Fighting E-commerce Fraud One Click at a Time

Nick Morgan’s apparel company, Shirts That Go, sells children’s high-end T-shirts to customers in the United States. It came as a surprise, then, when the Chapel Hill, North Carolina, company received an online order last year from customer with an IP address in Ghana. Another surprise: the order was to be shipped to a U.S. address.

Using Google Maps, Morgan traced the address to a rural Florida area with a few trailer homes, not his customers’ typical demographic. The shirts were returned as undeliverable, making Morgan suspect someone was testing the card used to buy them. Not long after, he began receiving more orders from Ghana. Morgan’s theory: people were using stolen credit cards to order and then resell his products. To avoid problems, he asked his e-commerce provider to block orders from all Ghana IP addresses.

Morgan's close monitoring prevented his company from losing money to chargebacks, which occur when consumers request refunds for orders they didn’t place. Left unchecked, such chargebacks and other forms of e-commerce fraud are costly to businesses, not only in lost sales but also the time companies spend detecting and resolving problems, and preventing them from happening in the first place.

In 2009, U.S. and Canadian merchants lost $3.3 billion to online fraud, according to First Data, a leading payments processor. More than 100 online merchants responding to a 2009 survey from CyberSource, another payments management company, expected to lose an average of 1.2 percent of their annual revenue to fraud.

"Midsized and small companies have the biggest issue because one fraudulent order can really hit the bottom line," says Howard Schecter, business development director at preCharge Risk Management Solutions, a New York e-commerce fraud screening and order verification service provider.

Combating fraud is tricky. Because fraudsters change tactics all the time, companies must constantly reevaluate what data to collect and where their greatest threats originate. According to a 2010 CyberSource survey, 20 percent of U.S. and Canadian merchants have stopped selling to customers in at least one country due to the high levels of fraud that originate there. Among the highest-risk countries cited in the survey: Nigeria, Ghana, Malaysia and Indonesia.

While merchants fret about doing business internationally, today more e-commerce fraud comes from domestic sources, Schecter says. CyberSource identifies high-risk U.S. cities as New York, Miami and Los Angeles.

In addition to the bad buys, online merchants also have to watch out for family fraud, in which legitimate customers ask for refunds after a child or other family member uses a card without permission. San Francisco online gaming company FlowPlay launched a fraud detection program after learning that kids were using their parents’ credit cards to play its games, says Derrick Morton, the company's CEO. “Parents call us every day telling us that they don't recognize charges, and when we tell them the email address of the person making the purchase we invariably hear, ‘That's my 10 year old’,” he says.

Many e-commerce providers and card companies offer fraud protection programs that check addresses, card security codes, phone numbers and other personal identification for free or a nominal fee.

Although good, those basic services may not be enough. In addition, experts suggest that companies put in place additional anti-fraud checks to approve as many revenue-generating customers as possible while disqualifying all but a statistically irrelevant number of bad orders.

Where to Look for Fraud
To monitor transactions for fraud, experts recommend that merchants analyze and verify the following:

• IP address
• Shipping address
• Email address and user name
• Phone number
• Zip code
• Billing address

At Shirts That Go, Morgan tracks most of that data, plus product mix. If someone orders several of the same shirts in the same size, it raises red flags, he says.

In fraud prevention, it’s best to monitor as many variables as possible since criminals’ tactics change so frequently. Checking addresses is less effective than it was in the past, for example, due to the current rash of email scams that trick customers into visiting fake banking sites where fraudsters can steal their account passwords and then change their addresses.

Tracking Tools and Services
Tracking so much information can be overwhelming, so unless you're a small company filling a few orders per day, automating the process is the way to go.

Pooldawg.com, a Lafayette, Colorado, company that sells pool cues and billiard products to 100,000 customers globally, uses a multi-pronged approach to keep fraud at bay. The company relies on a third-party service to match addresses and card-security codes, and another to process orders from customers using passwords linked to security programs of payment card providers. "When an order comes through, we know it's automatically trustworthy," says Mike Feiman, Pooldawg.com’s president. The company uses a third service, from MaxMind, to score transaction risks. All three services filter into the company’s order processing page, where employees review the data to detect potential fraud.

The services, which cost Pooldawg.com less than $10,000 per year, have reduced charge-backs to a nominal 0.014 percent, Feiman says. While fraud has always been low, no more than 1 percent of annual revenue since the company started in 2006, an improvement of even a fraction of a percentage point can help the bottom line, he says. In 2010, Pooldawg.com’s preventive measures kept it from losing $70,000 to fraudulent transactions.

When FlowPlay, the online gaming company, introduced virtual money to its 117,000 subscribers two years ago, chargebacks soared from almost nothing to 1.5 percent of transactions, an amount equal to several thousand dollars in monthly revenue, Morton says. Since FlowPlay started using a free fraud analysis program offered by Adyen, its ecommerce payments processor, chargebacks have dropped to 0.5 percent, he says. The tool tracks 20 different criteria. It also allows FlowPlay to pre-screen transactions and set custom fraud alerts, including pre-set spending thresholds.

BrickHouse Security, a New York seller of surveillance and security products, fills 4,000 online orders a month for its surveillance and security products. It developed its own fraud-detection software, says CEO Todd Morris. The program analyzes order size, units requested, product type, buyer’s email address, time of day and other customer data the company has collected for six years, Morris says. Using it makes him comfortable continuing to sell to international customers, which account for 15 percent of his business.

But automation isn’t foolproof. PoolDawg.com’s Feiman says his employees still eyeball orders, “because even with all the tools, fraud can slip through."

Avoid Dinging Valid Customers
Fraud protection tools aren’t good if they keep legitimate customers out. To avoid blocking valid shoppers, merchants should balance filters with approvals. “Often big companies will turn away a lot of orders and we can end up approving half of them,” says Schecter, with preCharge. The company’s system is built on a database of order histories and cross-checks names against 2,500 client files to approve orders.

The service used by FlowPlay allows it to maintain a “whitelist” of long-time customers in good standing and process their orders outside of fraud filters.

Other companies such as Pooldawg.com deem fraud risks too high to worry about false positives. “In the case of orders originating from places like Ghana or Malaysia, we simply do not offer service in those areas,” Feiman says.

Fraud prevention pays off over time. At FlowPlay, Morton says the best thing he ever did was to track all scam transactions and use the data to predict potential fraud. “Ultimately we've been able to take this knowledge and create our own tools that check the customer data before they even get to enter their credit card data,” he says.

With the right tools and processes in place, fraud may even become an afterthought. Since introducing various controls, Shirts That Go’s Morgan is confident he now catches most fraud in time. "It's just part of the ecosystem we live in."