As the holiday season kicks off, ecommerce merchants are preparing for Cyber Monday, the biggest day of their fiscal year. Simultaneously, online fraudsters are setting up camp on the dark side of the web like an army of cyber Grinches ready to steal seasonal revenue. Armed with fresh motivation from widespread EMV adoption and tactics like phony middleman storefronts, fraudsters eagerly await the Cyber Monday surge to drive their season of online fraud.
The rise of online fraud from EMV chip adoption
According to data from MasterCard, 33% of U.S. retailers have already upgraded their payment terminals to accommodate EMV cards. MasterCard spokeswoman, Beth Kitchener expects that number to reach 45% by Cyber Monday. Research-based consulting firm, Javelin reports a 113% increase in card-not-present fraud since the EMV migration began last October. The correlation between the two is undeniable.
The same growth in online fraud was seen in other countries when they switched to EMV. Boston-based independent research and advisory firm, Aite Group reports a 79% increase in online fraud in the UK when they introduced the program from 2005 to 2008. In Australia and Canada online fraud rates almost doubled. Aite Group also predicts card-not-present fraud will reach $6 billion by 2018.
A scam for the holidays
The same way merchants meet with their teams to strategize on seasonal specials, fraudsters anticipate the mindset of the merchant and devise new ways to deceive them. This season, expect to see an increase of phony middleman storefronts.
Criminals set up phony eBay or Amazon storefronts and resell products from legitimate ecommerce sites like home improvement center, Build.com. The criminal collects a customer’s credit card number, never delivers the product, and then uses the stolen card number to purchase other products. The merchant gets hit with chargebacks and fees from multiple angles.
Founding partner of Missouri-based payment advisory MSP Consulting, Patrick T. O’Boyle says one large e-tailer lost from $70,000 to $100,000 in chargebacks over a consecutive five-month period.
“Once the fraudsters have the information, they charge the customer’s card twice,” says O’Boyle citing an incident report filed this past winter. “The first charge is through their false eBay or Amazon storefront,” says the report. The second charge is when they buy the product with the stolen credit card and have it shipped it to their address versus the cardholder’s billing address, says O’Boyle.”
The merchant ends up clobbered with chargebacks plus fees from both the fraudster who used the card to purchase the items and again when the actual card owner discovers the fraudulent charge on his or her card statement.
The e-tailer O’Boyle described allegedly filed a complaint with the Federal Trade Commission, which is reportedly investigating the fraud and seeking stricter controls from online sellers like Amazon and eBay. However, Frank Dorman, spokesperson for the FTC, declined to confirm or deny the claim saying in an email, “all information regarding investigations, including whether or not there is one, is nonpublic.” Amazon and eBay did not respond to inquiries.
Good things, and fraud, come in small packages
While some of us may be pleasantly surprised by holiday gifts like diamond jewelry or an expensive car, most of us will be getting smaller, less expensive gifts – and so will our fraudster counterparts. Savvy fraudsters often disguise fraud by mirroring average customer purchases to avoid drawing suspicion. “I think a lot of people are surprised when I say that our average fraud order is under $500,” says risk specialist for Build.com, Jamie Ceccato. Fraudsters buy “things they think will pass under the radar.”
Ceccato forecasts easily re-sellable smart devices to top the wish lists of fraudsters this Cyber Monday. Items like NEST security cameras and thermostats, blue-tooth compatible light sockets, and Skybell WiFi doorbells. Kitchen Aid brand mixers and Milwaukee combination tool kits will also be popular. Last Thanksgiving the big items for fraudsters were the Insinkerator garbage disposal unit, and the Washlet toilet.
Recognizing address verification systems and PCI compliance regulations aren’t enough, Build.com encourages its 200-strong salesforce to dig deeper and explore online to validate the legitimacy of a customer; a beat them at their own game approach.
“Our motto is ‘get creepy.’ Use whatever can be gleaned from the web to validate a billing and shipping address,” says Ceccato. “Little things that you can find on anybody at any given time.”
“They say they just bought a new house. Look at their Facebook page. Maybe they took pictures of themselves in front of their home holding their ‘For Sale’ sign or ‘Sold’ sign,” Ceccato advises. “If they have a business name in the order where it’s going to, check out LinkedIn. See if they actually worked there.”
At Build.com sales people make decisions. “We are different in a lot of ways from other merchants because our sales center still reviews orders,” says Ceccato. “They still have the ability to release orders that are being held for manual review. I don’t think a lot of other merchants have been doing that for quite some time. I feel like the ones I talk to don’t have as much involvement from the sales center side on manually reviewing and releasing their risk orders.”
Securing your shopping cart
Another idea favored by fraud-containment experts is to keep “hot and cold customer lists”, the higher the temperature the poorer the customer’s business history. For a hot customer “you manage the elements of that account, the email, the name, the card, and don’t allow any more sales to go through on that card,” says O’Boyle. “Cold ones are ones that have a good sales history. So when they put in an address to ship to that’s different from what their billing address is on file, well, you’re probably going to trust them if it’s within reason.”
O’Boyle tells clients to avoid incorporating a guest checkout that requires minimal criteria to approve, calling such facile security measures “great for fraudsters.”
But all too often his customers resist him in fear of slowing down the checkout process, giving buyers more time to rethink the purchase. “Well, if you’re going to have that guest checkout you’re going to continue to increase your chances of fraud,” O’Boyle warns them. “That’s a fact.”
He also suggests telling privacy-sensitive customers that personal information is being gathered for security, not marketing purposes, in cases where that is true.
On all international orders, O’Boyle says proceed with caution. “You can’t do some of the address verification and proof of delivery requirements that would be needed.”
Are you ready for Cyber Monday?
While there are numerous best practices ecommerce merchants can adopt to minimize fraud, the only solution certain to eliminate fraud liability and chargebacks is Signifyd, as evidenced by both O’Boyle and Ceccato.
At Build.com chargebacks started to climb prior to the EMV migration. In early 2014, they signed up with San Jose, California-based ecommerce fraud protection provider, Signifyd. Drawing on the data of thousands of merchants with real-time machine learning and risk analysts, Signifyd approves or rejects an order with a detailed summary of the reasoning behind each decision. Most importantly, Signifyd provides a 100% financial guarantee for all approved orders.
“We found that before using Signifyd, our annual fraud was 0.17% of our total sales,” says Ceccato. “After, that number dropped to 0.07%.”
This past summer Signifyd helped Build.com catch one fraudster using the name Gary in four different orders for Samsung Smart Refrigerators. Ceccato says she was alerted by a low Signifyd score and then by the owner of one of the stolen cards. After that, she was able to deduce all the Gary orders were connected. “Two of them we cancelled before we even shipped them. The one that got loaded onto a truck got turned right back around.”
O’Boyle also touts Signifyd’s successes against online fraud. “We had a client that was seeing their chargebacks approaching 3% to 4% of their sales at the peak. They were able to reduce that to under tenths of a percentage point – an enormous reduction.”
Prepare for Cyber Monday and take back your holiday revenues from cyber Grinches. You’ve worked hard all year to shine during the holiday season and you deserve to keep all the revenues from this shopping season. Let this holiday season be a time for celebration for you and your colleagues, not fraudsters. A complete plan of action combined with Signifyd can provide the protection you need to maximize your holiday income. Accept more orders and slash your order review times without the fear of fraud.