Scammed!-Web merchants use new tools to keep buyers from ripping them off

Con artists killed John Coffey’s Internet dream.

Three years ago, Mr. Coffey opened an online branch for his company, Coffey Sound & Communications Inc. of Hollywood, Calif. (www.coffeysound.com) But within a few months, his hopes of rapidly expanding his sales of high-end audio equipment were flattened by a wave of disputed credit-card charges.

By RIVA RICHMOND Wall St. Journal

According to Mr. Coffey, cardholders in one out of every five online orders in those early months claimed they didn’t authorize the charge or didn’t receive the ordered item. Though he suspects many of the claims were bogus, he got nowhere in his attempts to convince card issuers, which simply refused to honor disputed sales made without a signature. Faced with mounting losses of expensive equipment, and unable to overcome them with his narrow profit margins, he stopped taking most online credit-card orders.

Opening an Internet outlet "was thrilling, because it seemed like a way we could catch up with the big guys," Mr. Coffey says. "But we just got nailed."

*****************

• How to spot warning signs of fraudulent orders
WARNING SIGNS

Yahoo! Inc. offers online merchants these warning signs of fraudulent orders

1. Suspect ship address

Orders from Romania, Macedonia, Belarus, Pakistan, Russia, Lithuania, Egypt, Nigeria, Colombia, Malaysia and Indonesia have a very high incidence of fraud, and often have unverifiable addresses.

2. Untraceable e-mail address

In many fraudulent orders, the customer’s e-mail address is often at one of the free e-mail services, which are relatively untraceable.

3. Expensive items

Be wary of big orders, especially for expensive brand-name items.

4. Multiple items

It can be a bad sign, for example, if someone orders three watches or three Walkmen at once, especially where the items have a high resale value.

5. Express shipping

Most fraudulent orders specify expedited shipping.

6. Shipping address differs from billing address

If you are selling valuable items, it can be a good policy only to ship to the billing address of the card.

7. Suspicious billing address

If the billing address is 123 Main St, New York, the order is probably fraud. You can use an online map tool to see whether the address can be verified.

8. New Site

Newly opened sites are more often targeted, perhaps in the belief that the merchants will be inexperienced.

9. Leave at door

If someone placing a very valuable order says just to leave it at the door, it could be a sign that a crook is using some unwitting person’s house as a drop-off point. (Solution: Require a signature.)

**************

• What consumers should do to guard against fraud

TIPS FOR CONSUMERS
Companies take numerous steps to protect themselves against fraudulent orders. But Web retailers aren’t the only ones who should be concerned with swindlers. Consumers should also take steps to guard against fraud.

1. Familiarity Should Breed Contentment

Consumers are more likely to return to an e-commerce Web site if they have previously had a successful shopping experience. Seek recommendations from friends, family or colleagues.

2. Checkout the Merchant Before You Check Out

If you’re not familiar with an online store, make sure you’re dealing with a legit merchant. Research the site and make sure that there is an address and telephone number listed on the site where you can contact the vendor if there are any problems. Also, check the URL. A typo could lead you to a knockoff site hoping to capitalize on human error.

3. Read the Fine Print

Be sure you understand the e-tailer’s policies before it’s too late. If you need the item within a certain timeframe, make sure you’re aware of shipping policies. If you aren’t sure if the item will fit, make sure you can return, refund or exchange the item. If it’s electronic equipment, make sure there is a product warranty or guarantee.

4. Plastic Makes Perfect

Using a credit or debt card provides you with a record of your transaction. Plus, using plastic can also provide you with protection against fraud. Try to avoid paying with cashier’s checks, money orders or cash. These payment options don’t offer fraud protection and are difficult to trace.

5. Don’t Be Demure, Think Secure

Be sure to use a secure browser when entering credit card information or any other personal data. This is especially important if you’re using a public computer. A secure browser is supposed to keep away unauthorized users away.

6. Save Trees and Receipts

Keep a record of all your online transactions. Most e-tailers will email you a confirmation that summarizes your order. This will come in handy if you have a question about your order or if you need to return anything.

**************

Sadly, his experience isn’t unusual. Online fraud is rife, enormously damaging — and getting worse. Top merchants in the U.S., the world’s biggest e-commerce market, report transaction fraud as a percentage of sales is 15 times higher online than the overall rate for retailers, according to a survey by the research firm Gartner Inc., based in Stamford, Conn.

