Online shopping has spiked in the last 5 years, crossing the trillion dollar threshold in 2012. Embracing the consumer preference for internet shopping, many new businesses are only available through the web. Yet a surprisingly low number of new merchants are taking measures to protect themselves from internet fraud. While many online business owners are convinced that any fraud activity on a card is largely the domain of banks and credit card issuers, internet retailers are simply unaware that in the world of ‘card not present’ (internet purchases), they are liable for bad purchases run through their stores.
For many people, the word ‘fraud’ can seem complex and overwhelming. ‘What is fraud?’ ‘How does fraud work?’ These are common questions that are actually very simple to answer. If an individual had cash stolen from their wallet, and that cash was then used in a purchase by the thief, that crime would be described as theft. The money doesn’t belong to the thief, it belongs to our victim. In fraud, this crime works exactly the same way. Only this time the thief takes the credit/debit card instead of the cash. The law states that only legal cardholders can use cards issued to them. When a thief steals a card and uses it, the thief is pretending to be that legal cardholder and racks up charges in their name. Every charge the thief makes with the stolen credit card is considered a fraudulent (bad) transaction.
If all merchants had to worry about was physical credit cards being stolen, then this wouldn’t be much of an issue. But with data breaches becoming increasing common, the financial information of tens of millions of consumers are now in the hands of cyber cartels looking to use their newly acquired information as quickly as possible. With the ability to purchase almost anything online, criminal are increasingly using their stolen data for online purchases instead of placing the stolen information on fraudulent cards to make “card present” transactions in retail stores.
With all of this fraudulent information floating around in cyberspace, it can be difficult to know what the best course of action is. Accepting credit cards is a sure fire way to expose a business to theft, but clamping down on card transactions will place a financial chokehold on a business that most likely would be fatal.
The key for businesses is to understand what they are liable for. When a business decides to accept payment from a card issuer or bank, they are accepting the terms and conditions passed down by them. What that entails is also accepting the established industry standards that are almost entirely uniform in the industry. Card issuers and banks have no ability to track if a card (or card data) has been obtained by unauthorized persons. The only way to know that an issue has arisen is when the card/card data is used in a purchase. Because a merchant has the greatest ability to stop a criminal in their tracks, card issues and banks place the financial liability on merchants for any fraudulent orders that they process.
To dig deeper into the issue, merchants need to understand the technical lingo that is written into merchant contracts. Many merchants take the assumption that if a transaction is authorized then it is a legitimate transaction. That is not the case. When a card processor runs a card and authorizes, it is simply verifying that the funds are available, the card is not reported as stolen or declined and the consumer’s credit limit has not been hit. An authorization is not running a report as to likelihood of the card being stolen or not, or if it is a risky transaction or good order. Once a merchants accepts funds, the liability now fully rests on them.
E-Commerce fraud is exploding for multiple reasons, but one simple yet major reason that it is exploding so fast is that many individuals simply do not check their credit card statements every day. While there are always going to be that subset of vigilant consumers who set mobile alerts for any purchases and check their cards daily, many consumers wait for their statement to be released before they look over their purchases. By then many weeks or months could have passed before they recognize the unauthorized transactions used on their cards.
Banks and card issuers do their best to look for irregular card activity by calling their customers to verify transactions they might have made. If someone goes on a road trip and suddenly makes multiple purchases in another state, a card is frequently frozen and the cardholder is typically contacted to verify if they did indeed make those purchases. But card issuers can only look for irregularities in a card holders account, and pending any drastic activity changes are powerless to know if a card is being used in a legal or illegal manner.
All merchants are accountable for and suffer chargebacks
To help account for this, and also to help deal with bad businesses, most card issuers offer card holders a 3 to 6 month chargeback grace period. For those not in the know, chargebacks are every merchant’s worst nightmare. Chargebacks occur when a cardholder contacts the card issuer to request a refund from a merchant. This would occur because the customer would somehow be unable to obtain a refund from the merchant or that the merchant is refusing to offer a refund to the customer. To read more about chargebacks and how to stop them read our series on chargebacks. Once a chargeback is initiated by the cardholder, the card issuer will deduct the funds from the merchants account and debit it to the card holders account.
The merchant can fight this process by providing evidence to the card issuer that the customer did in fact make a purchase, received the product intact, and is in the wrong. But in the case of a fraudulent purchase that causes the real card holder to initiate a chargeback against the merchant, ignorance of the card’s misuse by the merchant won’t stop the funds from being forcibly deducted. Many card issuers will hold a portion of the funds generated by sales through their cards in a reserve account that is held explicitly for the purpose of reimbursing card holders from bad transactions. The card issuers themselves cannot risk the liability that their merchants could run up thousands of bad orders and then not be able to pay the cardholders back. This reserve account is created because the credit card companies and banks only have a limited amount of money available to repay their customers at any given time from their own accounts. So by establishing a safety net between themselves and the merchant, they help prevent a shock withdrawal from the merchants account in the case of a large chargeback while guaranteeing that the card issuer can repay the card holder instantly.
