By Ralph Dangelmaier
Global ecommerce is plagued by bands of armchair shoplifters who swindle merchants with the click of a button. The latest data from cybersecurity firm ThreatMetrix shows that ecommerce fraud is getting worse. In Q2 2015, the company identified 36 million fraud attempts against ecommerce sites, worth $1 to $3 billion in potential losses. This was a disturbing 20 percent increase over Q1.
Although most ecommerce businesses use some fraud prevention strategies, they’re insufficient. In 2014, large ecommerce companies lost 0.85 percent of their revenue to fraud, according to LexisNexis. Online merchants paid a staggering $2.62 per dollar of online fraud and $3.34 per dollar of mobile fraud. The research firm Aite Group predicts that in the U.S. alone, Card Not Present (CNP) fraud losses will swell from $3.1 billion this year to $6.4 billion in 2018.
There’s a perception that if you can’t afford expensive cybersecurity technology and sophisticated fraud prevention systems, you’re screwed. That’s a myth. Software helps, but good security is really the product of concrete and repeatable processes that any business can implement. If you owned a physical store, you’d make a habit of locking the doors at night and securing new inventory with RF tags. If you run an ecommerce store, you can use the following seven habits to minimize fraud.
- Question big orders. If your average order value is $100 and a shopper drops $5,000, it’s probably too good to be true. You’re looking at chargeback fees and lost merchandise unless this buyer is a wholesaler. Don’t be a sucker for big sales.
- Verify suspicious orders. If an order is odd, look for inconsistencies. Do the shopper’s address and phone number match what you find on WhitePages.com or Spokeo.com? Can you find the email address on Google or even Facebook? If not, call the shopper to ask if he or she can confirm the billing address associated with the credit card. Then, ask for the names of the nearest cross streets (have Google Maps open and listen for a delayed response or typing).
- Run the “duck test.” If it looks like a shopper, buys like a shopper, and self-identifies like a shopper, then it probably is a shopper. However, when a buyer does something that is out of habit, that’s your cue to investigate. If Acme Corp. orders $7,000 worth of electronics from a residential address, something is screwy. If David Lee enters the email address LauraJL@blah.com, investigate. Most shoppers don’t try to use seven different credit cards before getting an order through. Most shoppers don’t use a billing address in Arizona and a shipping address in Germany. These behaviors are akin to shopping at the grocery store with a black ski mask on.
- Blacklist the bad eggs. Keep a blacklist of fraudulent credit cards, email addresses and shipping addresses so you decline them in the future. Remember, multiple swindlers might lay hands on the same stolen identities after a major security breach. Be careful not to put good customers on your blacklist.
- Create fraud rules. Any business can create rules for fraud prevention. While software does simplify this, it can be done manually, too. Rules are designed to flag suspicious orders without interfering with genuine purchases. If, for instance, 98 percent of your orders are less than $600, require a manual review of orders over $600. Track the percentages of legitimate and illegitimate transactions that trigger a rule to see if it works.
- Study and respond to fraud patterns. Monitor declined transactions so you know how fraudsters attack your site. For instance, you might notice that a disproportionate number of fraudulent orders occur between 2 and 4 am when regular clientele are sleeping. You could choose to flag all orders between 2 and 4 am. Eventually, repeat offenders will crack your rules, so continue to search for patterns and change up your defense.
- Determine which products fraudsters purchase. Fraudsters usually buy products that they can resell. They also target lower cost items and spread them across multiple credit cards because repeat offenders know that fraud prevention systems flag expensive purchases. If you sell outdoors gear, criminals won’t try to buy ten $500 tents – it’s too obvious. Instead, they may focus on pocket knives, sport watches, and other items that are easy to sell.
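The rules from the list above (the $600 review threshold, the 2 to 4 am window, the billing/shipping mismatch, repeated card attempts and the blacklist) written as a small Python rule set, with the per-rule tally of legitimate and fraudulent hits that the "Create fraud rules" habit says to track. This is an added example, not code from the article; the order fields, the three-card threshold and the sample orders are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed blacklist entry; a real list would also hold cards and addresses.
BLACKLISTED_EMAILS = {"burned@example.com"}

# Each rule is a name plus a predicate over one order (field names are assumed).
RULES = {
    "over_600": lambda o: o["total"] > 600,
    # Hour is taken in the store's local time: 02:00 through 03:59.
    "hour_2_to_4": lambda o: 2 <= o["placed"].hour < 4,
    "country_mismatch": lambda o: o["bill_country"] != o["ship_country"],
    "many_cards": lambda o: o["cards_tried"] >= 3,  # assumed threshold
    "blacklisted": lambda o: o["email"] in BLACKLISTED_EMAILS,
}

def flags(order):
    """Names of every rule the order triggers; an empty list means no review."""
    return [name for name, rule in RULES.items() if rule(order)]

def rule_stats(history):
    """Per rule: total hits and how many were fraudulent vs. legitimate."""
    stats = {name: {"hits": 0, "fraud": 0, "legit": 0} for name in RULES}
    for order in history:
        for name in flags(order):
            stats[name]["hits"] += 1
            stats[name]["fraud" if order["fraud"] else "legit"] += 1
    return stats

def make_order(total, hour, bill, ship, cards, email, fraud):
    return {"total": total, "placed": datetime(2015, 8, 1, hour, 30),
            "bill_country": bill, "ship_country": ship,
            "cards_tried": cards, "email": email, "fraud": fraud}

# Constructed, labelled history (fraud=True: the order ended in a chargeback).
HISTORY = [
    make_order(95, 14, "US", "US", 1, "a@example.com", False),
    make_order(5000, 3, "US", "DE", 7, "b@example.com", True),
    make_order(720, 11, "US", "US", 1, "c@example.com", False),
    make_order(60, 2, "US", "US", 4, "burned@example.com", True),
    make_order(130, 3, "US", "US", 1, "d@example.com", False),
    make_order(45, 20, "US", "CA", 1, "e@example.com", False),
]

if __name__ == "__main__":
    for name, s in rule_stats(HISTORY).items():
        print(f"{name:17} hits={s['hits']} fraud={s['fraud']} legit={s['legit']}")
```

A rule whose hits are mostly legitimate is costing review time and annoying good customers; a rule with no hits at all may be one fraudsters have already learned to avoid.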
Expect the Worst
If you want to fight fraud, trust your instincts about suspicious behavior. It may seem inconvenient to research customers; you might worry that they will be annoyed. Don’t be self-conscious about this – you’re looking out for the best interest of shoppers and your business. 36 million attacks per quarter calls for vigilance.
Ralph Dangelmaier is the CEO of BlueSnap. Follow him on Twitter @Rdangelmaier.