 | Working against the scam artistFor most online stores, Christmas is the biggest opportunity of the year. Unfortunately, this also applies to the scam artists. Just as you can’t guard against a brick through a shop window, you can’t guarantee that you will never be targeted by online fraudsters. However, although attempts are inevitable, the online merchant is far from defenseless. |
|
We all know the story of waiting ages for a bus, then three come at once. Even if we haven’t had this experience ourselves, the analogy still applies - we may never get a fraud attempt, then three attempts arrive in one day.Fraud in real life
Recently, I was talking to a customer of my company. This merchant sells model railway products online, and he narrated an interesting story. He started with very modest expectations and planned £20,000 sales in the first year, but quickly hit £100k. The business had never experienced fraud, and he didn’t worry about it. Then suddenly he received a series of fraudulent orders in a single day, and lost £3,000-worth of goods. In proportion to his sales and margin, this was a major problem.
Unfortunately this is quite a common occurrence. Hitting a retailer multiple times the same to the fraudster. After all, it's easier to shift a bunch of the same goods than it is to have small quantities of different types of merchandise. The principle of once bitten, twice shy means that the merchant will be harder to con the next time. So maximum advantage is taken while the guard is down.
Just as in traditional retail, there are a variety of types of fraud. Clearly there’s the use of stolen credit cards, but there are other, more subtle approaches too. These range from denying that goods were received to a clever approach adopted by one fraudster who always ordered several of the item he wanted. He then claimed he’d had a short delivery, and returned the goods (less one) for a full refund. Having performed this scam across multiple stores, the issue only came to light from a system that showed that he had received many refunds from a range of retailers.
Fighting back
The weapons in the merchants armour include use of CV2 codes (the three digits from the back of the card), address verification (AVS) and more recently 3D Secure. Experienced merchants have also learnt that fraudulent orders typically have similar characteristics such as using a free email address (Yahoo, Google or Hotmail, etc.), a mobile phone number for contact, using the most expensive shipping method, generally having a large order value, separate delivery and invoice address, and of course there is no history of orders from the customer. An additional precaution that could be taken includes checking addresses against the electoral roll using services such as 192.com.
An extra complication during the Christmas season is that most goods are being bought as gifts, so a higher proportion may be delivered straight to the gift recipient. Therefore they go to a different address than the billing address, which exacerbates the problem.
As the fraud problem has grown, a number of companies such as The Third Man have sprung up to address the issue. Companies like this can provide an advantage to retailers because as well as screening individual transactions, they are able to look at multiple transactions from multiple merchants in order to check for possible fraud. The Third Man claims that the vast majority of fraud attempts can be detected using its technology.
Although fraud is much more likely for small high value goods that have a great secondary market, like iPods, no goods are sacrosanct, so to speak. This was illustrated by a friend of mine who received a number of small orders for Bibles, each of which was paid for and everything was OK. Then they received a very large order, which unfortunately turned out to be fraudulent. It pretty much took their online business down.
Dealing with fraud
When you suspect an order is fraudulent, it’s usually best to contact the buyer to check things out. You can, for instance, ask for a fax of their card statement. Most people committing fraud have no desire to get into a dialogue with their intended victim, as it considerably increases the risk, and they will fail to respond.
Once you are certain that a transaction is fraudulent, you should void it (if it hasn’t yet been settled, an option that is available for up to 24 hours), or refund the payment. Waiting for a charge-back is not a good idea as the bank imposes penalties, and tracks the number of charge-backs that a merchant receives.
How the banks and police do and don’t help
Unfortunately merchants carry the can for fraud, so it’s important for them to take responsibility. Across the industry, there is considerable exasperation that banks don’t seem that interested, particularly in individual instances of fraud. Experience with the police seems to be patchy. My company had the police sit on a case for 12 months as they didn’t understand what eBay was. Against that, one of our customers recently featured on the TV arriving at an address with the police to have the satisfaction of seeing the criminals arrested.
The banks solution to online fraud is 3D Secure (also known as Verified by Visa and Mastercard SecureCode) and the Payment Card Industry Data Security Standard (PCI DSS). PCIDSS is a compulsory standard that makes it harder for scam artists to steal credit card data. 3D Secure is a sort of Chip and PIN (C&P) online. The banks are becoming increasingly keen on 3D Secure because the implementation of C&P has brought a significant reduction in fraud on the high street, unfortunately now accompanied by an increase in the problem online.
With 3D secure, online buyers are prompted to enter their password whenever they use their card. The password is sent directly to Visa or Mastercard and they provide the thumbs up. This should mean that stolen cards can’t be used without their password, just as cards can’t be used in a petrol station without their pin numbers. The banks are so confident of this system that they, rather than the merchant, accept the risk when it is used.
The problem with 3D Secure was that virtually no-one in the general public had heard about the scheme, and sometimes people even thought that it was a scam when presented to them. This meant that few cardholders enrolled and had passwords, and those that did often forget them due to lack of use. For a merchant in the vanguard, making 3D Secure compulsory used to be the kiss of death to an order. Fortunately, this seems to be changing.
Avoiding being run over
The bus may not be your preferred form of transport, but it works for some people. The lesson of fraud can be reinterpreted as a variant of the bus story. It goes like this. I never had a problem crossing the road, then one day I wasn’t just hit by one bus, three of them ran me over.
In the Christmas rush, traditional protection measures must not be neglected. Vigilance is the key. As others tighten up, fraudsters will seek out the softer targets. Experiencing multiple frauds in quick succession isn’t pleasant. The lesson is to be prepared. Don’t let the fraudsters spoil your Christmas.
Chris Barling, CEO
Actinic
www.actinic.co.uk
