LinkedIn, it turns out, can be used for a lot more than networking. And Facebook isn’t just a platform to connect with old acquaintances. Retailers are using both social networks to help determine if online purchases are legitimate, says Daniel Serres, information technology director at backpack e-retailer Backpacks.com.
The approach has helped Backpacks.com, which launched in August 2016 and generates between $3 million and $5 million in annual sales, avoid encountering a single chargeback, Serres says. Chargebacks occur when a retailer refunds fraudulent transactions charged to consumers’ credit cards.
Fraud is just a fact of life in retail. We’ve had to mitigate it from the beginning
Serres attributes the retailer’s perfect fraud prevention score in part to putting solutions in place to stop fraud starting from day one. “Fraud is just a fact of life in retail,” he says. “We’ve had to mitigate it from the beginning.” As a startup with around 15 employees, Backpacks.com didn’t have the time to manage fraud internally so it outsourced that work to fraud prevention technology provider NoFraud. The system flags about 0.5% of orders for further review, which NoFraud staff investigates as part of its service, a time-saving benefit for the retailer, Serres says.
In those manual reviews, NoFraud staff frequently turns to social networks like LinkedIn and Facebook to investigate orders, Serres says. For example, if the shipping address a consumer enters doesn’t match the one on file with his credit card, a NoFraud employee might check LinkedIn to see where the individual works. If the package is being shipped to an office address that LinkedIn shows is the consumer’s employer, NoFraud might send the order through, Serres says. Similarly, NoFraud might turn to Facebook to see if the person ordering is, for example, the spouse of the person tied to a payment card used for a purchase.
With an average order value of $100, fraudulent purchases that lead to chargebacks could easily add up for Backpacks.com. What’s more, chargebacks not only involve the merchant’s direct loss, they also come with interchange fees that merchants pay to credit card issuers. Those fees can rise for merchants with frequent chargebacks as payment card companies deem such businesses more of a risk and may increase their interchange fees.
It’s increasingly important to alleviate those risks because fraud costs are rising as e-commerce sales grow, says Tom Byrnes, chief marketing officer of fraud and payment provider Vesta Corp. And online sales are growing quickly. Internet Retailer estimates U.S. online sales grew 15.7% in the third quarter. Meanwhile, merchants lost $462,355 on average to unauthorized transactions from June 2016 to June 2017, a 33% year-over-year increase. Merchants also lost an average of $322,602 to friendly fraud, which is when criminals aren’t using stolen information but commit the fraud in another way, for example, by falsely claiming that their package was never delivered. The data is from a new study from research consulting firm Javelin Strategy and Research LLC and Vesta Corp., which surveyed 497 e-commerce merchants that generated at least $1 million in annual sales within the past 12 months.
In addition to rising e-commerce sales, other factors are spurring the growth in online fraud including the growth of buy online, pick up in store and the shift to chip cards that follow EMV standards in the United States. Chip cards and the EMV (short for EuroPay, MasterCard, Visa) standard are designed to make it more difficult for criminals to commit fraud in stores.
As online fraud losses grow, it’s increasingly important for retailers to take steps to mitigate fraud and stay one step ahead of criminals. It’s a constant balancing act of reducing false positives—rejecting good orders by falsely identifying them as fraudulent—and letting too many bad orders slip through the cracks.
Online retailers are taking steps—and spending more—to stop fraud. Retailers are spending 8.0% of their annual revenue to prevent and manage fraud, up from 6.0% on average this year according to the Javelin/Vesta study. Nearly 74% of those costs stem from the employees, software and technology retailers are investing in to manage fraud prevention. That spending is on the rise. In dollars, the study finds that, on average, merchants—whose average annual revenue was $136.1 million—spent $12.3 million on fraud management in the past 12 months, up from $10.5 million in the year-ago period.
To stop fraud retailers must keep a careful eye on the ever-evolving ways criminals try to exploit them and adjust. For example, Serres says one common way he’s seen criminals try to game the system is to enter a shipping address that matched the address on file with the payment card company and then call the shipping carrier to have the order rerouted to a different address where the criminal could retrieve it. Backpacks.com has told its carriers to prohibit consumers from changing the original shipping address.
Meanwhile, Micro Electronics Inc., parent company of multichannel electronics retailer Micro Center, found criminals targeting Micro Center in the past often opted to have online purchases shipped to a store, says Skip Myers, the retailer’s director of loss prevention and risk strategy.
Buy online, pick up in store services are particularly vulnerable to fraud because they don’t require a residential delivery address. That means criminals can fraudulently pay for an online order and then pick it up in person. That’s increasingly a concern as more merchants offer the service. In 2016, 47.7% of Top 1000 retailers that operate stores offered buy online, pick up in store, up from 42.1% a year earlier, according to data on Internet Retailer’s Top500Guide.com.
Micro Center used to offer buy online with a guarantee that a store would have the order available for pick up in 18 minutes, but discontinued the offering as it found the feature attracted too many criminals. For example, Myers says one woman came to the same Micro Center location each Tuesday for multiple weeks to pick up orders she had placed online. After store authorities noticed that she was using IDs with different names each time, they alerted authorities. Micro Center soon discovered she was working with a South African criminal she had met on Craigslist and was getting paid to purchase the goods ordered online with stolen information and then ship the products to South Africa. Micro Center has since stopped offering buy online, pick up in store, but offers consumers the option to reserve products online that they can then purchase in its stores.
