True Fraud

Ecommerce fraud is inevitable, but it’s possible to mitigate your risk with the right resources. Join host, Pablo Torres, in this episode of True Fraud for expert insights into how you can protect your business from disastrous hits. Learn about the tools to use, and tips on what to look out for to ensure a balance between high approval rates, and low fraudulent charges.

What is True Fraud?

Payments fraud doesn't begin and end with stolen credit cards. There are sophisticated international networks of criminals who dedicate their entire lives to scheming and scamming merchants and consumers for every cent that they can extract. But there are also experts in the payments fraud field who are actively fighting back. True Fraud features real-life stories of the battles that are raging across the world, one transaction at a time.

Welcome to True Fraud. I'm your host, Pablo Torres. I'm the head of risk and Compliance at Reach. This podcast is to educate everyone about what's happening in the world, the new trends with fraud, and where we see things going. If you are a business, if you are in the payment industry, especially if you're kind of like a mom and pop shop, it's so important to educate yourself with what tools are available to you to protect yourself. This is not something that just happens to the bigger merchants.

Actually, more and more so these groups are targeting the smaller guys because they know that they don't have enough people to take care of this stuff. They're just kind of learning the ropes, and then when we tell them about fraud is real, they kind laugh at it and they're like, oh, no, there's no fraud and then they get the first chargeback and then they lose it because of course it was a fraudulent chargeback, and then they take the hit and it's $200 and they're like, wow, that's actually a lot of money that's really going to affect me. Okay, well then now that there are options out there that you should be using to protect yourself, fraud is real. Again, it's an industry, again, it's something that pays the bills for a lot of people, and so it's so important that if you're using platforms like Shopify, Magento, if you have a custom integration, whatever it is that you're using,and you have the access to more funds and you're able to hire a business that does this like a fraud engine, then use those tools Shopify has, while it's basic and it's very user-friendly, and you can use that to identify fraud or at least high risk payments.

Magento has something like that as well. If you're going with a payment processor, I'm 100% sure that that payment processor will have something that can offer to mitigate and combat fraud. Even if you don't want to pay for that service, ask, get educated, ask your account manager or your account rep what kind of services you provide, or are you able to give me a little bit of training on this so that I can have a little bit, at least a basic understanding of what is it that I'm looking at? So if you have somebody that's an expert and that's what they're doing every day and they're telling you, no, there's something and I can send you some examples and you still don't want to accept it, then you're going to pay for it eventually, or you can just pay for the expertise of these people and then focus on where you can actually create real revenue for your business. I think that's also from a business perspective, that's the best advice that I can give somebody that's running a website. Focus on what makes you money. Let the experts do their job. If you're a drop shipper, if you're one of the victims of the Instagram ads or the YouTube ads of, I make so much money from Amazon by buying a thousand dollars of inventory that I'll never sell.

If you are able to build a website that's successful or you're trying to get a business going, I don't want to be negative about it, but there's a lot of things that are involved in the process of going live with this. You need to be aware of, number one, what kind of product are you going to be selling? What does that mean for the type of clients that you're going to be getting? For example, you might be wanting to sell baby stuff, and if you don't know that maybe that is a hot item in the black market, you never know that you're going to get hit the moment that you go live and do you have money to cover that inventory the moment that you sell it because you're going to be losing the merchandise and you're going to be losing that money, and so things that are important is knowing what kind of product you're going to be selling, knowing the markets that you're going to be selling it to which countries, so what's the percentage of or the statistics around the credit card penetration in that country?

Are there alternative payment methods that you could be using that maybe are low risk? Because if you can enter that market with a low risk payment method that is widely accepted, hell yeah, do it. Don't go for the option that is maybe going to cost you more money, especially if you're going to be able to target more people with it. If you're going to be using a payment service provider to process your payments, then what kind of data do they require to process the payments? Are they happy with just the checkout data, which is the credit card information, the name, the address, the billing and shipping address? Is that all that they're asking? Then who is going to be doing your fraud and with that limited amount of data, whoever is going to be doing your fraud, are they going to be maximizing your acceptance rate in case of suspicious activity?

And so the more information that you are able to provide at the time of a checkout to that payment processor or the fraud engine that you're going to be using, then the higher your probability of accepting a payment. Recently, I heard of companies that are still rejecting payments where the billing and the shipping address don't match. Wow, we're not in the eighties anymore. Why? We are in the market of selling more. We want to accept as many transactions. We want to provide a seamless checkout experience. We don't want to flag as many transactions as possible, even less so reject as many transactions as possible. We want to maximize that because when you do that, then you're creating long lasting partnerships. I want to make sure that people are super happy with the services that we're providing.

If I can tell them what our review rate is, 0.3 and your acceptance rate, we were able to move it from 0.96 to 0.98, and that two left 2% is from repeated attempts from somebody that was trying to use a card that was stolen, reported, lost, or stolen. Awesome. You need to be asking these questions to who's going to be providing that service, because that's how you weigh their expertise. If they're asking for, if they're just going to tell you, you know what? Yeah, let's just do that, then they just want your money, but in the end, we want to establish that partnership. We want to benefit your business because growing your business means growing ours, and so if suddenly we tell you, you know what?

