Friendly Fraud – With friends like these, who needs fraudsters?

Friendly Fraud, Chargeback Fraud, First Party Fraud, Return Fraud; no matter what you call it, it’s turning into a big problem for online retailers.Friendly Fraud refers to fraud that is not perpetrated on a lost or stolen card, or through account compromise.Rather, Friendly Fraud can manifest itself in a number of ways:

1.“It wasn’t me (unintentional)” – In this type of Friendly Fraud, the cardholder charges back a transaction because they do not recognise the name of the merchant listed on the card statement.This is especially problematic for recurring billers that do not list the merchant name, for instance EziDebit in Australia appears on the statement without reference to the underlying “Badger Swim School” merchant name.Alternatively, where PayPal acquires online for merchants the statement reference may only show “PayPal” without listing the merchant’s name, leading people to believe that somehow their PayPal account and registered credit card information have been compromised.In yet another version of this type of fraud, the cardholder might not realise that his child or spouse used the card number to purchase something without permission.The most common incidence of this would be in-app purchase of game items by children deep in the frenzy of battle.


2.“It wasn’t me (intentional)” – The other side of the “it wasn’t me” coin is more malicious, wherein the cardholder claims that someone (an unknown fraudster) must have stolen their card information.If successful, the cardholder will receive a refund from their card issuer, as well as be able to continue to use the (now stolen) goods, a double benefit.


3.“I never received what I ordered” – Finally, true malicious intent arises when a customer claims that they never received the product (whether physical or digital), and demands a refund.In this case, the customer receives a refund from their card issuer and also keeps the goods, as in the case above.A variant of this scenario is “the goods arrived damaged (or defective)”.Customers may try this approach in the hopes that the merchant will send a new product, thus effectively granting the customer a two-for-one bargain.

Belying its name, in a vast majority of cases, Friendly Fraud is not at all friendly, as it is intentional rather than of the unintentional variety.A study by fraud mitigation company Chargebacks911 found that 86% of all customer chargebacks are pre-meditated and deliberate[1], indicating a large (and growing) problem for the industry.

So what, who cares if merchants lose a small transaction here or there?

The most recent statistics attempting to size losses from Friendly Fraud come from a Visa study, which cited $11.8 billion in Friendly Fraud losses in 2012 for online retailers in the USA.Visa further estimated that this figure is growing at over 41% annually.[2]The size of this aggregate loss is over four times the estimated $2.7 billion lost annually to identity theft, yet solutions fighting identity theft are much more prevalent in consumer marketing.A separate study by LexisNexis estimates that about a fifth of all online merchant fraud is Friendly Fraud. [3]

The impersonal nature of online sales makes it easier for consumers to justify defrauding the merchant in many cases. As the transaction happens at a distance online without any face-to-face interaction, customers may feel more justified in stealing from an online merchant that sent them a product they didn’t like.Whereas returning an item to a physical store requires a certain level of honesty, and usually a reason for the return, a chargeback to an online merchant through the card issuer requires no human contact, nor a reason other than a generic “I didn’t like it”.

Far from a victimless crime, this type of fraud results in a long list of outcomes that negatively impact merchants and customers.Merchants incur higher administrative and processing costs to fight chargebacks, not to mention the actual fraud losses themselves.As a direct result, merchants have to raise prices for all customers to cover fraud losses, thereby penalising the vast majority of honest customers.Large merchants have introduced restocking fees (most notably Amazon) to defray the cost of frivolous returns, and to deter would-be Friendly Fraudsters from benefiting from false returns.Some merchants have introduced more onerous identification requirements, which reduces flexibility in shipping gifts, in some cases, and inconveniences honest customers in all cases. Card issuers are becoming stricter about investigating chargebacks, questioning their legitimacy, which makes everyone jump through more hoops; hence honest customers have to accept more inconvenience from retailers and their issuing banks in order to purchase online.

What can be done about it?

Friendly Fraud is notoriously difficult to prove, and often devolves into a game of “he said, she said.”The cost to defend a chargeback for a small merchant heavily reliant on manual processes can quickly exceed $100 per case, limiting the expected return for chargebacks on small ticket items.However, each participant along the payments value chain can implement a few changes in order to reduce their susceptibility to Friendly Fraud, as described below.