To add insult to injury, merchants who have multiple chargebacks against them risk ever compounding fee’s as well as being placed on a chargeback monitoring program. If merchants are unable to bring the chargeback rate down, they risk be blacklisted by the card issuer either temporarily or permanently, which can drastically cut revenues for that business.
So what is a retailer to do?
No matter what the purchase, or the volume of transactions that merchant may be accepting at any given month, all transactions paid for by credit card need to be vetted.
But verifying transactions can be difficult as tying an online identity to an offline real person can take a significant amount of research. But there are common steps that all merchants can take that will significantly reduce the probability that they will process a fraudulent order or accept business from someone who serially conducts chargebacks.
1. Always, always, always collect and examine CVV2 and AVS and examine them closely
CVV2 is the 3 digit code on the back of a credit card that is separate from the 16 digit number sequence on the front. The code is a secondary backup to ensure that the card is actually in the hands of the cardholder and is never stored on file in a transaction history unlike a credit card number.
AVS stands for Address Verification System. When entering in a billing address, all merchants need to ensure that the billing address entered into the checkout matches that of the address tied to the card. If a customer repeatedly fails AVS, that is a staggering red flag. There is no reason that a real customer would be unable to identify what the billing address is for the card unless the card was being used illegally.
2. Ensuring that billing and shipping match are critical.
Billing and shipping always go together, and if they don’t it is normally an issue. Merchants always need to carefully examine why a customer would not ship to their billing address. Are they shipping to family? Are they shipping to friends? What connection does the purchaser have to the recipient? Many merchants will cancel orders that have a billing/shipping mismatch, while others have a large amount of research that goes into verifying if the customer is the true card holder. In an instance of a billing/shipping mismatch, a merchant always wants to ensure that during the checkout the customer didn’t fail the AVS or CVV2. Additionally, it is recommended to merchants that they call the customer to verify the recipient of the delivery.
3. Always get a signature for delivery
When purchasing online, often times the simplest fraud ideas are the most effective. And nothing is simpler than claiming that you never received your package. For any kind of high value order, ensure that the customer who made the purchase is the one who signs for delivery. By getting a signature, you ensure that the customer can’t later force a chargeback against you and you ensure that fraud isn’t later claimed. A major source of fraud for merchants is reshipping fraud, where a fraudster will purchase a product on the web and have it shipped to a middleman who then mails the product to him. Requiring a signature from the cardholder stops reshipping fraud in its tracks as a fraudster would have no ability to get the real cardholders signature nor would any middleman be able to accurately forge a signature.
4. Always check IP
Internet Protocol, the location of the computer the customer is using, is normally a dead giveaway to the truthfulness of the transaction. Is your customers billing and shipping in Indiana, but the IP is from Egypt? Well, that’s probably a fraudulent transaction. While the IP address can fluctuate a few miles from the address of the customer, it should never be in excess of 50 miles. Any IP address that is far from the address of the customer indicates either three things. 1. The customer is away on business. 2. The customer is on vacation. 3. This is a bad transaction. Many fraudsters attempt to mask their IP location by going through regional proxy servers, but these are easily detected and are simply another indicator of an online criminal.
5. A customer with a bad user name or email is almost always a bad customer
According to surveys over the last couple of years, the vast majority of customers will reuse the same username for most websites, and only maintain 2-3 email addresses at any given time. What this means for merchants is that if you encounter an email that doesn’t contain the name of the customer, red flags should immediately be raised. If an individual consequently gives you a user name that is full of strange characters or numbers that is normally an indication that this customer doesn’t intend to be a returning purchaser. Many merchants require that a customer verify their profile by clicking on a link sent to the customers email address to verify if this indeed is a human and not a bot. If the email address entered in the creation of the profile is different than the email address stored on file by the card holder that additionally is an indicator that something suspicious is going on in the order.
6. Be on the lookout for multiple purchase attempts, and protect your store against attacks
Fraudsters rarely have a complete data set on the individual of whom they are impersonating when making purchases online. They may be able to fill in the card number, name and address but fail the CVV2. They might have stolen the wrong email address, or they could be trying to make a purchase from the other side of the globe. If there are instances of multiple attempts, with repeated failures in a critical field a merchant will want to permanently decline that customer and every data point associated with the transactions.