Merchants’ vulnerability varies from country to country depending on factors including liability laws, the popularity of various payment options and the ability to verify customer information with banks. But no one is immune.

"There are more and more attacks, and they’re getting more sophisticated," says Avivah Litan, an analyst at Gartner.

Now e-tailers are fighting back, using a range of behind-the-scenes strategies to combat fraud. Some of the tactics seem basic, but they’re crucial — like checking billing and shipping addresses against card issuers’ records whenever possible. Many merchants then add sophisticated software to identify suspicious buying patterns and flag potentially fraudulent orders. Often on-staff investigators check some or all suspect orders, to salvage as many legitimate purchases as possible. Many companies also aggressively dispute their liability for some unpaid charges. Some also take out e-business insurance to cover remaining risk.

The stakes are high, as Mr. Coffey’s experience attests. If a company can’t reduce fraud, it may have no chance of survival. In part that’s because credit-card policies can make fraud more damaging for online merchants than it is for conventional retailers. Cardholders in the U.S., as in some other countries, are protected by law from fraud liability beyond $50, and credit-card companies have absolved their customers from even that responsibility. Under rules set by the card companies in the U.S., the onus for fraudulent sales falls entirely on merchants when a credit card isn’t physically present for the transaction. That makes fraud more costly for e-tailers than it is for brick-and-mortar stores, because the credit-card issuers assume liability for purchases when a card changes hands.

And e-tailers’ fraud-related losses go well beyond stolen goods. They include the cost of shipping goods to the thieves, the administrative expense of dealing with fraudulent sales, and the so-called chargeback fees that banks demand to offset their own administrative costs for disputed sales — the equivalent of a bounced-check charge.

Then there are the orders online merchants reject in their determination to prevent fraud. Gartner estimates about a third of these blocked orders in the U.S. could be legitimate purchases, suggesting e-tailers turned their backs on scores of customer relationships and some $1.82 billion in real sales last year — on top of the $1.64 billion Gartner figures they lost in fraudulent sales.

Above-average fraud rates can also lead the banks that handle credit-card transactions for merchants to label an e-tailer risky and impose higher fees for processing sales. Indeed, companies with particularly high rates of fraud risk losing their accounts with these merchant banks altogether, and thus their ability to make any credit-card sales.

Fighting Back

The most drastic response is to refuse credit cards for most sales. This is Coffey Sound’s approach. It insists that new customers and those making large orders send in money orders or bank checks before items are shipped. For some online merchants, this approach is "a very sound decision," says Ori Eisen, former antifraud director for VeriSign Inc. and now president of Original Ventures Inc., a consulting firm that helps high-volume online merchants cope with fraud. It’s better to lower your sales volume than lose your business. But the choice is rarely so black-and-white, he adds. Antifraud programs can enable many merchants, even small ones with tight margins and limited resources, to take credit cards online and keep losses to a minimum. They can also help merchants avoid rejecting large numbers of legitimate orders.

A common basic merchant rule is to require that shipping and billing addresses match card-issuing banks’ records. The Merchant Fraud Squad, a nonprofit group based in New York and dedicated to helping merchants fight Internet fraud, with member e-tailers from all over the globe, says some 70% of online merchants that responded to a survey on its site use card companies’ centralized address-verification systems. But such systems are still lacking outside the U.S., where credit-card systems are more decentralized. Also, while such systems can block many attempts by fraudsters to use stolen cards or card numbers, they are subject to glitches and inaccuracies, and don’t help much during the high-volume gift-giving seasons, when many customers are shipping goods to other people.

About half of all merchants also require customers to type in the three- or four-digit security code that’s printed, but not embossed, on their cards, the Merchant Fraud Squad says its survey found. These codes are effective in preventing fraudulent charges in cases where the card number, but not the actual card, was stolen.

Some online merchants hold fraud down by knowing their customers. Take Virgin Money Ltd., which sells financial products like mutual funds and offers its own MasterCard to customers in the U.K. Only Virgin cardholders can shop at Virgin Money’s online Members’ Shop (www.virginmoney.com), which offers everything the parent company, London-based Virgin Group, sells in the U.K., from compact discs to mobile phones to plane tickets, often at a discount. The system keeps credit-card fraud low by limiting the shop’s risk to the company’s own cards and to customers it has vetted. In addition, shoppers must enter a six-digit password at checkout, a step that hedges against the use of stolen cards — and a form of protection the major credit-card companies are warming up to.

