A Guest Post by Fraud Expert Alexander Hall
Summer is here. What does this mean for merchants?
The data from our friends over at NoFraud paints a clear picture: during summertime, fraudsters kick into gear rerouting, intercepting, or hijacking packages of products relevant to summer activities. This concept is nothing new, as the needs of fraudsters are the same as ours. Fraudsters are constantly evolving their tactics to target hot items, and this changes with the emergence of new trends, seasons, releases, and technology upgrades.
This specific shift in fraudulent directives affects merchants of many industries as the seasonal products range from pool equipment to clothing and apparel, to BBQ accessories, and more.
Below I have outlined four methods employed by fraudsters and what merchants can do to reduce their exposure and mitigate losses.
During my time spent on the other side of the fence, I observed four primary methods used by bad actors to obtain goods illegally.
The first method is most familiar. Legitimate customers place orders using legitimate payment methods, but the items are stolen after delivery. Criminals will go as far as to follow the routes of delivery trucks and brazenly pull up to houses and steal the package. Criminals operating in this way are known as porch pirates. The porch pirates have no idea of the contents of the package but are willing to risk jail time to find out. The increase in purchases of summer-related items contributes to the uptick in losses identified by NoFraud.
The theft of legitimate packages isn’t so much fraud as it is blatant theft. However, the result is the same for the merchant. Chargebacks for these events are received and coded as “unfulfilled” or “item not received.”
The remaining methods are actual fraud. Each of these methods employs different tactics and therefore produces different flags for the merchant to identify. But all of these methods involve the following steps:
Obtain payment information.
There are two primary ways for a fraudster to obtain payment information. They can obtain stolen information or establish new payment information and leverage that data. For this article, we will stick to stolen payment information, which is the most common.
When a fraudster establishes new cards or accounts, they have likely put in the effort to manipulate the necessary information so that they don’t need to redirect successful transactions. When effective fraudsters establish new lines of credit, they tend to use additional techniques in order to associate new addresses with the identity that they are targeting. This results in matching billing and shipping information that the fraudster dictates.
Fraudsters obtain stolen payment information in many ways, the most prominent channel being Dark Web exchanges. Fraudsters will search various Dark Web forums and purchase stolen information. The information obtained on the Dark Web can include card numbers, account holder names, CVVs, billing addresses, and more. Alongside the payment information are step-by-step instructions for how to complete orders. The information in the instructions may include information that can increase the chances of circumventing fraud filters.
Place the order.
By following the instructions found on the Dark Web and plugging in the stolen payment information, the fraudster places the order. Fraudsters will often filter through billing addresses on the Dark Web forums to purchase card information local to their operation. This is where the first and least reliable method comes into play.
Shipping Items to a Non-Billing Address
In this method, the fraudster follows the instructions found online. They enter accurate and complete payment information but use a different shipping address. The instructions found online indicate that the shipping address can be within a threshold of “X km” from the billing address before an escalation is triggered. Then, the fraudster places the order, taking advantage of merchants that employ rules-based fraud prevention, and the order is shipped.
Adjusting Shipping Information After Checkout, Before Shipment
The third method involves social engineering against the merchant’s customer service team. When placing the order, the fraudster plugs in the correct payment information as well as the shipping address to match the billing. If this satisfies merchants’ fraud prevention guidelines, the order is usually confirmed. Then, expecting the fulfillment to take a few days, the fraudster calls customer service or submits an urgent ticket, requesting that the shipping address be adjusted.
This tactic can effectively bypass the fraud prevention analysis employed during checkout and takes advantage of a company’s desire to satisfy the needs and requests of its customers. The shipping address is changed, the order is processed, the shipping label (with the new, unrelated address) is printed, and the package is shipped.
Adjusting Shipping Information with the Courier Service
The fourth and final method takes place after the package has been shipped and leverages social engineering against the courier service. As with the third method, the fraudster inputs all of the correct and matching billing and shipping information during checkout. Once the tracking information has been received, the fraudster contacts the courier service and uses any number of justified reasons to ask them to hold the package at the post office. For instance, they may say that an emergency came up and their cousin will pick up the package. After providing the postal worker with the information for the “Pickup Person,” the conversation ends.
The Systems of Manipulation
Before we talk about the steps you can take to prevent fraud, let’s pull back from the granular view of the methods and identify how the fraudster is manipulating existing systems to achieve their goals.
For the first and simplest method, the criminal drives around and watches for unattended packages. The “system” that is being manipulated is on the level of the general public, people who don’t collect their packages immediately upon delivery.
In the second method, the fraudsters take advantage of e-commerce systems that haven’t yet employed even the most basic fraud prevention measures. Not all orders with mismatching billing and shipping information will be fraudulent. However, if left unchecked, this can wreak havoc, resulting in enormous losses for the merchant.
Alternatively, in the third method, the fraudsters identify that an effective fraud prevention system is in place. Instead, they attack the merchant based on its customer satisfaction policies. The needle on the gauge indicating merchant security and customer satisfaction is stuck at 90 degrees, allowing fraudsters to assume the guise of legitimate customers to adjust orders.
Using the fourth method, which is the most reliable method, the fraudsters understand that the merchant is well-equipped and knowledgeable regarding the processes in their system. The checkout form has additional verifications in place behind the scenes, and the customer service team cannot be duped into making changes during the fulfillment process.
Because the merchant’s systems are robust, the fraudster engages with the next system down the line and associates a new identity with the order for pickup. The value of assigning a supposed brother-in-law, sister-in-law, or cousin is that the name can be anything. Historically speaking, the postal service does not employ investigational services to challenge this information.
This is an escalation process employed by effective fraudsters. By moving the exploit further and further down the line and finally moving the exploit out of the merchant’s hands entirely, effective fraudsters can maintain a high success rate. This is but one example of many forms of fraud that are becoming more and more evident with each shift or passing cycle.
What can be done?
There are four critical elements to an effective fraud prevention strategy: knowledge, data, monitoring, and more data.
Knowledge of the internal processes and hand-offs within your company is an essential part of your fraud-prevention strategy. It is helpful not to think of instances as “transactions” but as “transfers of value.” The reason for this is simple: Fraudsters are not limited to exploits centered around cash, checks, and cards. Therefore, your fraud prevention strategy shouldn’t be either. By identifying your transfers of value, you have a great starting point for envisioning your fraud prevention policies and processes. All that is left is to fill in the blanks.
Data is shared at lightning speed among service providers and publications. Stay up to date with the information that identifies emerging trends. As your company grows outward into new territories, new systems, and new processes, become aware of emerging threats so you can arm yourself against them.
Monitoring the performance of your company will give you insight worth its weight in gold. Monitor where attempts have been identified in your own operations and report them so that you can raise awareness within your organization.
This can seem like a truckload of effort, trial and error, and man-hours…and it is. This is where service providers step into the picture with:
More Data is available for operations that look for it. Public information is powerful on its own. It tells us what to keep our eyes open for. But proprietary information is golden. By partnering with effective fraud prevention solution providers, merchants can leverage a symphony of proprietary data. Service providers use experienced personnel to orchestrate and manage the lifespan of your transactions by referencing a myriad of past information. They then use this data to make the best assertion against suspicious transactions, resulting in an operable balance between merchant security and customer satisfaction.
How Do Service Providers Do This?
Consider the first method that I outlined above. By tracking a data-rich network of CNP Merchants who report chargebacks for stolen packages, a part of the analysis might result in the cross streets or zip code being flagged, with action taken to recommend using signed delivery. The data of the merchant network allows for the merchant to be aware of the risk prior to experiencing losses.
Consider the second method: billing and shipping mismatch. By scrutinizing every mismatch, a company runs the risk of prolonging or even canceling good orders in its attempt to catch the bad ones. This risks damaging the relationship with good customers. However, by employing the data from an extended merchant network, analysts may reveal past purchases that fit this pattern. Perhaps a parent orders a gift for a child, a boss for an employee, a brother for a sister, or a friend for a friend. You don’t know for sure, but global data networks can help thin the fog.
With the third method, the “customer” requests to change the shipping address to one different from the billing address. The ‘new’ address likely isn’t in your system. Is it in the merchant network? Are there chargebacks associated with it? It’s unlikely that you will find the answer to these questions in your data, but you can tap into the merchant network of your service provider to find them.
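The checks described for the second and third methods can be sketched as follows. This is an added example, not code from the article or from NoFraud: the 50 km threshold, the function names, and the in-memory chargeback set (a stand-in for a merchant-network lookup) are all assumptions. It re-runs the checkout screen when a shipping address change is requested after approval, and applies the change only if the new address is clean.

```python
import math
from dataclasses import dataclass, field

MAX_KM_FROM_BILLING = 50.0  # assumed threshold; the article only says "X km"

@dataclass(frozen=True)
class Address:
    label: str
    lat: float
    lon: float

@dataclass
class Order:
    order_id: str
    billing: Address
    shipping: Address
    status: str = "pending"
    audit: list = field(default_factory=list)

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def screen(billing, shipping, chargeback_labels):
    """Reasons a billing/shipping pair needs manual review (empty list = clean)."""
    reasons = []
    if km_between(billing, shipping) > MAX_KM_FROM_BILLING:
        reasons.append("shipping_far_from_billing")
    if shipping.label in chargeback_labels:  # stand-in for a merchant-network lookup
        reasons.append("address_has_chargebacks")
    return reasons

def checkout(order, chargeback_labels):
    reasons = screen(order.billing, order.shipping, chargeback_labels)
    order.status = "review" if reasons else "approved"
    order.audit.append(("checkout", order.shipping.label, reasons))
    return order.status

def request_address_change(order, new_shipping, chargeback_labels):
    """Re-screen a post-checkout change; apply it only if the new address is clean."""
    reasons = screen(order.billing, new_shipping, chargeback_labels)
    order.audit.append(("address_change", new_shipping.label, reasons))
    if reasons:
        order.status = "review"      # hold fulfilment, keep the approved address
    else:
        order.shipping = new_shipping
    return order.status

# Constructed sample data (not real customers or addresses).
HOME = Address("home", 40.7128, -74.0060)
NEARBY = Address("nearby", 40.7300, -73.9900)
FAR = Address("far", 34.0522, -118.2437)
KNOWN_BAD = Address("reshipper", 40.7400, -74.0000)
CHARGEBACKS = {"reshipper"}

if __name__ == "__main__":
    o = Order("A-1", HOME, HOME)
    print(checkout(o, CHARGEBACKS), request_address_change(o, FAR, CHARGEBACKS), o.audit)
```

The audit list records every screening decision, so a customer service agent handling the ticket can see why the change was held rather than overriding it blind.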
Service providers can also respond to the fourth method by taking a proactive approach. By tapping into reports of past occurrences, service providers cross-reference relevant information with numerous data points from sources ranging from social media to utility services providers to courier services.
By partnering with a fraud prevention service provider like NoFraud, you get access to more data sources and software that operates behind the scenes to automate your transaction analysis. Coupled with a well-informed decision-making process, merchants can rest easy knowing that their operation has the right balance of customer satisfaction and transaction security.
Payments companies and retailers have a sobering forecast to ponder for online fraud. By 2023, global online fraud losses from e-commerce, airline ticketing, money transfer, and banking services will grow from $22 billion projected in 2018 to $48 billion, says Juniper Research in a new report.
Thanks to the proliferation of synthetic identities—when fragments of real identity information are used to create a new identity—and account takeovers, criminals are increasingly skirting anti-fraud measures retailers and payments companies use, Juniper says.
Originally posted on Digital Transactions by Kevin Woodward.
Original article was written by Jim Daly for DigitalTransactions.net
Merchants’ actual fraud costs are up for the third year in a row and their total fraud-related expenses also are rising, according to the latest True Cost of Fraud study from LexisNexis Risk Solutions.
Fraud as a percentage of the revenues reported by the 653 retailer risk-control executives surveyed for the 2017 study was 1.58%, up 7.5% from 1.47% in 2016. As recently as 2013, fraud was only 0.51% of revenues before increasing to 0.68% the following year and then taking a big jump to 1.32% in 2015.
Originally posted on internetretailer.com By Matt Linder.
All but one day so far this holiday season has produced $1 billion in online sales in the U.S., according to Adobe.
Interest in online deals showed no signs of slowing down hot on the heels of a strong Thanksgiving weekend.
Traffic to the top 25 U.S.-based online retailers was up 10% year over year Sunday and 4% on Saturday, according to data from the Verizon Retail Index.
Retailers should view this as a sign shoppers are both engaged and willing to spend, says Michele Dupré, group vice president of retail, hospitality and distribution for Verizon Enterprise Solutions. “This healthy spike in weekend traffic demonstrates the importance of getting promotions right when consumers are focused on ticking items off their holiday shopping lists,” she says.
Written by Liz Parks for STORES Magazine
When e-commerce merchants try to manage their own fraud protection, they can invest substantial time and effort striving to make the right transaction decisions on their own. As they do, they risk significant losses from fraudulent orders or through “false positives” that mistakenly flag legitimate orders. According to the 2016 LexisNexis True Cost of Fraud Study, an average of $2.40 per transaction is lost to online fraud. Although high-volume online retailers can use very sophisticated and expensive fraud protection programs, that has not historically been the case for lower volume online merchants with more limited financial resources.
The ‘2016 American Express Digital Payments Security Survey’ reveals that 70% of merchants in the U.S. have seen sales conducted via digital channels rise in recent times.
However, the report reveals that sales could be much higher if it wasn’t for payment fraud. Overall, nearly half (48%) of online shoppers who have made a purchase online in the past twelve months – or about 80 million consumers – have experienced payment fraud.
Original post from cardnotpresent.com
Nearly a year after the EMV liability shift in the U.S.—a move specifically engineered to incent retailers to install EMV-compliant POS systems in their stores—only 44 percent of merchants are equipped with the new terminals, according to a new report from The Strawhecker Group. Further, not all of those merchants that have installed EMV-enabled systems are using them. Only 29 percent of U.S. merchants can actually accept chip cards, the report said, with terminal certification delays the main culprit.
Despite fewer U.S. merchants accepting chip transactions a year into the transition to EMV than predicted, however, the effects experts predicted have largely come true. Studies over the past few months have consistently shown that counterfeit fraud at the physical point of sale is dropping, while card-not-present fraud is surging.
In a recent study conducted by Juniper Research, they found that CNP (Card Not Present) fraud will significantly increase to more than double by 2020. They attributed this jump to the implementation of the EMV chip in brick and mortar stores, which has already caused fraudulent activity to shift online by 11% since October. Because of the higher security the chip provides, fraudsters have been less inclined to focus on brick and mortar and they shifted their efforts to online.
This shift has major online retailers tightening security by integrating proactive fraud prevention solutions to thwart fraudulent activity and reduce the risk targeting their business. And although fraud tactics perpetually change, solutions like NoFraud are developed to detect the latest behavioral trends among fraudsters to stay one step ahead and reduce fraud significantly. Major retailers using these solutions have succeeded in reducing their fraud rate.
Read the full article here: SC Magazine.
Battling eCommerce credit card fraud can be an incredibly time consuming, often frustrating, endeavor. Many companies have dedicated staff or entire fraud departments focused on reducing fraud. Often, the cost of running a fraud-prevention campaign can be more costly than the losses incurred by fraud. A successful anti-fraud solution targets the cost of fraud rather than fraud itself.
To calculate the true cost of fraud, all the contributors warrant consideration. The easiest one to assess is chargebacks, the value of stolen merchandise. Equally costly, however, is revenue lost due to false positives.