7. Check the shipping address
If your customer is shipping to a Fedex store, or to a park P.O. box, that might be a red flag that they are trying to hide their location. If the location is a known drop ship address, or has a history of fraud associated with it, why take the risk of shipping to that address?. Using address verificaction services such as Whitepages.com to run the address is a crucial step in every transaction to ensure that a customer who claims the address is their own is not in fact using an illegitimate address to avoid detection while running bad transactions.
Fraud prevention takes time!
Criminals are drawn to online companies like gravity, the larger the business the stronger the pull. Fraud prevention is a difficult, time consuming process that only grows more and more important as a company increases its sales. With liability solely on the internet retailers, Signifyd finds that the vast majority of merchants take a cautious approach and tend to decline any suspicious orders as well as declining most international orders. Without having a data verification service to tell merchants if a customer is using a proxy to mask his IP or to verify his address, merchants can be at a loss to confidently decline or accept an order.
Signifyd provides the tools merchants need to quickly verify their orders.
Looking up 5 orders a day might not be an issue for company, but if your company finds itself suddenly needing to review 75, 100, 200+ orders a day it can quickly become an overwhelming and all day long task. And without a uniform way of doing each search a company can find it is simply approving or declining orders ” based on their gut”. Signifyd provides companies a way to quickly ensure that they don’t rack up huge losses by accepting payment from multiple stolen credit cards or get hit by numerous chargebacks. Signifyd runs reverse IP lookups to detect proxies, verifies a customers address, checks bin to verify the cards origin, looks through social media to double check a customer’s true identity, and gives merchants a customer’s shopping history to highlight any possible fraud or chargebacks that can be associated with them. Signifyd scores transactions at an average of 200 milliseconds and works with merchants from the largest on the web to merchants who have just set up shop. If you run a business and are concerned about chargebacks and fraud and want to learn more please reach out to us at firstname.lastname@example.org to learn more!
Signifyd Seeks to Upend E-commerce Fraud with First Technology that Analyzes Footprints of Fraudulent Customers
SANTA CLARA, CA – October 16, 2013 – Signifyd today announced the launch of the first e-commerce fraud platform that seeks to dramatically reduce a retailer’s exposure to chargebacks and fraud by analyzing data footprints to bridge the gap between online and offline consumer identities.
Signifyd’s machine learning algorithms use customer intelligence to evaluate the risks of an incoming order in real time. The company’s technology assesses 120 risk indicators and looks for footprints in online and offline data sources, such as the Social Graph, device fingerprints, IP geo-location, proxy detection, customer history, issuing bank data, cross-merchant blacklists, transaction velocity, search engines and public records to determine the validity of a transaction. For example, if a consumer is making a purchase from an IP address located in San Francisco but the consumer’s billing address is in France, existing fraud solutions will decline or manually review this transaction. Signifyd looks to see which country the card was issued and the strength of the consumer’s social profile. If the consumer’s Twitter account indicates they live around San Francisco and the issuing card bank was in France, Signifyd may approve this transaction. Signifyd assigns all transactions a score to notify retailers of fraud, and is the only top fraud vendor to guarantee payments in the case of chargebacks resulting from approved transactions.
E-commerce is estimated to be about $1.5 trillion in 2013. Merchants are estimated to lose 1 percent of revenue in fraud and lose an additional 3 percent annually in wrongly declined transactions. That means merchants are not only affected by losses, but are also losing billions in good revenue due to existing fraud solutions.
“E-commerce fraud detection has been one of the most critical and time consuming processes for online retailers, but most fraud detection tools aren’t suited for today’s cybercriminal who is becoming increasing adept and advanced,” said Rajesh Ramanand, co-founder and CEO of Signifyd. “We’re bringing much needed innovation to the fraud solution market. By using Signifyd, retailers can now make decisions in real time about the validity of a customer without worrying about a fraudulent transaction costing them money or a valid transaction being declined.”
For smaller retailers, e-commerce fraud is especially taxing, so much so that 57 percent of smaller merchants still do not screen for fraudulent transactions, despite SMBs losing millions annually in chargebacks and being least able to absorb the lost money and customers from inadequate or nonexistent fraud detection strategies.
“With Signifyd, we’ve been able to increase revenue by 15 percent by selling into markets that we were previously cautious about,” said Ahmed Khattak, founder and CEO of GSM Nation, who sells unlocked cell phones online. “We’ve done this while simultaneously keeping chargebacks very low and reducing manual reviews by 80 percent. Signifyd has been a terrific ally in growing our business.”
Integration with Signifyd takes fewer than 5 minutes to perform on partner platforms like Shopify and Magento, and its low price points for SMB retailers makes best-in-class fraud protection available to every online seller immediately. In addition to GSM Nation, Signifyd provides fraud detection and prevention solutions for many of the Fortune 1000 retailers including Build.com, Wayfair.com, MakerBot and Petflow.com. Signifyd was founded in 2011 by former PayPal and FedEx executives Rajesh Ramanand and Michael Liberty, and is funded by one of the largest, most respected VC firms, Andreessen Horowitz. Earlier this year the startup won the prestigious Merchant Risk Council Award for the Best Emerging Technology.