Many merchants also are wary of international orders, particularly those from certain countries. Disputed-transaction rates are 10 times higher for international sales than for domestic sales, says Philip Yen, executive vice president of e-Visa International, a unit of Visa International. Gartner says about half of U.S. online merchants don’t take international orders at all. Others block all orders from countries they consider high-risk, which in many cases include Belarus, Indonesia, Pakistan, Romania, Ukraine and Yugoslavia. Organized high-tech fraud rings have been known to work out of these countries and have pushed fraud levels there sky-high, analysts and retailers say. For instance, some merchants claim 80% to 90% of orders originating in Indonesia are fraudulent, Gartner’s Ms. Litan says.

One of the first orders online store eHobbies (www.ehobbies.com) took when it opened in 1999 was a $20,000 sale to a customer in Indonesia. The elation wore off soon after the shipment was made. "We never heard from them again," says Seth Greenberg, an employee then who is now co-owner.

Today, eHobbies, a unit of Hobby Hub Inc., based in La Mirada, Calif., doesn’t take any international orders, because of fraud concerns. It also has an aggressive, multilayered system for blocking and reviewing suspect orders, because, with tight margins and products that thieves love because they find them particularly easy to sell, eHobbies can’t afford many mistakes.

EHobbies uses software from its hosting service, Yahoo Inc.’s Yahoo Stores, called Order Processor, which stops, at least temporarily, about 10% of the roughly 500 orders the site gets each day. Mr. Greenberg estimates only 3% of each day’s orders are fraudulent, so his staff checks many of the suspicious orders, which keeps the loss of legitimate sales to about 1% of overall orders, he says. Order Processor has a fraud-screening feature that eHobbies can customize based on what it knows about suspicious buying behavior around its specific products.

Taking a Broad View

Yahoo Stores itself also flags suspect orders for eHobbies and the rest of its 20,000 merchants. Placed at the top of customer order forms, the warnings provide no specific information about why a given order was flagged. Yahoo didn’t make an official available to discuss its system. But according to the Yahoo Stores Web site, the system watches for activity that crosses the stores it hosts, and flags things like large orders made by the same person on five sites with five different credit card numbers.

EBay Inc.’s online marketplace, home to hundreds of thousands of individual sellers and 45,000 online stores, also has developed software to identify buyer-fraud trends within its network. It’s now fine-tuning a merchant-alert system that will be available sometime this year, says spokesman Kevin Pursglove. EBay (www.ebay.com) already alerts sellers to individual buyers who have had complaints lodged against them for failure to pay. Companies also can cut their fraud risk considerably by using eBay’s Paypal payment service — whether they sell through eBay or not — because it assumes liability in sales to buyers whose addresses eBay has verified.

For those who want more-extensive protection, software that collects and analyzes transaction data to detect patterns in fraudulent behavior is available from companies including SAS Institute Inc., based in Cary, N.C., SPSS Inc. of Chicago and Israel’s WizSoft Inc. The information they generate can then be plugged into separate software that identifies potentially fraudulent transactions as they arrive. Makers of such so-called rule engines include CyberSource Corp. of Mountain View, Calif., and ClearCommerce of Austin, Texas. This proactive software considers multiple factors associated with potentially fraudulent purchases, because "the last thing you want to do is block every order from New York because 90% of your fraud is from there," says Jeff King, director of risk-product management at CyberSource.

Warning signs these programs can detect might include unusually high numbers of orders involving a given credit-card number or Internet-protocol address, or orders where the IP address and billing address are from different countries.

A number of large merchants build their own software for identifying suspicious buyer-behavior patterns and flagging or stopping questionable transactions. Tom Sullivan, director of e-commerce fraud protection at online-travel company Expedia Inc., says a tailored program, though more expensive to build and maintain than generic software, allows Expedia (www.expedia.com) to use more-precise rules for scoring transactions’ risk levels. That means Expedia’s software flags fewer suspicious orders and misses fewer cases of fraud.

"It boils down to how effectively you model it," Mr. Sullivan says. "You can dial down the knobs very tight on what you’re looking for" to home in on fraud and trigger fewer false alarms.

