Thieves like to play e-retailers for fools. Some play a shell game, selling products they don't own and leaving e-retailers holding the bag after a con slips through undetected. Others hide behind stolen credit cards to make themselves look like legitimate buyers, and the retailer only catches on when a chargeback arrives. Thieves' tactics are many, but retailers' defenses are growing too.
55% of merchants say emphasizing and improving automated fraud detection capabilities is a top priority, according to a recent survey of 325 U.S. and Canadian merchants conducted by fraud management vendor CyberSource. A similar amount, 56%, say they already use an automated security tool to screen orders for fraud, but they are looking to add further tools that'll help them keep the 1% of total revenue they lose annually to fraud in their own bank accounts. 57% of merchants say they plan to add at least one more fraud detection tool in the next year.
Online retailers are arming themselves with a variety of tools to automate fraud screening, cut the time and money spent on manual reviews and the amount of money they lose to fraud. Anti-fraud tools help retailers evaluate transactions and let them set the rules for what they will let pass. Although not perfect, retailers using these systems are increasingly able to keep thieves at bay.
One retailer, who asked for anonymity for fear of provoking more attacks, fell victim to a scheme that cost her business close to $500 a day in chargebacks from credit card companies taking back the funds they paid her after customers said they did not make the purchases. The owner, referred to as Ilene and her business Stuffspot for the purposes of this article, tried to quell the activity by manually reviewing 30% of her orders. That was a burden in time, money and effort for the 22-employee retailer that brings in more than $14 million in sales annually.
"It was effective at stopping fraud," Ilene says. "But the issue was that it was also stopping good customers as well." That's because her staff couldn't always reach them by phone or e-mail to verify orders.
But since implementing in June an automated system from vendor Kount Inc. that screens for payment fraud, Stuffspot has been able to limit its fraud exposure, Ilene says. The retailer still manually reviews 8% of its orders, but both the number of manual reviews and the time to process them have declined by at least one-third, she says, and that continues to lessen as she refines the system's rules for identifying fraud.
In another example, e-retailer DiscountWatchStore.com used to spend roughly an hour and a half each day checking for fraud manually, says founder Zai Zhu. But implementing a tool called FraudWatch from e-commerce platform provider 3dcart Shopping Carts a few months ago cut that time by 40-50%. He says he chose the tool because his store operates on the 3dcart e-commerce platform and the cost was lower than that of competing systems. It costs him less than $100 per month. He declined to say how much DiscountWatchStore.com has saved by using the service, but says it has helped save him enough "to pay for the service many times over" because he gets fewer chargebacks. The tool assigns a risk score to transactions based on a dozen criteria, such as IP address, mailing address and bank verification, and posts that score within the order management system where Zhu can see it. He can then decide to let an order through, cancel it or investigate it further.
FraudWatch costs $9.99 per month for up to 500 fraud checks, $29.99 for up to 2,500 and $49.99 for up to 5,000, 3dcart says.
ThreatMetrix, another automated fraud detection technology provider that assigns a fraud score based on a variety of cues, lets merchants set rules that can immediately pass, block or hold transactions from going through. Merchants can also elect to automatically blacklist anyone from buying from their sites if they've been tied to previous fraudulent activity detected from across ThreatMetrix's network. ThreatMetrix monitors close to 114 million transactions a week, says Alisdair Faulkner, chief product officer.
Digital games, software and gift card retailer PC Game Supply blacklisted the 300 people for whom it received chargebacks during the first week of September, says owner Chris Letendre, bringing the list to more than 100,000 in two years since beginning with ThreatMetrix. The retailer reviews all credit card chargebacks on a weekly basis and uses the information to create new, stricter rules for the platform, he says. So far he's added 200 rules, including one that automatically blocks customers who try to pay over a virtual private network, or VPN. VPNs can make an IP address look like it is coming from another location, a common practice among criminals overseas who want to make orders look as if they come from U.S. buyers.
Stuffspot received four chargebacks between June and October using Kount's system, Ilene says, and all were prior to Stuffspot adding extra layers of defense. A LexisNexis integration available through Kount for an additional fee verifies consumer addresses and identities at checkout by instantly checking billions of public records and non-credit databases. If questions still remain about an order, Ilene says she then uses a tertiary tool called Targusinfo that verifies information, as LexisNexis does, but from different sources.
Those extra verifications save Stuffspot roughly $400 per month, Ilene says, because they snag criminals who repeatedly spam Stuffspot's checkout with random names, orders and fake address information in attempts to figure out which stolen card data will make it through. The credit card processor used to charge Stuffspot a fee for each attempt even though it declined the cards. Now that spam gets caught before it gets to the processor.