Headquartered in Palo Alto, CA, Signifyd was founded in 2011 by Rajesh Ramanand and Mike Liberty, a team of veteran risk and fraud experts from PayPal, to help online businesses prevent payment fraud. Signifyd’s full-service cloud platform simplifies fraud detection allowing businesses to increase sales while reducing fraud losses. Signifyd is in use by multiple companies on the Fortune 1000 and Internet Retailer Top 500 list. The Company is backed by top tier Venture Capital firms such as Andreessen Horowitz, Data Collective, IA Ventures, QED Investors, Resolute.VC and Tekton Ventures. For more information about Signifyd, please visit http://www.signifyd.com.
This is a repost from CoinDesk
Bitcoin sales service btcQuick says that it has achieved nearly $2m in sales.
Colorado-based CEO Jerrod Bunce started the company in November 2012, after trying to buy bitcoins and getting frustrated with bitcoin sales site BitInstant, a service that enabled customers to buy and sell bitcoin but which was criticized for its slow service.
“I thought to myself ‘I can build this to be better’,” he said. He then coded the site in PHP, using the Twitter Bootstrap front end.
When users request to purchase bitcoins using US dollars, btcQuick buys the equivalent amount in bitcoins from an exchange, which it then sends to the customer’s bitcoin address, or to their email address using Inputs.io.
The firm started slowly, growing with the help of $120,000 in funding from private investors and crowdfunding, says Bunce. It has grown substantially over the last few months, according to Bunce, who showed CoinDesk proof of his monthly sales figures. The firm is currently doing a little over $500,000 in business, he said.
BtcQuick’s model is to be among the fastest to provide bitcoins, if not necessarily the cheapest. It charges a 7.5% fee on transactions, but this can slide to as little as 3% given enough volume. Transactions made by credit card are settled in a couple of hours.
Most of its sales (70.5%) are from the US, said Bunce, who added that the company is also selling to users in countries including Canada, Australia, Argentina, China, Germany and the UK. On average, a single transaction is $175. Bunce said:
“We have mainly been spread around by word of mouth, but have recently started advertising on reddit, dailybitcoins and via Google CPC ads.”
Customers are expected to go through verification procedures by proving their identity, says the firm, which then allows them to purchase bitcoins using a credit or debit card. “I expect this to change as we work towards FinCen compliance,” he concluded.
The company doesn’t yet have compliance, but is working with US lawyer Marco Santori (the Bitcoin Foundation’s regulatory affairs committee chair) on this issue.
In the meantime, Bunce is contemplating pulling out of three US states – New York, California, and Texas – until the issue is resolved.
“California and New York don’t hold a large percentage of our business,” he says. Those two states have both hit bitcoin-related organisations with subpoenas or warning notices in the past few months.
In the meantime, btcQuick is doing its best to follow KYC rules and stop fraud on its network. It has a deal with miiCard, under which it uses the site’s identification hardware to verify customer identities. It gives customers who use Miicard a 1% discount from the original fee as part of a silver membership
The company also uses a fraud detection system from Signifyd, which Bunce says offers the firm greater assurance that malicious actors are not trying to game its network.
The site that inspired Bunce, BitInstant, which was operated by New York-based Charlie Shrem, shut down on 13th July to work on a service upgrade. The site, which would have been a competitor to btcQuick, has still not reopened. It was subsequently hit with a class-action lawsuit by angry customers.
If you are interested in learning more about Signifyd please reach out to us at email@example.com
Welcome back for another entry into our series, the top 10 phrases used in the fraud industry (and an explanation of what they really mean!). Today we are going to talk about a more business related fraud scheme, but still one with severe consumer and commercial implications. Affiliate fraud, alternately known as click fraud, is the act of fraudulently simulating web traffic to a web site.
What is affiliate marketing?
Affiliate marketing is a term that many people have at the very least heard in passing, but is still not the most widely understood term. For most people, the breadth of their online ad knowledge might be that they noticed their Facebook ads are now displaying advertisements for wedding venues now that they changed their status to ‘engaged’ or that the side panel ads on a random website are suddenly showing more ads for sports gear after their latest visit to ESPN.com. But behind these ads are sophisticated ad networks such as Google Adwords or Yahoo! Search marketing who track the viewing habits of web users and use complicated algorithms to drop the timeliest placed ads for users to click on so they can generate money from a subsequent sale. And for the webmasters (the owners of the websites), clicks can mean dollars so the more clicks the better.
