Approximately $700 million in online revenue was lost to fraud in 2001, according to Dallas-based payment processor Paymentech. That sum represents 1.14% of that year’s total online sales. John Shirey, Paymentech’s group manager for product development, adds that some marketers lose $1 to fraud for every online order they accept.
“Fraud is higher online because consumers can more easily fake their identity by making up phony e-mail or physical addresses,” Shirey says. What’s more, “in the catalog business, you have the ability to select your buyers and mailing lists. You control who gets your catalog.”
Of course, catalogers encounter plenty of fraudulent telephone and mail order sales. Shirey estimates that 75% of all catalog chargebacks are due to fraud. And while 0.5% of online orders are fraudulent, so are 0.3%-0.4% of offline catalog orders.
“Some merchants don’t seem to get overly obsessed by fraud costs,” Shirey says. But those that do can save thousands, if not millions, of dollars.
PC Connection, for one, prevented — and therefore saved — about $4 million in fraudulent transactions through the first three quarters of 2002, estimates Stephen C. Baldridge, vice president of finance and corporate controller for the Merrimack, NH-based cataloger. Baldridge credits the savings to PC Connection’s 10-employee fraud-prevention team and the tools it uses.
A different type of customer database
One simple way in which PC Connection has reduced fraud is to require customers to provide their credit card’s customer verification value (CVV2), the three-digit number that appears on the front of the card along with the credit-card number and the expiration date. In many cases of fraud, the perpetrator will have the customer’s account information but not the card itself or the CVV2.
PC Connection also maintains an internal fraud file. The data enables the computer reseller to place “transaction holds” — in other words, to flag orders that are to be delivered to zip codes that have a higher-than-average rate of fraudulent transactions and orders of certain “high risk” merchandise.
“On a transaction hold, we do not wait for payment ‘to go through’ but instead perform additional procedures to ensure that the transaction is appropriate and not fraudulent,” Baldridge says. For example, the cataloger might try to contact the customer to verify that he placed the order or call the credit-card issuer to verify a ship-to address.
PC Connection’s internal fraud file is a type of negative database. Shirey suggests developing this sort of inhouse file with information about previous fraudulent transactions against which you can compare all orders. The negative database should include customer names, bill-to and ship-to addresses, home and business phone numbers, credit-card numbers, transaction dates (to track frequency of orders), mismatched zip and area codes, and chargeback information.
Speaking of databases, Julie Fergerson, cofounder of Austin, TX-based services provider ClearCommerce, says marketers should keep their customer databases and their Website infrastructures on separate servers. This reduces the likelihood of an Internet hacker being able to find his way into your customer files and subsequently steal the credit-card data.
“Marketers must always be building more secure mousetraps to stay one step ahead of fraudsters,” Fergerson says. Along the same line, use secure-socket layer (SSL) encryption for all card data files and databases accessible from the Internet.
Your employees are often your first defense against fraud. Investing time in their training can result in significant fraud reduction.
For instance, train order-takers to always request the name of the card-issuing bank for any sale over a predetermined amount. If the caller doesn’t know the bank’s name, he may be using a stolen credit card number.
Also have order-takers ask for the cardholder’s billing address and to flag orders with different bill-to and ship-to addresses. Yes, it’s common for customers to have bills sent to their home and merchandise sent to their office — but it’s not uncommon for credit-card thieves to know the proper billing address and to ask for the items to be sent to their own address. Orders with different bill-to and ship-to addresses should be compared against any previous orders you have from that customer on file, or at the very least against the mailing address you have for that name.
Paymentech suggests also being wary of orders placed after midnight. Have employees check the order history of these customers and if there are any aberrations, have them call the customer the next day to verify.
Other things you should teach order-takers and customer service reps to look out for include: “rush” orders from new customers, first-time customers placing very large orders, multiple transactions on one card in a very short period of time, and customers ready to order whatever merchandise is in stock, regardless of size, color, or style. As with orders with different bill-to and ship-to addresses, these sorts of transactions aren’t necessarily fraudulent, notes Dave Kerlin, founder of Portland, OR-based payment processor Amerinet, but they are riskier than typical orders.