But really weeding out false alarms means involving people. Expedia has a 12-person team that checks every order its software highlights. They usually contact the customer or the card-issuing bank to ask a few questions. Original Ventures’ Mr. Eisen says the size of such an investigative squad is less important than the individuals’ training. His consulting firm trains investigators for three months on what fraud looks like and how to handle fraud investigations. A small company may be able to make do with one good set of eyes that checks 4% or 5% of orders, he says.

Companies with an acute fraud problem that lack the resources to create a system on the scale of Expedia’s can hire an outsourcing firm to handle it for them. A leader in the field is Internet Billing Co., a unit of InterCept Inc. of Deerfield Beach, Fla. The company, better known as iBill, processes all transactions, handles customer service and assumes all fraud risk for its clients. For this, it takes a 10% to 15% cut of sales, depending on transaction volume.

The overwhelming majority of iBill’s customers, which include Sony Music and more than a few pornography sites, are high-margin vendors of digital content. Such sites tend to attract high rates of fraud, and some struggle to hold chargebacks low enough to keep merchant-bank accounts. IBill says its prevention system — which includes software that detects fraud patterns, databases with information about repeat offenders, and a team of investigators — keeps fraud and fraud-related chargeback levels below average. But this may not be the answer for companies that already have experienced a lot of trouble holding down fraud on their own. IBill lets credit-card companies vet its global client list and terminate iBill’s service to businesses to which the card companies have denied service because of high chargeback levels.

Merchants should also prepare to fight chargebacks they believe are illegitimate. Mr. Eisen says many merchants don’t know their rights or the rules for challenging chargebacks. Many also don’t capture the information needed to support successful disputes, such as shipping records, anything with a signature and transaction histories. Mr. Eisen estimates that 30% of chargebacks can be fought, and that 80% of those are recoverable.

E-tailers should also continually match chargebacks to their original transactions to unearth any new fraud patterns, Mr. Eisen adds. Then they should reprogram their antifraud systems to find similar cases in the future.

Password Push

While online merchants are scrambling to build antifraud systems that are more effective and efficient, the ultimate solution to their problems appears to lie with credit-card companies. Visa is leading an effort to short-circuit fraud by providing an online variation on the in-store signature, through a program called Verified by Visa, which authenticates consumers with a password.

Visa sees online fraud as a growing threat to its bottom line, as rapid growth in online transactions makes e-commerce more and more important to its business. Visa USA says that its e-commerce volume is growing at a rate of more than 50% a year, and that e-commerce represents 5% of its sales volume but accounts for 10% of the fraud it sees. As the business grows, the cost of online fraud could become prohibitive, says Jim McCarthy, Visa USA’s senior vice president of new market deployment.

Visa is even encouraging its competition to adopt the technology, and licenses it royalty-free, in hopes of spurring its broad adoption by merchants, who want a standard system that works for all cards. MasterCard International Inc., based in Purchase, N.Y., has adopted the Visa technology as part of its SecureCode program, and New York-based American Express Co. has said it is exploring the possibility of using similar technologies. American Express has a number of other programs for merchants, including a new proprietary system that checks whether an individual’s shipping address is valid.

Verified by Visa, now a year old, and MasterCard’s SecureCode, launched in September, are in the painful phase of winning converts. To encourage online merchants to participate, both Visa and MasterCard are promising to shift liability for fraud to the card-issuing banks.

The programs require merchants to install software that generates a pop-up window during a sale, where cardholders who have signed up for the service enter a password. Once a password is established, the card will be rejected without it. Customers can decline to sign up and continue to make purchases without verification.

Some merchants think the additional step of entering a password might discourage customers from embracing the service, but the prospect of shedding fraud risk is encouraging retailers to give it a try. Forty e-tailers in the U.S. are using the system already, and another 40 are implementing it, Mr. McCarthy says. Visa’s Mr. Yen says 24 large Asian merchants and 25 big European retailers also are using Verified by Visa, along with two European companies, WorldPay PLC of Cambridge, England, and Bibit Internet Payments BV, based in Bunnik, the Netherlands, that process transactions for hundreds of smaller merchants.

To encourage more to join in, Visa said in April that issuing banks will be held liable for all fraudulent purchases a merchant tries to authenticate through Verified by Visa, even if the cardholder in question hasn’t signed up for the program. The move was also designed to push more issuing banks to participate and to bring in their cardholders. Some 6,000 of Visa’s 14,000 issuing banks now participate in the program.

— Ms. Richmond is a staff reporter for Dow Jones Newswires in New York.

Write to Riva Richmond at [email protected]