Subscription video companies are a perfect example of the type of company that might be at risk for affiliate fraud. Netflix and Hulu drop ads all over the web on countless websites, where they frequently advertise free trials to incentive users to click on the ad and sign up. Once a user signs up, a ‘cookie’ is placed in that persons browser and lasts for a certain duration of time but usually no longer than 6 months. The owner of the website gets a few cents for each click on the advertisement, but they can get relatively large payouts ($30 to $40) from Hulu and Netflix if during the duration of the cookie which was placed after the user first clicked on the advertisement that same user went back and became a paying user.
How do fraudsters abuse affiliate marketing?
For fraudsters, this is an obvious gold mine. Depending on the greed of the criminal, they might simply be content to create a ‘bot’ ( a computer program designed to click on ads ) to generate phony traffic to a website so they can get revenue from clicks all the way to using stolen personal information to get larger payouts from advertisers. In both of these situations, not only do the advertisers lose money but the consumers lose as well.
I always knew catvideosultrasuperfunny.com would rake in the big bucks!
At first glance it might not be readily apparent to say a school teacher how some advertiser suffering from click fraud could affect him in any way. But keep in mind that to create the sense of authenticity these clicks have to originate from different sources. If 2,000,000 clicks were shown in the ad analytics to have originated from one computer even the most rookie of online detectives could tell you that something looks seriously off.
To solve this problem, fraudsters utilize what is known as ‘zombie computers’. In this recent article by The Wall Street Journal, ‘zombie computers’ are computers that have been infected with a program that allows an outside user to manipulate it. Fraudsters write malicious programs and release them to computers all over the world, infecting millions of devices. With a zombie army so to speak now at a fraudsters command, they can set up fake websites and command millions of remotely controlled computers to click on these ads.
Even worse, compromised computers can offer up valuable personal information that fraudsters can use to fill out web forms, trials and anything else that they please to rake in more cash from advertisers.
How do companies protect themselves from affiliate fraud?
Much like a government agency investigating a hidden wire transfer, the core mystery is finding out where ultimately the command is given to click on these ads or fill out these forms. The FBI and other law agencies use their power to arrest hackers and other criminals the world over to shut down these online criminal syndicates, but business can have to rely on software and services to protect themselves.
This is where a company like Signifyd can fit in. Signifyd finds patterns in the mountains of data that exist online and point them out to our customers. If a company receives a suspect web form, Signifyd can tell that company instantly if say a foreign number was listed or if that email is real or not. Signifyd can show if a proxy IP was used in an attempt to disclose the originating location of a device, and if a device currently used has a fingerprint. With over 120 different data points, including velocity checks and reverse address look ups Signifyd is the ultimate fraud investigation tool. Even the best criminals leave their mark, and making sense out of raw data is where Signifyd succeeds.
So if you are a company who advertises on the web and you want to learn more about why countries on the other side of the globe have suddenly decided to click on your ads, or if your business has received lots of phony free trial signups and your affiliate marketing is paying out for dead end leads, Signifyd can help you determine the authenticity of your data. Reach out to us at firstname.lastname@example.org and we would love to chat! Thanks for reading.
Welcome back for another entry to our series, “The top 10 phrases used in the fraud industry (and an explanation what they really mean!)” Today we are talking about ‘Return Fraud’, which is a form of theft that utilizes several other forms of fraud in our list so far.
Return fraud for businesses is the ultimate double whammy. An individual first steals from a company, either by using a stolen credit card to obtain a good from them, perpetrating shipping fraud by claiming to have never received a good when they actually received it or by receiving a good and then obtaining a chargeback from them by claiming the product was broken or defective. The thief then takes the product that they stole from the merchant online and then goes into the same merchant’s brick and mortar store and tries to return it for cash or store credit. For merchants, not only are they out the money the first time from the chargeback or stolen credit card, they are now paying this thief money for a second time to return the product.
What kind of return fraud is most likely?
Clothes, plain and simple. Almost everyone has heard of the prom dress swap. A girl buys a dress on Friday, wears it on Saturday and returns it on Sunday never having any intention of ever keeping and paying for the dress. For retailers with both web and brick and mortar stores the abuse can be near identical and it is so common that it even has its own phrase, ‘wardrobing’. A customer buys clothes from the web, wears them for a certain period of time and then returns them when those clothes have ‘worn’ their purpose. While certain retailer like L.L. Bean and Patagonia maintain a happy customer base by maintaining a no questions asked return policy, those returns still hurt the bottom line severely. Now combine the used merchandise with the fact that the merchandise is stolen, and retailers have a serious financial threat to be on the lookout for.
“Time to make me some easy money!”
How do I stop return fraud?
