Ecommerce merchants are understandably worried about fraud, which can be financially crippling to a merchant. But they might not realize that chargebacks can be just as devastating. And with fraudsters getting more and more creative—and with the holiday shopping season just around the corner—you need to be prepared to defend your store against increasingly subtle instances of fraud.
In this episode of Gateway to Ecommerce, Rafael Lourenco, ClearSale’s Executive Vice President, and Bruno Farinelli, ClearSale’s Head of Operations, discuss emerging patterns in ecommerce fraud, the increased risk as we near the holidays, and strategies for protecting your business against fraud and chargebacks.
In our ninth episode, we explore how fraudsters are delivering tricks, not treats, to ecommerce merchants and how these retailers can protect themselves. But first, let’s introduce you to our hosts today:
is ClearSale’s Executive Vice President. A 12-year veteran at ClearSale, Rafael combines the company’s innovation-driven culture and emphasis on communication with a deep understanding of the statistical tools that underpin excellent fraud protection.
is ClearSale’s Head of Operations. Joining ClearSale in 2012 to help optimize the financial performance of the company’s largest customers, Bruno now manages a team of data scientists and fraud experts that are responsible for the company’s budget and main KPIs of the company.
Ecommerce retailers find themselves in a tough position when screening transactions for fraud. Some perfectly normal-looking transactions can actually be fraudulent, while suspicious orders can be legitimate ones. The challenge is to balance the risk of fraud with that of false declines. But while both can be devastating to a merchant’s bottom line and reputation, they don’t have to be an inevitable part of doing business.
Even a spike in online sales doesn’t mean your business will have to suffer from a corresponding rise in fraud and false declines. Here are some factors you’ll want to consider:
• Fraudsters love things that are easy to resell.
• Not every order is what it appears to be: Even legitimate-looking orders can be fraudulent.
• You want your fraud prevention program to deter fraudsters — not legitimate customers from placing orders.
• How can you deliver a seamless customer experience while protecting your business and your customers against fraud?
You’re listening to Gateway to Ecommerce, a podcast by ClearSale. In this series, global ecommerce leaders discuss challenges, best practices, new tech, and secrets to success. And now your host, Rafael.
In this episode, we’re talking all about Halloween, which is right around the corner (at the time this was recorded in September 2020), and we’re going to talk all about our scariest fraud stories. In this episode, we’ll talk about how chargebacks can be just as scary for merchants. And then we’ll also talk about how those unexpected payment reversals threaten your revenues, steal your merchandise and surprise you with those unexpected fees.
How bad is it? According to LexisNexis’ True Cost of Fraud study, for every dollar of fraud committed, U.S. retailers incur $3.13 cents of cost. Yikes. Be sure to check out the episode and make sure you look at us on Apple Podcasts, Google and Spotify.
It may seem early to start thinking about the holiday shopping season, but now’s the perfect time to prepare. Today, we’re going to talk a little bit about Halloween as an excuse to discuss a little bit about some weird and scary stories in the fraud prevention environment. And for that reason, I have with me Bruno Farinelli. He’s the Head of Operations for ClearSale. And for sure, and during these last many years working with fraud, he’s got a lot to tell in terms of stories, and I bet a bunch of them are kind of scary.
I want to just get started by asking about how scary fraud is for merchants. So I know that fraud is something that merchants should be worried about, but why should chargebacks and fraud rank as one of the first items for them to be worried about, Bruno? And with that, I want to welcome you to the podcast.
Thank you. Thank you, Rafael. I’m very happy to be here. Definitely after nine years with ClearSale, I have a lot of things to share. And well, it’s exactly like a horror movie. You never know when the jump scare is going to come. And I think that’s the magic about fraud. It’s extremely dynamic, so you don’t know when it’s going to come and how it’s going to be.
So fraudsters, they can be predictable, so using proxy APs or VoIP phonelines, which are some of the very common and basic strategies a fraudster could use. Or they could go very complex and try to do as much as possible to make you, the merchant, believe that they are actually a good customer. And that’s why you should be concerned, because their behavior, the fraudster, is extremely dynamic.
