BOPIS Fraud: What Is It & How To Stop It

Conditions worldwide in 2020 drove Buy Online, Pick up In-Store (BOPIS) sales to grow by over 100%, accounting for nearly 10% of all ecommerce sales in the US.

Customers who tried this click-and-collect model also usually dove in, using it frequently and often buying more, a clear benefit to businesses who offer it.

However, where booms of this magnitude exist, bad actors know there is also a boom in opportunity for fraud. In fact, the most recent data from ACI Worldwide shows that fraudulent behavior appeared in 7% of all BOPIS transactions, 2.4% more than in other legacy delivery channels.   

Let’s take a look at the unique challenges BOPIS models come with – and how to deal with them efficiently.

What Is BOPIS? How Does It Work?

Companies that offer a BOPIS model – commonly referred to as click-and-collect or curbside pickup – utilize their brick-and-mortar retail locations alongside their mobile and online marketplaces to sell and distribute their products.

Specifically, it’s a way to buy online and pick up in-store:

  1. Customers browse, select, and pay for items online.
  2. The order is stocked at a physical retailer – shipped there or already available in-store.
  3. The customer picks up their order at the chosen location.

Customers have responded in cash to companies that offer this option. Avoiding shipping fees while also choosing the easiest time and place to pick up their purchase is a convenience that many shoppers now prefer.

Sometimes the BOPIS model is described as an omnichannel or hybrid model, as it demands attention from every sales channel of a company, and seamless integration is paramount for it to function as intended – a challenge for any business.

Retailers find out very quickly that adopting a BOPIS system involves much more than just adding another option to your storefront at the checkout screen. In a BOPIS transaction, a specific team will be needed for each element of the process:

  • fraud and cybersecurity – checks your customers as they arrive and before they pay, compliant with KYC mandates
  • digital – will have designed options in your digital marketplace for a curbside pickup or click-and-collect option
  • supply logistics – checks to see if the customer’s purchase is in stock at the chosen location, supplies it if not
  • distribution/supply chain – a network of physical distributors has to deliver the purchased products to specific locations in large numbers
  • in-store distribution – employees at brick-and-mortar locations deliver the right products to the right customers as they arrive
  • HR – companies cite staffing the stages of a BOPIS model as one of the greatest difficulties with integrating the system

This is compared to the much smaller circuit of a traditional transaction in-store, where the customer chooses a product that is already in the store, then pays for it. At most, there is some after-service follow-up in case of dissatisfaction.

What Is BOPAC?

A term closely associated with BOPIS is BOPAC, which simply stands for Buy Online, Pick up at Curbside. This sub-model is self-explanatory, yet can be argued to present a slightly higher risk to companies.

Because curbside pick-up in the buyer’s car is expected to be faster than in-store pickup, there is less opportunity to cross-reference the customer’s information or spot any suspicious patterns. Because of this, merchants who use the BOPAC model would be wise to take BOPIS-enabled fraud prevention seriously.

What Is BOPIS Fraud?

Any fraudulent activity that involves Buy Online, Pick Up In-Store transactions can be classed as BOPIS fraud. Applying to ecommerce, this type of fraud often takes advantage of the unique characteristics of the BOPIS buying model, as we’ll see below.

The integration of so many channels of a business is a huge undertaking for any enterprise. The communication and cooperation BOPIS requires present a very wide attack surface for a potential fraudster.

Connecting so many parts of a business together gives bad actors many different places to plant a malicious seed, including the weak points between departments in the BOPIS model.

Fraud associated with the BOPIS model takes advantage of these inherent security flaws within the model. Many of these flaws are also what make it popular among some customers, as they cut down on friction while boosting convenience and, indeed, customer loyalty. Naturally, finding the right balance between protection and friction is a headache for many a merchant.

What Kinds of BOPIS Fraud Exist?

An example of BOPIS fraud turning convenience into criminal opportunity is when a suspicious customer chooses a curbside pickup option in order to provide less identifying data.  The customer will need to enter slightly fewer pieces of information about themselves than in a delivery option, where they need to include a valid address.

While this allows the customer to pick up their purchase when they want, potentially even on the same day (rather than arranging and waiting for delivery), it also gives the marketplace security team one less data point to reference, and a particularly valuable one at that. 

Credit Card BOPIS Fraud

Fraudsters with stolen credit card credentials, probably purchased in bulk, can first card test their numbers to determine if they have been canceled or not. With working card numbers, bad actors can easily get away with purchasing goods with someone else’s money.

They will usually create a new email address to match their stolen information. The goods are paid for (by their victim), and the fraudster picks up their ill-gotten goods in-store to (probably) resell them. In credit card BOPIS fraud, the victim will often request a chargeback, which means it’s the merchant who will ultimately suffer the loss.

Sneaker Bots

A practice common among certain types of BOPIS shoppers – often shoppers of clothing brand Supreme – is to employ a sneaker bot. These are proprietary programs that target the fraud-prevention tools of a specific ecommerce marketplace in order to bypass imposed purchase controls. 

In other words, when Supreme is about to drop a new product and limits purchases to two per customer, a customer with a sneaker bot might be able to purchase 20 or 30 items as the sneaker bot rapidly spoofs many different customer IDs. These purchases can then all be collected in-store at once.

This way, the bad actor will acquire coveted, limited-edition or low-supply items to then resell at a higher price. Sneaker botting isn’t explicitly illegal but is frowned upon and very common, and is something that can be prevented by a fraud prevention tool.

Omnichannel Fraud

The complicated omnichannel structure of a BOPIS model allows for lower-tech fraudulent behavior as well.

For example, in a system with suboptimal integration, a malicious customer could:

  1. choose and pay for their product online
  2. go to the store after they know their purchase has been stocked
  3. cancel their order as close to pick-up as possible

A system running at less than instantaneous speed will likely be unable to catch up to the cancellation before it gets collected, so the scammer could keep both the item and their refund.
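One way to close this gap, as an added sketch that is not from the original article or any vendor's code: cancellation and hand-over both go through a single atomic state transition, so only one of them can succeed. The `Order` class, state names and return strings are hypothetical; in production the in-memory lock would typically be a database row lock or conditional update shared by the online and in-store channels.

```python
import threading


class Order:
    """Order whose state changes only through one locked transition."""
    ALLOWED = {("READY", "COLLECTED"), ("READY", "CANCELLED")}

    def __init__(self, order_id):
        self.order_id = order_id
        self.state = "READY"
        self._lock = threading.Lock()

    def _transition(self, new_state):
        with self._lock:
            if (self.state, new_state) not in self.ALLOWED:
                return False  # the other channel already won
            self.state = new_state
            return True

    def cancel(self):
        """Online channel: refund only if the cancellation won the race."""
        return "REFUND_ISSUED" if self._transition("CANCELLED") else "CANCEL_REJECTED"

    def hand_over(self):
        """Store channel: release goods only if the order is still READY right now."""
        return "RELEASE_GOODS" if self._transition("COLLECTED") else "DO_NOT_RELEASE"


def race(order_id="ORD-1"):
    """Fire cancel and hand-over concurrently; return both outcomes and the final state."""
    order = Order(order_id)
    results = {}
    threads = [
        threading.Thread(target=lambda: results.update(cancel=order.cancel())),
        threading.Thread(target=lambda: results.update(pickup=order.hand_over())),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, order.state
```

Whichever call arrives first wins; the combination of a refund and released goods can never occur.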

As companies increasingly look to their competitors with BOPIS, see the profits, and transition to their own click-and-collect systems, more weak points emerge in the model. Companies that are suddenly bearing the weight of a large mass of new employees, recently or currently training to deal with BOPIS specifically, frequently report experiencing an uptick in losses, as well as customer frustration that can even lead to abusive behavior.

When it comes to your human resources, it’s important to be mindful of certain circumstances which might arise in a BOPIS model more often than in a traditional one. For instance, for a rookie staff member tasked with cross-checking an order manifest while a long line of impatient customers forms, what is the appetite for being yelled at? How easy is it to bully such a staff member into handing over products an aggressive customer didn’t pay for but insists they did?

These are some of the modern issues with BOPIS experiences, and more are sure to develop as the strategy becomes more popular. 

How Do You Detect BOPIS Fraud?

The most important factor in precluding bad actors in a BOPIS model is an actively maintained fraud management solution to monitor customers at all digital stages of the click-and-collect journey.

Fraud that employs stolen credit data will make up the majority of cases, and the aforementioned vulnerabilities will only be obvious through custom risk-analysis checks and the collection of as much information about each shopper as possible.

Some typical data anomalies associated with BOPIS fraud that your fraud prevention solution should be tuned for include:

  • Order/payment velocity checks: Fraudsters generally want to operate in large volumes of stolen data and transactions, both to maximize their return and obfuscate their behavior by sheer numbers. Orders that use the same credentials, billing address, or email in an unreasonably short amount of time are surely assisted by bots that help fraudsters work at scale. Similar warning flags include the same payment credentials requesting fulfillment at several different locations, or the same email or phone number using several different payment methods or identities. 
  • Reverse phone lookups: Home phone and mobile numbers are often associated with an identity, and so are good anchors to a customer’s valid identity. Orders that list less substantial phone numbers – voice over internet protocol (VoIP) numbers or prepaid mobiles – should be checked carefully, as such identifiers are more likely to belong to bad actors.
  • High-risk IP characteristics: A quick fix for bad actors who want to hide their identity is a program that obscures their actual IP and thus their actual location. Customers with IP addresses of particular provenance should be siloed away, at least for manual review. These are IP addresses that changed while coming through a VPN or Tor client, that come from a list of previously black- or gray-listed countries, or that are simply anomalous in their origin. Some anti-fraud tools will even provide an IP fraud score after weighing all these factors.
  • Device fingerprinting: Some fraudulent behavior can be caught by profiling the devices used to access the website. If many orders come from the same device with different apparent users, fraud detectors know something bad is afoot. Keeping records of positive and negative user interactions will also help to discourage repeat offenders, and can also be used to look for patterns in malicious behavior.
  • High-visibility purchases: Though obviously lucrative for the company, rules should be in place to hand purchases of particularly risk-prone items – luxury goods, gift cards, baby products – over to a dedicated security team for a manual review. 
  • Reverse email checks: Fraudsters attempting to exploit stolen credit card data will very likely use a tool to auto-generate email addresses that appear to be associated with their stolen card identities. By taking advantage of reverse email checks, you can analyze the digital footprints of users to catch very new, potentially automatically generated accounts; markers include an email address with no social media registrations or no appearance in historical data breaches.
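The velocity and device-fingerprint checks above, as an added example (not SEON's rule engine and not code from the original article): each order is scored against the orders in a sliding window before it. The sample orders are constructed, and the field names, thresholds and point values are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample orders (not real data): time, card fingerprint, email, device hash, pickup store.
ORDERS = [
    ("2024-05-01T10:00", "card_A", "a1@example.com", "dev_1", "store_1"),
    ("2024-05-01T10:04", "card_A", "a2@example.com", "dev_1", "store_2"),
    ("2024-05-01T10:09", "card_A", "a3@example.com", "dev_1", "store_3"),
    ("2024-05-01T10:30", "card_B", "bob@example.com", "dev_2", "store_1"),
    ("2024-05-03T18:00", "card_B", "bob@example.com", "dev_2", "store_1"),
]

# Hypothetical rules: (key field, field counted as distinct, threshold, points added)
RULES = [
    ("card", "store", 3, 40),    # one card requesting pickup at several locations
    ("device", "email", 3, 30),  # one device, several apparent users
]
FIELDS = ("ts", "card", "email", "device", "store")


def score_orders(orders, window=timedelta(hours=1), rules=RULES):
    """Return (email, risk score) per order, judged against orders inside the window before it."""
    rows = sorted((dict(zip(FIELDS, o)) for o in orders), key=lambda r: r["ts"])
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    scores = []
    for i, cur in enumerate(rows):
        # Orders up to and including the current one that fall inside the window.
        recent = [r for r in rows[: i + 1] if cur["ts"] - r["ts"] <= window]
        score = 0
        for key, distinct, threshold, points in rules:
            seen = {r[distinct] for r in recent if r[key] == cur[key]}
            if len(seen) >= threshold:
                score += points
        scores.append((cur["email"], score))
    return scores
```

Only the third order in the burst crosses the thresholds, so when a rule fires it is worth also holding the earlier orders that share the same card or device, since in a BOPIS flow they may not have been collected yet.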

SEON has tools available to determine and maintain risk rules that monitor and enrich these data points, amounting to in-depth intel on each shopper’s real identity and intentions. A sophisticated fraud prevention platform is the first and most important step in beating fraud in a BOPIS ecosystem.

Pictured is an example of a custom velocity check set up on the SEON platform. Every aspect of this is customizable, including how many fraud points this rule will add when triggered (top right highlight), the time frame it looks at (middle highlight), and the different values the system can look for.

There are ample templates and pre-set rules as well, for merchants who prefer a set-and-forget approach, as well as machine learning suggestions.

How Can BOPIS Fraud Be Stopped?

Leveraging a comprehensive fraud prevention tool like SEON against incoming BOPIS traffic is the first step in minimizing your losses to fraud. When you are lacking key data points such as a delivery address and touchpoints include the hustle and bustle of a physical store, anomalies are unlikely to be detected by human scrutiny without the aid of software. 

Moreover, in a traditional in-store transaction, the main vulnerability is only at the point of sale: Will the customer’s payment go through? Will there be some other attempt at theft? No? Yes? End of transaction, either way.

But, as we’ve seen, the BOPIS model offers a much larger attack surface for fraudsters to poke holes in. There could be issues at POS, or at nearly any point prior. This creates a much larger space in your company that needs to have resources allocated to it – and anti-fraud tools are the solution.

After determining the weak points where fraud losses are accumulating, fraud prevention software such as SEON can be tuned to focus on problem areas, while also covering the customer journey with a safety blanket. For example, rather than only checking a customer’s data upon arrival and clocking their info, why not check again at the POS, and note if there are any discrepancies, escalating to a manual review if there are?

Beyond sending cases for manual review, the software can be used to automatically request more solid proof of card ownership or of real identity from medium-risk shoppers, thus giving legitimate buyers a chance to go through instead of becoming false positives. It can also simply blacklist repeat offenders (or even first-timers) with obviously suspicious buying patterns – say, 30 of the same product, paid for within a few hours by different persons who all seem to have the exact same software and hardware configuration.

Another source of problems can be the pick-up point. Staff who are untrained in providing a consistent BOPIS experience inevitably open themselves up to be taken advantage of. When designing an onboarding process for new click-and-collect hires, consider the logistical weak points at the end of the supply chain and train employees around them.

For example, new employees should know to:

  • request ID at point of pick-up and cross-reference it with the manifest
  • be familiar with and capable of using any mobile apps you might be using to streamline the process, such as product or customer trackers
  • review products delivered by transit team to make sure they are correct
  • secure physical pick-up location, potentially with security contractors
  • spot potential BOPIS fraud after being trained to do so
  • use a list of complete transaction details to manually cross-reference at pick-up, particularly to avoid pick-up “mules” 

However, it is of great importance to find the most efficient medium between securing the BOPIS process and keeping friction to a minimum.

Analytics may help companies to determine where they can add a little bit of dynamic friction and, thus, security to the process, where the fraud prevention software, such as SEON, allows for this.

Growing Your Company with BOPIS Without Risk

The opportunity that BOPIS sales present is undeniable to the point that certain companies will be compelled to adopt the model or face being left in the dust. Studies indicate that by 2024, BOPIS transactions in the US will amount to over $140 billion, and companies that can’t keep pace with fraudsters will be unable to take away their slice of the pie.

However, because of the BOPIS model’s inherent vulnerabilities, there are also above-average instances of fraud inside the system.

To balance profit margins from the adoption of a working BOPIS model against the losses to fraud inside the same model, a strong fraud prevention strategy is paramount.

Sources

  • Fit Small Business: 13 Buy Online, Pick Up In-store (BOPIS) Statistics for Businesses in 2022
  • Visa: Fraud Prevention Best Practices for BOPIS (Buy Online Pickup In Store)
  • Statista: Consumer usage and interest in Buy Online Pickup in Store
  • ACI Worldwide: New Data from ACI Worldwide Shows Increase in Global eCommerce Transactions Over the 2020 Holiday Period