Once your staff is trained to know what to look out for, teach them how to follow up. Your reps should always ask for the customer’s daytime and evening telephone numbers, “in case there is a problem.” Then, should an order seem suspicious, they should make sure at least one of these telephone numbers does not belong to a cellular phone — such numbers are difficult to verify or may be connected to “disposable” phones with limited talk time. Toll-free telephone exchanges (800-, 888-, 877-, and 866-numbers) and 900-numbers may also signal potential fraud.
For some types of suspicious orders, you should instruct your staff to call the phone number listed on the order, even if it’s a legitimate number, to verify the transaction. The party you speak with may never have heard of the “customer.”
You should also advise your Web service staff to follow up on Internet orders from e-mail addresses at free services such as Hotmail or Yahoo!. Since there is no billing relationship between the service and the consumer, there is no way to track the user. According to Paymentech, more than 50% of orders placed from free e-mail addresses are fraudulent.
Such alarming statistics can lead some marketers to go overboard when it comes to guarding against fraud — causing them to turn away valid sales. Paymentech’s Shirey says that while screening for fraud, merchants reject an estimated $1.2 billion in valid sales each year — nearly twice the amount that is lost to fraud.
If your fraud rates are below the industry average, you probably don’t need to take additional actions. And, Kerlin adds, if you sell products that aren’t easily fencible — sellable by thieves — your fraud-prevention guidelines need not be as stringent as those for companies selling items such as computers and electronics, which are easy for thieves to resell.
According to Shirey, fraud rates for computer marketers are about three times greater than those of apparel mailers. Jeff Parnell, vice president/general manager for e-commerce for Blair Corp., a Warren, PA-based cataloger of apparel and home products, agrees with that assessment. “Because apparel is not as easily sold underground as, for instance, electronics or high-end jewelry, online fraud is not a significant problem at Blair.”
Credit-Card Issuers Shift Fraud Liability
No doubt you’ve seen the commercials from credit-card issuer Visa featuring consumers claiming to be Dallas Cowboys running back Emmitt Smith, with each declaring “I am Emmitt Smith.” The ad touts Visa’s new password-protected system, Verified by Visa, which enables consumers to enter their password after hitting an online “submit order” button. Because the password does not appear on the credit card, the system makes it more difficult for those in possession of a stolen card or credit-card numbers to make fraudulent purchases. If a consumer tries to defraud the merchant and doesn’t know the password, Visa blocks the transaction; the merchant doesn’t even “see” it.
To encourage Web merchants to build the extra step into their checkout process, beginning in April, Visa will not hold marketers liable for fraudulent Verified by Visa transactions. If a Verified by Visa transaction is fraudulent, the card-issuing bank, rather than the marketer, is liable for any fees and chargebacks.
The Visa system is similar to Mastercard’s SecureCode, which was introduced last November. Like Verified By Visa, SecureCode users select a password via the Internet or the telephone, as directed by their card issuer. The code is managed by the card issuer and is never shared with any merchant. And the card-issuing banks, not the marketers, are liable for any fraudulent purchases.
The new Visa and Mastercard systems may help Web catalogers win over consumers who won’t shop online for fear of fraud. According to the Federal Trade Commission, merchants will lose $18 billion this year from consumers unwilling to purchase online because they are fearful of being victims of cybercrime.
International orders account for 17% of all online credit-card fraud and 42% of all Web chargebacks. To help online marketers identify overseas orders, services provider ClearCommerce recently unveiled the Geolocator. The software identifies the country of origin of the consumers’ Internet providers and allows merchants to filter orders for review if they come in from regions with high rates of fraudulent purchases, such as Eastern Europe.
In December, Framingham, MA-based office supplies cataloger/retailer Staples began using ClearCommerce’s fraud protection service, including the GeoLocator, for its Website. “Online fraud is random, dynamic, and increasingly sophisticated,” says Robert McGrath, Staples’ director of loss prevention.