Yeah. I love your analogy with the scary movies where you don’t know where the monster is, and I’m sure that would be a million-dollar question. But where are the monsters in ecommerce? I mean, where is the fraud, the more trendy fraud schemes, coming from? Either geographically speaking, or even what are these patterns that you’ve been seeing lately?
Well, geographically speaking, we know that there are some areas in New York, some areas in Florida, in which those guys are usually concentrated. Obviously when they’re mentioning Florida, it involves a lot of the freight forwarders that are located in Florida, which means that those fraudsters could actually be throughout the whole world, because it’s very difficult to trace them.
Now obviously those guys are usually targeting liquidity — anything that’s easy to resell, a fraudster will love to have. So mobile phones, anything technology, fashion, that’s where they’re going to tackle. And when it comes to the schemes, the one that has been biggest headache I believe of all merchants is those one in which the fraudster is able to intercept the package somehow. So they are able to use the cardholder’s address, as if it was the cardholder making a real purchase. But then before this order gets to the cardholder who did an order, they are able to intercept this delivery somehow.
I got you. Yeah. And that’s a little intuitive when we talk about fraud. I think many merchants will think about fraud as this young guy behind a computer, trying to buy something for himself. Or even someone under the assumption that if there is a match in address, a shipping address with billing address for instance, it’s a safe transaction to be delivered. And what you are saying is that sometimes some stuff is not what it seems to be. So even with a match in address and shipping address, you can still have fraud on those orders.
Exactly. But then again, it’s just like in the movies. At the same moment, you do not want to be that naive teenager that is easily taken by the monster. You also don’t want to be the crazy guy who gets always stuck in your house. So in the same way that you want to be careful with chargebacks, you do not want to oversight anything and start declining all of the orders just because something is wrong.
Yeah, from the business perspective, that’s what scares me the most. So you, obviously coming from an operational background and you are on the front line battling with these fraudsters, that’s the thing that you are more scared about. And that’s the number one takeaway or the number one top of mind for merchants and solution providers when it comes to fraud prevention, is the chargeback.
But on the other hand, what concerns the most is how those fraud prevention strategies can become so scared and so in trying to avoid those chargeback costs, they end up being a sales prevention tool or solution instead of just fraud prevention. So we don’t want to make our fraud prevention strategy being also a barrier, an obstacle, for our growth as a merchant. And for me, that’s the most scary thing that can happen, especially when it comes to small and medium businesses. Those guys are gaining market share, so they are trying to acquire new customers. They are putting their names on Google ads and investing a lot of money in digital marketing in general. And the consumer ends up making the choice of purchasing something. And after that, being declined is really a nightmare for anyone working in ecommerce.
And then it doesn’t become solely scary for the merchant, but also scary for the customer.
Rafael Lourenco: Yeah, yeah. Customer experience gets really hurt. And I’d say in these times when digital transformation is moving so fast, I would say that the loyalty of people to a given website, you can’t take it for granted. So any person you can attract to your website that you can move away from the big players — Amazon, eBay, etc. — it’s a super-valuable consumer, and you don’t want to do anything other than please these people.
Exactly like you said. Merchants need to worry with making sure that they have the good customers with them and the fraudsters are away. And that’s why it’s a challenge. And that’s why chargebacks are one of the biggest things that a merchant has. Not only because of the chargebacks itself, but also because of everything that comes with the chargeback prevention.
Yeah. In the end, it’s two sides of the same coin. We’re talking about the cost of fraud itself, the chargeback itself, and all the costs that come along with it, including what you just said, the false positives.
And I want to touch and get a deeper dive on it. But before that, let’s stick a little bit on the chargeback topic and try to dive it a little bit more. What other costs ... I mean, there is this report from LexisNexis that says that for every $1 of fraud committed, the U.S. retailers actually incur in $3.13 additional in costs. So how come we can consider the total cost of fraud as something bigger than what merchants usually see in their bank statements?
Well, hopefully you have the basics. Every chargeback come with a chargeback fee. It is usually between $15 and $30, depending on country, gateway, processor. However, it is also concerning labor, because you need people analyzing those chargebacks and eventually disputing those chargebacks. If you’re working with a company that is disputing those chargebacks on your behalf, like several partners of ClearSale, this also incurs costs. And then you can have a software dedicated to it.
