Fraudsters are constantly looking to exploit vulnerabilities in eCommerce. They try a number of different approaches (“attack vectors”), and if one is proven effective, they exploit it until it’s discovered and the vulnerability closed. Fraudsters are ever-evolving, and, in order to stay ahead of them, merchants must stay abreast of the latest forms of eCommerce fraud to preempt them as quickly as possible.
At the same time, online shopping behavior is evolving just as quickly. Many merchants struggle to update their fraud-management strategies to account for the changes in customers’ lifestyles and their evolving expectations. That leads to false declines and missed opportunities.
Here we share three interesting order types we have seen over the last 12 months. We’ll show two tactics that we’ve seen fraudsters recently employ along with a suspicious-looking — but legitimate — order. This should help merchants understand how eCommerce fraudsters think and better respond to the threat.
All personal details have been anonymized to protect cardholders’ privacy.
Address Line 2
Many merchants believe Address Verification System (AVS) matches are bulletproof guarantees for legitimate orders. To them we say: THINK TWICE!
Over the past 12 months, we have seen that orders with AVS matches can account for more than 40% of all fraudulent transactions.
A few months ago, one of our merchants received an order for two cult favorite Mac lipstick shades: one in Ruby Woo (Retro Matte; $18.50), and the other in Lady Danger (Matte; $18.50). The shipping and billing addresses were a match with a private-label credit card:
Name: Jane Smith
Address Line 1: 12345 Evergreen DR
Address Line 2: 678 90th Ave NE 450
City: St. Petersburg
Country: United States
Upon initial review, the address appears normal. However, the second address line is unusually long, filled with what resembles the first half of a different address. This was not a mistake. It was an intentional act by a fraudster.
Fraudsters usually leave Address Line 1 intact because the street address in it and the zipcode are what AVS verifies. In order to make their fraudulent orders seem legitimate, fraudsters like to utilize stolen credentials that allow them to get at least a partial AVS match.
As for Address Line 2, there are two main reasons why fraudsters tamper with it. The first is to reuse addresses that are linked to past fraudulent orders.
One of the biggest challenges fraudsters face is in being able to successfully receive their illegally purchased goods. Some use the original cardholder’s mailing address and intercept the goods at that person’s doorstep, known as porch pirating, but that’s risky, difficult, and time-consuming. More often, fraudsters will have the goods delivered to an address of their choice, where they know they can reliably receive them without getting caught.
Cultivating such shipping destinations requires a lot of time and resources. Fraudsters need to recruit delivery people, reshippers, and other individuals (“mules”) willing to put their addresses and services to use for a cut from the fraudsters’ earnings. Because of the heavy investment required, fraudsters want to secure an address that will go undetected for as long as possible. They try to reuse it as much as possible to minimize the need to cultivate a new shipping address.
This is where Address Line 2 comes in. Fraudsters can reuse a shipping address that is linked to previous chargebacks by slightly altering the details of that address. Regarding the Mac lipstick order, the merchant had previously blacklisted “12345 Evergreen DR St. Petersburg, Florida 12345-6789” for its links to a chargeback and installed a rule to deny all future orders that feature that address. However when the fraudster placed an order for the lipsticks with that same address, slightly altered by adding “678 90th Ave Apt 450” in Address Line 2, the merchant’s rules-based fraud-management system approved it, having processed the shipping as distinct from what was blacklisted. For the fraudster, the key is knowing the sweet spot between making an address “dirty” enough to confound linking but “clean” enough to receive shipment.
Automated order-review systems that largely rely on rules struggle to accurately red-flag such “dirty” addresses. Manually reviewing these orders requires a lot of valuable time and resources many merchants cannot afford. In order to avoid false declines, the analyst, for instance, must determine whether the address is fraudulent, or a new building that has not yet been added to Google or Whitepages’ databases.
Merchants can protect themselves with these Address Line 2-type fraud attacks by using solutions powered by meticulously trained machine-learning models. Riskified assisted the Mac lipstick seller with a model that tested various irregularities in the address fields, such as length of Address Line 2, and repetition of street, drive, avenue, or boulevard in both Address Line 1 and 2. (Click here to learn more.)
The second reason that fraudsters tamper with Address Line 2 is more simple. Confusion over the address creates an opportunity for the fraudster to later intervene and amend the shipping destination to where it is most convenient for pick up. For example, the fraudster could call customer service and claim he copy-pasted an additional line by mistake. Or the merchant could reach out to the fraudster, mistaking him for the original cardholder, to seek verification on the mailing address. The fraudster can use social engineering tactics to convince the customer service representative that he is the original cardholder or owner of the order, and that he wants to have the package delivered to a different address.