It would be great if we could collect the device fingerprint because that's not just going to give us the checkout data, but it's also going to give us a little bit more information on the client and maybe even some of that data. You could use it to target some other clientele by measuring what is the demographics that you're getting by looking at the type of devices that they're using, how are they accessing it? Who is buying from where? Are they buying mostly from a phone or is it from a laptop or is it from an iPad? What is the age demographic of it? Is the billing and the shipping address different? Who is it in the shipping address? Is it the daughter? Is it the son? There's things like, and even with the device fingerprint, we're able to collect more information and more data points that give us a better picture of who is trying to commit the fraud.

And so, if you're getting somebody that's processing your payments and they're trying to access as much data as possible, they're likely trying to maximize your conversion rate, which is amazing. The new trend, which is so scary right now actually, where we're going into this world of artificial intelligence where it's not just chat GPT, it's not just a deep fakes as we're seeing on the web right now, we're in a kind of like an inflection point in the industry where, let's put it like this. All of these payment processors that exist in the world or the banks, everyone has kind of their own fraud engine and they're dealing with it the best they can, and they have their tools and then maybe they develop new ones or they hire third party companies and they're mitigating the fraud. So this is exactly what's happening right now, but then all of these are silos of data.

They're not communicating with each other because why would I share my secrets with you? Whereas then there's this world of a network of criminals or fraudsters that are trying to gain access to bypass this section that this work that these people are doing here. If this network of criminals are all connected and they're all working on the code and they're all working on the artificial intelligence and they're all trying to set up the perfect tool to get bypassed this, we're talking about, let's say, let's put a number to it. Let's say that it's 10 different bubbles or silos of data and 10 different groups that are trying to combat fraud versus 2 million fraudsters that are working together across the world, who do you think is going to win the one bubble against the 2 million or the 2 million against the one bubble? And so we're moving into this direction where artificial intelligence is accessible to everyone, and so these people, what they're going to end up doing is create an artificial intelligence engine that will place transactions that will go past the security protocols or the controls that these companies have deployed, and it's going to be so easy for them to get bypassed them because these people are just doing it as their job and it's these small bubbles, and so at some point this group is going to win over that because this is artificial intelligence, but then artificial intelligence will catch up and we know that that will require some time and of course, funding and there's going to be some new business or some new fraud company that's going to come up with a new engine that it's AI based.

Then when that happens, then that's going to be fighting this. Then it'll evolve from that. But right now, when this is ready and the payment industry is not, that's going to hit hard and that's pretty scary. When you're going into the payment industry, there are simple protocols that exist within the authorization flow of a transaction that allow you to identify or that kind of give you an in or flags as to if a transaction has a higher risk. There's the AVS checks, which in the industry, basically they're checking of your postal code, the name of your street and your name, what is the percentage of that matching with the one that the record that the issuing bank has, and then if that's positive, then there's a percentage that the bank says, yeah, this matches up to X, and then the authorization may go through.

Then there's also, depending on where you are in the world, then there's the 3DS or 3D secure protocol, which basically what it does, it lets you authenticate your own purchase. How by when you're trying to check out, and this probably has happened if you bought something from a European website, you're trying to buy something with a credit card, and then they'll send you a notification that's saying that we're going to send the challenge to you or a code and you need to verify it to complete your purchase. Then you get a text on your phone and you enter that code on the time of checkout and off you go, because that phone number is associated with your account, your bank was able to send that challenge to you, and at the same time, there's other protocols that are happening in the background. There's more data that is being checked compared to the first version of the 3DS. We're on the second one now, and so having access to this is super important.

There are a lot of people right now that think that by having this protocol available to them or this tool in their pocket, it means that there's not going to be any fraud. No, this is just the same way that we have 3DS2 now. We had at some point CVV was created or the AVS check, so all of these different checks that the banks are doing right now at the time of request of authorization, at the time, they were kind of like brand new technology. We're using this to mitigate fraud, and then the moment that they went live, the people that were trying to commit the fraud, they already knew how to circumvent it. So I think it's important that while having that is important as a tool, not the tool, and right now we're dealing with a lot of not just straight up fraud.

That's kind of, I want to say it's become easier to identify, but then now we have friendly fraud, which is a whole different world, and we can talk about it maybe in another occasion that's just going deep in the mud. Yeah. If you're going to be doing this, and if you're a merchant, if you're looking for options out there, see who you're establishing this relationship with, switching providers is not fun. Especially if you're getting close to Black Friday and Cyber Monday and you're kind of in a pinch. You're like, oh my God, I want to maximize my sales, but these guys can't accept a billing & shipping mismatch. Holy smokes. That still honestly blows my mind when I heard that today. I'm like, wow, okay. That seems so old school. So I think when you establish that relationship with somebody that truly cares and that wants to help you grow your business because he helps them grow theirs, I think you hit the jackpot.
Reach has that we approach fraud from many different perspectives. We have different types of engines looking at data from different perspectives. We're not someone that's just looking at the transactions and trying to stop the logical stuff, the basic, we've been around this. We've been doing this for a long time. We have the experience. We know where these groups that are trying to target these accounts are. We know their model. We know the way that the data is going to transition as they try to get through the controls that are deployed. If you don't understand or if you don't have a full understanding of what fraud does to your business or how it might affect you, reach out to Reach.