Editor’s Note: Many of the subjects discussed in this article are as valid today as they were when the content was originally presented, while other topics show additional insight into the e-commerce concerns and Internet fraud issues that we are currently dealing with today. The Merchant Risk Council still actively supports retailers dealing with the spectrum of cyber crime issues.
As e-commerce continues to grow exponentially, e-commerce risk management has never been more important. Managing this risk is not just important to your business; it is crucial to the health of your organization.
E-commerce presents its own set of business challenges. On-line merchants do not have the ability to ask to see a driver’s license or match a signature, so they need to have systems and tools to review information to authenticate the customer in real time. Some of the tools used by on-line merchants include matching zip codes, or IP addresses, combined with advanced scoring systems.
One of the biggest obstacles facing e-commerce professionals is the ever-present and constantly evolving threat of Internet fraud. As soon as businesses and law enforcement identify a scheme, criminals are developing a new one to take its place. Ronda Sifford, loss prevention manager at Costco.com and board member of the Merchant Risk Council (MRC), likens the cycle to building a 10-foot fence to keep criminals out, only to have them show up with an 11-foot ladder.
Loss prevention does not have a one-size-fits-all solution. All merchants vary and loss prevention solutions need to be tailored to complement and not hinder the user experience. E-commerce risk management must also be tailored for each merchant to reflect business objectives and markets served.
On-line Fraud Survey
The Merchant Risk Council began as an informal group of merchants meeting to discuss the overwhelming increase of Internet fraud. The group evolved into the leading not-for-profit trade association for merchants, vendors, and e-commerce risk management professionals. Today the MRC has more than 7,500 members, including 120 of the world’s largest Internet retailers who account for approximately 15 percent of all e-commerce revenue.
The MRC Annual Fraud Survey, sponsored by CyberSource as part of its broader annual survey of Internet fraud, illustrates the challenges large merchants are facing. The combined results show MRC platinum merchants setting the pace for the e-commerce industry in controlling fraud and protecting valid customer orders. Platinum merchants are the largest on-line sellers in the U.S., and they share Internet fraud trends and best practices through MRC committees and conferences.
Revenue Lost. Platinum merchants in the survey report an average of 0.6 percent of their total revenue is lost to on-line fraud, compared to 1.4 percent for the overall sample and 1.0 percent for other large non-member merchants with greater than $50 million in e-commerce sales. Fifty percent of platinum merchants report a fraudulent order rate of 0.25 percent or less. Fraudulent orders consist of chargebacks, where consumers contact their credit or debit card issuing bank to reverse a fraudulent charge, and consumer credits granted directly by merchants. Merchants in the survey indicate about half their Internet fraud comes in the form of chargebacks, with fifty percent of the platinum merchants reporting chargeback rates of 0.15 percent or less.
Rejected Orders. Platinum merchants in the survey reject an average of 2.2 percent of incoming orders on suspicion of Internet fraud, compared with 4.1 percent in the overall sample and 4.8 percent for other large merchants. This means these merchants may be protecting another 2 percent of sales. In businesses like retail or travel, this is significant. The MRC platinum merchants surveyed represent $32 billion in sales so that protected 2 percent in legitimate orders adds up to $640 million additional potential revenue gained.
Internet Fraud-Fighting Tools. In achieving these results, the platinum merchants have integrated more Internet fraud-fighting tools and more automation into their order process than the average e-commerce merchant. The survey shows the platinum members use an average of 8.2 tools, versus 4.8 in the overall sample and 7.5 for other large e-commerce merchants.
The most notable difference is in order velocity monitoring. These automated systems, which flag suspicious patterns in the order flow, are in place at 88 percent of the platinum e-commerce merchants surveyed, compared with only 33 percent of the overall merchant base and 57 percent of other large merchants. Other tools most commonly employed by the platinum merchants are:
• Address verification service (100 percent),
• Company-specific fraud screens (86 percent),
• Negative lists (81 percent),
• Card verification number (74 percent), and
• IP geolocation (74 percent).
In parallel with their higher commitment to tools and systems, the platinum e-commerce merchants enjoy lower rates of manual review of suspicious transactions, a process which can add cost and delay to order fulfillment. For the MRC platinum e-commerce merchants, 14 percent of their on-line order flow requires a manual review before acceptance—half the 28 percent average in the overall sample and consistent with the 14 percent among other large merchants.
Communicating Best Practices
The MRC educates businesses by disseminating information among members about the most effective Internet fraud-prevention practices and encourages connections between members within the industry. MRC members, even those who are competitors, share information with one another for the benefit of curbing Internet fraud. If cyber criminals are reaping the benefits of information sharing and doing so to exploit e-commerce retailers, it is crucial for e-commerce retailers to also share information in order to thwart cyber crime.
The MRC also educates law enforcement and the public about on-line crime and how to avoid it. The MRC works with federal and local law enforcement agencies, such as the Internet Crime Complaint Center (IC3), Federal Bureau of Investigation, Secret Service, U.S. Department of Justice, and U.S. Postal Inspectors to help investigate, apprehend, and prosecute cyber criminals.
To prevent Internet fraud, organizations should implement best practices built around three general principles:
Invest. First, merchants must continue to invest in Internet fraud solutions because cyber criminals continue to innovate and to invest in fraudulent schemes. As soon as one block is erected, they are one step ahead, finding the next way to commit the crime. Unfortunately, there is no magic bullet for solving this problem.
Report. Second, merchants must encourage investigation and prosecution of cyber criminals. These criminals communicate with one another and if there is no action taken, they will share this information and that merchant will very likely become a target of other criminals. Also, it is much easier for merchants and law enforcement to go after one criminal versus twenty across one or more countries. Cooperation and information are the keys to a long-term solution.
Share. Finally, it is crucial for merchants to speak to their peers about Internet fraud. They are seeing many of the same individuals and trends. Sharing prevention techniques and best practices is critical to curbing Internet fraud and beneficial to all merchants.
Internet Fraud Schemes
Earlier this year, the MRC distributed a merchant fraud advisory regarding a scheme where cyber criminals were targeting business executives. In this scheme, a criminal typically steals the identity of a business executive at a publicly traded company where personal information, such as date of birth, address, and phone number, is easily accessible in public records. The perpetrator then applies for a new credit account at an on-line retail store in the name of the company and uses the executive’s information as a personal guarantee. The criminal then orders items, usually high-end ones such as computers, and quickly maxes out the credit line. The criminal moves on to his next target before the retailer moves the order to collections.
Internet fraud losses can be quick and substantial. Merchants should review all new business accounts with the same scrutiny they have always applied to extending consumer lines of credit. For new business accounts, the MRC recommends that merchants contact the company directly to verify the new account prior to extending any credit.
Reshipping is one of the most popular Internet fraud schemes. In this type of scheme, a cyber criminal convinces a victim in the U.S. to repackage goods ordered with a stolen credit card account and reship them to another domestic address thereby providing the criminal access to a known, good address for delivery. In a worst case scenario, the victim reships the package to another country. The victim is not only risking criminal prosecution, but may also be duped into paying the shipping expenses for the criminal.
Businesses selling luxury items in the range of $5,000 to $20,000 are well-versed in risk management and take extreme measures to secure e-commerce transactions. For example, on-line jewelry retailers will often have specialized delivery services requiring signature verification and identification upon delivery. Although highly effective, these precautions do not eliminate credit card chargebacks and financial losses. Nor are they practical or cost-effective for all merchants.
High-end luxury item retailers are only one segment of the MRC’s diverse merchant membership. Members represent nearly every product category. While not all merchants will require the same high level of risk management and fraud prevention as companies selling high-ticket items, any organization utilizing an e-commerce sales channel can benefit from the shared knowledge and experience of these member merchants.
Following are questions for merchants to consider when opening a business account for credit:
- Is the company real and in good standing with the state where the headquarters reside?
- Are the address, phone number, tax ID number, and other information actually registered to the company?
- Is the applicant an employee of the company and authorized to represent the company?
- Has the company been in business for at least a year?
- Have there been significant changes in ownership of the company recently?
- Has the company recently dissolved, been on the verge of dissolving, or filed for bankruptcy?
As best practices, merchants should also be on the lookout for the following in establishing a business account in an employee’s name:
- An applicant may use a legitimate company name, but provide a false address and phone number on the application.
- An applicant may give the name of a company that does not exist.
- One applicant may apply multiple times using different information over a period of time. Keeping track of unique information used many times is often a strong indicator of Internet fraud.
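The repeated-application indicator described above can be checked automatically. The following is an added example, not code from the MRC or the original article: it links credit applications that reuse the same phone number, address, or IP address under different company names. The field choice, the 90-day window, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample credit applications (id, date, company, phone, address, ip).
APPLICATIONS = [
    ("A1", "2007-01-05", "Acme Tools Inc", "(555) 010-0101", "12 Elm St", "198.51.100.7"),
    ("A2", "2007-01-20", "Borealis Supply LLC", "555-010-0101", "90 Oak Ave", "198.51.100.7"),
    ("A3", "2007-02-02", "Cobalt Freight Co", "555-010-0177", "90 Oak Ave.", "203.0.113.9"),
    ("A4", "2007-09-30", "Delta Print Ltd", "555-010-0199", "4 Pine Rd", "203.0.113.9"),
    ("A5", "2007-03-01", "Echo Labs", "555-010-0150", "7 Birch Ln", "192.0.2.44"),
    ("A6", "2007-03-03", "Echo Labs", "555-010-0150", "7 Birch Ln", "192.0.2.44"),
]
LINK_FIELDS = {"phone": 3, "address": 4, "ip": 5}  # column index per field

def normalize(field, value):
    """Canonicalise so '(555) 010-0101' and '555-010-0101' compare equal."""
    if field == "ip":
        return value.strip()  # keep dots: stripping them would merge distinct IPs
    return "".join(ch for ch in value.lower() if ch.isalnum())

def reused_identifiers(apps, window_days=90, min_hits=2):
    """Map (field, value) -> application ids sharing that value under
    different company names within window_days of each other."""
    seen = defaultdict(list)
    for app in apps:
        ts = datetime.strptime(app[1], "%Y-%m-%d")
        for field, col in LINK_FIELDS.items():
            if app[col]:
                key = (field, normalize(field, app[col]))
                seen[key].append((ts, app[0], normalize("company", app[2])))
    flagged = defaultdict(set)
    window = timedelta(days=window_days)
    for key, hits in seen.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            recent = hits[start:end + 1]
            # Same company re-applying is not a signal; different names are.
            if len(recent) >= min_hits and len({h[2] for h in recent}) > 1:
                flagged[key].update(h[1] for h in recent)
    return {key: sorted(ids) for key, ids in flagged.items()}

if __name__ == "__main__":
    for (field, value), ids in sorted(reused_identifiers(APPLICATIONS).items()):
        print(f"{field}={value} reused by {', '.join(ids)}")
```

Flagged groups are candidates for manual review rather than automatic rejection, since shared office addresses and IP addresses also occur among legitimate applicants.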
Information Sharing Is Working
Over the last five years the MRC has seen merchants sharing and getting organized…even among competitors. Sharing best practices, tips, approaches, and specific schemes is one of the most effective ways to combat the problem.
Risk management professionals can get a preview of how the large merchants are tackling Internet fraud by attending the MRC’s Annual Card-Not-Present Conference on March 4 – 6, 2008, in Las Vegas. This year’s conference theme, “Partners in Progress: Mitigating Risk,” will attract CFOs and risk management professionals from the retail industry, e-commerce payment and risk management vendors, credit card and alternative payment company representatives, as well as law enforcement professionals.
Keynote speakers are Craig Newmark, craigslist founder, and Kevin Mitnick, a famous former hacker and computer security expert. Newmark will present information regarding scam and fraud prevention, and Mitnick’s presentation, “The Art of Deception,” will focus on the “social engineering” threat.
The conference includes breakout sessions with credit card representatives, merchants, vendors, analysts, and consultants for beginners to advanced risk management and payment professionals in three tracks:
• Global issues,
• Security and authentication, and
• Tools and solutions.
To encourage the information sharing so crucial to the health of e-commerce, the MRC has a category of no-cost membership for law enforcement professionals. Law enforcement membership allows access to protected sections of the MRC web site and access to timely information for Internet fraud prevention, including analyses of fraud prevention tools, information on the most up-to-date technological solutions for decreasing fraud, and reviews of fraud prevention software.
To qualify for this level of membership, prospective members must work for law enforcement, including police departments, Secret Service, FBI, the National White Collar Crime Center (NWC3), Internet Crime Complaint Center (IC3), U.S. Postal Inspection Service, Department of the Treasury, or the Department of Justice.
To curb and prevent Internet fraud and ensure a safer e-commerce environment, merchants must continue to share information. Becoming involved with an organization like the MRC allows merchants the benefit of learning from the collective knowledge and experience of many diverse merchants.
This article was originally published in 2007 and updated December 2015