And eventually, you may even want to go ahead and legally prosecute fraudsters, which is something that we know that some merchants do in large cases. And obviously this comes with a cost as well.
Rafael Lourenco: Yeah. And I’ve heard of a couple of different stories. When you say large cases, we do know a lot of situations at ClearSale in which we saw a merchant going through a big spike in fraud, a big spike in chargeback and sometimes in a big scale.
So why don’t you tell us some stories about a fraud in which, I mean, the merchant was really hard hit by fraudsters in a scary way, taking the Halloween as an excuse for those stories.
I think when it comes to cases that had an impact, but are also scary, the first one that comes into my mind, and I think you might remember, it’s a case in which fraudsters, they were buying something. And most of the cases they were using the customers’ and the cardholders’ real address. In some of those cases, they were using the cardholders’ real email as well. Meaning, it wasn’t account takeover.
However, there was something very different than regular account takeover cases, which was the fact that there was no one living at the address at that moment. So for example, if he was using my credit card, he was shipping it to my old address, so I wasn’t living there anymore. So how could someone be having something delivered to a house that no one lives in anymore? And in the end, this was a fraud. And that’s pretty scary, having someone delivering something to an empty house.
Yeah, you think about ghosts and think ... but at the end of the day, what they are doing in my point of view, they’re trying to play the system.
So they know there will be address matching, and they’re using it against the fraud prevention solutions.
Bruno Farinelli: Exactly. And then we have to think, how the hell is the fraudster getting to this product? So one of the options is always, he’s able to intercept it with the courier. But in this specific case, the fraudsters were able to pose as realtors. So they would be getting the keys to the house in order to show those houses and things like this. And by doing this, they would be able to get those deliveries whenever they were made.
Wow, wow. Yeah.
It’s really a pretty scary case.
Really scary and really complex. Sophisticated actions from the fraudsters. And again, I think I was talking about the stereotype of fraudsters being these young people willing to have a pair of sneakers, but the reality is much different, and very much scarier than that. We’re talking about organized criminals, organized crime. And some of those stories go in that direction.
Exactly. And as it is in any other place. Once crime gets organized, you start to have people that not only come from a criminal background, but are also coming from couriers and shipping companies. So their MO gets wider.
Yeah. It makes a lot of sense. And I can think of a couple of more of other ways, the same logic in which someone uses an old address, can use it for different types of frauds and not even a fraudster.
So I wonder … these guys are spending 24 hours a day thinking about it, and they will come up with different ideas. So can you provide us with a second story or example?
Yeah, and I think this one should be one of the biggest nightmares for a merchant ever. One of our enterprise clients in the past, they had an internal breach. So an employee of theirs, who later become a former employee, had access to a batch of credit cards. And then he started going on a rampage using all of those credit cards, eventually providing correct billing addresses, as if all of those customers were making purchases.
And it was a very interesting story, because usually this client’s private label had a very low fraud rate. And from one day to the other, the fraud rate spiked. So it was a very crazy story. The fraudster would never stop, so I think we were talking about two years in a row. Specifically doing fraud prevention for this specific guy, because he had a very specific MO in which he would try to use symbols to hide the real address he was sending the orders to. He would even use codes that only the post office was able to read. So specific numbers and specific letters that the post office would know what they meant.
Yeah, it sounds to me that ... I mean, not only when you tell stories like this, not only am I thinking about the level of sophistication those stories have, but also about the level of how much they share information. I mean, fraudsters and the criminals in general.
I mean, the same way we are here talking about ways to prevent merchants from fraud, I’m sure there might be a podcast or something, or a reunion of fraudsters, talking about those stories and how to replicate it, how to make money out of those breaches.
Exactly. And sadly, it’s very easy for us to find those sources as well. So you could use either Facebook, or obviously in the dark web, you’re going to find a lot of references in which fraudsters are not only discussing breaches for existing websites, but also even offering their services or their data. So you can easily buy a batch of credit card numbers online, or you can easily hire a fraudster.
