In the eCommerce world as in life, Q4–the “golden quarter”, as it’s often known–is responsible for about a third of merchants’ annual revenue, with a steep increase in sales and an influx of new customers. But after every high comes the hangover, with an overwhelming flood of remorseful buyers, conniving resellers, and just plain opportunists.

In the latest episode of our podcast, The Full Cart, we sat down with Eyal Elazar, Riskified’s policy abuse expert. Eyal walks us through the challenges of policy abuse; why it’s an entirely different ball game from CNP fraud; and how a shift in merchants’ mindset can allow them to deliver better experiences to the customers they trust. Listen to the episode to get actionable takeaways that you can put in place tomorrow to start to get a handle on your policy challenges.

Listen and subscribe on Apple Podcasts, Spotify – or right here on our blog.


[00:00:00] Eyal Elazar: This is a chance where every merchant can ask themselves: if I could be able to differentiate between abusers and customers, what would I be willing to offer? This is a chance to get your policies to be even more flexible. This is a chance to provide more promos, better returns experience, and shift from a one-size-fits-all approach to really maximizing the value of each and every customer.

[00:00:36] Alon Livneh: Hi, and welcome back to an all-new episode of The Full Cart. In the eCommerce world as in life, Q4–or the golden quarter, as it’s often known–is responsible for about one-third of merchants’ annual revenue, with a steep increase in sales and an influx of new customers. Everybody’s in it for the holiday craze, but after every high comes the hangover: we can’t escape the now regularly strained supply chains, the increased volume of online fraud, and the overwhelming flood of remorseful buyers, leading to more returns, more refunds, and more exchanges. My guest today is Eyal Elazar, Riskified subject matter expert on policy abuse. I am very excited that he’s going to be with us today and help us make sense of these growing challenges. So Eyal, welcome on board.

[00:01:26] Eyal: Hi Alon, happy to be here.

[00:01:28] Alon: Eyal, I want to kick us off with a bit of a warm up question: What’s the last thing you ordered online and what was that experience like?

[00:01:35] Eyal: So actually the last thing I ordered online were some sweatshirts–had to get accustomed to the COVID time working from home. And I really loved it. Not only was it a great experience in terms of shopping online, but this is a merchant that I shopped with in the past–we’re going to talk refunds and returns in a second–but I had some returns in the past, and I think there’s a lot of value in having confidence when you’re buying with a merchant, knowing that even if something goes sideways, at the end of the day, you’re covered. So I had a very good experience.

[00:02:08] Alon: Oh, I’m happy to hear that. So that’s an excellent lead-in, I want to jump into our topic of the day. I kind of touched on this in the intro, but I was wondering if you could expand on some of the special challenges that merchants face during the first quarter of the year.

[00:02:24] Eyal: So I think you articulated it very well. Q4 is the golden quarter for eCommerce. It’s all about driving new sales, acquiring new customers, and you have a lot of great promos, limited products, excellent sales. But the problem is, whenever you cast a wide net and you open the door too widely, sometimes you also have bad actors coming in. And when I talk about bad actors, these aren’t necessarily fraudsters. These could be legitimate customers, but they take advantage of your store policies. Now, these policy abusers put you in a very tight spot, because you do want to offer these great promotions. You do want to have flexible, lenient policies, but then you have people who are systematically abusing them. And it doesn’t matter if it’s promo abuse, resellers abuse, or refund abuse, it happens to everyone. I mean, just recently PayPal shared that they had to close 4.5 million accounts after finding bad actors who took advantage of their reward programs.

[00:03:26] Alon: That’s a staggering number.

[00:03:28] Eyal: Absolutely. And Amazon had a customer admitting to $290,000 worth of returns scams. Now, this is PayPal and Amazon, so it happens to the best of them. And I think it just goes to show that it’s everywhere and it’s something everyone should be on the lookout for.

[00:03:48] Alon: So it sounds like it really is a problem that merchants should be kind of setting themselves up to solve, I guess. Can you illustrate for us what kind of abuse you see, or what kind of abuse you’ve seen that merchants deal with?

