One of the greatest challenges you face as an online retailer isn’t losing money to fraudsters. It’s losing money when legitimate customer transactions are incorrectly flagged as fraudulent and declined.
In fact, according to Riskified, a whopping 35% to 80% of declined orders are legitimate. To clarify, these are transactions that may, on the surface, appear to be fraudulent, but are actually real orders placed by good customers.
These false declines, also called false positives, hurt online businesses in many ways. When a customer receives notice about a declined transaction, the customer becomes frustrated, embarrassed, and aggravated. In fact, a report by Javelin found that as many as 39% of online shoppers who are falsely declined choose to not return to that store again. Worse, these disgruntled customers often vent their anger to their social media network. An American Express study found that consumers tell an average of nine people about their good experiences—but they tell 16 people about the bad.
All told, U.S. merchants lose nearly $118 billion each year to falsely declined transactions—more than 13 times the cost of credit card fraud.
Clearly, false declines are a major problem for online merchants—more so even than e-commerce fraud. But, few online businesses are even aware of the problem, much less prepared and able to do something about it.
The problem typically stems from an over-reliance on the basic fraud filters that are often part of e-commerce platforms or payment gateways. Because merchants may not feel they have the expertise to accurately identify fraudulent transactions, they turn on these fraud filters and let the filters do all the fraud detection heavy lifting.
Fraud filters work by analyzing incoming orders based on pre-determined “rules”. These rules assess the likelihood that a transaction is fraudulent. If any aspect of the transaction is suspicious, the fraud filter will raise a red flag and the transaction will be automatically declined.
And yet, what happens when a transaction might appear to be fraudulent, but in fact is a perfectly legitimate order from a perfectly legitimate customer? Therein lies the rub. The fraud filters typically cast a wide net, and legitimate transactions can easily get caught in that net and end up declined in error.
So, what to do? No merchant wants to turn down good orders. But, accurate e-commerce fraud detection won’t work well with a “set it and forget it” approach. Instead, separating good orders from bad orders requires a more hands-on strategy. This likely means manually reviewing transactions that are flagged as fraudulent before they are declined, so the merchant can validate that the transaction is in fact fraud—or possibly legitimate.
To do this, it’s necessary to first understand what to look for.
Here are seven of the leading reasons why a legitimate purchase might appear to be fraudulent. Each of these is often one of many possible indicators of e-commerce fraud, but in certain circumstances each can be quite innocent. It’s the merchant’s unenviable responsibility to dig deeper into these questionable transactions to determine what’s really happening behind an order. Is an actual customer placing this order? Or is it a fraudster trying to complete a theft? Only a thorough review will uncover the real answer.
Let’s dive into these possible reasons why legitimate orders might look like fraud.
1. First-time customers who place a large order typically set off alarm bells for fraud prevention systems. Why? Because once a criminal has tested a stolen card number and verified that the information is good, that criminal wants to move fast and steal as much as possible, as quickly as possible, before moving on to the next unsuspecting store.
However, that’s not to say that all first-time customers making large purchases are fraudsters. This factor alone should not be enough to warrant automatically declining the order.
2. Certain countries account for a high volume of fraudulent online purchases. Overly cautious merchants may set their fraud systems to automatically deny all orders coming from these high-risk countries, particularly large orders (see #1 above).
And yet, not every consumer in these high-risk countries is a fraudster. Good customers in these countries will run into problems if a merchant’s system does not have a process in place to further analyze these transactions.
3. As we’ve said, fraudsters tend to make their purchases quickly: they get in, grab the goods, and get out. Legitimate customers, meanwhile, tend to spend time browsing on a website before making a purchase. For this reason, fraud filters don’t like impulsive shoppers.
However, what about the shopper who chooses a dress from an online store and completes the purchase, but then a few minutes later decides to go back to the store and purchase a pair of shoes to match the dress?
The session in which the customer purchased the shoes might look suspicious to a fraud filter, if the filter is only analyzing the current session. It’s therefore critical to look at the entirety of a customer’s traffic history—including past sessions and previous shopping patterns.
4. Shopping behaviors often change during Christmas, Black Friday, and other busy seasons. Customers tend to place larger-than-normal orders, at higher-than-normal volumes, and ship those orders to addresses that differ from the ones on the credit card.
This can cause problems for fraud detection systems when the fraud rules haven’t been designed to adapt to these peak seasons. If the fraud rules don’t change, this seasonal shopping behavior will cause the fraud filters to flag genuine orders as fraudulent, resulting in good orders—and good revenue—being incorrectly declined.
5. Fraudsters will often make a purchase with a stolen credit card and have the order shipped to an address other than the billing address on the card. To catch these fraudsters, most fraud filters will run a basic Address Verification Service (AVS) check to see if the billing and shipping addresses match. An AVS mismatch can cause an order to be flagged and declined.
However, there are legitimate reasons why the billing and shipping addresses might not match—such as when the customer is shopping for gifts. A too-conservative fraud filter may try to block these purchases without also reviewing other factors about the transaction that might indicate it’s legitimate.
6. A fraudster will typically place an order from a location other than the billing address. Therefore, if the IP address of the computer that generated the order does not match the billing address of the credit card used, this can be an indicator of fraud.
But similar to #5 above, there can be legitimate reasons for this mismatch as well—such as when a customer makes a purchase while travelling.
7. Even once a merchant’s fraud system has approved an order, the transaction must still go through multiple steps in the payment chain as it is processed—including a payment gateway, payment processor, card network, and card issuing bank. Each player in this payment chain will have its own methods for detecting fraud. Until the money has been safely deposited into the merchant’s account, the transaction can still be declined at any point in this chain.
Notably, because of the well-known data breaches that have plagued the payments industry in recent years, many vendors in the industry are actively tightening their approach to fraud detection. Even the smallest issue could cause a transaction to be rejected outright. The merchant may receive a response code that indicates the reason for the decline, but these codes are often vague—which can be frustrating for everyone.
Ultimately, it’s clear that when it comes to e-commerce fraud detection, there is more to it than meets the eye. Online merchants must be prepared to avoid falling into the trap of automatically declining every suspicious order their fraud filters catch—because a good portion of those suspicious orders are probably, in fact, legitimate. Turning down good orders based on false declines is like leaving money on the table. And, merchants are in business to generate revenue.
The most effective way to prevent false declines is to employ a multilayered fraud protection solution that includes a combination of automated fraud filters and manual reviews.
Yes, that’s correct: Fraud filters do still have a role to play in e-commerce fraud detection. But, they shouldn’t be the only tool in the merchant’s toolbox. The right solution will use an automated approach to scan incoming orders to detect indicators of possible fraud, so that these suspicious orders can be further investigated to verify whether the order is in fact fraudulent or legitimate. This one-two punch will enable the merchant to catch all the fraudulent orders without falsely declining the good orders.
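As an added illustration (not code from the original article or from any vendor's product), the Python sketch below contrasts a filter that declines on any single indicator with a triage step that queues flagged orders for manual review and looks past the current session. The field names, thresholds, and the "XX" country placeholder are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass

HIGH_RISK_COUNTRIES = {"XX"}  # placeholder: the article names no countries
LARGE_ORDER = 500.00          # assumed "large order" threshold
FAST_CHECKOUT_SECS = 60       # assumed "impulsive" session threshold

@dataclass
class Order:
    order_id: str
    amount: float
    prior_orders: int           # earlier completed orders by this customer
    session_secs: int           # time on site in the current session
    ship_country: str
    ship_matches_billing: bool
    ip_country: str
    billing_country: str

def triggered_rules(o):
    """Names of the article's fraud indicators that this order trips."""
    checks = {
        "first_time_large_order": o.prior_orders == 0 and o.amount >= LARGE_ORDER,
        "high_risk_country": o.ship_country in HIGH_RISK_COUNTRIES,
        "fast_checkout": o.session_secs < FAST_CHECKOUT_SECS,
        "address_mismatch": not o.ship_matches_billing,
        "ip_billing_mismatch": o.ip_country != o.billing_country,
    }
    return [name for name, hit in checks.items() if hit]

def naive_filter(o):
    """Set-and-forget filter: any single indicator declines the order."""
    return "decline" if triggered_rules(o) else "approve"

def triage(o):
    """Flagged orders are queued for manual review, never auto-declined."""
    hits = triggered_rules(o)
    # Look past the current session: a quick checkout by a customer with
    # order history (the dress-then-shoes case) is not suspicious by itself.
    if o.prior_orders > 0 and "fast_checkout" in hits:
        hits.remove("fast_checkout")
    return ("review" if hits else "approve"), hits

# Constructed sample orders, not real data.
ORDERS = [
    Order("A1", 80.0, 1, 40, "US", True, "US", "US"),     # shoes after the dress
    Order("A2", 120.0, 3, 300, "US", False, "US", "US"),  # gift to another address
    Order("A3", 900.0, 0, 35, "XX", False, "XX", "US"),   # many indicators at once
]

def compare(orders):
    """One row per order: (id, naive decision, triage decision, reasons)."""
    return [(o.order_id, naive_filter(o), *triage(o)) for o in orders]
```

The naive filter declines all three orders, while triage approves the returning shopper and hands the reviewer the specific indicators to check on the other two.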