E-commerce merchants — especially smaller ones — may not think they’re at risk for e-commerce fraud. After all, their brand recognition, volume and revenues aren’t as high as those of the big players. So why would a fraudster target them?
Fraudsters know that small merchants can’t afford enterprise-level fraud protection services and other defenses. Instead, small retailers hope to blend in with the other hundreds of thousands of online retailers and cross their fingers that the fraud solution that came with their e-commerce platform will be enough to help them survive the financial impact of the occasional fraudulent purchase or chargeback.
But fraudsters are becoming increasingly sneaky, and that means fraud can appear at any point during an online transaction — and generally when merchants least expect it. Here are five tricks fraudsters can use to easily circumvent simple fraud prevention solutions to commit big fraud.
It’s often ridiculously easy for fraudsters to figure out how a merchant’s fraud filters are set up, and then exploit that knowledge by structuring their fraud to avoid detection. Unfortunately, this means merchants can’t rely solely on their fraud filters to provide the protection they need.
In one recent case, two high-end Florida merchants fell victim to multiple fraudulent purchase attempts for high-value products in the $5,000-$7,500 price range.
The fraudsters used different names and emails for each of the purchases, with shipping addresses in varying parts of the state. Names, addresses and AVS numbers matched on all these orders, which enabled the fraudsters to avoid any potential red flags from fraud filters. What’s more, when the fraud protection vendor called to confirm the orders, the fraudsters were ready for the inevitable phone calls and questions, confidently answering all the screening questions.
But although these transactions looked legitimate on the surface, the fraud prevention vendor saw beyond the superficial details and identified the broader patterns at play. Although the orders came from four different IP addresses, the vendor saw that each order came from the same device ID (a unique number that identifies a computer regardless of the network to which it’s connected). This is not a factor usually incorporated into standard fraud filters, but because it’s a stronger computer identifier than an IP address, in this case it’s what ultimately exposed the fraudsters.
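The device-ID linkage described above can be checked with a short grouping pass over order records. This is an added example, not ClearSale's code; the field names, the sample orders and the `min_identities` threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample orders (not data from the article); field names are assumptions.
FIELDS = ("order_id", "device_id", "ip", "name", "email", "amount")
ROWS = [
    ("A1001", "dev-7f3a", "198.51.100.10", "Jon Hale", "jhale@example.com", 5200.00),
    ("A1002", "dev-7f3a", "203.0.113.77", "Mia Ortiz", "m.ortiz@example.net", 6100.00),
    ("A1003", "dev-7f3a", "192.0.2.45", "Sam Reed", "sreed@example.org", 7450.00),
    ("A1004", "dev-7f3a", "198.51.100.201", "Ana Cole", "ana.cole@example.com", 5900.00),
    # Repeat customer: one identity, one device, two orders. Must not be flagged.
    ("A1005", "dev-22c1", "203.0.113.5", "Lee Park", "lee@example.com", 5100.00),
    ("A1006", "dev-22c1", "203.0.113.5", "Lee Park", "LEE@example.com", 6400.00),
    # Shared household device: two identities, below the default threshold.
    ("A1007", "dev-90be", "192.0.2.9", "Kim Vo", "kim@example.com", 150.00),
    ("A1008", "dev-90be", "192.0.2.9", "Tan Vo", "tan@example.com", 80.00),
    # No device fingerprint collected: cannot be linked, so it is skipped.
    ("A1009", None, "198.51.100.10", "Raj Nair", "raj@example.com", 7000.00),
]
ORDERS = [dict(zip(FIELDS, row)) for row in ROWS]


def link_orders_by_device(orders, min_identities=3):
    """Flag device IDs that placed orders under several distinct identities."""
    by_device = defaultdict(list)
    for order in orders:
        if order.get("device_id"):          # orders without a device ID are unlinkable
            by_device[order["device_id"]].append(order)

    findings = []
    for device_id, group in by_device.items():
        # An identity is a normalized (name, email) pair, so case changes do not split it.
        identities = {(o["name"].strip().lower(), o["email"].strip().lower())
                      for o in group}
        if len(identities) < min_identities:
            continue
        findings.append({
            "device_id": device_id,
            "order_ids": sorted(o["order_id"] for o in group),
            "identities": len(identities),
            "distinct_ips": len({o["ip"] for o in group}),
            "total_amount": round(sum(o["amount"] for o in group), 2),
        })
    # Largest exposure first, so manual review starts with the costliest cluster.
    return sorted(findings, key=lambda f: f["total_amount"], reverse=True)


if __name__ == "__main__":
    for finding in link_orders_by_device(ORDERS):
        print(finding)
```

Lowering `min_identities` to 2 also surfaces the shared household device, which is why the output is a queue for manual review rather than an automatic decline.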
It seems too simple to work, but some fraudsters redirect shipments with just one call to the freight carrier. In one case, a merchant received a legitimate-looking order, their fraud prevention solution reviewed and approved it, and the transaction was processed. Shortly after the purchase, the cardholder initiated a chargeback, claiming they never placed the order.
When the fraud vendor investigated the transaction, they learned FedEx received a call from the merchant (it was actually the fraudster) requesting the shipment be returned to the store, but to an address different from the origination address. The new address turned out to be that of a freight forwarder, and the package was gone.
Because FedEx believed it was communicating with an authorized merchant representative, it honored the request to change the shipping address. Even worse, the merchant hadn’t purchased the specific insurance coverage needed to cover this type of fraud — even though the merchant did nothing wrong — so they were out the product and the purchase price.
When customers have to have a product now, many merchants let customers place orders online and pick them up from the local brick-and-mortar store. Unfortunately, many merchants won’t require the customer to present the credit card used for the transaction — or even an ID — to get their goods.
Fraudsters take advantage of this lapse in security, using stolen data to purchase high-value goods online and safely picking up their goods in the store, often before the cardholder realizes their account has been compromised.
Some tech-savvy cybercriminals launch botnets to capture sensitive banking and financial data from the users of infected devices. Fraudsters then use the compromised data to quickly make fraudulent purchases from multiple retailers.
With an increasing number of customers considering their loyalty rewards to be equivalent to cash, a program hack can be devastating to businesses and customers.
Millions of people use their Starbucks mobile app to pay for food and drink, keeping the lattes flowing by connecting their loyalty card to their credit card for automatic replenishment. Fraudsters use this to their advantage by hacking into customers’ Starbucks accounts, transferring that balance to gift cards they control and using the auto-reload feature to immediately access more cash.
But loyalty cards with cash balances aren’t the only accounts at risk. There’s an entire underground network for hackers who steal and sell hotel and travel points and then make fraudulent travel redemptions.
Today’s fraudsters are getting more savvy by the minute, coming up with new ways to get away with big purchases — while leaving merchants stuck with high chargeback fees, large penalties and damaged reputations.
And as attacks increase in sophistication, it’s only going to get harder for retailers to distinguish the legitimate transactions from the fraudulent ones.
That’s why today’s online retailers need more than just the simple fraud protection solution that’s integrated into their e-commerce platform. The fraud filters these solutions use put merchants at risk of missing fraud patterns and approving transactions that, on the surface, appear to be legitimate. Instead, merchants have to be able to see the bigger fraud picture. And that comes with choosing a fraud prevention provider that combines automated rules-based filters with expert manual analysis.