When accepting a return at a physical location that was purchased from the web, always require a receipt. Not only does a receipt stop the acceptance and payout for a stolen good, the procedure will help stop many looking to abuse liberal return policies to begin with. A receipt also helps stop cross merchant returns. For example a customer might try to return a similar product like a white t-shirt purchased at a low end retailer and then return it at a luxury retailer and pocket the difference. Even for small ticket items, most web retailers will send a receipt not only to a customer’s email but also include a printout with the shipped package to cover both bases in case a customer claims they never received a receipt.
For higher ticket items, always require a signature upon delivery. When a customer signs, they acknowledge that they received the promised product and are taking delivery. This prevents a customer from receiving a package that most likely would contain a receipt, having them claim they never received it and then going to that company’s physical store with receipt in hand and walking out with cash.
Lastly, always use fraud detection software. Using tools to detect fraud prevention can help stop the cycle to begin with by refusing to ship in the first place. And no tool is more powerful than Signifyd. Signifyd can tell merchants if a customer has a history of chargebacks, is blacklisted by other merchants or has a history of fraud. Signifyd can also instantly score every online transaction, telling you if a credit card is stolen or if an order is likely fraudulent or not based on over 120+ indicators. Preventing a shipment to a risky individual in the first place can stop return fraud before it even happens.
If your business has suffered ‘wardrobing’, return fraud or your team is canceling so many online orders to prevent fraud that your business is inadvertently blocking good customers in the process, we here at Signifyd would love to speak to you about how we can sort out the good customers from the bad. Reach out to us anytime at email@example.com
“Can I get a refund?”
A question that no retailer wants to hear, the automatic guarantee of a refund by a merchant has become ingrained into 21st century America. From expensive jewelry to small ticket items, purchased in person or over the web, the ability to return goods to merchants in exchange for a customer’s money back goes almost unquestioned. But many merchants do not wish to offer refunds over frustrations of the costs involved. When a customer cannot obtain a refund directly from a merchant, they begin the process called a chargeback. In a perfect business world there would be no refunds, no chargebacks. But we are inhabitants of an imperfect world working in an imperfect marketplace, and chargebacks happen all the time. Why they happen, how they happen and what to do about it is going to be covered in this three part series.
Chargebacks and Refunds Defined
What is a chargeback, and how does it differ from a refund? To answer this question, let’s first define what is a refund and then what is a chargeback. A refund is a remittance of funds from a merchant to customer most commonly defined as the returning of cash from a merchant in exchange for the return of goods by the consumer. A refund can be for any purpose, from non-shipment of goods to a defect in the product. But regardless of why a refund is initiated, it is always between the business and its customer.
A chargeback by nature is a far less desirable route for a merchant in an already frustrating ordeal. A chargeback is defined as when a consumer contacts its credit card company or bank to complain about a merchant and ask the credit card company or bank to issue them a refund directly. If a refund is issued by the credit card company or bank to the consumer, the funds are forcibly taken from the merchant. To add insult to injury, the merchant is then hit with a chargeback fee on top of the lost goods by the merchant.
Before we continue with more definitions of what is and is not a chargeback, laying out exactly what the chargeback procedure steps are is an important development. On average, a chargeback has about 6 to 8 different steps on its path from customer initiation to bank/merchant resolution. Below is a well written chargeback path from the website Dalpay.com that helps illustrate how the typical chargeback develops.
Step 1: The cardholder files a complaint by contacting his or her issuing bank about the erroneous transaction.
Step 2: The issuing bank checks whether the dispute is valid. If the bank finds the request invalid, the dispute is simply declined and the customer is charged with a processing fee.
Step 3: If the issuing bank sees a potential error, a provisional credit is provided to the cardholder. The bank then initiates the usual chargeback process, to obtain credit from the merchant’s sponsoring bank.
Step 4: The merchant bank sponsoring the account then checks whether the chargeback is valid or not. They usually send you a notification to inform you of a pending chargeback request.
Step 5: The merchant’s sponsoring bank then does some research on the validity of the chargeback claim. If the chargeback is found to be invalid, they will decline said chargeback and inform the card-issuing bank.
Step 6: Assuming the chargeback is invalid, the amount of the chargeback is removed from the merchant’s account and the merchant’s bank will notify the merchant about the outcome.
Step 7: If a processing error has indeed occurred, the corresponding correction is then sent to the card-issuing bank for re-presentation.
Step 8: The merchant will be asked to provide the needed documentation and proof to remedy the chargeback. If the documentation provided is satisfactory, the claim for chargeback is denied and the customer will be charged once again for the sale. If the documents seem to be unsatisfactory, the chargeback amount will be provided to the customer.
What is the legality behind a chargeback?
