“'Blacklists' block not only fraudsters but also many good customers.”
– David Fletcher, Senior Vice President at ClearSale
Think deny lists are the best way to prevent ecommerce fraud?
If so, you’re definitely not alone. deny lists are a popular “hands-off” way for ecommerce merchants to try to protect themselves from fraud.
But the ecommerce merchant whose deny list blocked a loyal celebrity customer might have a different opinion.
That’s what happened to one of our clients before they decided to work with us. A celebrity customer who was making multiple high dollar purchases (upwards of $3,000 each) per week was deny listed because the transaction frequency and amounts “seemed” suspicious.
Like most celebrities, this customer was using an assistant’s name to protect their identity. And they weren’t too happy about being blocked.
The loss was significant:
The lesson our client learned? Fraud prevention deny list can backfire in epic fashion.
Merchants need to have a strategy to prevent chargebacks. Otherwise, they run the risk of carrying a high chargeback rate, which will result in high fees and monitoring programs with their credit card processors.
A fraud prevention deny list is a shortcut that many ecommerce merchants use to protect themselves from repetitive chargebacks and other types of criminal fraud. It is a list of information pertaining to the transaction, including
Typical Deny List Data Points:
When merchants are hit with chargebacks they often add the transaction information to a filter that is set to automatically deny any future transaction containing any of those data values.
It seems simple. But that’s the problem. It’s too simple. People move, they are multi-channel shoppers, their email addresses change – and deny lists cut too broad of a swath to even consider these finer points of consumer behavior.
At ClearSale, we talk about false declines and how detrimental they are to your ecommerce business. A false decline happens when a legitimate transaction is mistaken for fraud. The customer is subjected to embarrassment, humiliation, and unnecessary concern about their credit card security.
The result is a lost sale and an upset customer who may be among the 37% that will never shop with you again. Fraud prevention Deny Lists exponentially increase the likelihood of false declines exponentially and can risk your losing the lifetime value of a good customer.
In 2020, every other transaction in the financial industry was related to an account takeover (ATO). That represents a 20% increase in ATO from the previous year. It’s not surprising, then, that ATO fraud attempts increased by 282% from 2019 to 2020.
ATO fraud happens when a fraudster hacks into an online database and steals customer data. This data is then used by that fraudster (and others) to take over the identity of legitimate customers and even change or set up new bank/credit card accounts in the customer’s name.
Why is this important? It highlights the risk of putting customers on a fraud prevention deny list solely because of a chargeback and/or fraudulent transaction. By doing this, you will almost certainly be deny listing legitimate customers – who are as much victims as your business is.
Instead, merchants need to apply more sophisticated ways to evaluate transactions, such as up-to-date intelligence, behavioral biometrics, purchase history, and account velocity. This pinpoint approach prevents fraud without catching legitimate customers in the net.
Not all order details from a fraudulent transaction are unique to the fraudster. For example, large apartment buildings, university dorms, shippers, and other multi-unit buildings share an address but include a large number of people. Blocking one of those addresses can prevent hundreds of legitimate customers from making transactions.
Along the same lines, IP addresses are dynamic. The IP address a user has today can belong to someone else five days from now. Adding an IP address to a deny list will almost certainly block a valid customer.
Fraudsters constantly change the details they provide when placing orders online. Think about how easy it is to create a new email accounts today. Fraudsters have a treasure trove of stolen credit card details, proxy servers, and shipping addresses to choose from.
Plus, it’s important to understand that unless you’re a fraud prevention expert, fraudsters will often be three steps ahead of you. So, adding their transaction details to a deny list and blocking their transactions will only cause them to use a different combination of credit card and shipping address details.
In some unique situations, a deny list may make sense. Usually, those situations have nothing to do with fraud or are peripherally related. But there are times when preventing customers from making transactions is needed.
|
“Not Worth the Trouble” CustomersThere are customers who are more hassle than their transactions are worth – whether it’s due to disagreements about quality, returns, or even the “customer who is never happy.” Putting these customers on a deny list to keep them from coming back to your online store and creating more drama and work for you and your employees frees up your time to deliver great service to other valued customers. |
|
Known CriminalsAnother example are the customers who’ve been caught stealing in a brick-and-mortar stores. You definitely don’t want them to do business with you again, since they have already shown their intent.
|
|
Fired EmployeesIf you’ve had to let an employee go for stealing and/or the employee has expressed a desire for vengeance of any type, you’ll definitely want to block them from making purchases and having any access to your ecommerce presence altogether.
|
Blocking these customers makes sense, but we recommend being very judicious with deny list and considering a more comprehensive approach to fraud prevention.
If you have been using fraud prevention deny lists, here’s how to determine if your deny list is helping or hurting:
If your deny list is working, your false decline rate should be low. If you are experiencing a high rate of false declines and social media complaints and blocked transactions, your first place to look should be your deny list.
If the last time you updated your fraud prevention deny list was more than two months ago and you include IP addresses, make sure to create a process for evaluating and updating your list. And most importantly, track why each entry is on the list. During each evaluation, see if that rationale is still relevant – you may have new information that can change things considerably.
Ultimately, fraud prevention deny lists should be handled gingerly. To truly fight fraud, you’ll need a more strategic approach.
Fraud prevention is not a one-size-fits-all activity. Not only do you need to stay up-to-date on fraud trends, locally and globally, you also need to have the experience and bandwidth to do a complete analysis using technology and manual reviews.
If you’re thinking, “That’s a full-time job in itself!” you’re right. And depending on your sales volume and industry, it may be several full-time jobs. The sophistication and power behind today’s fraud attacks won’t be stopped by in-house solutions unless you’ve got a dedicated team of experts to hand.
That’s where a fraud prevention partner comes in. An expert team that can analyze transactions, identity potential fraudulent patterns, and maintain a warning list for further examination will help you take fraud off your plate, so you can focus on sales and grow your business. At ClearSale, we can help you find alternatives to a fraud prevention blacklist and keep your online business protected.