Fraud Prevention 101: A Q&A with Pat Maguire from SUMO Heavy

John Suder
Apr 13, 2020

The following is a transcript from an interview with Pat Maguire, Director of Technology at SUMO Heavy. Pat shares some insights on how merchants can keep their online stores safe.

When discussing with a client, what would you say is the overall definition of fraud prevention and what areas of the business would that cover?

When we discuss fraud prevention with a merchant, the overall goal is to put your business in the best position possible to minimize your risk with eCommerce operating in a "card not present" environment. That means simply that you have users entering their cards manually on your website.

There's always going to be a lot of malicious users trying to take advantage of your store, and there are two main ways we see merchants try to minimize their risks. The first one is by preventing a malicious user from placing an order in the first place. Example: They get to checkout, attempt to make a charge, and it won’t go through.

The second is by identifying fraudulent orders before they're actually shipped out of their warehouse. 

What's the best way a merchant can protect themselves from chargebacks? Is there a uniform solution or is this something you have to look at case by case, and what factors come into play when you're making these determinations? 

Chargebacks are obviously a very serious loss of revenue for eCommerce merchants because they can occur weeks or even months after an order is placed. Not only can the merchant lose the revenue from the order that's been placed, but they're also going to lose the inventory that's been shipped to the user. 

Merchants have a number of options to protect themselves with both automated and non-automated solutions. An easy example of a non-automated solution is as simple as having your warehouse staff manually audit your orders. A lot of times they'll look for customers that they know are blacklisted, or different countries that are being shipped to that your company has blacklisted.

There are also automated solutions. A lot of payment providers have security settings. These can be a mixed bag because they do allow you to reject charge attempts based on data that gets matched from the credit card companies.

Sometimes there is a risk of balancing fraud prevention with some false rejections. If your AVS settings (your address verification settings) or your CVV settings (your card verification code settings) are set too strict, they can actually lead you to reject legitimate orders.

So there is a little bit of a give and take there.

If you have a false rejection, what's the best way for a merchant to handle that? Is that just a hands-on process or are there automated solutions? How quickly does that happen and how would a merchant know that a customer was just falsely rejected? 

If you're relying on AVS or CVV settings as your main fraud prevention filter, usually there's not a lot that can be done. Most merchants are going to automatically reject an order as soon as it's attempted to be charged.

There are some payment provider settings that will allow you to hold that order and review. You just need to make sure that your warehousing system syncs up with that and you don't accidentally ship out orders that haven't actually been authorized in the first place. 

Fraud protection systems sound very complicated. It sounds like there's a lot of steps involved. Is there a way that a merchant can do this incrementally, or is this an ‘all or nothing’ scenario? 

There are a lot of places to start. Having a manual solution in place where your warehouse staff or your customer service staff are taking a look at orders is a great first start.

When you start to have additional liability, making sure to fine-tune those fraud settings and your payment provider, the AVS settings, the CVV codes are a great solution. However, when even that won't prevent a lot of the fraud, a lot of times a third-party fraud solution can be a great choice for customers because they actually offset a lot of the liability in figuring out whether an order is legitimate or not. 

A lot of these solutions will actually allow you to submit your orders to a third-party service, which analyzes it with all the data they've collected, and it'll actually tell you whether to accept or decline the sale. 

The pitfall of that is that there's a cost involved, but I guess you would have to measure out the benefits of the fraud versus the cost of the solution, correct?

That's exactly right. And the benefit to some of these solutions can be that not only do you avoid shipping out fraudulent orders, which, as we've said before, not only loses the revenue of the sale but the cost of the merchandise that you've shipped out, you also tend to have a lot of situations where you're able to fulfill more orders because you reduce false rejections.

So while there is certainly an added expense with these fraud solutions, a lot of times merchants can come out better in the end because they're able to fulfill more legitimate orders.

So in the end, it's the cost, you have to weigh those factors. But, let's just say if you're shipping a t-shirt, it’s a little different than if you're shipping out a $1,200 bed. They have to weigh those options depending on what kind of money you're bringing in.

That's absolutely right. And a lot of times the cost of your goods is a big reason to choose what type of fraud solution you're going to use. If you're manufacturing something yourself and it doesn't cost very much to produce, it's probably not worth having an enterprise-level fraud solution because your risk isn't there. 

Like a digital product. But if you're talking about hard goods that cost multiple hundreds of dollars, now you're talking something that makes complete sense. Are there off the shelf services that you'd recommend?

There are a few that we've implemented in the past with a lot of success from merchants. Braintree has a built-in suite called Kount that comes in a few different flavors that are pretty much baked in with a lot of the Braintree integrations and major platforms, and that can be very effective.

We've also implemented Signifyd for a few different merchants. There are cases where you actually submit all of your orders to Signifyd and they'll actually guarantee them or not guarantee them, based on their assessment of the order. And if you ship an order out to a customer that comes back in the chargeback that was guaranteed by Signifyd, they will actually handle the chargeback when it comes in, and if you lose the chargeback, they'll reimburse you for the order. 

That sounds like a pricier solution, but again, you have to weigh those cost benefits out, correct?

Exactly. And a lot of times doing the paperwork and keeping up on chargebacks can be difficult for merchants too. It can be a pretty serious full-time job for somebody when you're getting into, you know, hundreds and thousands of orders.

Cybercriminals are, if anything, crafty people and there are new types of threats that we hear of all the time. What are you seeing on the security horizon that merchants need to be aware of? Any new scams or anything that we have to keep our eyes out for?

I think one of the big things that people should really keep an eye out for is freight forwarders. It's one of the things that we run into a lot where we have users that are shipping orders to an address that's not affiliated with their credit card and they're getting shipped overseas to some other address. 

Someone buys something to have it forwarded to another address. Where does the fraud take place?

What they'll do is they will actually use stolen credit card data and they will place an order to a freight forwarder. So that order will get shipped to a freight forwarding warehouse, which will then send it somewhere else, usually an international address. And weeks or even months later, a lot of times a chargeback will get entered against that order and that merchandise will be long gone, and you'll lose the chargeback case.

What's the number one thing that merchants can do right now on their own to protect themselves? 

I really think the number one thing a merchant can do pretty quickly is to understand the impact that chargebacks are already having on their business.

Some merchants don't have a lot of issues with chargebacks and can get away with mostly manual reviews. However, when they start to experience greater amounts of chargebacks, they should quickly understand what they can do to minimize their risk, to keep more of their hard-earned money in their pockets and to evaluate whether or not it makes sense to spend a little bit of money on a service. A lot of times, spending that money is really worth it in the long run. 

This interview is from our weekly podcast 'In the Ring with SUMO Heavy'.
The podcast is available on Apple Podcasts, Spotify, or wherever you listen to podcasts.
