In this post we explain why you should stop relying on blacklists for fraud prevention.
Managing eCommerce fraud operations is no easy task: between hiring, training, and managing a manual review team, monitoring approval rates, and optimizing internal rules, a fraud manager’s attention is often drawn to many places at once. With so much on their plate at any given time, it’s easy to understand why merchants are drawn to “silver bullet” solutions to manage and prevent chargebacks.
One “solution” to chargebacks often utilized by merchants is fraud prevention blacklists. When hit with a chargeback, all the transaction details are simply added to a blacklist, so that the next time an order is placed from the same email or IP address, the transaction is automatically declined. While they may seem like a great way to streamline internal operations and to prevent future fraud, blacklists are in fact a misguided way to address chargebacks.
Blacklists block not only fraudsters but also many good customers. Moreover, there are basic methods fraudsters can use to “fool” your blacklists. In this post, I will explain why you should stop relying on blacklists for fraud prevention.
What Are eCommerce Fraud Prevention Blacklists?
Fraud prevention blacklists, also known as negative lists, contain credit card details, customer names, email addresses, physical addresses, and sometimes even entire countries that companies have identified as fraudulent or risky. These are then blocked from access to purchase. Companies use blacklists because it seems like an effective way to identify customers who have previously yielded a chargeback and to prevent them from placing another order in the future.
In fact, these lists were cited as the tool most commonly used by eCommerce merchants to prevent fraud in the 2017 Global Fraud Survey published by the Merchant Risk Council. Specifically, 96% of the 466 merchants surveyed reported using internal blacklists to manage online fraud, and another 1% planned to start using blacklists in the near future. Some of the online retailers surveyed mentioned using shared blacklists (shared between several merchants), while others were relying on industry-specific blacklists.
Despite their popularity, negative lists are unfortunately an oversimplified and ineffective “solution” to eCommerce fraud.
eCommerce Fraud Isn’t Spam (Or Why Not To Use Blacklists)
Blacklists can be extremely effective for certain purposes, for instance stopping spam email. Want to avoid getting another email from a Nigerian prince asking for your bank details? No problem – simply tag the email message as “spam,” and your email provider will block the sender, preventing any future messages they send from arriving in your inbox. In fact, by tagging that email message as “spam,” you are helping other email users, as your email provider will route all messages from that sender directly to their spam folder.
Card not present fraud, however, is not spam.
Accurately detecting and identifying payment fraud is much more complex than identifying a cheap email ploy. First of all, some of the transactions online merchants decline due to fraud are in fact legitimate orders and are falsely declined. While most merchants are quite confident in their fraud-related decisions, Riskified’s data shows that between 40% and 70% of the orders merchants typically decline are legitimate and should have been approved. So, if you are tagging orders as fraudulent and adding their details to a blacklist, you are likely blacklisting a lot of good customers.
Second, even when a transaction is definitely fraudulent, not all the order elements are related to the fraudster or to the fraud ring. For example, some physical addresses – such as large apartment buildings, university dorms, corporate offices, and reshippers – serve a wide variety of people. Just because one of the people affiliated with these locations defrauded your store does not mean you should consequently block all other customers shipping to that location.
Third is the fact that fraudsters constantly change the details they provide when placing orders online. Opening new email accounts, attempting to pay with a variety of stolen credit card details, employing proxy servers, and shipping to drop points are all fraudster “best practices” – designed to help conceal their true identity and avoid being caught. So not only will your blacklist result in good customers being wrongly rejected, fraudsters will not have a hard time placing another order on your site despite your best efforts to update your blacklists.
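The three failure modes above can be measured on a small scale. The following is an added example, not Riskified's code: it builds an exact-match blacklist from past chargebacks and scores it against new orders. All orders, addresses and field names are constructed, and the false decline rate is assumed to mean the share of declined orders that were legitimate.

```python
from dataclasses import dataclass

FIELDS = ("email", "ip", "ship_to")

@dataclass(frozen=True)
class Order:
    email: str
    ip: str
    ship_to: str
    fraud: bool  # ground truth, only known after the fact

def build_blacklist(chargebacks):
    """Add every detail of each charged-back order to the negative list."""
    return {(f, getattr(o, f)) for o in chargebacks for f in FIELDS}

def evaluate(blacklist, orders):
    """Decline on any exact field match and score the result against ground truth."""
    stats = {"false_declines": 0, "blocked_fraud": 0, "missed_fraud": 0, "approved_good": 0}
    for o in orders:
        declined = any((f, getattr(o, f)) in blacklist for f in FIELDS)
        if declined:
            stats["blocked_fraud" if o.fraud else "false_declines"] += 1
        else:
            stats["missed_fraud" if o.fraud else "approved_good"] += 1
    declines = stats["false_declines"] + stats["blocked_fraud"]
    # Share of declined orders that were legitimate (assumed definition).
    stats["false_decline_rate"] = stats["false_declines"] / declines if declines else 0.0
    return stats

# Constructed sample data: two past chargebacks, then five new orders.
CHARGEBACKS = [
    Order("buyer1@example.com", "198.51.100.7", "Reshipper, 1 Dock Rd", True),
    Order("buyer2@example.com", "198.51.100.8", "Dorm Hall B, 5 Campus Way", True),
]
NEW_ORDERS = [
    Order("alice@example.com", "192.0.2.10", "Reshipper, 1 Dock Rd", False),     # shared address
    Order("bob@example.com", "192.0.2.11", "Dorm Hall B, 5 Campus Way", False),  # shared address
    Order("carol@example.com", "192.0.2.12", "9 Elm St", False),                 # unrelated
    Order("buyer1@example.com", "203.0.113.5", "3 Oak Ave", True),               # reused email
    Order("fresh@example.com", "203.0.113.6", "7 Pine Ct", True),                # all-new details
]

def run_demo():
    return evaluate(build_blacklist(CHARGEBACKS), NEW_ORDERS)

if __name__ == "__main__":
    print(run_demo())
```

On this sample the list declines two legitimate customers who share an address with a past chargeback, and it approves the fraudulent order whose details are all new.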
Blacklists – A Surefire Way to Reject Legitimate Orders
In the field of fraud prevention, it’s easy to forget that while fraud does exist, the vast majority of CNP transactions are legitimate. Oftentimes, orders that appear to be high-risk are in fact placed by good customers. Following are two legitimate transactions that would have been rejected by merchants relying on fraud prevention blacklists.
The first example is an order that would typically be placed on a blacklist because it originates in Nigeria, a “risky” country. In this order, the BIN country doesn’t match the billing address, and both the shipping address and IP address are Nigerian. Most fraud scoring tools would flag this order as high-risk; any merchant who blacklists “risky countries” such as Nigeria would reject this high-value order outright!
In fact, this order is not fraudulent, and was placed by a Turkish businessman working for a company based in Nigeria. A close review of the IP address showed that it is a corporate IP, allowing us to easily link the customer to his position at this particular company based in Nigeria. This example of a customer living abroad and placing an order via his work computer clearly illustrates why blacklisting certain IP addresses or countries could prevent legitimate consumers from placing an order at your store.
The second example is an order that would typically be blacklisted because the shipping address is linked to previous chargebacks. Our systems also detected a high velocity of orders shipping to this address. On top of that, the order features another “risky country” – Algeria.
Thanks to data scraping and tagging, our systems identified the shipping address as a package reshipping service based in the US. This explains the high velocity of orders shipping to the address as well as the links to previous chargebacks; all it takes is one fraudster to yield a chargeback with a reshipper for all subsequent transactions to be flagged as high risk or, in the case of blacklists, to be automatically rejected.
A merchant who blacklists addresses from which chargebacks were previously incurred would have declined this particular order without ever seeing it. More importantly, this illustrates how problematic it is to group orders based only on shipping address – as a single address may serve dozens or even hundreds of people.
Whitelists are just as problematic
It’s worth noting that this issue also applies in reverse. In the same way that blacklists end up contributing to false declines, whitelists – lists of good customers or cards whose orders skip the review process and are instantly approved – often result in high chargeback rates. The appeal is clear: whitelists can lighten the burden on review teams and improve the shopping experience for returning customers. For these reasons, 79% of the merchants polled in the aforementioned 2017 Global Fraud Survey reported using whitelists. But the issue is that most fraudster MOs involve placing orders with stolen credit card information, and if that credit card is on your whitelist, you’ll approve the order without even looking at it.
Just as with negative lists, whitelists are an oversimplified solution to improving fraud review accuracy. They make merchants easy targets for fraud and create more problems than they’re worth.
Seeing the Bigger Picture: Being Proactive Rather Than Reactive
It’s clear why eCommerce merchants need to avoid chargebacks. High chargeback rates indicate that fraud is not being successfully prevented. But reacting to chargebacks by creating longer, more robust blacklists is not an effective solution in the long term.
If you use blacklists, consider asking yourself the following questions:
- What is your false decline rate?
- How often do you analyze and update your blacklist?
- Is this black-and-white approach really the best solution for a problem that affects top-line revenue?
These questions can help you understand how blacklists are impacting fraud management operations and target areas for improvement.
Not only will fraudsters be able to overcome your blacklists and to continue placing orders with your store, the false declines caused by the lack of granularity of this fraud prevention tool will result in both lost sales revenue and insulted customers. A better way to prevent fraud is to proactively spot fraudulent patterns using dynamic tagging and linking. Fraud teams that invest in building nuanced, sophisticated fraud detection models will reap the benefit of sustained growth and exponential customer lifetime revenue in the long run.