The Fraud Risks of Buy Now Pay Later Orders

“Buy now pay later” (BNPL) solutions are quickly gaining adoption as consumers look for new financing options and merchants aim to drive sales. More than one-third of shoppers in the United States and the United Kingdom use BNPL options, including half of the Gen Z and millennial generations.

In addition, as many as 30% of Australian adults now have one or more Buy Now Pay Later accounts, which makes for roughly 5.8 million users nationally.

How Consumers See the Buy Now Pay Later Option

The BNPL option provides a comforting financing option for those who need it. 

Consumers see BNPL as an option to:

  • Avoid paying credit card interest
  • Make purchases that ultimately would not fit their budget
  • Borrow money without a credit check
  • Purchase if the consumer dislikes using credit cards
  • Circumvent getting approved for a credit card
  • Purchase because their current credit cards are maxed out

One commonality within the ever-growing list of BNPL providers is that they mainly offer ‘no fraud liability’ to the merchants they service. Many merchants see this as a reason to give the green light to processing all BNPL orders, no matter how risky they may otherwise look. 

While BNPL orders may not result in direct chargeback costs to the merchant, there may be indirect consequences for merchants that process all such orders.

A Closer Look into BNPL

BNPL services are growing at a rate of 39% a year, with their market share set to double by 2023. By then, 3% of global e-commerce spend will be through BNPL services. Furthermore, 85% of consumers who have used BNPL services plan to continue doing so in the future.

BNPL is here to stay, so merchants should understand the ins and outs of the process and how BNPL fraudsters can affect their business.

Brand Impact

If fraudsters discover that they can successfully place BNPL orders on your site without being detected, the chances are they’ll publicize this on both the dark web and more public forums. This publicity of being ‘wide open’ can make your store a target for additional fraudulent orders and other types of fraud, including regular credit card fraud.

The simplicity and increasing adoption of BNPL orders can leave merchants exposed and vulnerable to unpredictable fraud losses and a negative PR outlook from brand loyalists.


The threats BNPL solutions pose to payment incumbents—including card networks and issuers—are growing, and recommendations for vendors vary by vertical, location, processes, and everything in between.

Differing Fraud Detection

BNPL providers will naturally only fraud screen BNPL orders. Without a holistic view of all orders, BNPL orders that match a store’s unique fraud pattern might not be identified and stopped. 

Fraudsters will use these alternative payment methods to obtain a merchant’s products when no other method is available to them.

Fraudsters are usually very smart. They know merchants may assume orders created with certain payment methods have no fraud liability to them and auto-approve those orders (per existing business practices). So, fraudsters will place their initial order attempt via one of these companies to establish legitimacy as a customer. 

Once that order goes through, many merchants and fraud systems will consider that customer a ‘trusted’ customer. The fraudster will then change the payment method on that account and make additional orders with actual stolen credit card information.

BNPL Whitelisting Fraud Pattern

A specific fraud pattern involving BNPL orders is increasing in popularity. The pattern contains the following steps:

  1. A fraudster places a couple of low-value BNPL orders with a merchant.
  2. The merchant processes the BNPL orders without proper fraud screening, as they know they will not be liable if it is a fraudulent order.
  3. The fraudster then places a high-value credit card order with a stolen credit card.
  4. The merchant approves and processes the high-value credit card order, as they view the shopper as a trusted repeat customer.
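The four steps above translate into a screening rule that checks what a customer's "trusted" status actually rests on before a card order inherits it. The sketch below is an added example, not code from this article or from NoFraud; the field names, thresholds and sample orders are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the article).
HIGH_VALUE = 500.00                  # card order size treated as high-value
JUMP_FACTOR = 3                      # new order vs. largest prior order
HISTORY_WINDOW = timedelta(days=30)  # how far back prior orders are considered


@dataclass
class Order:
    customer_id: str
    placed_at: datetime
    amount: float
    payment_method: str  # "bnpl" or "card"
    screened: bool       # True if the merchant's own fraud screening ran


def whitelisting_signals(new_order, prior_orders):
    """Return the reasons a card order matches the BNPL whitelisting pattern."""
    if new_order.payment_method != "card":
        return []
    recent = [
        o for o in prior_orders
        if o.customer_id == new_order.customer_id
        and timedelta(0) < new_order.placed_at - o.placed_at <= HISTORY_WINDOW
    ]
    if not recent:
        return []  # first-time customer: there is no inherited trust to abuse
    reasons = []
    # Steps 1-2: the whole purchase history is BNPL and was never screened.
    if all(o.payment_method == "bnpl" for o in recent):
        reasons.append("history_is_bnpl_only")
    if not any(o.screened for o in recent):
        reasons.append("no_prior_order_was_screened")
    # Step 3: a card order far larger than anything the customer bought before.
    largest = max(o.amount for o in recent)
    if new_order.amount >= HIGH_VALUE and new_order.amount >= JUMP_FACTOR * largest:
        reasons.append("high_value_jump")
    return reasons


def decide(new_order, prior_orders):
    """Step 4 countermeasure: repeat-customer status never skips screening."""
    reasons = whitelisting_signals(new_order, prior_orders)
    action = "manual_review" if len(reasons) >= 2 else "standard_screening"
    return action, reasons


def day(n):
    return datetime(2024, 3, n, 12, 0)


# Constructed sample data.
HISTORY = [
    Order("c-1001", day(1), 25.00, "bnpl", False),
    Order("c-1001", day(4), 40.00, "bnpl", False),
    Order("c-2002", day(2), 300.00, "card", True),
    Order("c-2002", day(6), 450.00, "card", True),
]
SUSPECT = Order("c-1001", day(10), 1200.00, "card", False)
REGULAR = Order("c-2002", day(11), 600.00, "card", False)

if __name__ == "__main__":
    for order in (SUSPECT, REGULAR):
        print(order.customer_id, decide(order, HISTORY))
```

The rule only works if BNPL and card orders are visible in the same order history, which is the holistic view the previous section says BNPL-only screening lacks.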

The fraud departments of many BNPL providers are now in a position of playing catch up. Some providers are altering their contracts to place more onerous conditions on merchants regarding fraud liability. It is essential for merchants to pay close attention to these conditions and to be as prepared as possible to meet those conditions.

Merchants Need to Consider the Risks

Merchants need to understand that before approving and processing all BNPL orders, they must consider the above risks and not disregard suspicious orders.

With BNPL, fraud rates may rise because merchants may loosen their fraud techniques for the sake of acquiring the sale. As a result, cybercriminals will gravitate toward merchants that have less fraud protection to find the path of least resistance.

There is no overarching approach other than ensuring your fraud detection techniques evolve and adapt to the growing market to avoid getting blindsided by evolving cyber-attacks.



Reroute Fraud – The Growing eCommerce Problem


A Guest Post by Fraud Expert Alexander Hall 

Summer is here. What does this mean for merchants?

The data from our friends over at NoFraud paints a clear picture: during Summertime, fraudsters kick into gear rerouting, intercepting, or hijacking packages of products relevant to summer activities. This concept is nothing new, as the needs of fraudsters are the same as ours. Fraudsters are constantly evolving their tactics to target hot items, and this changes with the emergence of new trends, seasons, releases, and technology upgrades. 

This specific shift in fraudulent directives affects merchants of many industries as the seasonal products range from pool equipment to clothing and apparel, to BBQ accessories, and more. 

Below I have outlined four methods employed by fraudsters and what merchants can do to reduce their exposure and mitigate losses. 

The Methods: 

During my time spent on the other side of the fence, I observed four primary methods used by bad actors to obtain goods illegally. 

Non-Fraud Methods

  1. Package Hijacking

The first method is most familiar. Legitimate customers place orders using legitimate payment methods, but the items are stolen after delivery. Criminals will go as far as to follow the routes of delivery trucks and brazenly pull up to houses and steal the package. Criminals operating in this way are known as porch pirates. The porch pirates have no idea of the contents of the package but are willing to risk jail time to find out. The increase in purchases of summer-related items contributes to the uptick in losses identified by NoFraud.

The theft of legitimate packages isn’t so much fraud as it is blatant theft. However, the result is the same for the merchant. Chargebacks for these events are received and coded as “unfulfilled” or “item not received.”

Fraud Methods

The remaining methods are actual fraud. Each of these methods employs different tactics and therefore produces different flags for the merchant to identify. But all of these methods involve the following steps:

– Obtain payment information. 

There are two primary ways for a fraudster to obtain payment information. They can obtain stolen information or establish new payment information and leverage that data. For this article, we will stick to stolen payment information, which is the most common. 

When a fraudster establishes new cards or accounts, they have likely put in the effort to manipulate the necessary information so that they don’t need to redirect successful transactions. When effective fraudsters establish new lines of credit, they tend to use additional techniques in order to associate new addresses with the identity that they are targeting. This results in matching billing and shipping information that the fraudster dictates. 

Fraudsters obtain stolen payment information in many ways, the most prominent channel being Dark Web exchanges. Fraudsters will search various Dark Web forums and purchase stolen information. The information obtained on the Dark Web can include card numbers, account holder names, CVVs, billing addresses, and more. Alongside the payment information are step-by-step instructions for how to complete orders. The information in the instructions may include information that can increase the chances of circumventing fraud filters. 

– Place the order. 

By following the instructions found on the dark web and plugging in the stolen payment information, the fraudster places the order. Fraudsters will often filter through billing addresses on the Dark Web forums to purchase card information local to their operation. This is where the first and least reliable method comes into play. 

  2. Shipping Items to a Non-Billing Address

In this method, the fraudster follows the instructions found online. They enter accurate and complete payment information but use a different shipping address. The instructions found online indicate that the shipping address can be within a threshold of “X km” from the billing address before an escalation is triggered. Then, the fraudster places the order, taking advantage of merchants that employ rules-based fraud prevention, and the order is shipped.

  3. Adjusting Shipping Information After Checkout, Before Shipment

The third method involves social engineering against the merchant’s customer service team. When placing the order, the fraudster plugs in the correct payment information as well as the shipping address to match the billing. If this satisfies merchants’ fraud prevention guidelines, the order is usually confirmed. Then, expecting the fulfillment to take a few days, the fraudster calls customer service or submits an urgent ticket, requesting that the shipping address be adjusted. 

This tactic can effectively bypass the fraud prevention analysis employed during checkout and takes advantage of a company’s desire to satisfy the needs and requests of its customers. The shipping address is changed, the order is processed, the shipping label (with the new, unrelated address) is printed, and the package is shipped. 
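One way to close the gap this third method relies on is to bind the checkout approval to the address that was screened, so any later change invalidates the approval until the order is screened again. The sketch below is an added example, not code from this post or from NoFraud; the class, function names, status values and addresses are constructed assumptions.

```python
from dataclasses import dataclass, field


def normalize(addr: str) -> str:
    """Canonicalise case, punctuation and spacing so cosmetic edits compare equal."""
    cleaned = "".join(ch if ch.isalnum() else " " for ch in addr.lower())
    return " ".join(cleaned.split())


@dataclass
class FulfilmentOrder:
    order_id: str
    billing_address: str
    shipping_address: str
    screened_shipping: str = ""  # address the checkout-time decision covered
    status: str = "pending"
    audit: list = field(default_factory=list)


def approve_at_checkout(order):
    """Record which address the fraud decision was made for."""
    order.screened_shipping = order.shipping_address
    order.status = "approved"


def request_address_change(order, new_address, channel, chargeback_addresses):
    """Apply a customer-service address change and return the resulting status."""
    order.audit.append((channel, order.shipping_address, new_address))
    order.shipping_address = new_address
    new_norm = normalize(new_address)
    if new_norm == normalize(order.screened_shipping):
        return order.status  # formatting-only edit, approval still applies
    if new_norm in {normalize(a) for a in chargeback_addresses}:
        order.status = "blocked"            # address tied to earlier chargebacks
    else:
        order.status = "hold_for_rescreen"  # checkout decision no longer valid
    return order.status


def complete_rescreen(order, approved):
    """Result of screening the order again with its current address."""
    if approved:
        order.screened_shipping = order.shipping_address
        order.status = "approved"
    else:
        order.status = "cancelled"
    return order.status


def can_print_label(order):
    """Fulfilment gate: ship only to the address that was actually screened."""
    return (order.status == "approved"
            and normalize(order.shipping_address) == normalize(order.screened_shipping))


# Constructed sample data.
CHARGEBACK_ADDRESSES = ["7 Harbor Way, Unit 3, Rivertown"]
HOME = "12 Oak St., Springfield"


def demo():
    results = []
    order = FulfilmentOrder("o-1", HOME, HOME)
    approve_at_checkout(order)
    results.append(request_address_change(
        order, "12 OAK ST SPRINGFIELD", "phone", CHARGEBACK_ADDRESSES))
    results.append(request_address_change(
        order, "99 Dock Rd, Rivertown", "ticket", CHARGEBACK_ADDRESSES))
    results.append(can_print_label(order))
    results.append(request_address_change(
        order, "7 harbor way unit 3 rivertown", "phone", CHARGEBACK_ADDRESSES))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the gate compares the label address with the screened address, it also catches an address edited directly in the order system without going through the change handler.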

  4. Adjusting Shipping Information with the Courier Service

The fourth and final method takes place after the package has been shipped and leverages social engineering against the courier service. As with the third method, the fraudster inputs all of the correct and matching billing and shipping information during checkout. Once the tracking information has been received, the fraudster contacts the courier service and uses any number of justified reasons to ask them to hold the package at the post office. For instance, they may say that an emergency came up and their cousin will pick up the package. After providing the postal worker with the information for the “Pickup Person,” the conversation ends. 

The Systems of Manipulation

Before we talk about the steps you can take to prevent fraud, let’s pull back from the granular view of the methods and identify how the fraudster is manipulating existing systems to achieve their goals. 

For the first and simplest method, the criminal drives around and watches for unattended packages. The “system” that is being manipulated is on the level of the general public, people who don’t collect their packages immediately upon delivery. 

In the second method, the fraudsters take advantage of e-commerce systems that haven’t yet employed even the most basic fraud prevention measures. Not all orders with mismatching billing and shipping information will be fraudulent. However, if left unchecked, this can wreak havoc, resulting in enormous losses for the merchant.   

Alternatively, in the third method, the fraudsters identify that an effective fraud prevention system is in place. Instead, they attack the merchant based on its customer satisfaction policies. The needle on the gauge indicating merchant security and customer satisfaction is stuck at 90 degrees, allowing fraudsters to assume the guise of legitimate customers to adjust orders. 

Using the fourth method, which is the most reliable method, the fraudsters understand that the merchant is well-equipped and knowledgeable regarding the processes in their system. The checkout form has additional verifications in place behind the scenes, and the customer service team cannot be duped into making changes during the fulfillment process. 

Because the merchant’s systems are robust, the fraudster engages with the next system down the line and associates a new identity with the order for pickup. The value of assigning a supposed brother-in-law, sister-in-law, or cousin is that the name can be anything. Historically speaking, the postal service does not employ investigational services to challenge this information.

This is an escalation process employed by effective fraudsters. By moving the exploit further and further down the line and finally moving the exploit out of the merchant’s hands entirely, effective fraudsters can maintain a high success rate. This is but one example of many forms of fraud that are becoming more and more evident with each shift or passing cycle.

What can be done? 

There are four critical elements to an effective fraud prevention strategy: knowledge, data, monitoring, and more data.

Knowledge of the internal processes and hand-offs within your company is an essential part of your fraud-prevention strategy. It is helpful not to think of instances as “transactions” but as “transfers of value.” The reason for this is simple: Fraudsters are not limited to exploits centered around cash, checks, and cards. Therefore, your fraud prevention strategy shouldn’t be either. By identifying your transfers of value, you have a great starting point for envisioning your fraud prevention policies and processes. All that is left is to fill in the blanks. 

Data is shared at lightning speed among service providers and publications. Stay up to date with the information that identifies emerging trends.  As your company grows outward into new territories, new systems, and new processes, become aware of emerging threats so you can arm yourself against them. 

Monitoring the performance of your company will give you insight worth its weight in gold. Monitor where attempts have been identified in your own operations and report them so that you can raise awareness within your organization. 

This can seem like a truckload of effort, trial and error, and man-hours…and it is. This is where service providers step into the picture with:

More Data is available for operations who look for it. Public information is powerful on its own. It tells us what to keep our eyes open for. But proprietary information is golden. By partnering with effective fraud prevention solution providers, merchants can leverage a symphony of proprietary data. Service providers use experienced personnel to orchestrate and manage the lifespan of your transactions by referencing a myriad of past information. They then use this data to make the best assertion against suspicious transactions, resulting in an operable balance between merchant security and customer satisfaction. 

How Do Service Providers Do This? 

Consider the first method that I outlined above. By tracking a data-rich network of CNP Merchants who report chargebacks for stolen packages, a part of the analysis might result in the cross streets or zip code being flagged, with action taken to recommend using signed delivery. The data of the merchant network allows for the merchant to be aware of the risk prior to experiencing losses.

Consider the second method: billing and shipping mismatch. By scrutinizing every mismatch, a company runs the risk of prolonging or even canceling good orders in its attempt to catch the bad ones. This risks damaging the relationship with good customers. However, by employing the data from an extended merchant network, analysts may reveal past purchases that fit this pattern. Perhaps a parent orders a gift for the child, a boss for an employee, or brother for a sister, a friend for a friend. You don’t know for sure, but global data networks can help thin the fog. 

With the third method, the “customer” requests to change the shipping address to one different from the billing address. The ‘new’ address likely isn’t in your system. Is it in the merchant network? Are there chargebacks associated with it? It’s unlikely that you will find the answer to these questions in your data, but you can tap into the merchant network of your service provider to find them.

Service providers can also respond to the fourth method by taking a proactive approach. By tapping into reports of past occurrences, service providers cross-reference relevant information with numerous data points from sources ranging from social media to utility services providers to courier services.

By partnering with a fraud prevention service provider like NoFraud, you get access to more data sources and software that operates behind the scenes to automate your transaction analysis. Coupled with a well-informed decision-making process, merchants can rest easy knowing that their operation has the right balance of customer satisfaction and transaction security. 

A Peek into the Mysterious Dark Web

You’ve probably heard of the “dark web.” If you’ve ever wondered where a stolen credit card turns up after a cyberattack against a company or financial institution, that’ll be the place. But what exactly is the dark web and what does it look like? And do you know what risk it poses to your business?

The internet is composed of billions of web pages spread across millions of web servers worldwide. Only a small percentage of those pages are accessible through a conventional search engine like Google. Known as the “open web,” this collective of data makes up about 5% of the total internet.

The other 95% is called the “deep web” and consists of web pages that are designed to evade a search engine’s algorithm. Think of your email inbox or your online banking account—a Google search won’t pull them up. Everything from internal business networks to confidential academic journals are out of reach. Web pages on the deep web aren’t necessarily nefarious or illegal. They’re mostly where private user activity goes on daily.

Then there’s the “dark web.” It’s a very small, concealed part of the deep web that’s made up of sites accessible only with specialized web browsers and other software. Although the dark web has legal uses, it also attracts cybercriminals that wish to conduct activity beneath police radar. Hackers often sell stolen personal identity and company information, as shown in this screenshot of a page featuring a menu of consumers’ payment data for purchase. Notice how they may also provide a card holder’s ZIP code, SSN (social security number), DOB (date of birth) and other intimate details that’ll fool an inexperienced fraud analyst into thinking nothing is amiss when the card is used.

A screenshot from the Russian Market, a forum that specialises in carding and related services. Picture: VMware Carbon Black Source: Supplied


Although it isn’t a direct threat, the dark web is where fraudsters acquire stolen credit cards so they can attack your online store. NoFraud helps businesses thwart this threat by using a combination of human intelligence and AI-powered, multi-layered fraud screening technology to instantly detect and block fraudulent orders in real-time, eliminating chargebacks and boosting order approval rates.


Beware of the renewed ‘bait and switch’ fraudster scheme

A harmful fraud scheme from the past has recently reemerged—ready to strike merchants when their defenses are low. Here’s what you need to know.

Everyone loves the revival of an old classic. Except when it comes to fraud.

Recently, fraudsters have revived a conniving scheme that can lead to chargebacks on high-value purchases. With the holiday season just around the corner and fraudsters gearing up to take advantage of the vulnerable, it’s especially important to make sure you don’t become a victim. And that starts with knowing how it works and what signs to look out for.

How it works:

It begins with the fraudster stealing the cardholder’s information. (Usually, they have access to all of the cardholder’s cards, indicating that the cardholder was likely hacked.) The fraudster then uses the cardholder’s real name, phone number, and address—but usually a brand new email address—to place a high-value order. Since most of the information used is legitimate, the order is not detected as fraudulent.

As if that’s not bad enough, here’s where it gets really insidious.

The fraudster, posing as the company from which the order was placed, sends an email to the cardholder requesting that they confirm the purchase—and asking whether they’re happy with their item. (The email address usually does not include the company’s legitimate domain.) Alternatively, the fraudster may call the cardholder on the phone using a fake company number.

The cardholder responds that they did not order the item and, seeing the charge on their card, realizes their card has been compromised. However, they believe the fraudster is a legitimate rep from the company and will help them resolve the issue. The fraudster then “helpfully” provides the cardholder with “return labels,” promising a refund when the order is returned. When the item arrives at the cardholder’s address, they unknowingly ship the item directly to the fraudster—never to see their money refunded.

Just like that, the merchant receives a chargeback and loses the high-value item.

Here are a couple of tips to minimize your chances of falling victim to this kind of fraudulent behavior.

1. In most of these cases, fraudsters test multiple cards until they find one with a sufficient balance for the high-value order. If you see multiple card attempts on orders, that should raise a red flag.

2. On high-value orders, verify the legitimacy of the email address used to make the purchase.
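Both tips can be checked automatically against payment attempt logs before an order reaches manual review. The sketch below is an added example, not code from this article or from NoFraud; the log format, field names, thresholds and sample lines are constructed assumptions, and treating "email never seen before" as the signal for tip 2 is one possible proxy for the brand-new address described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions, not values from the article).
WINDOW = timedelta(minutes=30)  # look-back before an approved order
MIN_DISTINCT_CARDS = 3          # cards tried within the window
HIGH_VALUE = 1000.00            # only high-value approvals are examined

# Constructed sample log. "card" is a tokenised card fingerprint, never a PAN.
SAMPLE_LOG = """\
2024-11-20T10:01:05 email=m.ortega.orders@mail.example card=fp_a1 amount=1899.00 result=declined
2024-11-20T10:02:40 email=m.ortega.orders@mail.example card=fp_a2 amount=1899.00 result=declined
2024-11-20T10:04:12 email=m.ortega.orders@mail.example card=fp_a3 amount=1899.00 result=declined
2024-11-20T10:06:30 email=m.ortega.orders@mail.example card=fp_a4 amount=1899.00 result=approved
2024-11-20T11:15:00 email=lee@customer.example card=fp_b1 amount=1250.00 result=declined
2024-11-20T11:16:10 email=lee@customer.example card=fp_b1 amount=1250.00 result=approved
2024-11-20T12:00:00 email=sam@customer.example card=fp_c1 amount=45.00 result=declined
2024-11-20T12:01:00 email=sam@customer.example card=fp_c2 amount=45.00 result=declined
2024-11-20T12:02:00 email=sam@customer.example card=fp_c3 amount=45.00 result=approved
"""
# Constructed: emails already present in the merchant's customer history.
KNOWN_EMAILS = {"lee@customer.example", "sam@customer.example"}


def parse(line):
    """Turn one 'timestamp key=value ...' line into a record."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = float(rec["amount"])
    return rec


def flag_card_testing(log_text, known_emails):
    """Flag high-value approvals preceded by attempts on several different cards."""
    by_email = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            by_email[rec["email"]].append(rec)

    alerts = []
    for email, recs in sorted(by_email.items()):
        recs.sort(key=lambda r: r["ts"])
        for ok in recs:
            if ok["result"] != "approved" or ok["amount"] < HIGH_VALUE:
                continue
            window = [r for r in recs
                      if timedelta(0) <= ok["ts"] - r["ts"] <= WINDOW]
            cards = {r["card"] for r in window}
            declines = sum(r["result"] == "declined" for r in window)
            # Tip 1: several different cards tried until one had enough balance.
            if len(cards) >= MIN_DISTINCT_CARDS and declines >= 1:
                alerts.append({
                    "email": email,
                    "approved_at": ok["ts"].isoformat(),
                    "amount": ok["amount"],
                    "distinct_cards": len(cards),
                    "declines": declines,
                    # Tip 2: the order email has no history with the store.
                    "new_email": email not in known_emails,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_card_testing(SAMPLE_LOG, KNOWN_EMAILS):
        print(alert)
```

A repeated decline on the same card, as in the second customer's lines, does not trigger the rule, so a mistyped CVV on a legitimate order is not sent to review.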

The downside to these solutions is that they require a careful manual review of all orders. If you’re looking for a fraud detection solution that’s less time-consuming, more efficient, and delivers decisions with the highest level of accuracy, NoFraud may be a perfect fit for your business.

NoFraud’s proprietary software combines machine learning technology with human expertise to guarantee safe checkout, detect and prevent fraud, and eliminate the risk of chargebacks. In the rare case that a chargeback manages to slip through our system, you’re covered by our 100% Chargeback Protection Guarantee.


What You Need to Know About Ecommerce Fraud and Fraud Detection

Online shopping has been increasing significantly in popularity over the past decade. By 2021, it’s estimated that around 17.5 percent of all retail sales will occur through online storefronts. While online shopping has been very popular for quite some time, it has become the main method of shopping for many consumers since the COVID-19 pandemic began. Unfortunately, the prevalence of online shopping has also brought about a significant rise in fraud on various online eCommerce platforms like Magento, Shopify, and WooCommerce. If you manage an online store on one of these platforms, it’s important that you look into fraud detection and prevention methods to ensure that customer information is kept safe and secure.

Fraud Is On the Rise

While online shopping has been highly popular for many years, the ongoing threat of the COVID-19 pandemic has caused consumer behavior to shift in a variety of ways, which has itself caused attackers to alter their approaches when it comes to committing fraud. For instance, food delivery has become much more commonplace, which is why fraudsters have focused on this industry in recent months. Some of the top examples of fraud in the online shopping industry include:

  • Draining loyalty points that can be resold on the dark web
  • Stealing financial and credit card information
  • Committing account takeover attacks
  • Placing orders for services or goods through accounts that have been hacked

The rise in fraud also correlates with changes that online merchants have been making in recent months to account for the increase in online shopping. For instance, many of these merchants are making regular changes to their online applications, which invariably causes more vulnerabilities and bugs to occur when the applications go live. Before you focus on implementing WooCommerce or Shopify fraud prevention techniques, it’s essential that you understand why fraud is occurring more regularly and what the modern trends are with online shopping fraud.

Modern Trends in Ecommerce Fraud

Along with the types of attacks mentioned previously, attackers have been using highly sophisticated bots that are able to solve the CAPTCHA programs that many site owners implement to bolster security. A CAPTCHA is typically used to ensure that the individual entering into their account is a human instead of a bot. However, recent advancements allow this form of security to be bypassed. It’s also important to understand that many of the attacks that have been taking place are focused on APIs as well, which means that they are no longer solely centered around the website itself.

When malicious traffic is sent to a website, it’s typically sent in spikes that occur throughout periods of 24-48 hours. During these sustained spikes, the levels of malicious traffic are significantly higher than those of legitimate traffic from actual users of the website. Unless websites are ready for the changes that have occurred with online shopping fraud, instances of successful fraud will be much more likely to occur.

While fraud is increasing in practically every area of online shopping, there are three separate targets that have had the most sizable percentage increases in fraud, which include home furnishings, online fashion, and food delivery. When looking specifically at home furnishings, account takeover attacks have been especially prevalent and have occurred at a rate of four times higher than before the pandemic. Keep in mind that attackers aren’t solely focusing on the top 50 retailers. With home furnishings, fraud attacks occur on small company websites as well.

As for online fashion, high-end fashion moved quickly from brick-and-mortar stores to online websites back in February and March. Since that time, items like cosmetics, clothing, and sportswear have had a substantial rise in site traffic. Because these items have increased in popularity, fraud attempts have also become more prevalent. It’s possible for an online fashion website to obtain seven times more malicious traffic than legitimate traffic in the same time period. Loyalty card attacks are also very common with online fashion since many of the primary retailers in the industry have loyalty programs.

When looking specifically at food delivery, restaurants and businesses that offer these services have seen increases in food delivery that range from 70-200 percent. Because of this heightened popularity, websites are finding it more difficult to implement security features that are equipped to handle new users and the distinct behavior patterns that come with them. Account takeover attempts are particularly common within the online food delivery industry.

These trends in online shopping fraud indicate that new security measures will need to be implemented by online shopping websites and platforms if they want to avoid being the recipient of successful fraud attempts. While the presence of COVID-19 explains why fraud is occurring at an ever-increasing rate, customers won’t be happy if they find that hackers are gaining access to their data or accounts. If you want to make sure that fraud doesn’t occur with your website, it’s important that you take the necessary steps to bolster your website security.

Common Techniques of Payment Fraud

There are six basic types of online shopping fraud that you should be aware of, which include:

– Identity theft
– Clean fraud
– Friendly fraud
– Triangulation fraud
– Affiliate fraud
– Merchant fraud

Identity theft is a very common form of fraud that allows the attacker to perform transactions through the shopping platform in question. In order to perform identity theft, attackers work to obtain credit card information, account information, or email addresses from their targets. Once they gain access to the right information, it’s possible for them to make purchases on your store under the name of a customer of yours.

Clean fraud refers to transactions on an online shopping platform that look legitimate but are actually fraudulent. Attackers will steal credit card information before inputting this information into an online shopping platform or website. This form of fraud is very difficult to detect. Friendly fraud occurs when a customer pays for an item but eventually initiates a standard chargeback, which they can do by claiming that their account details or credit card information were stolen. They will be reimbursed while also receiving the product in question.

Triangulation fraud is named as such because it uses three points of interest to commit fraud. For one, a fake storefront is created, which lists in-demand items at very affordable prices that are considerably lower than market value. When customers purchase one of these items, the attacker will gain access to address information and credit card data. From here, goods are purchased at another store before they are sent to the customer, which makes the transaction appear to be legitimate. The third aspect of triangulation fraud involves making many additional purchases with the use of the stolen credit card data. Because the initial order was legitimate, it can take some time for this form of fraud to be detected.

Affiliate fraud involves making money directly from an affiliate marketing program by falsely increasing signups and traffic data. As for merchant fraud, this form of fraud takes place when an order is made but the item is never shipped. If performed correctly, it can be very difficult for the customer to get their money back. If you manage an online shopping store or platform, you’ll want to take steps to bolster your eCommerce fraud prevention techniques.

Financial Impact of Fraud

Fraud will invariably have a significant impact on nearly all online shopping sites and businesses. Even if fraud is prevented, retailers spend anywhere from 5-10 percent of their annual budget on fraud prevention. Along with the overall costs of fraud management, it’s important to understand that online retailers must also deal with chargeback losses and false positives. If an attacker gains access to your website and steals credit card information from a high amount of your customers, your reputation will take a hit, which will invariably reduce your annual revenues as you work towards improving your reputation.

Keep in mind that false positives are transactions that are legitimate but flagged as fraudulent, which means that false positives reduce sales and damage your reputation among customers. It’s believed that upwards of 30 percent of transactions that are flagged as fraudulent are actually legitimate. While the overall costs associated with fraud prevention are high, they are much lower when compared to the costs that come with dealing with the aftermath of successful attacks against your website or platform.

How to Engage In Ecommerce Fraud Prevention

In order for your online storefront to be successful on a long-term basis, you will need to engage in eCommerce fraud prevention as well as fraud detection, the latter of which may help you stop fraud attacks before they are completed. There are a myriad of modern prevention capabilities that your business should look into if you want to be at the forefront of fraud prevention. By preventing a high percentage of fraud from taking place, you may garner a reputation as providing customers with a secure user experience, which is invaluable.

Fraudsters are becoming increasingly sophisticated with the kinds of attacks that they carry out. If you want to be on top of these issues, it’s very important that you make use of modern security techniques and methods. Some of the online fraud prevention techniques that you can use with your storefront include PCI-DSS, CVV, an anonymous proxy server, and various security services.

If you’re looking to engage in WooCommerce, Magento, or Shopify fraud prevention, one software service that you should consider is NoFraud, which is designed specifically to address concerns with eCommerce fraud. This particular software service can be connected with the top platforms for online storefronts, which include Magento, BigCommerce, Shopify, and WooCommerce. Unlike many software services that strive to reduce fraud, NoFraud aims to increase the number of approved transactions instead of focusing on blocking transactions. When implemented into your online storefront, this solution can effectively reduce false positives, which ensures that a higher number of legitimate transactions take place.

The top features that are available with NoFraud include:

  • The ability to screen phone orders
  • The ability to cancel chargeback protection with certain orders
  • Extensive email and phone support
  • Comprehensive reporting so that you can remain aware of any attempt at fraud that occurs on your website
  • The ability to create multiple user accounts
  • The ability to build lists of customers who are allowed on your website as well as customers who are denied from using your platform
  • Transaction insight

Once you have implemented this software into your online storefront, you should quickly notice a higher order acceptance rate, increased efficiency, and a significantly reduced chargeback cost.

Because of the rise in online shopping, fraud is prevalent across all shopping platforms like Shopify and Magento. While the COVID-19 pandemic is ongoing, you will likely notice an influx of customers who are shopping at your online storefront. In order to maintain your reputation and reduce the expenses that come with fraud, it’s essential that you focus on bolstering your fraud detection and prevention techniques. With the right software, you can prevent most fraud from occurring on your website, which ensures that your users are provided with a consistent and exemplary user experience. If you act today, you should be able to accommodate the increase in traffic to your website, which can help you keep successful attempts at fraud to a minimum.

eCommerce Fastlane Podcast: Protect Your Shopify Brand

NoFraud’s Director of Business Development, Shoshanah Posner, recently joined the eCommerce Fastlane podcast to discuss the latest fraud trends impacting eCommerce.

In this podcast, you will learn:
– Current fraudster landscape as it relates to data breaches, stolen card data, and synthetic identities.
– What is the Dark Web and what are people doing there?
– Reshipper fraud, triangulation fraud, mule fraud, and how you can protect yourself.

The podcast can be found here. Happy listening!

Preventing Chargebacks for Subscription Billing

Automated subscription payments are quite literally the gift that keeps on giving for eCommerce. Once you’ve acquired a customer, they’re much more likely to buy again and again. Especially popular among Millennials, subscription-based businesses are booming in practically every industry, from personal care products to toys to specialty foods.

Unfortunately, the subscription model also carries an elevated risk of chargebacks from fraudulent behavior. Chargeback sources generally fall into two categories: friendly fraud & criminal fraud. Each requires an effective fraud prevention solution. Let’s talk about ways you can prevent both.

How to Avoid Friendly Fraud Chargebacks
Friendly fraud is a misnomer. It occurs when a customer buys and receives a product, but then disputes the transaction through their bank. There is nothing friendly about this. The product and shipping fees are lost, and you’ll also get hit with a chargeback fee. If the chargeback rate hovers around 0.8%, the fees may set you back thousands of dollars.

It’s nearly impossible to eliminate friendly fraud. However, many subscription chargebacks occur when ethical customers simply don’t understand the subscription process or forget that renewal was due. You may be able to reach out to such customers before they dispute the transaction. Here’s how to reduce those unfriendly friendly fraud chargebacks:

1. Be easy to reach and offer stellar customer service.

According to Verifi, 86% of consumers that filed for a chargeback went straight to their banks without approaching the merchant first. Encourage direct communication with your customers by clearly displaying your customer support information on your website in a prominent location. Provide several convenient ways for them to get in touch (i.e., phone, email, chat, snail mail). When they call, go above and beyond to address their concerns, and cancel their subscription promptly if they ask you to.

2. Make canceling a subscription super simple.

If your cancellation process is confusing, annoying, or time-consuming, your frustrated customers may decide to cut to the chase and call the bank. To avoid this, ensure that canceling a subscription is simple and effortless for them. It’s beneficial to add an “Unsubscribe” button or link to the bottom of your emails or display it clearly on your website so that customers don’t resort to disputing a charge.

3. Be clear about how a free trial works and when it ends.

Your customers should be kept informed about how long their free trial will last and when they’ll be billed. Always send them a message before their trial ends reminding them that they are about to upgrade to the paid version. This will allow them to opt-out if they so choose.

4. Send a courtesy email before filling the first order.

When a customer subscribes, immediately send an acknowledgment email (this can be automated). If the customer has a change of heart or if the subscription purchase was made by mistake, this courtesy notification allows time to cancel. For the business, it mitigates the risk of friendly fraud chargebacks.

5. Notify subscribers before processing their recurring payment.

Subscribers appreciate a reminder message before their recurring payment processes. This can be via email, text message, or whichever way seems the most efficient for your business. It provides a window for them to either prepare for the charge or unsubscribe. While it may be discouraging to see one of your members opt out, the risk of incurring a friendly fraud chargeback is much more detrimental… trust us.

6. Match your billing descriptor to your company or product name.

It’s crucial to make your billing descriptor as close to your company name as possible. A “billing descriptor” is the merchant name that appears on your customer’s credit card statement next to each transaction. If a customer doesn’t recognize that name, they are more likely to dispute the charge.

How to Avoid Criminal Fraud Chargebacks
Data breaches occur almost weekly and stolen credit card information is widely available on the dark web. Fraudsters with sensitive information look for vulnerabilities in an online store’s fraud detection system. The subscription platform is an extremely common target because so many transactions happen simultaneously and criminals think that their activity will fly under the merchant’s radar. You may benefit from setting up a special fraud detection system specifically for subscriptions.

Although subscription transactions are susceptible to all types of fraud, the most typical scheme we have seen is “triangulation fraud.” What is triangulation? This type of fraud involves three parties: the fraudster, the innocent shopper, and the targeted eCommerce store (that’s you). Here’s how it works in four steps:

Step one: The fraudster creates an online store (often on eBay or Amazon) and offers high demand items for extremely low prices. In reality, he doesn’t have any inventory. He’s going to try to scam you into providing these items to the customer for him, instead.

Step two: An innocent, unsuspecting shopper places an order on the fraudulent online store and the fraudster receives payment for the items.

Step three: The fraudster uses stolen credit card data to purchase those same items from your legitimate website and submits the shipping address of the innocent shopper at checkout.

Step four: You ship the items directly to the customer that “purchased” them from the fraudster’s online store, who then receives the shipment from you and is none the wiser. Ultimately, the true credit card owner discovers an unauthorized transaction on his or her statement, and the bank issues a chargeback. You are left to deal with the aftermath. In this scenario, you’ve lost the merchandise (and shipping costs) and incurred chargeback fees (and possible penalties).

How can you protect yourself against criminal fraud chargebacks? Here are some important tips to keep in mind:

1. Look for inconsistencies.

Screen every order for potential signs of fraud. Signals of fraud may include unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Some signals of fraud may be that the billing address is different from the shipping address, the email address contains an unusual number of characters, or the order has an AVS mismatch. Monitor any changes in customer details and pay specific attention to phone numbers, emails, and shipping addresses – these could indicate fraud resulting from an account takeover.

For physical products, the period between an order being placed and when it is shipped allows sellers to check for fraud the old-fashioned way — by manually reviewing the transactions. For digital products like movies, software packages, mobile/cloud-based apps, e-gift cards, and ebooks, however, an automated fraud detection system is a critical tool. Buying digital goods involves an online transaction followed by an instant electronic delivery. There is typically a one-second window to spot and stop a fraudulent transaction. Many digital eCommerce businesses process millions of transactions per day, and when only 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more.

2. Install a fraud prevention service.

Screening orders manually can be a huge drain of time and resources. You may want to consider an automated solution that can do all the fraud vetting for you. Some even offer a chargeback guarantee, which means you’ll be compensated if a chargeback does slip through their system.

3. If a chargeback does occur, don’t forget to cancel the subscription.

While seemingly an obvious follow-up, we have seen this step missed and the chargebacks keep rolling in.

4. Don’t offer a completely free product.

Shy away from offering a completely free product in the hope that some customers will become long term customers. Sometimes fraudsters use bots to create multiple orders in an attempt to get as many free products as possible. Smart tactic, right?

Bots are often used to infect innocent devices or software with malware (malicious software). They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms. Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that you charge at least a shipping fee to disincentivize this behavior.
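The inconsistency checks from tip 1 above can be automated as a first-pass screen. The following is an added example, not NoFraud's code: the field names, the email-length threshold, and the AVS result letters (which vary by processor) are assumptions, and the sample orders are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: commonly used AVS result letters; exact codes vary by processor.
AVS_NO_MATCH = {"N"}
AVS_PARTIAL = {"A", "Z"}      # street-only or ZIP-only match
MAX_EMAIL_LOCAL_LEN = 25      # assumption: tune against your own order history

ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd",
                 "apartment": "apt", "suite": "ste", "drive": "dr"}


@dataclass
class Order:
    email: str
    phone: str
    billing_address: str
    shipping_address: str
    avs_code: str


@dataclass
class Profile:
    """Contact details already on file for an existing subscriber."""
    email: str
    phone: str
    shipping_address: str


def normalize_address(addr: str) -> str:
    """Lowercase, drop punctuation, and unify common abbreviations so that
    '12 Oak St.' and '12 Oak Street' compare as equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_phone(phone: str) -> str:
    """Keep only the last ten digits so formatting differences are ignored."""
    return re.sub(r"\D", "", phone)[-10:]


def screen_order(order: Order, profile: Optional[Profile] = None) -> list:
    """Return the names of the inconsistency signals present on an order."""
    signals = []
    if normalize_address(order.billing_address) != normalize_address(order.shipping_address):
        signals.append("billing_shipping_mismatch")
    code = order.avs_code.strip().upper()
    if code in AVS_NO_MATCH:
        signals.append("avs_mismatch")
    elif code in AVS_PARTIAL:
        signals.append("avs_partial_match")
    if len(order.email.rsplit("@", 1)[0]) > MAX_EMAIL_LOCAL_LEN:
        signals.append("email_unusual_length")
    if profile is not None:
        # Changes to contact details on an existing account may point to takeover.
        changed = []
        if order.email.strip().lower() != profile.email.strip().lower():
            changed.append("changed_email")
        if normalize_phone(order.phone) != normalize_phone(profile.phone):
            changed.append("changed_phone")
        if normalize_address(order.shipping_address) != normalize_address(profile.shipping_address):
            changed.append("changed_shipping_address")
        signals.extend(changed)
        if len(changed) >= 2:
            signals.append("possible_account_takeover")
    return signals


def decide(signals) -> str:
    """Hold an order for manual review instead of declining it, so a single
    weak signal (such as a gift address) does not become a false positive."""
    hard = {"avs_mismatch", "possible_account_takeover"}
    if hard & set(signals) or len(signals) >= 2:
        return "manual_review"
    return "approve"


# Constructed sample data.
HOME = "12 Oak Street, Apt 4, Springfield, IL 62704"
SAMPLE_PROFILE = Profile("dana@example.com", "(555) 010-2000", HOME)
ORDER_OK = Order("dana@example.com", "555-010-2000",
                 "12 Oak St. Apt 4 Springfield IL 62704", HOME, "Y")
ORDER_GIFT = Order("dana@example.com", "555-010-2000",
                   HOME, "9 Elm Road, Columbus, OH 43004", "Y")
ORDER_ATO = Order("xq7k2m9p4r8t1w6z3y5b0n2v4c8d1f@example.net", "555-010-9999",
                  HOME, "500 Harbor Drive, Unit 9, Newark, NJ 07102", "N")

if __name__ == "__main__":
    for name, order, prof in [("ok", ORDER_OK, SAMPLE_PROFILE),
                              ("gift", ORDER_GIFT, None),
                              ("takeover", ORDER_ATO, SAMPLE_PROFILE)]:
        found = screen_order(order, prof)
        print(name, decide(found), found)
```

Orders that trip the screen are routed to manual review, which fits physical goods; for instantly delivered digital goods the same function would have to run inside the checkout request.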

Unsubscribe from Subscription Fraud
User-friendly policies and some basic best practices will prevent many instances of chargebacks. What’s more, automating your fraud protection process will save you time, money, and labor (not to mention headaches). NoFraud is an option that is compatible with all Bold products. NoFraud’s automated fraud detection tools will interface with your integrated payments process and virtually eliminate chargebacks while keeping your approval rate high. If any chargebacks do occur, you’ll be fully reimbursed under a Chargeback Protection Guarantee.

To find out more about how NoFraud’s AI-powered solution can help your business and to try it for yourself, just send an email to

Update: How Is Online Fraud Trending?

Fraudsters and online stores have played an evolving game of cat-and-mouse ever since the first eCommerce platform was invented. In this article, we’ll talk about some of the latest emerging patterns of fraudulent behavior and what it’s costing businesses that don’t have an effective fraud prevention solution, so you can stay ahead of the curve.

Digital Goods and Why Fraudsters Love Them

The Risk Solutions True Cost of Fraud Report is a LexisNexis study that examines the growing trends in eCommerce sales fraud and the consequences for businesses of all types and sizes. According to a recent report, chargeback losses have increased by 60% among digital goods merchants.

“Digital goods” is a common term to describe any products that are stored, used, and distributed in an electronic format. Digital goods are typically delivered to the consumer via email or download from the Internet. They include products like movies, music files, software packages, cloud-based apps, eGift cards, audiobooks and ebooks. Due to their convenience and widespread popularity, the sale of digital goods is on the rise, and the fraud schemes that target them are as well.

One key factor responsible for the dramatic increase in this type of fraud is that fraudsters see the immediate delivery of digital products as a weakness they can exploit. When it comes to physical products, there is a timeline between when an order is placed and when it is shipped, which allows a seller to check for fraud the old-fashioned way — by manually reviewing the transaction. Buying digital goods, however, often involves an online transaction followed by an instant electronic delivery. Under such circumstances, a company typically has a window of less than one second to spot and stop a fraudulent transaction. Therefore, fraud screening must occur at the moment of purchase, which is impossible for businesses without an automated fraud detection solution linked with their integrated payments process.

Fraud prevention services use analytics to reveal unusual patterns that coincide with credit card fraud, money laundering, or loan fraud. Many eCommerce businesses process millions of transactions per day, and so if even 0.3 percent of those one-second windows are missed, large financial institutions may suffer losses of $10 million per year or more. In short: eCommerce businesses (especially large ones) must get a highly efficient automated fraud detection system.

Average # of Total Fraud Attempts Per Month

Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report

Credit Card Data Breaches Hurt eCommerce, Not Consumers

When it comes to preventing credit card fraud, eCommerce merchants must keep a very watchful eye. Fraudsters often obtain credit card information to make unauthorized purchases, but how do they gain access to this sensitive data? Two words: Data breaches. Data breaches in businesses and financial institutions are largely responsible for the continuous rise in sales fraud.

In 2014 and 2015, data breaches hit an all-time high, and we continue to see its effects today. The Identity Theft Resource Center noted that there were 786 data breaches in 2014, a 27.5% increase from 2013. Within the first six months of 2015, 436 data breaches exposed more than 135 million records. With so much personal data floating around on the dark web, it’s easy for a fraudster to find credit card information and execute an attack.

At first glance, it may seem that the customer is the victim of a data breach. However, customers who discover fraudulent activity are protected by their financial institution. All they need to do is file a dispute and get their money back. They can even freeze their credit to prevent identity theft. Merchants, however, are the ultimate victim.

The millions of dollars lost from chargeback fees can do serious damage to businesses. Some of the largest companies in retail such as Staples, Michaels, Neiman Marcus, Home Depot, Goodwill, and K-Mart, have been seriously harmed by data breaches. Other businesses like Dairy Queen, P.F. Chang’s, casinos, UPS, and large chain hotels have been hacked within the last few years.

To learn more about how stolen credit card information can sneak its way into your transactions, click here.

Combating Bot Attacks

There’s been a 33% increase in automated botnet activity since 2019. A bot or botnet is a network of compromised computers and similar devices controlled by one central server. Bot networks can consist of hundreds, thousands, and sometimes millions of computer devices being controlled by one source. Bots are often used to infect innocent devices or software with malware (malicious software). While the central “command” server can control the bot, they also have the worm-like ability to self-propagate. They are capable of causing major damage to individuals and businesses alike. A bot attack may consist of gathering passwords, identity theft, collecting financial information, DoS attacks, relaying spam, logging keystrokes, opening back doors on the infected computers, and exploiting back doors opened by viruses and worms.

Merchants need to be on high bot-alert when selling heavily discounted or free products. Sometimes fraudsters use these bots to create multiple orders in an attempt to get as many free products as possible. A smart tactic, right? Bot attacks are particularly active on Black Friday and Cyber Monday. We recommend that the merchant charge at least a shipping fee to disincentivize this behavior.

Synthetic Identity Fraud

Synthetic identity fraud is when fraudsters create fake identities by stealing Social Security numbers and coupling them with false information like names, addresses, and even dates of birth. This constitutes a serious threat to merchants because there is no identifiable culprit. Synthetic identity fraud can take years to detect, and it may even go unnoticed. It has become the fastest growing and most common financial crime in the United States. It cost banks $6 billion in 2016, with the average chargeback amounting to $15,000.

There are two methods that fraudsters use to create synthetic identities:

1. Manipulated Synthetics – This type of false identity is created from an individual’s real identity, but with limited changes made to their SSN and other personal information. This method is popular among people attempting to hide their credit card history in order to open a new line of credit, but it can also be used by fraudsters with malicious intent.

2. Manufactured Synthetics – Here, fraudsters collect bits and pieces of personally identifiable information (PII) from a group of real people and create a single fake identity. This is much more difficult to detect.

Identity fraudsters are capable of opening many accounts simultaneously. Then, they can use those accounts responsibly to build a credit score. When they rack up enough fraudulent charges, they use real credentials (used to create their fake identity) to pose as a fraud victim and get their credit line restored. Then, they use the additional credit to commit more theft.

Synthetic identity fraud is a complicated challenge, growing by the day. Solving this problem requires effective strategies that examine the core issue of identity legitimacy and typical outcomes. There needs to be a long and short term holistic prevention system capable of addressing the entire issue.

How Do You Determine the Cost of Fraud?

According to the LexisNexis Fraud Multiplier, the average cost of each dollar of fraud is now $3.13. This is up by 6.5% since 2019.

LexisNexis Fraud Multiplier

Source: LexisNexis Risk Solutions 2019 True Cost of Fraud Study E-commerce/Retail Report

To determine the “cost of fraud” companies should pay close attention to:

– Chargeback Fees: The chargeback fee was created to be a customer protection tool. Chargeback fees and refunds are taken from the merchant’s account automatically without any consultation. Merchants may dispute a chargeback if it’s illegitimate or fraudulent. However, the fees that come from the original chargeback will always remain the merchant’s responsibility.

– Penalty Fees: Penalty fees are primarily based on the percentage of chargebacks received in relationship to total sales. Merchants who exceed the allowed threshold are subject to penalties from both the card network and the acquirer.

– Merchandise redistribution: This is the process of planning, controlling, and managing the flow of merchandise from a vendor to a distribution center and then on to the store or customer. Rerouting along the way (due to fraud) can result in extra costs of thousands of dollars.

– Labor/investigation: Work and investigation in a fraud predicament take time, energy, and money (lots of it).

What Can You Do to Fight Chargebacks?

With the current fraud trends, the Risk Solutions True Cost of Fraud Report highlights the importance of using “more sophisticated fraud mitigation solutions”. It finds that “merchants who use a multi-layered solutions approach experience fewer issues and a lower cost of fraud.” A multi-layered approach to fraud defense may include some or all of the following: traditional verification solutions, automated fraud solutions, a one-time passcode, knowledge-based authentication, and/or digital verification and document verification.

To learn more about how NoFraud can help your business navigate these ever-evolving fraud trends, reach out via email to

What Is a Fraud Mule Attack and How Do I Prevent One?

A new fraud trend is developing in the eCommerce world, and it’s especially hard for most fraud detection solutions to catch. Known as a fraud mule attack, parcel mule scam, or reshipping scam, this notorious form of fraud harms innocent victims beyond the merchants that are scammed.

In this blog post, we’ll explain how fraud mule scams are operated, as well as tips on how you can keep your business safe and fight chargebacks.

Here’s how a fraud mule scam works:

1. The Promise

A scammer or group of scammers starts by recruiting unsuspecting accomplices. The scammer advertises a work-from-home position on a job board or social media site, promising a quick and easy way to make money as a gift wrapper, shipping inspector, packaging assistant, or similar title. All the applicants have to do, they are told, is receive packages to their home address and reship them to another address, often located in Eastern Europe or Nigeria. One study found that most shipping fraud scammers operated in or around Moscow, with ninety percent using mules living in America to ship packages to Russia.

When advertising the fake job opening, the scammer will often target low-income neighborhoods to take advantage of people desperate for more income. To the job applicants, the promise of earning a lucrative salary for performing simple and easy tasks must seem too good to be true—and it is.

2. The Setup

The fraudster hires one or more people, who will become his “mules,” or “drops,” as they are called by many scammers. Once they’ve chosen the mules, the fraudsters will collect their new hires’ personal information, ostensibly in order to pay them for their work. This usually includes their Social Security numbers, dates of birth, and banking information. Then, sophisticated fraudsters will add their “employee’s” billing address to the account of a stolen credit card via social engineering, using cards issued by banks with lax security.

3. The Purchase

Following instructions from his or her “boss,” the new “employee” will then make an expensive online purchase, unwittingly using the stolen credit card linked with their personal information. These purchases usually consist of valuable items that can easily be resold, such as consumer electronics.

From a fraud prevention standpoint, the order looks like a perfectly safe order. There is no detectable AVS mismatch; the customer’s billing address matches that on record at the bank, the shipping and billing addresses match and the name on the order is consistent with public records of where the “cardholder” lives.


In a simpler but slightly less fool-proof version of the same scam, the fraudster will pay for the purchase himself (using the stolen credit card), and use the fraud mule’s shipping address. The fraud mule doesn’t pay for the packages they receive, but because their address and personal information is being used, they still act as a buffer between the scammer and the stolen goods.

Other scammers will ask their “employees” to pay for shipping costs themselves, promising to reimburse them later. Since many fraud mule scammers are based overseas, the cost of reshipping orders can be significant for the mules being taken advantage of. Of course, the fraud mules never receive reimbursement for the money they lay out.

While some small-time fraudsters carry out the entire scam on their own, more serious criminals operate the scam as a service to other crooks. The “operators,” as they are known, set up a network of mules and then charge other scammers (known as “stuffers”) to reship packages through the mule network.

5. The Aftermath

The merchant processes and ships the order to the “employee,” who sends it on to the fraudster. The real owner of the credit card sees the fraudulent charges to his account and calls his bank. Eventually, the merchant receives a notification and a chargeback fee.

The consequences can be devastating. The merchant loses valuable merchandise and receives a chargeback. The unsuspecting “fraud mule” can be held legally accountable for trafficking stolen goods, and will usually receive no payment for his or her “work.” Most are unceremoniously fired within thirty days of being “hired,” as the scammer tries to avoid detection by cutting ties with his mules.

In the worst scenarios, the scammer will “pay” the mule with a fraudulent check or money order, made out for more money than has been promised. The mule will be told to keep the amount he or she has “earned” and transfer the difference back to the “employer.” The mule will deposit the bad check and send the difference to the scammer from his or her personal bank account, only to be held liable by the bank for the full amount when the check is discovered to be counterfeit.

Why is this type of fraud happening now?

Fraud mule scams typically require stolen payment credentials, which can be obtained by attacks from hackers. Given the rash of data breaches that have occurred in recent years, the new trend of delivery address fraud comes as no surprise. The Equifax data breach in 2017 exposed the data of 140 million Americans, including, in some cases, credit card numbers. In March of 2019, 106 million people in the United States and Canada had their records exposed. Included among the stolen data were 140,000 Social Security numbers and 80,000 linked bank account numbers.

These incidents are only two examples of a growing global problem. The market consultancy Juniper Research projects that the number of records stolen in data breaches will increase 22.5% per year through 2023, reaching a staggering 146 billion private records compromised. Each one of these stolen records can be used to place fraudulent orders, putting untold numbers of businesses and individuals at risk.

How will this fraud trend affect your business?

Fraud mule scams typically involve large orders, often in the thousands of dollars. Because the most sophisticated scammers link their employees’ data to stolen credit cards, the fraudulent orders appear perfectly legitimate to most fraud prevention systems.

With so much at stake, merchants need to be able to identify orders placed by mules. Even one chargeback can be devastating to the bottom line, especially for merchants with narrow profit margins. On the other hand, overcautious fraud-prevention solutions result in lost sales.

Traditional fraud-detection solutions can’t keep up

It’s hard to estimate the amount of fraudulent behavior that goes undetected every year, but there are always new schemes being developed by unscrupulous thieves. As new methods of fraud evolve, standard rules-based fraud-detection systems fall short, unable to stay ahead of the trends.

The fraud mule scam is a perfect example of a fraud trend designed to slip past a rules-based fraud prevention solution. Most machine learning systems would also fail to uncover it because no similar fraud tactics would have been in the labeled training data for the supervised learning systems.

What can you do to protect your business from fraud mule attacks?

To avoid losing valuable merchandise to fraud mule scammers, you’ll need to learn to spot the red flags that many such scams have in common.

 – Order Velocity:

Some scammers cut their mules loose (usually by pretending to fire them) after ordering and reshipping one large, expensive purchase. Many more scammers, however, try to send as many packages as possible through their mules before firing them, usually after about thirty days. That means you’ll see a sudden spike of orders to one address, all in a short period of time, from a customer who’s never done business with you before. If one of your customers (and especially a new customer) is ordering more frequently than is normal, consider it a red flag.

 – Income Disparity:

Fraud mule scammers need to find mules who are desperate enough for money, and limited enough in employment options, that they’ll jump at the chance to reship packages. For this reason, they tend to target low-income neighborhoods.

At the same time, scammers are interested in stealing expensive items with high resale value. If you notice that a customer has placed a particularly expensive order for delivery to a low-income neighborhood, look deeper. You might be looking at an order placed by a fraud mule.

– Delivery Address Mismatch:

If you’re suspicious that an order might be part of a fraud mule scam, look up the cardholder’s address. If the scammer hasn’t managed to add his mule’s information to the stolen credit card, you’ll see that the delivery address doesn’t match the cardholder’s address on file. If this is the case, you can call the number associated with the cardholder to confirm that they placed the order.

Beware, though: if you’re dealing with a very thorough scammer, you might find yourself talking to someone who was hired to impersonate cardholders for just that reason.
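The order-velocity red flag described above still applies when billing and shipping addresses match, because it looks across orders rather than at a single one. The following is an added example, not NoFraud's code: it groups orders by normalized delivery address over a sliding 30-day window and flags addresses where more than a threshold number of orders all come from newly created customer accounts. The field names, the threshold of three orders, and the sample orders are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=30)   # the page notes mules are usually dropped after about thirty days
MAX_ORDERS = 3                # assumption: orders per address per window before flagging


def address_key(addr: str) -> str:
    """Collapse case, punctuation, and spacing so variants of one address group together."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", addr.lower()).split())


def find_velocity_spikes(orders, window=WINDOW, max_orders=MAX_ORDERS):
    """Return one alert per delivery address that received more than
    `max_orders` orders inside `window`, all from customers first seen
    no more than `window` before their order."""
    recent = defaultdict(deque)   # address key -> orders still inside the window
    alerts = {}
    for order in sorted(orders, key=lambda o: o["placed_at"]):
        key = address_key(order["ship_to"])
        queue = recent[key]
        queue.append(order)
        # Evict orders that have aged out of the sliding window.
        while queue[0]["placed_at"] < order["placed_at"] - window:
            queue.popleft()
        all_new = all(o["placed_at"] - o["customer_since"] <= window for o in queue)
        if len(queue) > max_orders and all_new:
            previous = alerts.get(key)
            if previous is None or len(queue) > len(previous["order_ids"]):
                alerts[key] = {
                    "ship_to": key,
                    "order_ids": [o["order_id"] for o in queue],
                    "total": sum(o["total"] for o in queue),
                    "span_days": (order["placed_at"] - queue[0]["placed_at"]).days,
                }
    return list(alerts.values())


def make_order(order_id, day, since_day, ship_to, total, base=datetime(2024, 3, 1)):
    """Build a constructed sample order; days are offsets from an arbitrary base date."""
    return {"order_id": order_id,
            "placed_at": base + timedelta(days=day),
            "customer_since": base + timedelta(days=since_day),
            "ship_to": ship_to,
            "total": total}


# Constructed sample data: one reshipping-style address, one loyal customer, one ordinary new customer.
SAMPLE_ORDERS = [
    make_order("A-100", -60, -61, "77 Pine Ave, Unit 2, Dayton OH 45402", 310.0),   # outside window
    make_order("A-101", 0, 0, "77 Pine Ave Unit 2 Dayton OH 45402", 1499.0),
    make_order("A-102", 2, 0, "77 PINE AVE., UNIT 2, DAYTON, OH 45402", 1299.0),
    make_order("A-103", 5, 5, "77 Pine Ave, Unit 2, Dayton, OH 45402", 899.0),
    make_order("A-104", 9, 5, "77 pine ave unit 2 dayton oh 45402", 1999.0),
    make_order("A-105", 12, 12, "77 Pine Ave, Unit 2, Dayton OH 45402", 1149.0),
    make_order("B-201", 1, -700, "3 Lake Rd, Madison WI 53703", 45.0),
    make_order("B-202", 8, -700, "3 Lake Rd, Madison WI 53703", 52.0),
    make_order("B-203", 15, -700, "3 Lake Rd, Madison WI 53703", 38.0),
    make_order("B-204", 22, -700, "3 Lake Rd, Madison WI 53703", 61.0),
    make_order("C-301", 3, 3, "18 Birch Ct, Reno NV 89501", 240.0),
    make_order("C-302", 20, 3, "18 Birch Ct, Reno NV 89501", 180.0),
]

if __name__ == "__main__":
    for alert in find_velocity_spikes(SAMPLE_ORDERS):
        print(alert)
```

The long-standing customer at the second address places four orders in the window without being flagged, which keeps the check from penalizing legitimate repeat buyers.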

Nothing beats expert humans

Today, even with advanced fraud rules engines and machine learning, merchants still need experienced fraud analysts to catch the sharpest fraudsters out there. NoFraud fuses man and machine to create the most effective fraud detection system available to interface with your integrated payments process, ensuring peace of mind for you. It’s a solution that has seen tremendous success in combating the recent wave of fraud mule scams. Using NoFraud’s cutting-edge technology, our expert analysts spot the subtle clues across our customer data and react quickly, saving our clients millions in potential fraud losses.

To learn more about this new fraud trend and how NoFraud can help you protect your business, reach out via email to

From breach to checkout, how stolen credit card data gets into your orders

Once breached credit card data spills onto the dark web, it’s only a matter of time before some of that data trickles into your eCommerce site’s transaction volume. Never mind that you’ve plugged all possible leaks in your payment process. Fraudsters will gleefully water down your order form with credit card data stolen from elsewhere. If you’ve ever wondered how that data flows from its rightful owner, across the depths of the dark web, and into your orders, then you need to listen to The Online Fraudcast’s Episode 8–What Happens to Stolen Credit Cards.

No time to listen? We’ve broken out the highlights for you.

How does credit card data spill onto the dark web?

“Credit card numbers get compromised by any number of methods”, says Brett Johnson, Consultant at, and The Online Fraudcast’s co-host. It may be a large database hack, such as Target or Home Depot, a phishing attack targeting the easily deceived, or malware installed on brick-and-mortar stores’ POS systems. Or the data could be compromised on a smaller scale: card skimmers at gas stations, quick snapshots at restaurants, old-school theft of the mail, or fraudulent eCommerce sites (more on that later).

“The sad truth of it is that most of the time the people who are using stolen credit card data won’t be caught,” says Johnson, once known as the internet’s original godfather. “Credit card theft is probably the easiest crime for cyber criminals to commit. You don’t need a victim’s social security number, and there are more credit card numbers available on the dark web now than there ever have been. It’s no longer a problem that you can arrest your way out of.”

What happens to a credit card number when it’s stolen?

Its fate depends on whether it was part of a small- or large-scale breach.

In the case of small-time card skimmers or physical thieves, they’re likely to put the data up for sale within 24 to 48 hours. Ironically, because these numbers are breached piecemeal, it can take longer for the issuer to realize what’s happening. If the card’s owner isn’t vigilant, the useful lifespan of the card data can be longer.

Data lost in larger volumes takes longer to become available. A successful database breach or phishing campaign could yield millions of credit card numbers at a time. The perpetrators want to sell those numbers wholesale to distributors who will resell the data in smaller batches.

Before the distributors will buy the data, they need assurance that most of the numbers are valid. So, the breaching group will validate a small portion of the cards’ information. Non-profits’ donation forms are popular targets for validation, since the forms are designed to minimize the amount of friction for donors.

The validated data could appear for sale in as little as a week, or it could take months. It depends on whether an older batch of data has to sell first. Like your friendly neighborhood grocer, sellers want to move older product before making fresher batches available. Otherwise, they may not get any return on their work. Why?

“Large-batch data has a shorter lifespan because it’s sold to multiple different resellers who are selling it through many different channels,” says Johnson. “That data goes into use faster, and in multiple geographies. The card issuer is likely to notice the problem sooner and shut down all of the breached cards quicker.”

How many people are committing credit card fraud?

There’s no way to determine the absolute number of credit card fraudsters, but the dark web marketplaces offer some sense of scale.

By the time Johnson’s dark web forum, Shadowcrew, was closed down in 2004, he estimates the community counted 4,000 active members.

When AlphaBay was shut down in July 2017, it was the largest criminal network on the internet with 240,000 members (most of whom used the marketplace to buy drugs). Of those, Johnson estimates that up to 60,000 were active fraudsters.

(In a later episode of The Online Fraudcast, Johnson discusses the closure of Wall Street Market, which boasted 1.15 million user accounts at the time it was shut down. If we apply AlphaBay’s ratio of users to active fraudsters, that could mean over 250,000 people involved in credit card fraud.)

Big honeypots: one-day fire sales on no-name eCommerce sites

Remember the fraudulent eCommerce sites mentioned earlier? Here’s some public service announcement material for you: those sites harvest discount-chasing consumers’ credit card information. Karisse Hendrick, owner/principal consultant at Chargelytics Consulting and Johnson’s co-host, described pop-up scam eCommerce sites offering Black-Friday-like deals.

“I saw one site offering very expensive exercise watches with biometrics for a very steep discount, which wasn’t available anywhere else,” says Hendrick. “The site claimed to have just a few of each of these expensive items for ‘one day only.’ Aside from a few other items, it was a pretty sparse website. I’d never heard of the company before.”

This spurred Johnson to share how he would run such a scam, if he were still in the business of crime: “I would buy stolen credit card information to order high-value, in-demand items like those watches. Once I got those products in, I’d set up a merchant website and sell those products at a steep discount. It would take a little bit longer to monetize the stolen credit card data, but it would allow me to harvest all of my customers’ payment information. Plus, this preliminary phase would make my merchant website look more legitimate. Two months down the line I could buy more stolen credit card data, run that data through my merchant website, without needing any products, and cash out.”

eCommerce merchants caught in the middle

In this conversation, Hendrick is quick to point out that “Ecommerce merchants aren’t the ones losing their customers’ data, they just happen to be the platform by which criminals are monetizing stolen credit card data. There’s a big difference between where the data comes from and where the data is used.”

If you’re managing fraud in-house, then check out these timeless Fraud Prevention Tips Every eCommerce Merchant Should Know. There’s a good chance you’re spending more than is necessary to solve the problem. Find out how much fraud is costing your business.