Preparing to Fight Online Holiday Fraud

During the 2016 holiday season, online purchases jumped nearly 150 percent for merchants who use the Kount technology platform to manage fraud, versus the same period in 2015.

But at the same time, attacks on merchant websites increased 122 percent, said Don Bush, Kount's vice president of marketing, during an American Society of Travel Agents (ASTA) webinar entitled “Prepare for Holiday Fraud in Travel, Ticketing and Leisure.”

Travel agents need to be on guard, Bush said.

Already, fraudsters are pinging websites, making small purchases to see if the stolen credit card numbers they are using will allow them to make large-value purchases during the Black Friday and beyond online sales season. They know that when transactions increase, entrepreneurs like small travel agencies are too overwhelmed to monitor diligently for fraud.

“Orders are vetted less stringently during the busy holiday season,” said Paul Ciganek, a sales executive for Kount. Cyber Monday had the biggest increase in website holiday season attacks, said Ciganek, at 134 percent.

During the ASTA webinar, attendees were polled on what their greatest fraud concerns are. The number one concern is getting updated on the latest fraud strategies, at 33 percent. “Learning what abnormal behavior to plan for” and “managing the anticipated high volume of orders” both came in tied for second at 27 percent of the attendees.

When standard vetting rules no longer apply
Brett Goldberg, co-CEO and co-founder at TickPick, a Kount customer selling tickets for things like sports events and concerts, said managing risk while dealing with high volumes of transactions is daunting. He said that during the Dodgers/Astros World Series, his average order was in the thousands of dollars.

“Your standard rules for vetting and approving transactions fall apart because you’re processing so many transactions, and at dollar levels outside your rules the rest of the year,” Goldberg said.

With orders regularly topping $2,000, “we had to look at some of our best indicators so we weren’t manually reviewing 20 percent of our orders,” Goldberg said. Too many manual reviews would slow down purchase approvals and push his customers to competitors like StubHub.

“What would be a normal [non-fraudulent] purchase during the holidays may look like it isn’t rest of the year, so you may have to make adjustments to your rules so you don’t stop someone from purchasing from you,” said Bush at Kount.

According to Kount, two-thirds of your clients might never return to your website if you reject a purchase due to an incorrect fraud assessment.

“We just had a false negative,” said Goldberg. “It was a $5,000 order. They bought their tickets on a competitor’s site. Your heart sinks when you hear that.”

Start planning now for holiday fraud
Bush said it is a good idea for agents to make purchases on their own sites now, to see whether there are holes in the credit card verification process. “Fraudsters tools are pretty sophisticated these days, and you need to see what they are seeing and patch holes in advance.”

It might be a good time to review your email database as well, Bush and Goldberg said. If someone has hacked a client’s email address, they might use it in coordination with a fraudulent purchase to increase the likelihood that you assess it as real.

Sophisticated verification tools are using artificial intelligence to link and analyze different digital footprints, like email addresses and credit card numbers, to assist online merchants in approving purchases more quickly and accurately.

Precautionary actions for merchants
Monica Eaton-Cardone, COO of Chargebacks911, offers the five following precautions merchants should take to identify and prevent credit card testing and related fraud:

• Use CAPTCHAs to deter bots. Order forms that use a CAPTCHA (a type of challenge-response test used in computing to determine whether or not the user is human or a bot) can help protect eCommerce sites against credit card testing.

• Validate the billing address via AVS. Use the Address Verification System (AVS) to ensure the address on the order matches the cardholder’s billing address. A mismatch generally indicates card testing or a fraudulent order.

• Confirm the CVV code. Always require a card verification value (CVV) code for all credit and debit card purchases, and flag any orders with an incorrect CVV. Not only should these orders be rejected, but the IP address should be added to fraud filters.

• Flag multiple order attempts from the same IP address. If an IP address is linked to multiple orders or transaction failures with different credit card numbers over a short period of time, it is likely a case of card testing or fraud.

• Review orders from foreign IP addresses. In addition to confirming the cardholder’s billing address, merchants should verify that the IP address is from the same country. Orders that have a non-U.S. IP address and/or shipping address should prompt further review.