws (as well as time zones) around the world. Adding to the complexity of international authentication and verification is the variation in payment forms. In some emerging markets, invoicing and C.O.D. are still in widespread use—so retail security is further compromised by the risks associated with different methods of payment that are used and accepted.

Third Most Vulnerable: Omnichannel Merchants


The category we’re describing here is where the order and pickup channels are different—for example, the customer can buy a product online and pick it up in store, also known as click-and-collect. In this category, the fraud loophole is pretty straightforward, but an astonishing amount of it happens anyway. For a retailer with, let’s say $1,000 worth of product stolen a week, more than a quarter of it is being brazenly picked up by individuals claiming to have legitimately purchased it online.

For these merchants, the first line of defense is a consistent best practice: choose a protocol that you’re comfortable with, and stick to it. Anyone who’s ever exercised the click-and-collect option more than once at the same store will tell you that the pickup experience is almost always different any two times in a row, in terms of what they ask for. So, first things first for the retailer—consistency and following a protocol are crucial to any fraud defense strategy.

As part of this protocol, after the retailer has completed the identity verification, look at the credit card itself: Is the owner of that card who they say they are? It would take a fraudster an extra step to manufacture a counterfeit card with the correct number on it. There are several ways to look at identity verification at purchase time. Is there any risk associated with this person? Did they get all the identity information correct? Are they buying it from a place that makes sense—in other words, is the IP address for the purchase within a reasonable distance from the store where they’re going to pick it up within eight hours? Should the retailer ask them to produce a photo ID? Look at the picture on that; do you want to validate the photo ID?

The deeper the layers of protection the retailer explores, the less vulnerable they become. The alternative for retailers is receiving chargebacks for fraudulently acquired goods, or, as we noted above in the case of digital gift cards, actually getting hit twice. Not pretty.  While typical chargeback rates are between 50 and 60 basis points, the actual hit to the merchant’s bottom line adds up to 132 basis points. We estimate that, with watchfulness and taking a risk-based approach to limiting fraud, merchants can get back 30-80 basis points, which then gets multiplied due to ancillary costs associated with it. When you look at what’s recoverable, it becomes clear that it’s well worth stopping up the gaps. 


LexisNexis Risk Solutions provides risk management and fraud prevention services.