Most everyone has seen the waiver issued by merchants when an individual partakes in any kind of semi-dangerous activity from swimming to skydiving that ask customers to sign a release form that frees them from legal liability, and thus from being sued should an accident occur by that customer. In the same manner, it would seem logical that many merchants might try to pass along a type of chargeback waiver to its merchants to protect themselves from later having money taken from them during a chargeback.
This however is illegal, as consumer protection acts over the years have cemented in law the ability for a consumer to obtain a refund of money from a business. There are two separate laws passed legalizing the ability for a consumer to begin the chargeback process, and they are split depending if the consumer paid with a debit card or a credit card.
The ‘Truth in Lending Act’, informally known as Regulation Z, is a stipulation in this 1968 piece of legislation that enables a consumer to challenge credit expenses on their bill and gives them the legal right to reverse a charge.
For debit purchases, Regulation E in the ‘Electronic Funds Transfer Act’ that was passed in 1978 gives consumers the right reverse charges by disputing debits from their accounts by their bank.
What is the industry average for a chargeback?
According to Optimized Payments consulting, the average chargeback rate varies depending upon your line of business. They created this nifty graph here in which we see that a chargeback rate under 1% is good by industry standards.
A standard chargeback rate of around 1% is the median across all industries. As merchants start accruing 1% or above for chargebacks, we begin to see either higher margin industries/products or low levels of customer service or goods delivered.
Are all chargebacks the same?
It doesn’t take a rocket scientist to realize that chargebacks can easily be abused by consumers. While Regulation Z was setup to protect consumers from shifty businesses, fraud has become rampant among consumers looking to easily rip off businesses. There are different types of fraud and chargebacks that businesses need to be on the lookout for to ensure that these legal protections afforded consumers aren’t abused against them.
- Friendly Fraud
Though its name suggests that perhaps this is a type of accidental fraud, it is really anything but. Friendly fraud is defined as when a consumer makes a purchase, and then after the consumer has received the product from the merchant, attempts to have the charges removed from their bill.
- Customer will not sign for delivery.
Another instance of friendly fraud arises during shipping. Requiring a customer to sign off on a delivery is standard for high end deliverables. Fraudsters knowing that a signature will complete a transaction cycle will often refuse to sign, then claim that they never received their product, all the while having possession of their purchase in the attempt to obtain a duplicate for free.
- Digital Goods
Digital goods and services are an especially ripe area for consumers looking to rip off businesses. Because there is no shipping and the good is delivered immediately, a consumer (or fraudster) can make multiple purchases (checkout our section on velocity checks) and then call up a bank to claim that they were not the ones who authorized this transaction. Overlapping with friendly fraud, chargebacks are especially rife in virtual currencies as well as online social networks where children make unauthorized purchases on their parents’ credit cards.
Do merchants get banned for too many chargebacks?
For consumer protection, every card issuer has their own chargeback monitoring program. These are the links for the Visa chargeback program as well as the link for MasterCard’s. For a comparison of the two programs this pdf helps to show the differences between the two .
The answer though to the question above is an absolute yes. According to Chargebacks.com, 1% is a merchant industry maximum for card issuers when it comes to chargebacks. In a snipit from the attached MasterCard document, one can see how MasterCard tracks and defines it’s merchants applying different categories to them based upon the volume and the longevity of their chargebacks.
If a merchant stays above 1%, they will enter into the world of the above mentioned chargeback monitoring programs.
If a merchant during this time either fails to bring their chargeback rate down or is unable to successfully dispute and win chargebacks against them a card issuer will terminate their relationship with a merchant.
Do merchants get hit with fee’s for multiple chargebacks?
The first time a merchant gets hit with a chargeback, the fee can vary depending on the credit card processor. PayPal charges $20, Stripe charges $15 and Google Checkout will charge $10.
According to chargefellow.com, the average credit card chargeback fee ranges between $5 to $15 dollars, and this fee is paid regardless if the merchant wins their chargeback dispute or not. The real pain comes if a merchant is placed in their chargeback monitoring program. $5,000 dollars is the fee for being inducted into this dubious club, with high levies based upon chargeback volume.
Do the banks ever side with the merchants?
Banks can side with merchants, but be prepared to work for your money. The burden of proof lies on the business, not on the consumer, to prove that they should keep their revenue. According to paymentsviews.com, the process of re-reversing a chargeback which is task known as a retrieval request only happens 10% to 15% of the time. This goes to show the uphill battle merchants face when battling the banks who themselves do not wish to lose any customers. The key to all of this is precise documentation of every order, which increases the likelihood of winning a dispute charge with a bank.
After one chargeback, can I block customers from future transactions?
