eCommerce Fastlane Podcast: Protect Your Shopify Brand

NoFraud’s Director of Business Development, Shoshanah Posner, recently joined the eCommerce Fastlane podcast to discuss the latest fraud trends impacting eCommerce.

In this podcast, you will learn:
– Current fraudster landscape as it relates to data breaches, stolen card data, and synthetic identities.
– What is the Dark Web and what are people doing there?
– Reshipper fraud, triangulation fraud, mule fraud, and how you can protect yourself.

The podcast can be found here. Happy listening!

Preventing Chargebacks for Subscription Billing

Automated subscription payments are quite literally the gift that keeps on giving for eCommerce. Once you’ve acquired a customer, they’re much more likely to buy again and again. Especially popular among Millennials, subscription-based businesses are booming in practically every industry, from personal care products to toys to specialty foods.

Unfortunately, the subscription model also carries an elevated risk of chargebacks from fraudulent behavior. Chargeback sources generally fall into two categories: friendly fraud & criminal fraud. Each requires an effective fraud prevention solution. Let’s talk about ways you can prevent both.

How to Avoid Friendly Fraud Chargebacks
Friendly fraud is a misnomer. It occurs when a customer buys and receives a product, but then disputes the transaction through their bank. There is nothing friendly about this. The product and shipping fees are lost, and you’ll also get hit with a chargeback fee. If the chargeback rate hovers around 0.8%, the fees may set you back thousands of dollars.

It’s nearly impossible to eliminate friendly fraud. However, many subscription chargebacks occur when ethical customers simply don’t understand the subscription process or forget that renewal was due. You may be able to reach out to such customers before they dispute the transaction. Here’s how to reduce those unfriendly friendly fraud chargebacks:

1. Be easy to reach and offer stellar customer service.

According to Verifi, 86% of consumers that filed for a chargeback went straight to their banks without approaching the merchant first. Encourage direct communication with your customers by clearly displaying your customer support information on your website in a prominent location. Provide several convenient ways for them to get in touch (e.g., phone, email, chat, snail mail). When they call, go above and beyond to address their concerns, and cancel their subscription promptly if they ask you to.

2. Make canceling a subscription super simple.

If your cancellation process is confusing, annoying, or time-consuming, your frustrated customers may decide to cut to the chase and call the bank. To avoid this, ensure that canceling a subscription is simple and effortless for them. It’s beneficial to add an “Unsubscribe” button or link to the bottom of your emails or display it clearly on your website so that customers don’t resort to disputing a charge.

3. Be clear about how a free trial works and when it ends.

Your customers should be kept informed about how long their free trial will last and when they’ll be billed. Always send them a message before their trial ends reminding them that they are about to upgrade to the paid version. This will allow them to opt out if they so choose.

4. Send a courtesy email before filling the first order.

When a customer subscribes, immediately send an acknowledgment email (this can be automated). If the customer has a change of heart or if the subscription purchase was made by mistake, this courtesy notification allows time to cancel. For the business, it mitigates the risk of friendly fraud chargebacks.

5. Notify subscribers before processing their recurring payment.

Subscribers appreciate a reminder message before their recurring payment processes. This can be via email, text message, or whichever way seems the most efficient for your business. It provides a window for them to either prepare for the charge or unsubscribe. While it may be discouraging to see one of your members opt out, the risk of incurring a friendly fraud chargeback is much more detrimental… trust us.

6. Match your billing descriptor to your company or product name.

It’s crucial to make your billing descriptor as close to your company name as possible. A “billing descriptor” is the merchant name that appears on your customer’s credit card statement next to each transaction. If a customer doesn’t recognize that name, they are more likely to dispute the charge.

How to Avoid Criminal Fraud Chargebacks
Data breaches occur almost weekly and stolen credit card information is widely available on the dark web. Fraudsters with sensitive information look for vulnerabilities in an online store’s fraud detection system. The subscription platform is an extremely common target because so many transactions happen simultaneously and criminals think that their activity will fly under the merchant’s radar. You may benefit from setting up a special fraud detection system specifically for subscriptions.

Although subscription transactions are susceptible to all types of fraud, the most typical scheme we have seen is “triangulation fraud.” What is triangulation? This type of fraud involves three parties: the fraudster, the innocent shopper, and the targeted eCommerce store (that’s you). Here’s how it works in four steps:

Step one: The fraudster creates an online store (often on eBay or Amazon) and offers high demand items for extremely low prices. In reality, he doesn’t have any inventory. He’s going to try to scam you into providing these items to the customer for him, instead.

Step two: An innocent, unsuspecting shopper places an order on the fraudulent online store and the fraudster receives payment for the items.

Step three: The fraudster uses stolen credit card data to purchase those same items from your legitimate website and submits the shipping address of the innocent shopper at checkout.

Step four: You ship the items directly to the customer that “purchased” them from the fraudster’s online store, who then receives the shipment from you and is none the wiser. Ultimately, the true credit card owner discovers an unauthorized transaction on his or her statement, and the bank issues a chargeback. You are left to deal with the aftermath. In this scenario, you’ve lost the merchandise (and shipping costs) and incurred chargeback fees (and possible penalties).

How can you protect yourself against criminal fraud chargebacks? Here are some important tips to keep in mind:

1. Look for inconsistencies.

Screen every order for potential signs of fraud. Signals of fraud may include unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Some signals of fraud may be that the billing address is different from the shipping address, the email address contains an unusual number of characters, or the order has an AVS mismatch. Monitor any changes in customer details and pay specific attention to phone numbers, emails, and shipping addresses – these could indicate fraud resulting from an account takeover.

For physical products, the period between an order being placed and when it is shipped allows sellers to check for fraud the old-fashioned way — by manually reviewing the transactions. For digital products like movies, software packages, mobile/cloud-based apps, e-gift cards, and ebooks, however, an automated fraud detection system is a critical tool. Buying digital goods involves an online transaction followed by an instant electronic delivery. There is typically a one-second window to spot and stop a fraudulent transaction. Many digital eCommerce businesses process millions of transactions per day, and when only 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more.

2. Install a fraud prevention service.

Screening orders manually can be a huge drain of time and resources. You may want to consider an automated solution that can do all the fraud vetting for you. Some even offer a chargeback guarantee, which means you’ll be compensated if a chargeback does slip through their system.

3. If a chargeback does occur, don’t forget to cancel the subscription.

While seemingly an obvious follow-up, we have seen this step missed and the chargebacks keep rolling in.

4. Don’t offer a completely free product.

Shy away from offering a completely free product in the hope that some customers will become long-term customers. Sometimes fraudsters use bots to create multiple orders in an attempt to get as many free products as possible. Smart tactic, right?

Bots are often used to infect innocent devices or software with malware (malicious software). They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms. Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that you charge at least a shipping fee to disincentivize this behavior.

Unsubscribe from Subscription Fraud
User-friendly policies and some basic best practices will prevent many instances of chargebacks. What’s more, automating your fraud protection process will save you time, money, and labor (not to mention headaches). NoFraud is an option that is compatible with all Bold products. NoFraud’s automated fraud detection tools will interface with your integrated payments process and virtually eliminate chargebacks while keeping your approval rate high. If any chargebacks do occur, you’ll be fully reimbursed under a Chargeback Protection Guarantee.

To find out more about how NoFraud’s AI-powered solution can help your business and to try it for yourself, just send an email to shoshanah@nofraud.com.

Are Freight Forwarders a Red Flag for Fraudulent Behavior?

Receiving an order with a request for delivery to a “freight forwarder” or “reshipper” can make even the most experienced eCommerce merchant wary. For many online sellers, a freight forwarder is strongly associated with fraud—often, it’s assumed to be a fake address used by scammers—and for good reason.

In this blog post, we’re breaking down our most frequently asked questions about how to safely do business with customers that use freight forwarders, what you can do to identify fraud and fight chargebacks, and how NoFraud’s fraud prevention service can help protect you.

Q: What is a freight forwarder?

A: A freight forwarder, or reshipper, is a business that receives packages and reships them to a secondary destination. Many freight forwarders are international shippers, accepting packages from businesses in one country and sending them on to customers in another country.

Here’s an example of how it works: a customer places an order through your site and puts in the freight forwarder’s address as their shipping address. You accept payment from the customer and ship their order to the freight forwarder, and the freight forwarder loads it onto a shipping container and reships it to your customer.

Q: How can I tell if the shipping address on my order belongs to a freight forwarder?

A: An order shipped to a freight forwarder often contains a string of numbers and letters in the address field (for example: 321 Harbor Road Suite 303 #XYZ-56784567). The freight forwarder uses this number to keep track of which packages belong to which customer, or which shipping container they need to be repacked into.

If you look it up on Google Maps, a freight forwarder will typically appear as a storefront or warehouse. Because they often ship internationally, most freight forwarders are located at a country’s borders, and many are near large coastal shipping ports. Examples of popular locations for freight forwarders include Wilmington, Delaware; Portland, Oregon; and Miami, Florida.

There are publicly available lists of registered freight forwarding companies, so you can always research a shipping address and see if it comes up as a reshipper.

Q: Why are orders sent to freight forwarders considered high risk?

A: Many scammers use freight forwarders to disguise their fraudulent orders as valid ones. While shipping a package to Nigeria may raise some eyebrows, shipping a package to Doral, Florida is more likely to go unnoticed by a merchant’s fraud detection system. By hiding behind a reshipper’s address, these scammers hope to sneak past your defenses.

Using a freight forwarder’s address also protects the fraudster’s identity, as they can receive an item without revealing their true location. This is especially helpful for those who place orders using stolen credit card information.

Q: How do freight forwarder scams work?

A: Scammers have figured out a number of different ways to cheat merchants through reshipping fraud, also called delivery address fraud. Here are a few of the more common schemes:

The fake address, fake payment scam
The scammer places an order for delivery to a real reshipping company but pays with stolen or falsified information. By the time you’ve gotten a declined payment bank notification and a chargeback fee, the scammer has already received his order from the reshipper. It’s difficult to track him down because you don’t have his real billing or shipping information.

The fraud mule scam
Perhaps the most infamous form of reshipping fraud, the fraud mule scam takes advantage of innocent third parties. Scammers recruit people looking for legitimate work-from-home jobs as gift wrappers or shipping inspectors. The scammer places orders through your site (usually with stolen credit cards) and ships the packages to the clueless “gift wrappers.” They reship the items to the scammer, who takes possession of the goods without ever giving the merchant his real location or identity.

The fraud mule scam hurts a staggering number of innocent people: the merchant; the owner of the stolen credit card; and the “fraud mule,” the person who unknowingly reships stolen products. For a more in-depth description of this scam and how to spot it, check out our blog post on fraud mule scams.

The shipping costs scam
The scammer starts by inventing a fictional freight forwarding company. He may try to make it look credible by creating a fake website or by giving it a name that’s close to the name of a real freight forwarder.

He then places a large order with your business and asks that you deliver it to his “freight forwarder,” presenting it as a real company. He asks that you cover the cost of shipping and promises to reimburse you. Since the “freight forwarder” belongs to the scammer, he’ll keep any money you send him and then cut off contact.

Q: Are orders sent to freight forwarders ever safe?

A: Yes. There are plenty of genuine customers who use freight forwarders. For example, some use reshipping services when they want to order a product that can’t be shipped directly to their country.

Other international shoppers use freight forwarders to save money. Many people who live outside of the USA have a preference for American brands, which can be prohibitively expensive when purchased abroad. It’s sometimes cheaper to just order the items from American sites and reship them through a freight forwarder.

These authentic international clients can become your loyal customers, and they often place high-value orders. It would be a shame to decline doing business with them due to the risk of reshipping fraud.

Q: How do I distinguish between legitimate and fraudulent orders being shipped to freight forwarders?

A: While you should be cautious about orders shipped to freight forwarders, denying all shipments to reshippers will result in lost sales and hurt your bottom line—especially since the typical customer that uses a reshipper has a higher-than-average cart value. The key to successfully identifying fraudulent orders is to look at the other data points for clues.

These key data points include:

Use of a Proxy
IP proxies disguise a user’s internet connection. For a scammer, they’re a way to attempt to conceal their identity and pass as a legitimate customer.

IP Location
It often makes sense for international shoppers to use freight forwarders, for the reasons listed earlier in this blog post. It makes a lot less sense for a shopper in the US to ship to a freight forwarder when he or she could have accepted delivery directly, to his or her own address. An American IP address paired with an American freight forwarder could be a sign that the customer is only using the reshipper as a “fake address” to cover their tracks.

Do you have multiple orders with different customer names, but all with the same IP address? That’s a red flag. A scammer might be trying to pass himself off as several shoppers to avoid suspicion.

Billing address
Be cautious when an order is placed from a geographic area you don’t normally do business with, especially when the billing address doesn’t match the shipping address. Another consideration: an expensive order coming from a low-income area should put you on your guard. The order might be coming from a scammer, or a “freight mule” unknowingly working for a scammer.

Country where the credit card was issued
Many scammers use stolen credit cards from another country. If a customer’s credit card is from one country and their IP address is from another, there’s a higher risk that the order is fraudulent.

Email longevity
A brand new email account is a sign that your customer may be creating a fake identity to try and fool your fraud detection systems.

Customer order history
When a customer who’s done business with you over a long period of time orders to a reshipper, it’s usually a safe transaction. Be warier of first-time customers, especially when they place expensive orders.

Be suspicious of customers who place many orders in a very short period of time. It’s an unusual behavior for legitimate customers, but scammers often hit businesses with clusters of orders to the same address.

Reshipper history
Check to see if the reshipper has been flagged for fraud by other businesses. Can you find this address on a list of registered reshippers? Some fraudsters create fake reshipping businesses as part of their scams. Be suspicious of freight forwarders you’ve never heard of, especially if their websites seem phony or no one answers your requests for verification.

When you pay attention to these data points, it’ll be easier to spot inconsistencies that point to fraud.
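The data points above, together with the tracking-code clue from the earlier answer, written as a rule-based screen over constructed orders. This is an added example, not NoFraud's code; the regex, thresholds, signal names, sample orders and the registered-forwarder set are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Customer-tracking code such as "#XYZ-56784567" (shape taken from the
# example address in this post; the exact pattern is an assumption).
FORWARDER_CODE = re.compile(r"#\s*[A-Z]{2,5}-?\d{5,}", re.I)

# Constructed stand-in for a public list of registered freight forwarders.
REGISTERED_FORWARDERS = {"321 harbor road suite 303"}


@dataclass
class Order:
    order_id: str
    customer: str
    ship_address: str
    ship_country: str
    ip: str
    ip_country: str
    via_proxy: bool
    card_country: str
    email_age_days: int
    prior_orders: int
    amount: float
    placed_hour: int  # hours since the start of the review window


def forwarder_base(address):
    """Street part of a forwarder address, or None if no tracking code."""
    m = FORWARDER_CODE.search(address)
    return address[:m.start()].strip().lower() if m else None


def screen(orders, high_value=500.0, new_email_days=30, burst=3, burst_hours=24):
    """Map order_id -> list of risk signals, for forwarder-bound orders only."""
    names_by_ip = defaultdict(set)      # distinct customer names seen per IP
    hours_by_addr = defaultdict(list)   # order times per forwarder address
    for o in orders:
        names_by_ip[o.ip].add(o.customer.lower())
        base = forwarder_base(o.ship_address)
        if base is not None:
            hours_by_addr[base].append(o.placed_hour)

    results = {}
    for o in orders:
        base = forwarder_base(o.ship_address)
        if base is None:
            continue  # ordinary address: outside the scope of these rules
        # Orders to the same forwarder address close together in time.
        nearby = sum(abs(h - o.placed_hour) <= burst_hours
                     for h in hours_by_addr[base])
        checks = [
            ("unregistered_reshipper", base not in REGISTERED_FORWARDERS),
            ("proxy", o.via_proxy),
            ("domestic_ip_to_domestic_reshipper", o.ip_country == o.ship_country),
            ("shared_ip_multiple_names", len(names_by_ip[o.ip]) > 1),
            ("card_ip_country_mismatch", o.card_country != o.ip_country),
            ("new_email", o.email_age_days < new_email_days),
            ("first_time_high_value", o.prior_orders == 0 and o.amount >= high_value),
            ("order_burst", nearby >= burst),
        ]
        results[o.order_id] = [name for name, hit in checks if hit]
    return results


def needs_review(signals, threshold=2):
    """Hold the order for manual review once enough signals agree."""
    return len(signals) >= threshold


# Constructed sample orders (documentation IP ranges, invented names).
SAMPLE_ORDERS = [
    # Long-standing international customer using a registered forwarder.
    Order("A1", "Ana Souza", "321 Harbor Road Suite 303 #XYZ-56784567", "US",
          "203.0.113.10", "BR", False, "BR", 2000, 12, 900.0, 5),
    # Three "different" first-time customers, one IP, one unknown reshipper.
    Order("B1", "John Smith", "77 Dock Street Unit 9 #QRS-00412345", "US",
          "198.51.100.7", "US", True, "GB", 2, 0, 1200.0, 1),
    Order("B2", "Mary Jones", "77 Dock Street Unit 9 #QRS-00412345", "US",
          "198.51.100.7", "US", False, "GB", 1, 0, 1100.0, 2),
    Order("B3", "Lee Brown", "77 Dock Street Unit 9 #QRS-00412345", "US",
          "198.51.100.7", "US", False, "GB", 3, 0, 1300.0, 3),
    # Ordinary home delivery, not a forwarder address.
    Order("C1", "Pat Doe", "12 Elm Street", "US",
          "192.0.2.44", "US", False, "US", 900, 4, 60.0, 4),
]

if __name__ == "__main__":
    for order_id, signals in screen(SAMPLE_ORDERS).items():
        verdict = "REVIEW" if needs_review(signals) else "pass"
        print(order_id, verdict, signals)
```

No single signal decides the outcome: the forwarder address alone (order A1) passes, while the cluster of B orders is held because several independent data points agree.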

Q: How can NoFraud help?

A: NoFraud’s AI-powered fraud prevention solution interfaces with your integrated payments process to provide you with peace of mind. It gives you instant, automatic fraud decisions on all your orders, including those headed to freight forwarders. Our screening system analyzes all of the above data points and more (such as global blacklists, AVS mismatch detection, etc.) and lets you ship with confidence to your international clients while steering clear of the fraudsters out there.

To learn more about how NoFraud can help your business stay safe from freight forwarder scams, reach out to Shoshanah at shoshanah@nofraud.com.

Update: How Is Online Fraud Trending?

Fraudsters and online stores have played an evolving game of cat-and-mouse ever since the first eCommerce platform was invented. In this article, we’ll talk about some of the latest emerging patterns of fraudulent behavior and what it’s costing businesses that don’t have an effective fraud prevention solution, so you can stay ahead of the curve.

Digital Goods and Why Fraudsters Love Them

The Risk Solutions True Cost of Fraud Report is a LexisNexis study that examines the growing trends in eCommerce sales fraud and the consequences for businesses of all types and sizes. According to a recent report, chargeback losses have increased by 60% among digital goods merchants.

“Digital goods” is a common term to describe any products that are stored, used, and distributed in an electronic format. Digital goods are typically delivered to the consumer via email or download from the Internet. They include products like movies, music files, software packages, cloud-based apps, eGift cards, audiobooks and ebooks. Due to their convenience and widespread popularity, the sale of digital goods is on the rise, and the fraud schemes that target them are as well.

One key factor responsible for the dramatic increase in this type of fraud is that fraudsters see the immediate delivery of digital products as a weakness they can exploit. When it comes to physical products, there is a timeline between when an order is placed and when it is shipped, which allows a seller to check for fraud the old-fashioned way — by manually reviewing the transaction. Buying digital goods, however, often involves an online transaction followed by an instant electronic delivery. Under such circumstances, a company typically has a window of less than one second to spot and stop a fraudulent transaction. Therefore, fraud screening must occur at the moment of purchase, which is impossible for businesses without an automated fraud detection solution linked with their integrated payments process.

Fraud prevention services use analytics to reveal unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Many eCommerce businesses process millions of transactions per day, and so if even 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more. In short: eCommerce businesses (especially large ones) must get a highly efficient automated fraud detection system.

[Figure: Average # of Total Fraud Attempts Per Month. Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report]

Credit Card Data Breaches Hurt eCommerce, Not Consumers

When it comes to preventing credit card fraud, eCommerce merchants must keep a very watchful eye. Fraudsters often obtain credit card information to make unauthorized purchases, but how do they gain access to this sensitive data? Two words: Data breaches. Data breaches in businesses and financial institutions are largely responsible for the continuous rise in sales fraud.

In 2014 and 2015, data breaches hit an all-time high, and we continue to see their effects today. The Identity Theft Resource Center noted that there were 786 data breaches in 2014, a 27.5% increase from 2013. Within the first six months of 2015, 436 data breaches exposed more than 135 million records. With so much personal data floating around on the dark web, it’s easy for a fraudster to find credit card information and execute an attack.

At first glance, it may seem that the customer is the victim of a data breach. However, customers who discover fraudulent activity are protected by their financial institution. All they need to do is file a dispute and get their money back. They can even freeze their credit to prevent identity theft. Merchants, however, are the ultimate victim.

The millions of dollars lost from chargeback fees can do serious damage to businesses. Some of the largest companies in retail, such as Staples, Michaels, Neiman Marcus, Home Depot, Goodwill, and K-Mart, have been seriously harmed by data breaches. Other businesses like Dairy Queen, P.F. Chang’s, casinos, UPS, and large chain hotels have been hacked within the last few years.

To learn more about how stolen credit card information can sneak its way into your transactions, click here.

Combating Bot Attacks

There’s been a 33% increase in automated botnet activity since 2019. A bot or botnet is a network of compromised computers and similar devices controlled by one central server. Bot networks can consist of hundreds, thousands, and sometimes millions of computer devices being controlled by one source. Bots are often used to infect innocent devices or software with malware (malicious software). While the central “command” server can control the bots, they also have the worm-like ability to self-propagate. They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms.

Merchants need to be on high bot-alert when selling heavily discounted or free products. Sometimes fraudsters use these bots to create multiple orders in an attempt to get as many free products as possible. A smart tactic, right? Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that the merchant charge at least a shipping fee to disincentivize this behavior.

Synthetic Identity Fraud

Synthetic identity fraud is when fraudsters create fake identities by stealing Social Security numbers and coupling them with false information like names, addresses, and even dates of birth. This constitutes a serious threat to merchants because there is no identifiable culprit. Synthetic identity fraud can take years to detect, and it may even go unnoticed. It has become the fastest growing and most common financial crime in the United States. It cost banks $6 billion in 2016, with the average chargeback amounting to $15,000.

There are two methods that fraudsters use to create synthetic identities:

1. Manipulated Synthetics – This type of false identity is created from an individual’s real identity, but with limited changes made to their SSN and other personal information. This method is popular among people attempting to hide their credit card history in order to open a new line of credit, but it can also be used by fraudsters with malicious intent.

2. Manufactured Synthetics – Here, fraudsters collect bits and pieces of personally identifiable information (PII) from a group of real people and create a single fake identity. This is much more difficult to detect.

Identity fraudsters are capable of opening many accounts simultaneously. Then, they can use those accounts responsibly to build a credit score. When they rack up enough fraudulent charges, they use real credentials (used to create their fake identity) to pose as a fraud victim and get their credit line restored. Then, they use the additional credit to commit more theft.

Synthetic identity fraud is a complicated challenge, growing by the day. Solving this problem requires effective strategies that examine the core issue of identity legitimacy and typical outcomes. There needs to be a long- and short-term holistic prevention system capable of addressing the entire issue.

How Do You Determine the Cost of Fraud?

According to the LexisNexis Fraud Multiplier, the average cost of each dollar of fraud is now $3.13. This is up by 6.5% since 2019.

[Figure: LexisNexis Fraud Multiplier. Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report]

To determine the “cost of fraud” companies should pay close attention to:

– Chargeback Fees: The chargeback fee was created to be a customer protection tool. Chargeback fees and refunds are taken from the merchant’s account automatically without any consultation. Merchants may dispute a chargeback if it’s illegitimate or fraudulent. However, the fees that come from the original chargeback will always remain the merchant’s responsibility.

– Penalty Fees: Penalty fees are primarily based on the percentage of chargebacks received in relationship to total sales. Merchants who exceed the allowed threshold are subject to penalties from both the card network and the acquirer.

– Merchandise redistribution: This is the process of planning, controlling, and managing the flow of merchandise from a vendor to a distribution center and then on to the store or customer. Rerouting along the way (due to fraud) can result in extra costs of thousands of dollars.

– Labor/investigation: Work and investigation in a fraud predicament takes time, energy, and money (lots of it).

What Can You Do to Fight Chargebacks?

With the current fraud trends, the Risk Solutions True Cost of Fraud Report highlights the importance of using “more sophisticated fraud mitigation solutions”. It finds that “merchants who use a multi-layered solutions approach experience fewer issues and a lower cost of fraud.” A multi-layered approach to fraud defense may include some or all of the following: traditional verification solutions, automated fraud solutions, a one-time passcode, knowledge-based authentication, and/or digital verification and document verification.

To learn more about how NoFraud can help your business navigate these ever-evolving fraud trends, reach out via email to shoshanah@nofraud.com.

What Is a Fraud Mule Attack and How Do I Prevent One?

A new fraud trend is developing in the eCommerce world, and it’s especially hard for most fraud detection solutions to catch. Known as a fraud mule attack, parcel mule scam, or reshipping scam, this notorious form of fraud harms innocent victims beyond the merchants that are scammed.

In this blog post, we’ll explain how fraud mule scams are operated, as well as tips on how you can keep your business safe and fight chargebacks.

Here’s how a fraud mule scam works:

1. The Promise

A scammer or group of scammers starts by recruiting unsuspecting accomplices. The scammer advertises a work-from-home position on a job board or social media site, promising a quick and easy way to make money as a gift wrapper, shipping inspector, packaging assistant, or similar title. All the applicants have to do, they are told, is receive packages to their home address and reship them to another address, often located in Eastern Europe or Nigeria. One study found that most shipping fraud scammers operated in or around Moscow, with ninety percent using mules living in America to ship packages to Russia.

When advertising the fake job opening, the scammer will often target low-income neighborhoods to take advantage of people desperate for more income. To the job applicants, the promise of earning a lucrative salary for performing simple and easy tasks must seem too good to be true—and it is.

2. The Setup

The fraudster hires one or more people, who will become his “mules,” or “drops,” as they are called by many scammers. Once they’ve chosen the mules, the fraudsters will collect their new hires’ personal information, ostensibly in order to pay them for their work. This usually includes their Social Security numbers, dates of birth, and banking information. Then, sophisticated fraudsters will add their “employee’s” billing address to the account of a stolen credit card via social engineering, using cards issued by banks with lax security.

3. The Purchase

Following instructions from his or her “boss,” the new “employee” will then make an expensive online purchase, unwittingly using the stolen credit card linked with their personal information. These purchases usually consist of valuable items that can easily be resold, such as consumer electronics.

From a fraud prevention standpoint, the order looks like a perfectly safe order. There is no detectable AVS mismatch; the customer’s billing address matches that on record at the bank, the shipping and billing addresses match and the name on the order is consistent with public records of where the “cardholder” lives.

Variations:

In a simpler but slightly less fool-proof version of the same scam, the fraudster will pay for the purchase himself (using the stolen credit card), and use the fraud mule’s shipping address. The fraud mule doesn’t pay for the packages they receive, but because their address and personal information is being used, they still act as a buffer between the scammer and the stolen goods.

Other scammers will ask their “employees” to pay for shipping costs themselves, promising to reimburse them later. Since many fraud mule scammers are based overseas, the cost of reshipping orders can be significant for the mules being taken advantage of. Of course, the fraud mules never receive reimbursement for the money they lay out.

While some small-time fraudsters carry out the entire scam on their own, more serious criminals operate the scam as a service to other crooks. The “operators,” as they are known, set up a network of mules and then charge other scammers (known as “stuffers”) to reship packages through the mule network.

5. The Aftermath

The merchant processes and ships the order to the “employee,” who sends it on to the fraudster. The real owner of the credit card sees the fraudulent charges to his account and calls his bank. Eventually, the merchant receives a notification and a chargeback fee.

The consequences can be devastating. The merchant loses valuable merchandise and receives a chargeback. The unsuspecting “fraud mule” can be held legally accountable for trafficking stolen goods, and will usually receive no payment for his or her “work.” Most are unceremoniously fired within thirty days of being “hired,” as the scammer tries to avoid detection by cutting ties with his mules.

In the worst scenarios, the scammer will “pay” the mule with a fraudulent check or money order, made out for more money than has been promised. The mule will be told to keep the amount he or she has “earned” and transfer the difference back to the “employer.” The mule will deposit the bad check and send the difference to the scammer from his or her personal bank account, only to be held liable by the bank for the full amount when the check is discovered to be counterfeit.

Why is this type of fraud happening now?

Fraud mule scams typically require stolen payment credentials, which can be obtained by attacks from hackers. Given the rash of data breaches that have occurred in recent years, the new trend of delivery address fraud comes as no surprise. The Equifax data breach in 2017 exposed the data of 140 million Americans, including, in some cases, credit card numbers. In March of 2019, 106 million people in the United States and Canada had their records exposed. Included among the stolen data were 140,000 Social Security numbers and 80,000 linked bank account numbers.

These incidents are only two examples of a growing global problem. The market consultancy Juniper Research projects that the number of records stolen in data breaches will increase 22.5% per year through 2023, reaching a staggering 146 billion private records compromised. Each one of these stolen records can be used to place fraudulent orders, putting untold numbers of businesses and individuals at risk.

How will this fraud trend affect your business?

Fraud mule scams typically involve large orders, often in the thousands of dollars. Because the most sophisticated scammers link their employees’ data to stolen credit cards, the fraudulent orders appear perfectly legitimate to most fraud prevention systems.

With so much at stake, merchants need to be able to identify orders placed by mules. Even one chargeback can be devastating to the bottom line, especially for merchants with narrow profit margins. On the other hand, overcautious fraud-prevention solutions result in lost sales.

Traditional fraud-detection solutions can’t keep up

It’s hard to estimate the amount of fraudulent behavior that goes undetected every year, but there are always new schemes being developed by unscrupulous thieves. As new methods of fraud evolve, standard rules-based fraud-detection systems fall short, unable to stay ahead of the trends.

The fraud mule scam is a perfect example of a fraud trend designed to slip past a rules-based fraud prevention solution. Most machine learning systems would also fail to uncover it because no similar fraud tactics would have been in the labeled training data for the supervised learning systems.

What can you do to protect your business from fraud mule attacks?

To avoid losing valuable merchandise to fraud mule scammers, you’ll need to learn to spot the red flags that many such scams have in common.

– Order Velocity:

Some scammers cut their mules loose (usually by pretending to fire them) after ordering and reshipping one large, expensive purchase. Many more scammers, however, try to send as many packages as possible through their mules before firing them, usually after about thirty days. That means you’ll see a sudden spike of orders to one address, all in a short period of time, from a customer who’s never done business with you before. If one of your customers (and especially a new customer) is ordering more frequently than is normal, consider it a red flag.

– Income Disparity:

Fraud mule scammers need to find mules who are desperate enough for money, and limited enough in employment options, that they’ll jump at the chance to reship packages. For this reason, they tend to target low-income neighborhoods.

At the same time, scammers are interested in stealing expensive items with high resale value. If you notice that a customer has placed a particularly expensive order for delivery to a low-income neighborhood, look deeper. You might be looking at an order placed by a fraud mule.

– Delivery Address Mismatch:

If you’re suspicious that an order might be part of a fraud mule scam, look up the cardholder’s address. If the scammer hasn’t managed to add his mule’s information to the stolen credit card, you’ll see that the delivery address doesn’t match the cardholder’s address on file. If this is the case, you can call the number associated with the cardholder to confirm that they placed the order.

Beware, though: if you’re dealing with a very thorough scammer, you might find yourself talking to someone who was hired to impersonate cardholders for just that reason.
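The order-velocity and delivery-address checks above can be run over an order export. The Python below is an added example, not NoFraud's code: it marks orders for manual review rather than declining them. The field names, the three-order threshold and the sample orders are constructed assumptions, and shipping-versus-billing comparison stands in for the cardholder-address lookup.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)  # the article: mules are usually dropped after about thirty days
SPIKE_THRESHOLD = 3          # assumed: orders to one address inside WINDOW that count as a spike


def normalize(addr):
    """Lower-case and drop punctuation and extra spaces so trivial variants compare equal."""
    return re.sub(r"\s+", " ", re.sub(r"[^\w\s]", "", addr.lower())).strip()


def review_flags(orders):
    """Return {order_id: [flags]} for orders that deserve a manual look.

    orders: iterable of dicts with keys id, placed (datetime), ship_to, bill_to.
    """
    first_seen = {}              # address -> time of the first order ever shipped there
    recent = defaultdict(deque)  # address -> order times inside the trailing window
    flags = defaultdict(list)
    for o in sorted(orders, key=lambda o: o["placed"]):
        ship = normalize(o["ship_to"])
        first_seen.setdefault(ship, o["placed"])
        times = recent[ship]
        times.append(o["placed"])
        while o["placed"] - times[0] > WINDOW:
            times.popleft()
        # Spike to an address with no history older than the window: the pattern the
        # article describes. Established customers who order often are left alone.
        is_new_address = o["placed"] - first_seen[ship] <= WINDOW
        if is_new_address and len(times) >= SPIKE_THRESHOLD:
            flags[o["id"]].append("velocity")
        # Delivery address differs from the billing address given for the card.
        if ship != normalize(o["bill_to"]):
            flags[o["id"]].append("address_mismatch")
    return dict(flags)


def order(oid, day, ship_to, bill_to):
    """Build one constructed sample order placed `day` days after 2024-01-01."""
    placed = datetime(2024, 1, 1) + timedelta(days=day)
    return {"id": oid, "placed": placed, "ship_to": ship_to, "bill_to": bill_to}


# Constructed sample data (not real orders).
SAMPLE_ORDERS = [
    # Long-standing customer: three orders in ten days, but first order 60 days earlier.
    order("A1", 0, "12 Oak St, Springfield", "12 Oak St, Springfield"),
    order("A2", 60, "12 Oak St, Springfield", "12 Oak St, Springfield"),
    order("A3", 65, "12 Oak St, Springfield", "12 Oak St, Springfield"),
    order("A4", 70, "12 Oak St, Springfield", "12 Oak St, Springfield"),
    # Brand-new address, four orders in nine days, billing matches shipping.
    order("B1", 61, "98 Elm Ave. Apt 4, Dayton", "98 Elm Ave Apt 4, Dayton"),
    order("B2", 63, "98 Elm Ave. Apt 4, Dayton", "98 Elm Ave Apt 4, Dayton"),
    order("B3", 66, "98 Elm Ave. Apt 4, Dayton", "98 Elm Ave Apt 4, Dayton"),
    order("B4", 70, "98 Elm Ave. Apt 4, Dayton", "98 Elm Ave Apt 4, Dayton"),
    # Single order shipped somewhere other than the billing address.
    order("C1", 64, "5 Pine Rd, Reno", "700 Lake Dr, Austin"),
]

if __name__ == "__main__":
    for oid, reasons in review_flags(SAMPLE_ORDERS).items():
        print(oid, "-> manual review:", ", ".join(reasons))
```

The B orders show why velocity matters even when AVS is clean: billing and shipping agree, so only the spike to a new address stands out.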

Nothing beats expert humans

Today, even with advanced fraud rules engines and machine learning, merchants still need experienced fraud analysts to catch the sharpest fraudsters out there. NoFraud fuses man and machine to create the most effective fraud detection system available to interface with your integrated payments process, ensuring peace of mind for you. It’s a solution that has seen tremendous success in combating the recent wave of fraud mule scams. Using NoFraud’s cutting-edge technology, our expert analysts spot the subtle clues across our customer data and react quickly, saving our clients millions in potential fraud losses.

To learn more about this new fraud trend and how NoFraud can help you protect your business, reach out via email to shoshanah@nofraud.com

From breach to checkout, how stolen credit card data gets into your orders


Once breached credit card data spills onto the dark web, it’s only a matter of time before some of that data trickles into your eCommerce site’s transaction volume. Never mind that you’ve plugged all possible leaks in your payment process. Fraudsters will gleefully water down your order form with credit card data stolen from elsewhere. If you’ve ever wondered how that data flows from its rightful owner, across the depths of the dark web, and into your orders, then you need to listen to The Online Fraudcast’s Episode 8: What Happens to Stolen Credit Cards.

No time to listen? We’ve broken out the highlights for you.

How does credit card data spill onto the dark web?

“Credit card numbers get compromised by any number of methods,” says Brett Johnson, Consultant at AnglerPhish.com, and The Online Fraudcast’s co-host. It may be a large database hack, such as Target or Home Depot, a phishing attack targeting the easily deceived, or malware installed on brick-and-mortar stores’ POS systems. Or the data could be compromised on a smaller scale: card skimmers at gas stations, quick snapshots at restaurants, old-school theft of the mail, or fraudulent eCommerce sites (more on that later).

“The sad truth of it is that most of the time the people who are using stolen credit card data won’t be caught,” says Johnson, once known as the internet’s original godfather. “Credit card theft is probably the easiest crime for cyber criminals to commit. You don’t need a victim’s social security number, and there are more credit card numbers available on the dark web now than there ever have been. It’s no longer a problem that you can arrest your way out of.”

What happens to a credit card number when it’s stolen?

Its fate depends on whether it was part of a small- or large-scale breach.

In the case of small-time card skimmers or physical thieves, they’re likely to put the data up for sale within 24 to 48 hours. Ironically, because these numbers are breached piecemeal, it can take longer for the issuer to realize what’s happening. If the card’s owner isn’t vigilant, the useful lifespan of the card data can be longer.

Data lost in larger volumes takes longer to become available. A successful database breach or phishing campaign could yield millions of credit card numbers at a time. The perpetrators want to sell those numbers wholesale to distributors who will resell the data in smaller batches.

Before the distributors will buy the data, they need assurance that most of the numbers are valid. So, the breaching group will validate a small portion of the cards’ information. Non-profits’ donation forms are popular targets for validation, since the forms are designed to minimize the amount of friction for donors.

The validated data could appear for sale in as little as a week, or it could take months. It depends on whether an older batch of data has to sell first. Like your friendly neighborhood grocer, sellers want to move older product before making fresher batches available. Otherwise, they may not get any return on their work. Why?

“Large-batch data has a shorter lifespan because it’s sold to multiple different resellers who are selling it through many different channels,” says Johnson. “That data goes into use faster, and in multiple geographies. The card issuer is likely to notice the problem sooner and shut down all of the breached cards quicker.”

How many people are committing credit card fraud?

There’s no way to determine the absolute number of credit card fraudsters, but the dark web marketplaces offer some sense of scale.

By the time Johnson’s dark web forum, Shadowcrew, was closed down in 2004, he estimates the community counted 4,000 active members.

When AlphaBay was shut down in July 2017, it was the largest criminal network on the internet with 240,000 members (most of whom used the marketplace to buy drugs). Of those, Johnson estimates that up to 60,000 were active fraudsters.

(In a later episode of The Online Fraudcast, Johnson discusses the closure of Wall Street Market, which boasted 1.15 million user accounts at the time it was shut down. If we apply AlphaBay’s ratio of users to active fraudsters, that could mean over 250,000 people involved in credit card fraud.)

Big honeypots: one-day fire sales on no-name eCommerce sites

Remember the fraudulent eCommerce sites mentioned earlier? Here’s some public service announcement material for you: those sites harvest discount-chasing consumers’ credit card information. Karisse Hendrick, owner/principal consultant at Chargelytics Consulting and Johnson’s co-host, described pop-up scam eCommerce sites offering Black-Friday-like deals.

“I saw one site offering very expensive exercise watches with biometrics for a very steep discount, which wasn’t available anywhere else,” says Hendrick. “The site claimed to have just a few of each of these expensive items for ‘one day only.’ Aside from a few other items, it was a pretty sparse website. I’d never heard of the company before.”

This spurred Johnson to share how he would run such a scam, if he were still in the business of crime: “I would buy stolen credit card information to order high-value, in-demand items like those watches. Once I got those products in, I’d set up a merchant website and sell those products at a steep discount. It would take a little bit longer to monetize the stolen credit card data, but it would allow me to harvest all of my customers’ payment information. Plus, this preliminary phase would make my merchant website look more legitimate. Two months down the line I could buy more stolen credit card data, run that data through my merchant website, without needing any products, and cash out.”

eCommerce merchants caught in the middle

In this conversation, Hendrick is quick to point out that “Ecommerce merchants aren’t the ones losing their customers’ data, they just happen to be the platform by which criminals are monetizing stolen credit card data. There’s a big difference between where the data comes from and where the data is used.”

If you’re managing fraud in-house, then check out these timeless Fraud Prevention Tips Every eCommerce Merchant Should Know. There’s a good chance you’re spending more than is necessary to solve the problem. Find out how much fraud is costing your business.

NoFraud Partners with Cashier by Bold

NoFraud is pleased to announce an integration with Cashier, by Bold, available to our Shopify and BigCommerce customers.

“Cashier is a feature-rich global checkout solution designed to help your business scale. You can create a flawless shopping experience for your customers with advanced features such as Upsell after checkout, stored credit card accounts, the ability to sell in 150+ currencies, and much more. Best of all, our high converting one-page checkout can be fully customized to match your branding, complete with custom URL and design.”

CNP Fraud Will Hit... Are You Prepared?

Originally posted on Inside Retail Australia.

Increasingly complex card-not-present fraud will cost retailers US$130 billion globally in digital sales over the next five years.

A Juniper Research study predicts that retailers’ slow pace in keeping up with new fraud prevention requirements will allow cybercriminal practices to become more widespread as more and more consumers shop online. It observes that established point-of-sale vendors will need to move towards mobile POS technology in order to expand their reach into fresh markets and reduce their exposure to card-not-present fraud.

“A layered fraud detection and prevention (FDP) solution naturally helps directly preventing fraud, but it also offers major gains in terms of recovering potentially lost revenue through false positives,” said the report’s author Steffen Sorrell. “This is something about which retailers remain undereducated, and has allowed fraudsters to capitalise on relatively low FDP spend”.

An implication of the Juniper research is that a low understanding of FDP investment return is causing the low uptake of the technology. The report anticipates digital payment players will be spending $9.6 billion annually on FDP solutions by 2023.

Read the full article here.

The Truth About Gateway Filters

Many online merchants fight chargebacks by using payment gateway filters to protect their integrated payments processes from fraudulent behavior. What they may not realize is that these gateway filters are actually hurting their businesses by declining perfectly safe orders along with fraudulent ones.

In this blog post, we’ll walk you through the nitty-gritty of what payment gateways do, how you can use their filters to screen for fraud—and why you shouldn’t.

What is a Payment Gateway?

Payment gateways process online payments from credit and debit cards. They make online shopping possible by connecting and authorizing payments between eCommerce customers and merchants.

There are two main types of gateways: hosted and integrated.

Hosted Gateways:

Payment-processing companies like PayPal operate hosted gateways. The main benefit of using a hosted gateway to manage your transactions is that the hosting company is responsible for all compliance and security requirements to ensure safe checkout.

The downside is that your customers will have to leave your website to place their orders. They’ll be redirected to the gateway host’s website, which means that you won’t have full control over their entire online shopping experience.

A sense of disconnection can jolt a customer out of the shopping process prematurely.

Consider this example: a potential customer spends time browsing the products on your website, which you’ve carefully designed to run smoothly and reflect your brand. When he’s ready to check out, he is suddenly and unexpectedly rerouted to the gateway host’s website to finish processing his payment. Suppose your customer thinks that the gateway site is slower, less secure, or even less visually appealing than your own familiar website. In that case, he might just reconsider his purchase and abandon his cart.

Integrated Gateways:

Alternatively, integrated gateways can be built into your website so that your customers never have to leave your site during the payment process.

WooCommerce is an example of an integrated payment gateway. Like many similar services, WooCommerce integrates neatly into most websites. However, you’ll be charged a processing fee for each transaction, making it a costly choice for businesses that handle many small transactions.

Also, unlike their hosted counterparts, integrated gateways put the burden of data security on your business. They require some technical expertise to manage, so if you aren’t at least somewhat skilled at computer programming, you may need to hire a programmer to set up and maintain your payment gateway.

It’s important to choose the right payment gateway for your business. Again, if your customers don’t feel that their payment information is secure, or if they run into difficulties during the order process, they’re likely to abandon their carts and take their business elsewhere.

According to the 2016 American Express Digital Payments Security Survey, 42% of online shoppers reported that they had decided not to complete an order due to security concerns.

That number rises to 48% among members of Generation X (those born in the years between 1965 and 1980), and 50% of Millennials surveyed (those born between 1981 and 1996).

What is a Gateway Filter?

A gateway filter is a set of rules used by a payment gateway to identify and reject payments that seem likely to be fraudulent. To some extent, eCommerce merchants can usually set up and adjust the filters on the gateways they use to customize their specifications.

For example, you could set your gateway filter to deny all transactions with AVS mismatches—billing addresses that don’t match the addresses on file with the credit card company. You could also set your gateway filters to deny all transactions with CVV mismatches—when the card verification value does not match the code associated with the credit card—or block transactions from certain countries entirely.

Gateway filters are usually free to use and can be a decent fraud prevention tool for merchants who don’t experience much fraud. They’re far from a perfect solution, however.

What’s the Problem with Gateway Filters?

The selection of available rules is limited, so you can’t screen for every type of transaction fraud. The gateway filter rules are also not very flexible. This leaves the merchant with an unpleasant choice. They can set the rules too loosely and unintentionally allow fraudulent transactions to be processed, which results in lost merchandise and a costly chargeback fee. On the other hand, they can set the rules too strictly and decline legitimate transactions along with fraudulent ones.

A high false rejection rate can cost merchants heavily in lost sales, especially since rejected customers are likely to take their future business to a competitor. Advisory firm Javelin Strategy and Research found that 32% of legitimate customers whose transactions were declined by a merchant’s overcautious fraud-prevention filters never shopped with that merchant again.

“We estimate that in the U.S. alone, the value of false declines is more than thirteen times the total amount lost to actual card fraud,” says Al Pascual, senior vice president, research director, and head of fraud and security at Javelin.

Consider these Statistics:

– 3.6% of all eCommerce shoppers put in the wrong billing address when they check out. Standard fraud-detection filters will flag these orders with an “AVS N” error notification and decline the transaction, even though 91.9% of those orders are from legitimate customers.
– 6.7% of all eCommerce shoppers enter a billing address that’s only partially correct (leading to the error notification “AVS A,Z”). A full 98.1% of those orders are legitimate, but all of them will be denied by overzealous gateway filters.
– Similarly, 15% of all transactions do not have an exact CVV match. 98.7% of those orders are safe to ship, but you won’t ship any of them if your strict gateway filter declines them first.

By turning away good customers, your gateway filters could be forcing you to leave money on the table. Take a few minutes to check if you have those profit-killing settings for your filters turned on at your payment gateway. By switching them off, you can easily boost your order acceptance rate by more than 10%.
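To see what those percentages mean per rule, the Python below works them through for 10,000 orders. It is an added example, not NoFraud's code: the rule shares come from the statistics above, while the $30 margin and $250 loss per fraudulent order are constructed assumptions, and each rule is treated on its own because the article gives no overlap figures.

```python
# Figures quoted in the article:
# (share of all orders the rule hits, share of those orders that are legitimate).
ARTICLE_RULES = {
    "AVS N (wrong billing address)": (0.036, 0.919),
    "AVS A/Z (partial address match)": (0.067, 0.981),
    "CVV not an exact match": (0.15, 0.987),
}


def rule_impact(share_hit, share_legit, orders=10_000):
    """Split the orders a hard-decline rule rejects into good and fraudulent ones."""
    declined = orders * share_hit
    good = declined * share_legit
    fraud = declined - good
    return {
        "declined": declined,
        "good_declined": good,
        "fraud_blocked": fraud,
        # Good orders turned away per fraudulent order stopped. This is also the
        # break-even multiple: the rule only pays for itself if one fraudulent order
        # costs more than this many times the profit on one good order.
        "good_per_fraud": good / fraud,
    }


def net_dollars(impact, margin_per_order, loss_per_fraud):
    """Money gained (+) or lost (-) by hard-declining; both dollar inputs are assumptions."""
    saved = impact["fraud_blocked"] * loss_per_fraud
    forgone = impact["good_declined"] * margin_per_order
    return saved - forgone


def report(margin_per_order=30.0, loss_per_fraud=250.0):
    """Per-rule summary for 10,000 orders under the assumed dollar figures."""
    rows = {}
    for name, (share_hit, share_legit) in ARTICLE_RULES.items():
        impact = rule_impact(share_hit, share_legit)
        impact["net_usd"] = net_dollars(impact, margin_per_order, loss_per_fraud)
        rows[name] = impact
    return rows


if __name__ == "__main__":
    for name, r in report().items():
        print(
            f"{name}: {r['good_declined']:.0f} good orders declined to stop "
            f"{r['fraud_blocked']:.0f} fraudulent ones "
            f"({r['good_per_fraud']:.1f} to 1), net ${r['net_usd']:,.0f}"
        )
```

The calculation leaves out repeat business lost from declined customers, so the real cost of a hard-decline rule is higher than the net figure shown.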

Is Manual Review a Safe Substitute for Gateway Filters?

For many eCommerce businesses, achieving adequate security without turning away valid customers is impossible with their payment gateway filters. In this case, they’ll need to rely on a more accurate fraud detection solution.

Often, merchants will fight fraud with manual review, counting on employees to look through orders, spot the fraudulent ones, and decline them. However, manual review is an expensive and time-consuming solution, even when merchants choose to review only orders worth more than a certain dollar amount.

When engaging in manual review, business owners are stuck paying for countless hours of human resources, often hiring employees whose only job is to screen orders for fraud. These employees are still vulnerable to human error, especially when they don’t have access to all the available fraud-detection databases and technologies. Moreover, manual review can be relatively slow and tedious, resulting in delays when processing a high volume of orders.

What Can I Do to Protect my Business from Fraud if I’m not Relying on Gateway Filters or Manual Review?

A genuinely effective fraud detection system uses multiple layers of technology to analyze many data points from various sources and drastically reduces the need for manual review. 

Unfortunately, such systems tend to be prohibitively expensive, difficult to set up and maintain, and designed with large businesses in mind. For many smaller companies, these technology-driven solutions are not a viable or cost-effective option.

This is exactly why NoFraud was created. NoFraud’s automated fraud prevention service provides a layer of advanced protection between an eCommerce site’s shopping cart and its payment gateway, running quickly and smoothly in the background without slowing down the customer’s shopping experience.

NoFraud is also capable of reliably identifying when data mismatches are the result of honest customer errors. When typos are detected, NoFraud alerts customers instead of declining their orders, allowing them to correct their information and complete their purchases. That means you don’t lose out on a sale every time someone makes a mistake while typing in their billing address.

NoFraud is easy to use, affordable and adapts to keep up with evolving fraud threats. By comparing data gathered from all NoFraud users, NoFraud’s algorithm is able to spot emerging fraud trends and better protect all the merchants who rely on it.

There’s a human element to NoFraud, too. Our team of experts carefully monitors the declined transactions and makes sure that our software never turns away legitimate orders from your business. It’s the ideal fraud prevention solution, weeding out the fraudulent orders for you without compromising your bottom line in the process.

NoFraud is the perfect option for smaller businesses, requiring no monthly minimums and no long-term contracts. You can try NoFraud at no risk today. In just minutes, NoFraud’s powerful algorithm will integrate seamlessly into your payment system to keep your business safe from fraud and overcautious fraud-prevention filters.

To find out more about how NoFraud’s AI-powered solution can help your business and to try it for yourself, click our ‘Request a Quote’ button at the top of the page. 

NoFraud is now fully integrated with GiftWizard

Great news for our Shopify merchants!

NoFraud is now fully integrated with GiftWizard, Shopify’s leading app for Gift Cards, and the first automated Rewards and Cashback solution.

GiftWizard provides merchants with everything they need in order to manage, market and distribute Stored Value Cards. With GiftWizard, you can take your Gift Cards to the next level.

As of today, GiftWizard is involved in millions of transactions, including clients such as Chubbies, Kanye West, SF Chronicle, BuzzFeed and Miami Heat.

Learn more here, or contact their team at info@giftwizard.co.