[00:04:01] Eyal: Policy abuse comes in all different shapes and sizes. You have promo abuse, for example, where whenever you incentivize someone to sign up to your site, we see that anywhere between 10 and 20% even of these signups are fake accounts, accounts you will never hear from again. They only sign up to redeem that special signup promo, and they’re done. There’s no lifetime value.

There’s reseller abuse. So you may see the merchandise that you sold on a special sale or with some special coupons, being sold elsewhere on a higher markup, higher pricing, a week from now or even a month from now. And those same products that you just sold at a discount could be competing with your sales in Q1.

And obviously there’s returns and refunds. I mean, just last month, UPS said that they expect a record of 60 million returned packages during the holiday parcel window. And by the way, that’s surpassing their previous record last year of 55 million post-holiday returns. And the interesting thing is anywhere between 7 and 11% are estimated to be fraudulent, meaning you will either get an empty box, or you can get Item Not Received fraudulent claims, and that’s basically money down the drain. And with returns, we have to remember that only now in Q1 are merchants starting to really feel the volume of returns. Because it could take anywhere between four to eight weeks until you get a return or an item of received claim, and usually during the holiday season, merchants could even give you a three month period. So you’re going to experience returns throughout Q1. It’s going to take some time until you fully understand the return volume you’re going to experience from this holiday season.

[00:06:00] Alon: And then there’s the issue of restocking and inventory… Yeah, I can see why you call it a headache. So it sounds like at a very high level, when we talk about policy abuse, I mean, policy in that sense is anything that merchants are doing to provide better service, a better experience for their customers. You know, merchants provide sales discounts, flexible return policies, so any of those that could be abused kind of sounds like the scope of this problem. But it sounds like a different problem from classic CNP fraud and chargeback abuse. What should merchants be thinking about when they approach the issue of policy?

[00:06:39] Eyal: This is exactly the point. I think merchants have to change their mindset and look at the problem in a different, fresh set of eyes. Fraud and abuse are two different things, and you need to adjust your mindset. With policy abuse, these are not CNP fraudsters, these are not people who got their hands on a credit card. These are actually paying customers, and they may abusing your policies, but not 100% of the time. This could be someone who’s a very loyal customer, maybe even a profitable one, but yeah, they still abuse your policies. It’s not about declining one order. It’s about how are you dealing with your customer? They have a lifetime value. It’s more than a transaction. And abuse is also something which is very merchant specific. What is considered as abuse to one merchant may be legitimate for another merchant. If you take Item Not Received, for example, some merchants could say, you know what?

We can think it’s valid if someone claims two, three, maybe four times Item Not Received until we start getting suspicious because of their volume. Other merchants could be value merchants and they sell really high priced items at a low volume. For them suffering from three Item Not Received or four, that’s a lot. So it’s very different. It’s really a business decision and not just, who is the person behind the credit card?

Merchants need to look beyond the risk. They need to understand the lifetime value of the customer. It’s not just judging them based on a certain behavior, it’s understanding their abuse pattern, or their order history. And, how do they want to address that customer? It’s not just understanding where to draw the line, but also when someone crosses that line, what do you want to do?

It’s again, it’s not a transaction you’re just going to block. There’s various types of friction that you can apply. And this is again, legitimate customers. So to sum it all up, it’s a different mindset, it’s a new ballgame, and merchants have to adapt to dealing with inside threats, and not just outside as fraudsters.

[00:08:54] Alon: That sounds very clear cut, actually. So for example, if I’m a merchant, I want to set a limit. So let’s say the right business case for my personal eCommerce store is say, if someone submits more than three INRs I’ll just block their next transaction.

[00:09:09] Eyal: So this is where it gets a little tricky. Define that someone. Now there’s a difference between an account and an identity, a shopper identity.

We’re used to looking at customers as emails, or account IDs, or credit cards, or addresses, but they’re much more than that. And this is something we call the cycle of abuse. Someone opens up a new account, a new email, and they abuse a policy and they use up their privilege. They can use a certain promo code, they can buy a limited stock, they may even claim Item Not Received. But once you understand that something is off in the behavior of that account, you can block it. It doesn’t stop the shopper, it doesn’t stop the identity. That same shopper will open up a new account. And then they’re going to return and redeem that promo code again, or they’re going to shop that limited item one more time, or they’re going to return an empty box. You block them and they open up a new account, and so on and so on. Basically this is an endless cycle. And when you look at it at an account perspective, there’s very little you can do about it.

