Trade online? How we reduced fraud – you can too
I hope you find this article interesting, we’re sharing how we have learnt to spot online fraud attempts and in the process, develop a way to stay one step ahead of criminals. Depending on your online model, you might learn something from it that can protect your business too.
Imagine a criminal, in his right hand holding stolen credit card details, in his left, bad email addresses that will let him create a false account and buy from you online. Hold that thought.
Internet retail sales are marching upwards. The Office of National Statistics reports a 21.5% increase in Great Britain in online sales in the last twelve months. As of May 2016 consumers spend £963.8 million per week online, with non-food items and household goods leading the growth. Consumer expectation is that pretty much anything can be bought by click, and it’s fair to say that businesses not trading online will lose out to competitors that do.
Where there is money changing hands there will be people cheating. No surprise that online fraud is also on the increase, with a rise of 19% in e-commerce fraud during 2015, meaning that businesses lost £261.5 million through online fraud reported on UK issued cards.
Online fraud is now almost zero
If you have been hit by online fraud, probably as a chargeback, you might be interested to hear how we have reduced our online fraud to almost zero.
All our trade is online. We operate worldwide, through different time zones, offering Software as a Service (SaaS), delivered by cloud technology in data centres on almost every continent, so we are vulnerable to online fraud. Our product is validating emails; we basically help businesses keep their databases clean.
We’re a growing company, privately owned and funded entirely by our results. We don’t have deep enough pockets to not feel the pain when we get hit by criminals. In our case, it’s people using our services, paying with a stolen credit card or PayPal account details, then leaving us with a chargeback or card claim.
Like all online traders, we adjusted our gateway settings to try to stop the bad guys and keep the good guys, but it was time consuming, unscientific and it wasn’t enough. Fraudsters were still getting through and we kept getting hit by chargebacks. It bugs us because our business model is to help keep databases clean and prevent spam. We filter out millions of emails every day. When people steal from us they are likely to be selling email addresses and creating spam. It’s a double whammy; they cost us money and smack us in the face at the same time.
We have an advantage over fraudsters as we can check their email addresses so they don’t get into our system. In time we have learnt new ways to spot a fraudster and now apply a layered anti-fraud system that hinges around an email address check that typically takes less than a second.
Bad people use bad email addresses
Generally speaking, fraudsters use bad email addresses. They are either fake, or disposable – created to exist for just a few minutes. When we stopped bad email addresses in our sign-up forms, fraud levels fell dramatically. If you allow any-old email into your system at sign-up or checkout you are leaving the door open for fraud. Take it from us, Peter3456789@outlook.fr is a bad email; but if you sell to consumers, you will see all sorts of weird and wonderful email addresses. How do you know which are bad and which are good? You could lose business if you make your rules too tight.
We added another layer, recognising the age of an email address and the domain it comes from. That was important because fraudsters use websites that seem legitimate but are in fact just temporary or even hacked websites that make them seem OK, even though their intentions are bad. Domains that have just become unregistered are a magnet for fraud as they can still seem live.
Criminals are innovative and they adapt to new security levels. So we’ve adapted too. We now check the digital footprint of an individual, whether they are in the same country the card is registered in, whether they are using a computer that is where they say it is. For example, recently, at 3am someone tried to defraud us by over £1,000 using a real email address, but with a card that was registered in Germany, from a computer that was in France in a block of flats (thanks Google Earth), but pretending to be at an office block in Berlin… We trapped all this data just from an email. We’d never say we are 100% fraud-free, but we are certainly >98% clear.
Back to the criminal
Imagine that criminal again. We have taken away what he’s holding in his left hand. He no longer has a route to market. He can’t use a bad email address to create an account on our site.
This is all very well, but if you can’t write your own code and build security layers how can you use our example to prevent fraud on your site?
Work with your gateway but beef things up too
Most small and medium businesses rely on their payment gateway for anti-fraud measures. We are involved in anti-fraud and it’s quite surprising to find out how gateway systems aren’t as robust as you’d like to think. Set your filters with your gateway, but add other layers of anti-fraud measures too. Solutions are available at different price points, with different levels of effectiveness. You need to work out which one suits your budget and will pay for itself by saving you money. Take time also to work on your processes. Maybe you can call people to verify they are real before an order is shipped?
We have learnt to consider an email address as a fingerprint. If someone tries to conceal their email address they are wearing gloves so they don’t leave a trace.
Our anti-fraud project has left us with a product that we are introducing into the online retail sector, as we know we can help good businesses beat the criminals.
Would you like our anti-fraud system?
We’re currently looking for a local partner to work with us on a Beta version of our anti-fraud software. If you trade online, are in Cornwall and would like to work with us to reduce your online fraud, please get in touch.