For this very reason, many merchants no longer offer consumers the ability to change the delivery address once the order has been processed and fulfilled. At the same time, merchants don’t want to lose customers for not accommodating their needs. If the bad order has been approved by fraud review, customer service representatives are inclined to trust that the request is genuine and make the address change to accommodate the customer’s request, without realizing that the customer is actually a fraudster.
This is why it is crucial to nip fraud in the bud, at the very beginning of the online sales funnel before the fraudulent order makes its way to fulfillment and shipping. The farther fraud gets in the customer journey, the higher the cost merchants face to correct. Merchants pay nearly three times that of a digital dollar of fraud loss, and that’s a cost merchants can very easily avoid by having the right fraud-prevention solution.
In February, we saw an order for a $1,395 Balmain mid-rise skinny biker jeans, placed at a luxury high-end fashion merchant. It was a straightforward order to review, largely because the fraudster used a Japanese credit card for an order to be delivered to Brooklyn, New York. What was alarming about this attempt was that the fraudster had managed to log in to the account of a loyal customer.
The fraudster had all of the login information (email address and password) for the original account holder, who we will call Sarah, as well as access to Sarah’s gmail account. The only piece of information the fraudster was missing was Sarah’s US credit card. So another person’s credit card, in this case a Japanese card, was used.
Sarah has a long history with the merchant as a loyal, reliable customer. She first opened her account on the merchant’s site in 2015, and has used two US credit cards to make more than 30 purchases, with each order amount ranging from $500 to $1,500. It’s clear that the fraudster is aware of Sarah’s value as a customer for the merchant and knew that logging in through her account would give more cover.
Catching these account takeover (ATO) attacks at the point of sale and declining those orders is not ideal. The merchant will need to alert the original account holder that their account had been breached and that they need to change their login information to stop further misuse. The fraudster may have obtained the account login information from breaches other than that of the merchant, but that won’t matter. That notification will be disastrous, as the customer will blame the merchant for the fallout of having personal information compromised.
That said, catching the fraudster and declining the order is still better than paying a chargeback. To catch an ATO attack at checkout, make sure your fraud detection system is able to detect changes in behavior, including the shopper logging in from a different IP address than usual, and if the customer is shopping like a legitimate customer or a fraudster (read more about behavioral analytics here).
But far better for both the merchant and consumer is to prevent fraudsters from ever logging into the customer’s legitimate account in the first place. Riskified’s account protection solution applies our core ability to recognize legitimate customers from bad actors earlier in the purchase process. Our solution looks at account logins and determines if the shopper is who he or she claims. We then either allow the login, block the login or challenge the user to verify his or her identity. By checking the user at account login rather than waiting for checkout, we’re able to protect your legitimate customers and increase approval rates down the line. In addition to protecting you from chargebacks, this will protect your brand’s reputation keep your customers happy.
Bulk Gift Card Purchases
Is it still a gift if you buy it for yourself? Consumers, especially millennials and younger, are increasingly buying gift cards for themselves. Last year, 62% of consumers between ages 18-34 bought a gift card for themselves, as did 60% of those aged 35-58 and 54% of baby boomers, according to First Data’s 2017 Prepaid Consumer Insights Study. Their biggest incentives for self-purchase were discounts (37%), loyalty or award programs (35%) and the ability to be able to shop and pay online (27%).
Take Janice for example. On Dec. 23 of last year, the 35-year-old bought 12 Sephora gift cards worth $250 each from at an online marketplace for discounted gift cards. Upon first look, one might think the purchase is odd. However, a review of our records shows that her $2,760 order is a relatively small purchase for Janice, compared to the $15,698 she spent two weeks prior on 27 JCPenney gift cards.
Our dynamic linking technology showed she is a serial shopper of discounted gift cards across multiple merchants and marketplaces. A quick Google search shows Janice makes her living re-selling various beauty products and homegoods on Facebook. For her, it’s critical to buy inventory on discount in order to maximize her margins re-selling them. It’s no surprise that she found the 5.7% discount on those Sephora gift cards worthwhile.
Leveraging discounted gift cards is not unique to online re-selling business owners like Janice. Consumers in general are getting savvier about ways to get value by shopping online and are increasingly purchasing open-loop prepaid cards or gift cards for self use.
Mercator Advisory Group predicts open-loop gift cards (those that can be used anywhere rather than with a specific merchant) will continue to grow by 3% through 2020, following an 8% growth in 2016. According to InComm, a prepaid and payment solutions provider, 50% of consumers are buying open-loop prepaid cards for themselves. In the case of InComm’s most popular open-loop gift card product, about half of the recipients were female,30% of whom had bought the card for themselves. Those who did purchase for self-use said they did so to reuse the product as a budgeting or a bank alternative.
The lesson for merchants here is simple: bulk purchases of gift cards aren’t necessarily risky. For more information on how to optimize your fraud review to successfully contextualize ever-changing shopper behavior, request a demo or read more on our blog and at our Resources Lobby.