The answer to this is yes, online retailers can block customers. In what is known as merchant blacklists, online retailers can add a customer’s name to an internal list to block future transactions listed by that individual. Many merchants prevent costly chargebacks by allowing only one chargeback per customer, and subsequently placing that customer on a blacklist which bans them from shopping on their site. Many more merchants will ban a customer for life after a single chargeback. Some merchants go even further and will purchase industry blacklists of customers who have initiated a chargeback claim against another merchant to block that customer altogether from making a purchase.
How do I prevent chargebacks?
The answer is easy but can be time consuming without tools like Signifyd to help your company. Merchants need to screen every transaction to ensure that they are not about to process an order for a high risk customer. Previously, merchants would screen their questionable orders by manually calling up a customer to verify their identity and that they have the card in hand. This would go a long way in stopping a fraudulent transaction plus a chargeback. But there is only so much information a person can extract from a quick phone call. Signifyd can pull complete customer profiles for every order that passes through your system. This includes checking the email, phone number, billing and shipping addresses as well as their credit/debit card for any chargebacks the customer may have initiated in the past. With Signifyd’s complete order verification service, merchants worried about chargebacks can simply pass their orders into our system and instantly be advised as to whether they should accept or decline an order as well as an explanation behind that decision. If you have any specific questions about chargebacks, fraud prevention or how Signifyd works please reach out to us at firstname.lastname@example.org or at email@example.com. Thanks for reading!
Welcome back to part 7 of our series, “The top 10 phrases in the fraud industry (and what they really mean!)”
What is Reshipping Fraud?
Today we are tackling a big one that predates the Internet. We are talking about reshipping fraud. Reshipping fraud has many names, such as delivery address fraud and fake address fraud. Reshipping fraud works directly hand in hand with identity theft. Reshipping fraud operates on a basic premise. Person A is an online criminal and can live anywhere on the globe. Person B is an innocent individual and most likely unaware of what reshipping fraud is and its penalty. Person A has the financial and personal details of Person C, an identity theft victim of Person A. Person A intends to make purchases with Person C’s money, but this individual cannot ship to their own address out of fear of being tracked down by the authorities. So Person A needs an intermediary (Person B) to receive the online goods at their address and reship them to their (Person A’s) address.
So how does Person A and Person B meet? Well, they almost always meet under false pretenses, to start with. There have been a variety of methods that Person A has used to trick Person B into accepting the illegally purchased goods on his behalf. The USPS has posted an online PSA highlighting the top 3 lies used by Person A to get Person B to accept the goods. 1. Work-at-Home Scams. 2. Sweetheart Scams. 3. Charity Scams. All of these scams involve individuals A and B meeting through the internet, and through one method or another involve Person A sending a good to Person B with instructions for Person B then to send it to Person A.
Reshipping fraud naturally is a major concern for the USPS, shipping companies such as FedEx and UPS, as well as any business that ships goods to its customers over the internet. Whether we know it or not, almost all of us have encountered measures to prevent this type of fraudulent activity. Have you ever signed for a package? Well then you have interacted with a preventative measure to stop reshipping fraud. Businesses that have concerns about shipping will normally pass along the ‘sign for the package’ measure to prevent fraud from occurring. But there are a variety of methods that retailers take to stop reshipping fraud.
How have merchants been fighting Reshipping Fraud?
Some merchants will point blank refuse to ship to a customer that enters a different shipping address than the billing address. Some merchants call the customer, while other merchants do address lookups in an attempt to draw a connection between person B and Person C. There are other measures that merchants can take, such as proxy server detection or velocity detection but these effective techniques are not universally utilized by all merchants. The most effective way to stop reshipping fraud in our scenario is to determine that in fact Person C (the cardholder) knows Person B (the delivery recipient). Short of calling person C, merchants have had sporadic success in stopping reshipping fraud using online tools. So, is there an effective way to establish the relationship between Person B and Person C?
One of the most effective fraud prevention tools in a merchant’s arsenal is the litany of social media sites available. With LinkedIn, Facebook, Twitter and many other social networks as well as data bases of public information, merchants should be able to draw a verified connection (if there is any) between a buyer and the recipient. Lack of a verified connection doesn’t mean it’s bad, it just means that the merchant will have to do more checks to validate the data provided. Things like the IP address of the purchasing computer, pattern detection to detect if this order is consistent with Person A’s shopping behavior as well as dozens of other checks that fraud solution providers like Signifyd provide in real time to verify every purchase.
Reshipping fraud is just one of many different forms of fraud online merchants have to deal with. From users with multiple email addresses trying to take advantage of an offer to consumers committing friendly fraud with chargebacks, knowing who to ship to and who to decline can seem at times an unsolvable question. Signifyd can answer these questions for you on every order in real time. If you have any questions about reshipping fraud or are interested in Signifyd’s services please reach out to us at firstname.lastname@example.org or at email@example.com ! Thanks for reading!