Merchants

Merchants have the highest vulnerability to Friendly Fraud of all the value chain participants.In most cases, ultimate fraud liability rests with the merchant, even if all required data was captured correctly.Merchants who have more than 1% of charges reversed as chargebacks can have their merchant account shut down by Visa or MasterCard – basically a death sentence for an online merchant heavily reliant on card payments (as all online merchants are).Some safeguards that merchants can employ are as follows: 

Install and use 3D Secure.Transactions routed via 3D Secure (variously branded as American Express SafeKey, MasterCard SecureCode, and Verified by Visa) have a major advantage for merchants in that they offer liability shift back to the issuer in cases of verified fraud.Moreover, 3D Secure is especially useful in combatting Friendly Fraud where the cardholder tries to claim “it wasn’t me” (either intentional or unintentional) because to get through the 3D Secure challenge the user would have had to enter in a passcode delivered to the cardholder through one-time-messaging.In the past, merchants have been reluctant to install 3D Secure because they believed it increased cart abandonment.Recent improvements to 3D Secure, however, allow for iFrame rendering within the website and one-time-passwords delivered through SMS messaging on registered mobile phones, greatly improving the customer experience and avoiding the cart abandonment problem.

Maintain a Hot List, a Warm List, and a Positive List 
     o Hot List (or Negative List) customers are those who have previously submitted a chargeback, or have committed fraud on your site in the past.For all lists, the typical information captured includes street address, state, postal code, phone number, email address, and payment card number[4]
     o Warm List customers are those who have made non-delivery claims, or are frequent returners.New orders can then be screened against this list (name, shipping address, and phone number) to identify repeat behaviour.After all, “Fool me once, shame on you; fool me twice, shame on me.”

     o Positive List customers are those who you know are legitimate repeat buyers.New orders from these customers can be fast-tracked through the approval process without increasing fraud risk in order to reduce cost and speed order execution.In a merchant environment where suspect orders must be manually reviewed, knowing which orders can be expedited saves valuable time and money.Positive list matches must present a 100% match across all captured data elements in order to ensure validity – partial matches are susceptible to false positives.

- Ensure fraud mitigation efforts look across all channels.With the push toward omni-channel retailing, it is imperative that the lists are collated across the available customer channels (e.g., online, MOTO, and card-present in-store).A customer buying online may now easily return goods in-store, and it is important to have a consolidated view across the organisation to identify all forms of potential fraud.Note that the refund for any returned goods should be credited back to the same payment device/method used to make the original purchase, as it is a common technique of real fraudsters to get refunds onto a different card to that used to make the payment on the purchase.

- Share fraud lists where possible.Some markets around the world have established fraud sharing forums or databases.To the extent possible, the sharing of Hot and Warm lists across merchants dramatically increases the ability to stop Friendly Fraud.

- Only ship to the address registered to the payment card.This policy has the benefit of reducing claims that the goods never arrived, as they will be forced to ship to a verified address (as per their card issuer).However, this restriction prevents shipping of gifts directly to recipients, and thus be of limited utility to sites that rely heavily on gift purchases.As a corollary, some merchants also limit the ability to reroute a package directly with the shipper in the time period between order submission and delivery.

 - Require signature upon delivery or use delivery confirmation. Delivery confirmation should include the time, date, and location of the delivery.Additionally, some shippers are able to include the name and even the signature of the recipient.Armed with this additional information, merchants are able to more easily defend against the customer who claims to have never received the (physical) goods.However, this increases shipping costs for customers (or the merchant), and may not in any case be enough to successfully fight a chargeback.

 - Include an electronic “kill-switch” for digital goods.For goods delivered digitally, providers can include a requirement for the software to check-in with the supplier to ensure a valid usage license, which can be revoked at any time.Customers who claim to have not successfully downloaded the software will find their download inoperable without a valid license.

  • Set a threshold below which chargebacks are not challenged.Although it is a difficult concept to internalise, for many low value transactions, the cost of investigating and successfully defending a chargeback exceeds the benefit of recovering the fraud.Depending on your own organisation’s internal processes, defending a single fraud chargeback can cost between $50 and $100 per item.Setting a minimum transaction amount for chargeback processing will save fraud analysts’ time, and allow you to more quickly clear the fraud review queue and focus more attention on the major fraud cases.

