A Guest Post by Fraud Expert Alexander Hall
Summer is here. What does this mean for merchants?
The data from our friends over at NoFraud paints a clear picture: during summertime, fraudsters kick into gear, rerouting, intercepting, or hijacking packages of products relevant to summer activities. This concept is nothing new, as the needs of fraudsters are the same as ours. Fraudsters are constantly evolving their tactics to target hot items, and this changes with the emergence of new trends, seasons, releases, and technology upgrades.
This seasonal shift in what fraudsters target affects merchants in many industries, as the seasonal products range from pool equipment to clothing and apparel, to BBQ accessories, and more.
Below I have outlined four methods employed by fraudsters and what merchants can do to reduce their exposure and mitigate losses.
During my time spent on the other side of the fence, I observed four primary methods used by bad actors to obtain goods illegally.
The first method is the most familiar. Legitimate customers place orders using legitimate payment methods, but the items are stolen after delivery. Criminals will go as far as to follow the routes of delivery trucks and brazenly pull up to houses and steal the package. Criminals operating in this way are known as porch pirates. The porch pirates have no idea of the contents of the package but are willing to risk jail time to find out. The increase in purchasing of summer-related items contributes to the uptick in losses identified by NoFraud.
The theft of legitimate packages isn’t so much fraud as it is blatant theft. However, the result is the same for the merchant. Chargebacks for these events are received and coded as “unfulfilled” or “item not received.”
The remaining methods are actual fraud. Each of these methods employs different tactics and therefore produces different flags for the merchant to identify. But all of these methods involve the following steps:
Obtain payment information.
There are two primary ways for a fraudster to obtain payment information. They can obtain stolen information or establish new payment information and leverage that data. For this article, we will stick to stolen payment information, which is the most common.
When a fraudster establishes new cards or accounts, they have likely put in the effort to manipulate the necessary information so that they don’t need to redirect successful transactions. When effective fraudsters establish new lines of credit, they tend to use additional techniques in order to associate new addresses with the identity that they are targeting. This results in matching billing and shipping information that the fraudster dictates.
Fraudsters obtain stolen payment information in many ways, the most prominent channel being Dark Web exchanges. Fraudsters will search various Dark Web forums and purchase stolen information. The information obtained on the Dark Web can include card numbers, account holder names, CVVs, billing addresses, and more. Alongside the payment information are step-by-step instructions for how to complete orders. The information in the instructions may include information that can increase the chances of circumventing fraud filters.
Place the order.
By following the instructions found on the dark web and plugging in the stolen payment information, the fraudster places the order. Fraudsters will often filter through billing addresses on the Dark Web forums to purchase card information local to their operation. This is where the first and least reliable method comes into play.
Shipping Items to a Non-Billing Address
In this method, the fraudster follows the instructions found online. They enter accurate and complete payment information but use a different shipping address. The instructions found online indicate that the shipping address can be within a threshold of “X km” from the billing address before an escalation is triggered. Then, the fraudster places the order, taking advantage of merchants that employ rules-based fraud prevention, and the order is shipped.
Adjusting Shipping Information After Checkout, Before Shipment
The third method involves social engineering against the merchant’s customer service team. When placing the order, the fraudster plugs in the correct payment information as well as the shipping address to match the billing. If this satisfies merchants’ fraud prevention guidelines, the order is usually confirmed. Then, expecting the fulfillment to take a few days, the fraudster calls customer service or submits an urgent ticket, requesting that the shipping address be adjusted.
This tactic can effectively bypass the fraud prevention analysis employed during checkout and takes advantage of a company’s desire to satisfy the needs and requests of its customers. The shipping address is changed, the order is processed, the shipping label (with the new, unrelated address) is printed, and the package is shipped.
Adjusting Shipping Information with the Courier Service
The fourth and final method takes place after the package has been shipped and leverages social engineering against the courier service. As with the third method, the fraudster inputs all of the correct and matching billing and shipping information during checkout. Once the tracking information has been received, the fraudster contacts the courier service and uses any number of justified reasons to ask them to hold the package at the post office. For instance, they may say that an emergency came up and their cousin will pick up the package. After providing the postal worker with the information for the “Pickup Person,” the conversation ends.
The Systems of Manipulation
Before we talk about the steps you can take to prevent fraud, let’s pull back from the granular view of the methods and identify how the fraudster is manipulating existing systems to achieve their goals.
For the first and simplest method, the criminal drives around and watches for unattended packages. The “system” that is being manipulated is on the level of the general public, people who don’t collect their packages immediately upon delivery.
In the second method, the fraudsters take advantage of e-commerce systems that haven’t yet employed even the most basic fraud prevention measures. Not all orders with mismatching billing and shipping information will be fraudulent. However, if left unchecked, this can wreak havoc, resulting in enormous losses for the merchant.
Alternatively, in the third method, the fraudsters identify that an effective fraud prevention system is in place. Instead, they attack the merchant based on its customer satisfaction policies. The needle on the gauge indicating merchant security and customer satisfaction is stuck at 90 degrees, allowing fraudsters to assume the guise of legitimate customers to adjust orders.
Using the fourth method, which is the most reliable method, the fraudsters understand that the merchant is well-equipped and knowledgeable regarding the processes in their system. The checkout form has additional verifications in place behind the scenes, and the customer service team cannot be duped into making changes during the fulfillment process.
Because the merchant’s systems are robust, the fraudster engages with the next system down the line and associates a new identity with the order for pickup. The value of assigning a supposed brother-in-law, sister-in-law, or cousin is that the name can be anything. Historically speaking, the postal service does not employ investigational services to challenge this information.
This is an escalation process employed by effective fraudsters. By moving the exploit further and further down the line and finally moving the exploit out of the merchant’s hands entirely, effective fraudsters can maintain a high success rate. This is but one example of many forms of fraud that are becoming more and more evident with each shift or passing cycle.
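As an added example (not code from the author or from NoFraud), the following Python applies the same billing/shipping mismatch rule at each stage described above: checkout, a post-checkout address change, and a courier hold-for-pickup request. The event schema, the 25 km threshold and the sample coordinates and names are assumptions, as is the merchant receiving courier tracking events.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

@dataclass
class Order:
    billing: tuple                 # (lat, lon) of the billing address
    shipping: tuple                # (lat, lon) entered at checkout
    events: list = field(default_factory=list)  # post-checkout events (hypothetical schema)

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def mismatch_flag(billing, shipping, stage, near_km):
    """Record every billing/shipping mismatch; distance sets severity only."""
    d = km_between(billing, shipping)
    if d < 0.05:                   # same location within about 50 m
        return None
    return f"{stage}:mismatch_{'near' if d <= near_km else 'far'}"

def review_flags(order, near_km=25.0):
    """Return review signals for one order across its whole lifecycle."""
    flags = []
    f = mismatch_flag(order.billing, order.shipping, "checkout", near_km)
    if f:
        flags.append(f)
    for ev in order.events:
        if ev["type"] == "address_change":
            # Support-channel change: re-run the checkout rule on the new address.
            f = mismatch_flag(order.billing, ev["new_shipping"], "post_checkout", near_km)
            if f:
                flags.append(f)
        elif ev["type"] == "hold_for_pickup":
            # Courier-side change: flag when the pickup name is not the buyer.
            if ev["pickup_name"].casefold() != ev["buyer_name"].casefold():
                flags.append("in_transit:third_party_pickup")
    return flags

# Constructed sample orders (coordinates and names are made up).
HOME = (40.7128, -74.0060)
NEARBY = (40.7300, -73.9950)       # about 2 km from HOME
FAR = (34.0522, -118.2437)
clean = Order(HOME, HOME)
method2 = Order(HOME, NEARBY)
method3 = Order(HOME, HOME, [{"type": "address_change", "new_shipping": FAR}])
method4 = Order(HOME, HOME, [{"type": "hold_for_pickup",
                              "buyer_name": "A. Buyer", "pickup_name": "C. Cousin"}])
```

The flags are review signals, not automatic declines, since not every mismatch is fraudulent.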
What can be done?
There are four critical elements to an effective fraud prevention strategy: knowledge, data, monitoring, and more data.
Knowledge of the internal processes and hand-offs within your company is an essential part of your fraud-prevention strategy. It is helpful not to think of instances as “transactions” but as “transfers of value.” The reason for this is simple: Fraudsters are not limited to exploits centered around cash, checks, and cards. Therefore, your fraud prevention strategy shouldn’t be either. By identifying your transfers of value, you have a great starting point for envisioning your fraud prevention policies and processes. All that is left is to fill in the blanks.
Data is shared at lightning speed among service providers and publications. Stay up to date with the information that identifies emerging trends. As your company grows outward into new territories, new systems, and new processes, become aware of emerging threats so you can arm yourself against them.
Monitoring the performance of your company will give you insight worth its weight in gold. Monitor where attempts have been identified in your own operations and report them so that you can raise awareness within your organization.
This can seem like a truckload of effort, trial and error, and man-hours…and it is. This is where service providers step into the picture with:
More Data is available for operations who look for it. Public information is powerful on its own. It tells us what to keep our eyes open for. But proprietary information is golden. By partnering with effective fraud prevention solution providers, merchants can leverage a symphony of proprietary data. Service providers use experienced personnel to orchestrate and manage the lifespan of your transactions by referencing a myriad of past information. They then use this data to make the best assertion against suspicious transactions, resulting in an operable balance between merchant security and customer satisfaction.
How Do Service Providers Do This?
Consider the first method that I outlined above. By tracking a data-rich network of CNP Merchants who report chargebacks for stolen packages, a part of the analysis might result in the cross streets or zip code being flagged, with action taken to recommend using signed delivery. The data of the merchant network allows for the merchant to be aware of the risk prior to experiencing losses.
Consider the second method: billing and shipping mismatch. By scrutinizing every mismatch, a company runs the risk of prolonging or even canceling good orders in its attempt to catch the bad ones. This risks damaging the relationship with good customers. However, by employing the data from an extended merchant network, analysts may reveal past purchases that fit this pattern. Perhaps a parent orders a gift for a child, a boss for an employee, a brother for a sister, or a friend for a friend. You don’t know for sure, but global data networks can help thin the fog.
With the third method, the “customer” requests to change the shipping address to one different from the billing address. The ‘new’ address likely isn’t in your system. Is it in the merchant network? Are there chargebacks associated with it? It’s unlikely that you will find the answer to these questions in your data, but you can tap into the merchant network of your service provider to find them.
Service providers can also respond to the fourth method by taking a proactive approach. By tapping into reports of past occurrences, service providers cross-reference relevant information with numerous data points from sources ranging from social media to utility service providers to courier services.
By partnering with a fraud prevention service provider like NoFraud, you get access to more data sources and software that operates behind the scenes to automate your transaction analysis. Coupled with a well-informed decision-making process, merchants can rest easy knowing that their operation has the right balance of customer satisfaction and transaction security.
Contribution from freelance writer Jenny Holt
According to the Association of Certified Fraud Examiners, a typical organization loses 5% of revenue every year to fraud. For businesses, online fraud typically manifests itself in the form of credit card fraud, identity theft, mobile phone transaction fraud, international purchasing fraud, phishing scams, and downloaded malware that collects credit card information from customers. To protect your business and customers from this very prevalent and increasing threat, take the following steps into consideration.
Written by Liz Parks for STORES Magazine
When e-commerce merchants try to manage their own fraud protection, they can invest substantial time and effort striving to make the right transaction decisions on their own. As they do, they risk significant losses from fraudulent orders or through “false positives” that mistakenly flag legitimate orders. According to the 2016 LexisNexis True Cost of Fraud Study, an average $2.40 per transaction is lost to online fraud. Although high-volume online retailers can use very sophisticated and expensive fraud protection programs, that has not historically been the case for lower volume online merchants with more limited financial resources.
This post is from X-Payments blog announcing our new partnership. Written by Anna Shvetsova.
We are pleased to announce the release of X-Payments 3.0.2. This time, we’ve added only one but very important and in-demand feature — NoFraud. As you’ve definitely guessed, this is the tool to help you fight fraud more effectively and easily.
Why Think of Fraud Prevention?
According to LexisNexis True Cost of Fraud study 2016, fraud cost retailers 32 Billion in the U.S. alone! Fraud attempts are up to 33% this year with 46% getting through existing fraud prevention tools. With EMV Chip technology adoption in the U.S., eCommerce fraud is expected to soar as it did in the UK (50%) & Australia (79%). On the other hand, 1.5% of legitimate transactions are rejected due to overzealous fraud prevention.
Below is a guest post from one of our partners, Rand Marketing:
To experts in the Magento e-commerce platform, the release of Magento 2.0 has been a bittersweet experience. We’re all very excited to see the evolution of Magento, especially after waiting so long for this new version to be released. On the other hand, adoption has been a very slow process, and Magento 1.9.2.x is still the recommended version for most developers.
In November, I wrote a piece about the official deployment of Magento 2.0 officially being made available for public consumption. In March, I wrote another article about Magento 2.0 building up steam, and getting closer to being useful for the mainstream. In April, shortly after this year’s Magento Imagine conference, EyeMagine posted that “Specifically, there are over 1,000 open known issues in the Magento 2 codebase, as of writing this article.