Referral Fraud: Stop Fraudsters from Wasting Your Marketing Dollars

by Gergo Varga
The world’s situation in 2020 set the precedent for Buy Online, Pick up In-Store (BOPIS) sales to grow by over 100%, accounting for nearly 10% of all ecommerce sales in the US.
Customers who tried this click-and-collect model also usually dove in, using it frequently and often buying more, a clear benefit to businesses who offer it.
However, where booms of this magnitude exist, bad actors know there is also a boom in opportunity for fraud. In fact, the most recent data from ACI Worldwide shows that fraudulent behavior appeared in 7% of all BOPIS transactions, 2.4% more than in other legacy delivery channels.
Let’s take a look at the unique challenges BOPIS models come with – and how to deal with them efficiently.
Companies that offer a BOPIS model – commonly referred to as click-and-collect or curbside pickup – utilize their brick-and-mortar retail locations alongside their mobile and online marketplaces to sell and distribute their products.
Specifically, it’s a way to buy online and pick up in-store:
Customers have responded in cash to companies that offer this option. Avoiding shipping fees while also choosing the easiest time and place to pick up their purchase is a convenience that many shoppers now prefer.
Sometimes the BOPIS model is described as an omnichannel or hybrid model, as it demands attention from every sales channel of a company, and seamless integration is paramount for it to function as intended – a challenge for any business.
Retailers find out very quickly that adopting a BOPIS system involves much more than just adding another option to your storefront at the checkout screen. In a BOPIS transaction, a specific team will be needed for each element of the process:
This is compared to the much smaller circuit of a traditional transaction in-store, where the customer chooses a product that is already in the store, then pays for it. At most, there is some after-service follow-up in case of dissatisfaction.
A term closely associated with BOPIS is BOPAC, which simply stands for Buy Online, Pick up at Curbside. This sub-model is self-explanatory, yet can be argued to present a slightly higher risk to companies.
Because curbside pick-up in the buyer’s car is expected to be faster than in-store pickup, there is less opportunity to cross-reference the customer’s information or spot any suspicious patterns. Because of this, merchants who use the BOPAC model would be wise to take BOPIS-enabled fraud prevention seriously.
Any fraudulent activity that involves Buy Online, Pick Up In-Store transactions can be classed as BOPIS fraud. Applying to ecommerce, this type of fraud often takes advantage of the unique characteristics of the BOPIS buying model, as we’ll see below.
The integration of so many channels of a business is a huge undertaking for any enterprise. The communication and cooperation BOPIS requires present a very wide attack surface for a potential fraudster.
Connecting so many parts of a business together gives bad actors many different places to plant a malicious seed, including the weak points between departments in the BOPIS model.
Fraud associated with the BOPIS model takes advantage of these inherent security flaws within the model. Many of these flaws are also what make it popular among some customers, as they cut down on friction while boosting convenience and, indeed, customer loyalty. Naturally, finding the right balance between protection and friction is a headache for many a merchant.
An example of BOPIS fraud turning convenience into criminal opportunity is when a suspicious customer chooses a curbside pickup option in order to provide less identifying data. The customer will need to enter slightly fewer pieces of information about themselves than in a delivery option, where they need to include a valid address.
While this allows the customer to pick up their purchase when they want, potentially even on the same day (rather than arranging and waiting for delivery), it also gives the marketplace security team one less data point to reference, and a particularly valuable one at that.
Fraudsters with stolen credit card credentials, probably purchased in bulk, can first card test their numbers to determine if they have been canceled or not. With working card numbers, bad actors can easily get away with purchasing goods with someone else’s money.
They will usually create a new email address to match their stolen information. The goods are paid for (by their victim), and the fraudster picks up their ill-gotten goods in-store to (probably) resell them. In credit card BOPIS fraud, the victim will often request a chargeback, which means it’s the merchant who will ultimately suffer the loss.
A practice common among certain types of BOPIS shoppers – often shoppers of clothing brand Supreme – is to employ a sneaker bot. These are proprietary programs that target the fraud-prevention tools of a specific ecommerce marketplace in order to bypass imposed purchase controls.
In other words, when Supreme is about to drop a new product and limits purchases to two per customer, a customer with a sneaker bot might be able to purchase 20 or 30 items as the sneaker bot rapidly spoofs many different customer IDs. These purchases can then all be collected in-store at once.
This way, the bad actor will acquire coveted, limited-edition or low-supply items to then resell at a higher price. Sneaker botting isn’t explicitly illegal but is frowned upon and very common, and is something that can be prevented by a fraud prevention tool.
The complicated omnichannel structure of a BOPIS model allows for lower-tech fraudulent behavior as well.
For example, in a system with suboptimal integration, a malicious customer could:
A system running at less than instantaneous speed will likely be unable to catch up to the cancellation before it gets collected, so the scammer could keep both the item and their refund.
As companies increasingly look to their competitors with BOPIS, see the profits, and transition to their own click-and-collect systems, more weak points emerge in the model. Companies that are suddenly bearing the weight of a large mass of new employees, recently or currently training to deal with BOPIS specifically, frequently report experiencing an uptick in losses, as well as customer frustration that can even lead to abusive behavior.
When it comes to your human resources, it’s important to be mindful of certain circumstances which might arise in a BOPIS model more often than in a traditional one. For instance, for a rookie staff member tasked with cross-checking an order manifest while a long line of impatient customers forms, what is the appetite for being yelled at? How easy is it to bully such a staff member into handing over products an aggressive customer didn’t pay for but insists they did?
These are some of the modern issues with BOPIS experiences, and more are sure to develop as the strategy becomes more popular.
The most important factor in precluding bad actors in a BOPIS model is an actively maintained fraud management solution to monitor customers at all digital stages of the click-and-collect journey.
Fraud that employs stolen credit data will make up the majority of cases, and the aforementioned vulnerabilities will only be obvious through custom risk-analysis checks and the collection of as much information about each shopper as possible.
Some typical data anomalies associated with BOPIS fraud that your fraud prevention solution should be tuned for include:
SEON has tools available to determine and maintain risk rules that monitor and enrich these data points, amounting to in-depth intel on each shopper’s real identity and intentions. A sophisticated fraud prevention platform is the first and most important step in beating fraud in a BOPIS ecosystem.
Pictured is an example of a custom velocity check set up on the SEON platform. Every aspect of this is customizable, including how many fraud points this rule will add when triggered (top right highlight), the time frame it looks at (middle highlight), and the different values the system can look for.
There are ample templates and pre-set rules as well, for merchants who prefer a set-and-forget approach, as well as machine learning suggestions.
Leveraging a comprehensive fraud prevention tool like SEON against incoming BOPIS traffic is the first step in minimizing your losses to fraud. When you are lacking key data points such as a delivery address and touchpoints include the hustle and bustle of a physical store, anomalies are unlikely to be detected by human scrutiny without the aid of software.
As well as this, in a traditional transaction in-store, the main vulnerability is only at the point of sale: Will the customer’s payment go through? Will there be some other attempt at theft? No? Yes? End of transaction, either way.
But, as we’ve seen, the BOPIS model offers a much larger attack surface for fraudsters to poke holes in. There could be issues at POS, or at nearly any point prior. This creates a much larger space in your company that needs to have resources allocated to it – and anti-fraud tools are the solution.
After determining the weak points where fraud losses are accumulating, fraud prevention such as SEON can be tuned to focus on problem areas, while also covering the customer journey with a safety blanket. For example, rather than only checking a customer’s data upon arrival and clocking their info, why not check again at the POS, and note if there are any discrepancies, escalating to a manual review if there are?
Beyond sending cases for manual review, the software can be used to automatically request more solid proof of card ownership or of their real identity from medium-risk shoppers, thus giving legitimate buyers a chance to go through instead of becoming false positives. It can also simply blacklist repeat offenders (or even first-timers) with obviously suspicious buying patterns – say, 30 of the same product, paid for within a few hours by different persons who all seem to have the exact same software and hardware configuration.
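As an added illustration (not SEON's code or API), here is a minimal sliding-window velocity rule for the pattern just described: many customer IDs buying the same product from one device configuration within a few hours. The order fields, the three-hour window, the points per extra ID and the decision thresholds are all assumed values, and the orders are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 9, 0)  # constructed base time for the sample data

def sample_orders():
    """Constructed orders: (minutes after T0, customer ID, device hash, SKU)."""
    rows = [
        (0, "c1", "dev-A", "SKU-DROP"), (20, "c2", "dev-A", "SKU-DROP"),
        (40, "c3", "dev-A", "SKU-DROP"), (60, "c4", "dev-A", "SKU-DROP"),
        (80, "c5", "dev-A", "SKU-DROP"),   # five "customers", one device
        (30, "c9", "dev-B", "SKU-DROP"),   # ordinary single buyer
        (0, "c6", "dev-C", "SKU-DROP"), (200, "c7", "dev-C", "SKU-DROP"),
        (400, "c8", "dev-C", "SKU-DROP"),  # shared device, spread over hours
    ]
    return [{"id": i, "ts": T0 + timedelta(minutes=m), "customer": c,
             "device": d, "sku": s} for i, (m, c, d, s) in enumerate(rows)]

def velocity_scores(orders, window=timedelta(hours=3), max_customers=2, points=25):
    """Score each order by distinct customer IDs seen on its device+SKU in `window`."""
    recent = defaultdict(deque)  # (device, sku) -> (timestamp, customer) in window
    scores = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        q = recent[(o["device"], o["sku"])]
        q.append((o["ts"], o["customer"]))
        while o["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        extra = len({c for _, c in q}) - max_customers
        scores[o["id"]] = points * max(extra, 0)  # assumed: points per extra ID
    return scores

def decide(score, proof_at=25, review_at=50, block_at=75):
    """Map a score to a tiered response (thresholds are assumed values)."""
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "manual_review"
    if score >= proof_at:
        return "request_proof"
    return "approve"

if __name__ == "__main__":
    scores = velocity_scores(sample_orders())
    for order_id in sorted(scores):
        print(order_id, scores[order_id], decide(scores[order_id]))
```

The third device in the sample shows why the time frame matters: three customer IDs share it, but their orders fall outside any single window, so none of them is scored.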
Equipped with real-time customer insights and unique digital footprinting, SEON helps merchants find fraud quickly and stop it securely.
Another source of problems can be the pick-up point. Staff who are untrained in providing a consistent BOPIS experience inevitably open themselves up to be taken advantage of. When designing an onboarding process for new click-and-collect hires, consider the logistical weak points at the end of the supply chain and train employees around them.
For example, new employees should know to:
However, it is of great importance to find the most efficient medium between securing the BOPIS process and keeping friction to a minimum.
Analytics may help companies to determine where they can add a little bit of dynamic friction and, thus, security to the process, where the fraud prevention software allows for this – such as SEON.
The opportunity that BOPIS sales present is undeniable to the point that certain companies will be compelled to adopt the model or face being left in the dust. Studies indicate that by 2024, BOPIS transactions in the US will amount to over $140 billion, and companies that can’t keep pace with fraudsters will be unable to take away their slice of the pie.
However, because of the BOPIS model’s inherent vulnerabilities, there are also above-average instances of fraud inside the system.
To balance profit margins from the adoption of a working BOPIS model against the losses to fraud inside the same model, a strong fraud prevention strategy is paramount.
Gergo Varga is SEON’s Product Evangelist. With more than 10 years of experience in the Hungarian and international risk management sphere, he has developed an astute knowledge of RiskOps and Open Source Intelligence. He is the author of SEON’s Fraud Prevention for Dummies guide.