Issuers

In their (noble) quest to service customers and assert that “the customer is always right,” card issuing banks often are quick to refund a customer’s money and penalise the merchant without appropriate substantiation.With the rise of Friendly Fraud in recent years, some issuing banks have begun to require a signed affidavit from the customer that the fraud was indeed third-party fraud, in order to address the “it wasn’t me” fraud type.

Almost all Friendly Fraud claims begin when a customer files a chargeback directly with their card issuer without attempting to first contact the merchant in question.Customers find it easier to simply file the chargeback online with their bank rather than going through the effort to talk to someone at the merchant about their dispute.Many incidents of Friendly Fraud, especially those where the customer legitimately does not recognise a transaction, can be cleared up with a simple conversation between the customer and the merchant.In order to stem the increasing tide of Friendly Fraud chargebacks, some card issuers are requiring customers to first directly contact the merchant before the bank will consider processing the customer chargeback.

Acquirers, Gateways, and Payment Service Providers

Acquirers and other providers of payment services often act only as the interface between the merchant and the issuer, and as such can sometimes be thought of as mere bystanders in the transaction flow.However, it is important to note that in the event of a merchant default, where for instance a large fraud incident causes a merchant to go out of business, it is the acquirer who is ultimately on the hook for the losses on behalf of the merchant, if the merchant is unable to pay.Therefore, it is in the acquirer’s best interest to help to reduce fraud incidents and assist merchants, who after all are their customers.

- Provide a state-of-the-art 3D Secure experience.As mentioned above, 3D Secure has come a long way since its early (clunky) implementation 15+ years ago.Payment acquiring providers should ensure that they have enabled iFrame presentation for 3D Secure challenges (rather than suspicious-looking pop-up windows), are able to present and pass through a one-time-passcode challenge either through the 3D Secure system or via an out-of-band channel (e.g., through the card issuer’s online banking platform), work to reduce or eliminate static passwords, and avoid in-line registration for 3D Secure on merchant check-out pages.

Fraud Mitigation Solution Providers

Merchants are on the frontline for the detection of fraud at their own online websites.However, being so close to the coalface means that merchants are unable to see the broader picture, and spot fraud trends across a network or geography.

Fraud mitigation solution providers often focus on reducing fraud for each of their individual merchant customers, fine tuning their algorithms to identify specific fraud incidents and types.However, we find that few fraud solutions provide a sharing mechanism back across their merchant customer base.While fraud solution providers may keep centralised hot and warm lists across their own customers, rarely is this shared so that merchants can perform their own analyses on a broader data pool.Fraud providers often cite confidentiality concerns when probed about data sharing, but surely there is some level of data that can be shared with merchants in order to help identify potential cases of Friendly Fraud and decrease the burden of detection and remediation.

“Friends are like stars.You don’t always see them, but you know they’re always there”

In conclusion, Friendly Fraud is an unfortunate by-product of a customer-friendly chargeback system.Friendly Fraud is difficult to spot, and aggressive pursuit runs the risk of false positives and customer insults.In a slightly Orwellian-twist to the adage about friends resembling stars, you might not always be able to see them, but Friendly Fraudsters will always be there, ready to steal your trust (and your money!).

Sources:

http://fraudpractice.com/gl-lists.html

http://fraudpractice.com/News-Friendly-Fraud-Chargebacks.html

http://www.dailyfinance.com/2014/03/20/friendly-fraud-costs-retailers-billions/#!slide=976871

www.chargebacks911.com

https://usa.visa.com/content/dam/VCOM/download/merchants/visa-risk-management-guide-ecommerce.pdf

http://www.cbsnews.com/news/friendly-fraud-an-enemy-to-everyone-in-the-e-commerce-chain/

http://www.csmonitor.com/Business/Saving-Money/2014/0311/Friendly-fraud-Yes-it-exists

[1] www.chargebacks911.com

[2] http://www.csmonitor.com/Business/Saving-Money/2014/0311/Friendly-fraud-Yes-it-exists

[3] www.lexisnesis.com/risk/downloads/assets/true-cost-fraud-2014.pdf

[4]Note that storage of payment card numbers will require PCI-DSS compliance if the card details are not tokenised at the merchant level.Name is not usually recommended for matching, as there are many similar common names that can reduce accuracy.Matches against street address should look for partial matches to capture fraudsters who change only a single digit or letter to avoid detection.