So you can tell the fraudster, “Look, I want to buy this. How much?” And the guy’s going to say that it’s one third of the regular price. And what’s he’s going to do is that he’s going to go there and try to have something delivered to you using a stolen credit card.
Yeah, I got you. I got you. And two things that caught my attention of what you’re saying. The first one is, in the second story of yours, you mentioned an employee. So the enemy could be among us and we’re not even seeing. And the second thing is thinking about those examples, the fraudsters are very aware of the fraud prevention tools, and they are always trying to play against those tools.
And what are some of the ways to move around it? I mean, I know that we have an important element of our process that includes many revisions, meaning a human being behind the decisions of blocking some orders. So what’s the role of a manual review process in this world where we’re talking about fraudsters trying to play the system a little bit?
I think it’s basically, as we always say, the human needs to look the things that machines could be overlooking. So even if an order has all the positive signs, it doesn’t always necessarily mean it’s a good order. So the human can be looking at factors that, even if it’s one factor that is weird about an order, that’s where he needs to be looking at to make sure that there is nothing weird.
So just to give you an example. Let’s assume I have a normal order — everything matches, the address matches the cardholder. However, the construction of the email, it’s not normal, so it could be a little weird. That could be something that a machine might not easily find. However, a human analyst would find it suspicious and could then move toward investigating the order a bit more. And the challenge is, obviously when you have a team of analysts, the challenge then becomes looking at those orders carefully enough, but obviously always with the intention of making sure that all the good orders are approved.
Yeah. Yeah. It sounds like these fraud manual reviewers — they sound like a little bit to me like Ghostbusters. Like they’re trying to find the ghost. But they are also trying not to believe in stories that someone is just making up.
Speaking of the Ghostbusters and Halloween, I’d like to hear from you. What makes the holiday season so special when it comes to spikes in sales? What are the elements that make you guys in operations and anybody out there in fraud prevention teams and departments — what make the holiday season special? And what kind of different fraud patterns and what defers fraud prevention during the holiday season versus a regular period of the year?
Well, I think the first one, and that’s a huge belief of ours, is that during holiday season, the ghosts are harder to catch. Because usually what we know is that in volume terms, the fraud level will not increase. However, a lot of good customers will be buying in your stores. This means that in percentage levels, the fraud is lower, which also means that they are harder to find. It’s like finding needle in a haystack, but it’s a huge needle that if you let go, can cause you a lot of trouble.
This is our challenge: Finding this needle without putting all the haystack on fire. That’s a big challenge for fraud prevention when it comes to the holiday season. And I think that now this year, the challenge is going to be even bigger, because we’re in the middle of this huge digital transformation. So right now, expectations for this holiday season are huge, so fraud teams need to make sure they are up to par with it.
And again, we’re talking a little bit of unpredictability about it. It’s hard to tell what’s the direction that next month and the next couple of months will take us when it comes to volumes, after all that happened throughout this year.
Unpredictability is always something that we’re used to when it comes to fraud prevention.
Rafael Lourenco: Yeah. We’ve got to be used to that. Well, Bruno, I think it was very illuminating, our conversation today. Thank you for the answers.
What an excellent conversation between Rafael and Bruno. And as we wrap up today, remember that many reviews and analytics are two ways that merchants can reduce their fraud costs. In addition, as you reduce chargebacks, make sure you’re not increasing your false declines. And also know that false declines are proving to be even more an expensive problem for merchants.
If you’d like to know more about how to prevent ecommerce fraud, visit our website. We have a ton of resources dedicated to this topic that can help you on your ecommerce journey at www.clear.sale. If you have any questions or would like to suggest a topic that you’d like to cover, send us an email at email@example.com.
Thanks again for listening to Gateway to Ecommerce Podcast, where global ecommerce leaders discuss challenges, best practices, new tech, and secrets to success. Subscribe to our podcast on Apple Podcasts, Spotify, or Google Play, and leave us a review. Join us again for episode 10, where our Executive Vice President, Rafael, continues to discuss ecommerce with a focus on the jewelry industry. See you next time.
For more ecommerce insights, visit us on our website at www.clear.sale.