If I talk about real life situations, let’s take a physical store. I go into a physical store every day and I do something which is slightly off. I may get away with it once, but if I returned the next day with a fake mustache, and the next day with a wig, and then with a hat or sunglasses, now I will still be identified as the same shopper who’s trying to manipulate me again, because there’s some type of intimacy when it comes to physical stores. But when it comes to online and the big growth engine where every customer counts, I can change one character in my email, I can spell ‘apartment’ or ‘boulevard’ differently, and all of a sudden I’m a completely different shopper. I’m a completely different person and I can get away with anything because I have no abuse history. And in order to really get a handle on preventing abuse, you have to start thinking of identities and not accounts. When you understand the identity of a shopper, what’s their true shopping behavior, what’s the real lifetime value, only then can you implement and enforce policy in an effective way. And not only will you be able to differentiate between loyal customers and policy abusers, you will also be able to look at all the policy abusers and differentiate them. Some policy abusers may still be profitable customers. And you may want to start with some type of friction, but you definitely want to maintain or hold on to that customer because they’re very loyal and very profitable.

Some abusers are not profitable. They have a negative margin or they’re extremely abusive and you want to block them out. Some have negative margins. And you want to block those customers, those abusers. When you take on an identity perspective, you can have a new set of capabilities and really analyze each customer differently. I think this is what kind of sets the tone there.

[00:12:40] Alon: I guess I understand your analogy for a brick and mortar scenario. I mean, obviously in that context, let’s say like a small mom and pop shop, you know, it’s the same seller every day, the same shopper. So I can intuitively understand how they’re going to identify you as the same customer even if you change your appearance a little bit. But in an online setting, how can merchants solve this visibility gap if they don’t see you? How do they know what your identity is?

[00:13:07] Eyal: So I think there’s a couple of things the merchants can start doing tomorrow. Once they understand the concept of ‘cycle of abuse’, and a certain shopper could have a lot of different accounts, they can start looking at it and investigate things differently. They can start looking at similar emails or looking at more than just emails, crossing emails, credit cards, addresses, phones.

Now these are all the things merchants already have today. They just need to understand that it’s more than just one data point that defines the customer and they need to find some kind of correlation. So yeah, they can do it offline after an order was submitted, but they will still be able to identify abusers, at least at some scale.

And fortunately enough a lot of the time policy abusers are relatively lazy. They don’t want to change too much. They don’t want to invent a whole new identity every time. So there’s a lot of abuse that they can still prevent by only doing that. Now, the problem is we see that it’s something, it’s a beginning, but it’s really hard to do efficiently and at scale. Because if you really want to take on an identity-based approach, you need to have a couple of things:

First you need to have a lot of data enrichment capabilities. You need to look beyond the phone number and email. You need to look at IP, behavior analytics. You need to look at device fingerprints. And the more data points you have, the better capabilities you have in matching those data. 

Then you want to have a strong merchant network, because when you see an email for the first time at your store, there’s a very good possibility that if you had access to other merchants, you would see that email in different merchants and you’ll be able to get even more data.

The third thing is you want to have machine learning based clustering. Now this is more than just linking data points together, because you can link as many data points as you want, but you really want to be accurate when it comes to who that identity is. You want to understand, for example, if you’re talking to four people sharing an office, and naturally they have the same address and IP, or is this four different accounts with one identity who is abusing your store.

And lastly we need to have very strong business rules, which are identity-based. And you asked me just before if three Item Not Received claims are a good business rule. But you can do much more than that. Once you understand the identity, how about, what is their Item Not Received value? Are they abusing you 20% of the time, or 30% of the time? And then you can decide whether or not this identity is profitable or not.

[00:16:01] Alon: And you can tie directly to margins.