The shift to chip cards that follow EMV standards in the United States is also fueling online fraud, experts say. Chip cards and the EMV standard for debit and credit card payments in stores uses cards with microprocessor chips rather than the decades-old magnetic stripe technology, making it more difficult for criminals to commit fraud in stores.
“When the card-present space is better protected using EMV cards, online channels often represent a path of least resistance,” says Steffen Sorrell, principal analyst at Juniper Research. A card-present transaction means the purchaser is buying in person and has the card in her possession. Card-not-present defines online purchases or other cases where it’s unclear if the buyer has the payment card or just a number and the necessary data to make a purchase.
However, many criminals know that if a chip card isn’t read correctly by the store payment terminals, the register typically defaults to using the magnetic stripe reader so many criminals make cards with fake chips and bet on the terminal prompting them to use the magnetic stripe as a backup, Myers says.
Despite such savvy schemes by criminals, only about 24% of merchants that participated in the Javelin/Vesta survey outsource some or all of their fraud protection efforts to experts.
Serres is firmly in the outsourcing camp. He deems NoFraud’s fee of “pennies per transaction” as worth it. NoFraud’s fees depend on if the retailer sells physical or digital goods, its monthly payment card processing volume and its average order value. For example, a merchant of physical goods with $750,000 in monthly credit card processing volume and a $75 average ticket would pay $1,944.59 a month to NoFraud, according to the vendor’s site.
Serres says it only took about an hour to implement NoFraud’s service. NoFraud acts as a middleman between a merchant’s payment gateway and a retail site. To set up NoFraud, Backpacks.com swapped the URL of its payment gateway, which is Authorize.net, with NoFraud’s URL. When a consumer checks out, the transaction is routed to NoFraud, which does its fraud checks, typically in less than one second, and then reroutes to Authorize.net if the order is deemed legitimate, Serres says.
Micro Center also outsources fraud prevention. The retailer began working with vendor Kount to mitigate fraud in 2012 after it found it increasingly difficult to manage fraud prevention internally, Myers says. Before using Kount, the retailer had four employees who were tasked with manually reviewing suspicious orders. Those reviews took about eight minutes, on average. “Prior to Kount we did manual review of risky orders internally, but that system wasn’t sustainable with our sales growth,” he says.
Kount helped Micro Center decrease its card-not-present chargeback rate by about 90% to about 0.21% from more than 1.0%, Myers says.
One way that Kount helped Micro Center lower fraud was by unmasking hidden IP addresses. Criminals from other countries often hide their true IP address by using what is called a proxy address that shows up as domestic, Myers says. Now Micro Center automatically declines any order from a device using an IP proxy address, he says.
The criminal might change his email address, move to a different location and be using new stolen credit card data but still be ordering from the same iPad or iPhone, and now we can detect that.
Kount also uses device fingerprinting to detect devices coming to MicroCenter.com that have previously been used for purchases that turned out to be fraudulent. A device fingerprint is a unique, long alphanumeric code specific to each device. “The criminal might change his email address, move to a different location and be using new stolen credit card data but still be ordering from the same iPad or iPhone, and now we can detect that,” Myers says. Kount helps Micro Center keep up with changing fraud patterns. For instance, Kount uses up to 10 data points to help Micro Center avoid rejecting valid orders, he says.
Kount assigned Micro Center a technical advisor that help it set parameters about what was acceptable for each order, in part based on past behavior of known fraudulent orders that had been tied to chargebacks at the retailer, Myers says. Before using Kount, between 0.5% and 0.8%
of Micro Centers online orders needed to be reviewed manually. Now Kount takes care of any additional checks, which has allowed the retailer to reallocate the staff who used to conduct those investigations to call centers.
Both Serres and Myers are intrigued by new offerings that may lessen fraud at their companies. Myers, for example, says he’s keeping a close eye on how new biometric capabilities such as Apple Inc’s facial recognition feature FaceID for the new iPhone X and Facebook’s DeepFace, a facial recognition system, can help make online payments more secure.
However, research suggests many consumers are not yet comfortable using that technology. For instance, only 32% trust facial recognition for securing payments, according to Juniper Research.
Serres, meanwhile, is considering offering Amazon Pay, which allows shoppers to check out on other merchant websites using the payment information stored in their Amazon account. Amazon Pay may be more secure because it offers the same fraud protections as purchases on Amazon.com.
Still, even the largest online players can’t completely eradicate fraud. When Serres began looking more closely at adding Amazon Pay he uncovered the $20 fee levied to merchants who encounter chargebacks as a result of criminals using the payment option for online purchases. “That shows even a company the size of Amazon can’t fully stop it.” And so, the battle continues.
[email protected] @katieevansir
FEATURED FRAUD PROTECTION PROVIDERS
Vesta Corporation (www.trustvesta.com)
Vesta Corporation is the only global provider of integrated fraud and payment solutions for enterprise partners in the e-commerce, telecom, media and financial industries. The company’s guaranteed ecommerce payment solutions and innovative, patented fraud technology are proven to increase conversion and acceptance while eliminating fraudulent transactions and merchant liability.