[00:16:03] Eyal: Absolutely. I think the smart merchants do tie it up directly to margins. They say, this abuser is not profitable if they’re costing me more than what I’m getting. I don’t want to allow them to shop in my store again. And it makes perfect sense when you think about it, it’s just that not too many merchants think about it that way.

[00:16:23] Alon: So you’re saying that beyond implementing a one-size-fits-all solution, it’s really a shift in mindset. So within an eCommerce organization, whose responsibility is it?

[00:16:37] Eyal: That’s a very good question. This problem is relatively new. So up until now, we talked about how to solve it, but there’s also a question of who solves it. And again, we see that more and more people are involved. For example. fraud are usually involved, meaning they analyze it, they want to prevent abuse. But it goes beyond just the fraud and the analysts. It goes to customer service because at the end of the day, this is how you’re treating your own customers. And if you block someone from filing a claim, then they will probably call you and you need to know what to say. You need to know how to respond. Sometimes it has to do with compliance. Sometimes it’s about finance, because it’s about the margins. It’s not just about stopping abuse, it’s about how to have more good, profitable deals.

And it could be eCommerce, whenever it comes to resellers or understanding the true conversion rate. At the end of the day, it touches almost everyone in the organization, and shifting to an effective policy prevention mindset is really about evolving. It’s really about working with many people in the organization to understand the business logic and then understand how to enforce it.

But we’ve talked to many, many merchants and I can’t say that there’s a best practice, something that kind of stands out and say, this is the person in charge, this is the way to tackle it. I think a lot of the merchants today are still figuring that out.

[00:18:20] Alon: Well, hopefully it will be easier for them to figure that out once they listen to this episode. Thanks for the walkthrough, Eyal, are there any final takeaways or tips that you can give to merchants?

[00:18:31] Eyal: Yes. We’ve talked about the threats and how to identify them and how to defend against them, but I think that this is an opportunity for merchants to think about how they work with their customers. And I think this is a chance where every merchant can ask themselves, if I could be able to differentiate between abusers and customers, if I will be able to really understand the lifetime value of each customer, what would I be willing to offer? This is a chance to get your policies to be even more flexible. This is a chance to provide more promos, better returns experience, and as you mentioned, shift from a one-size-fits-all approach to really maximizing the value of each and every customer. And yes, they may be forced into that corner of changing the way they look and changing the way they do things, but when they will do that change, they will get so much more than blocking the threat. I think they’ll be able to get more out of each and every customer, and offer better service, better promos, and really have the confidence in providing more to their customers. So I do think that there is a silver lining to policy abuse, and I think we will only understand it in a couple of years to come, and this could be something which affects everyone.

[00:20:09] Alon: You know, what you said about having a flexible customer-based policy kind of really fits into this wider discussion that’s going on around eCommerce about personalization in general and about using AI for personalization. I think a lot of the times merchants think about personalization as in, what kind of products can I offer you based on what you’ve already purchased or what you’re searching, or what kind of experience can I offer you based on the kind of shopper that you are. But it’s actually really interesting to also think of your policy as something that you can tailor per customer based on, you know, their history, and the probability of abusing your policy. So I think it fits into that wider discussion in a very interesting way.

[00:20:52] Eyal: Absolutely. I mean, just imagine what you can do if whenever someone wants to exchange an item or return an item, you would know exactly who to trust and you can offer some perks and say, you know what, keep that item. I’m going to send you the different size anyway. You can donate it, you can reuse it, you can do whatever you want. You don’t have to ship it back. You’re going to save the logistics and you’re going to provide better perks. And this is just one example. So, I completely agree. I think this is a skill set that every merchant should have.

[00:21:25] Alon: That’s fantastic. Thank you very much for joining us today. I had a pleasure talking to you and I hope it was a fine experience for you, too.

[00:21:32] Eyal: I had a fantastic time. Thanks for having me.

[00:21:34] Alon: That’s it for a conversation with Eyal on the subject of policy abuse. I hope you found it interesting and illuminating. As always, if you like the show, please consider rating us on Apple or on Spotify, and if you want to be the first to know when our next episode drops, don’t forget to hit the subscribe button on your favorite podcast app. Until next time.