Fighting Organized Card-Not-Present Fraud

Rafael Lourenco


April 1, 2020

Card-not-present (CNP) fraud, a type of credit card scam in which criminals make fraudulent transactions without possessing the physical card, is a persistent, growing problem for all businesses that sell online or by phone. According to a 2019 study by Juniper Research, the retail industry alone was expected to lose $130 billion to CNP fraud between 2018 and 2023. The problem has been exacerbated by two factors: the increased organized criminal involvement in these schemes and the fact that most widely used anti-fraud tools are not built to look for organized fraud at scale.

These days, fraud is rarely committed by lone criminals shopping for themselves with stolen card numbers. Instead, when major fraud attacks hit merchants, the culprit is almost always an organized group of criminals who specialize in CNP fraud. These criminals place massive numbers of fraudulent orders with multiple merchants using dozens of stolen card numbers purchased on the dark web.

These groups do much more damage to merchants than individual fraudsters because they operate at scale. After all, if an individual commits CNP fraud to get a certain product, they are only going to buy the product they want. Organized fraudsters, on the other hand, aim to buy in bulk for resale. Fraud is a business for them, not a one-time scam.

Screening Challenges

Even though they are both committing the same type of fraud, the difference matters because traditional fraud prevention tools and solutions are designed to assess and score the risk of each order one by one. Orders with higher risk scores may be automatically rejected or manually reviewed. Manual review of flagged orders separates actual fraud from legitimate orders that are singled out because a customer shopped while traveling or ordered high-value items from a new phone, for example.

This kind of order scoring is a standard CNP fraud-prevention practice that works well for stopping fraud one order at a time. But it may not be enough to identify some of the fraud patterns of criminal gangs.

That is because organized fraudsters have developed their own techniques for stealing as much merchandise as they can as quickly as they can. Placing multiple orders is standard operating procedure for these groups, and they often take over accounts to make their fraud harder for order-screening systems to detect. These criminals will hack victims’ bank, credit card and online retail accounts and use their payment and personal data to shop incognito. Because they appear to be good customers with established accounts and validated shipping and payment addresses, their orders are likely to slip past traditional risk scoring tools.

The sophistication of organized CNP fraudsters does not stop with account takeover. Often, these groups will attack in waves using hijacked accounts of several victims. To save time and maximize the number of orders they can get through before their fraud is discovered, they may use botnets to automate their fraud attacks.

Then there is the matter of getting the stolen goods rerouted to the fraudsters, instead of to their victims’ addresses. This can involve calling merchants to change delivery destinations after the orders are approved. Some gangs even place people inside shipping companies to physically intercept fraudulent orders and redirect them to a collection point for resale.

This type of fraud can devastate small merchants. Often, the fraud is only discovered when the cardholder reports the purchases, and the merchant is left to absorb the loss and pay a costly chargeback fee on each fraudulent transaction.

Because organized fraudsters behave differently from individual scammers, different patterns emerge. With large-scale fraud, companies typically see an unexpected increase in order volume, combined with other unusual patterns. For example, as criminals try to build up their stock for resale, a merchant might suddenly see many orders for the same product or many different items all going to the same region. There might also be a sudden uptick in the number of orders made with cards that have the same bank identification number (BIN), indicating that a group has managed to break into several customer accounts at the same financial institution.

Why not simply include these indicators in the traditional order scoring program? The problem is that doing so would likely result in many false declines,  a bottleneck in the manual review process, or both. A merchant that wants to survive and keep good customers cannot simply decline or manually review every order that originates from the same ZIP code or that has the same BIN, for example.

Moreover, it is hard to detect large-scale fraud attacks in advance. In hindsight, when fraud-related chargebacks pour in, a merchant can review the orders and see what they have in common. But identifying waves of fraud as they come in is not easy with traditional tools.

What individual order scoring tools lack is context. A system that validates the elements of each order individually cannot spot 10 orders in a row made with the same combination of city, product and BIN. On their own, each order looks valid, earns a low risk score and gets approved. Clearly, assigning a score for each order is not enough to identify risky groups of orders.

New Fraud Fighting Tactics

One solution to this problem is to use anomaly detection tools to evaluate orders in context. By adding group analysis to the fraud screening process, companies can check the combined characteristics of multiple orders to look for different kinds of fraud-related patterns. When group analysis detects an anomalous pattern in a group of orders, they can be manually reviewed in the proper group context to decide if they are organized fraud activity and should be rejected.

Companies should be aware, however, that group analysis may detect patterns that play out over hours, days or weeks. This means that orders may have already shipped by the time an anomaly is found and manual review confirms that it is due to fraud activity. In that case, companies will need to know whether and how they can recall the shipped orders to limit losses.

By layering anomaly detection and individual order scoring, merchants can better protect themselves against both organized fraudsters and lone scammers. This is not the only method to combat organized fraud, however. For example, some banks now use advanced graph analytics to uncover hard-to-discern relationships among devices, phone numbers and other data used to open fraudulent accounts using stolen or synthetic identities. Many banks are also working with Visa’s Issuers’ Clearinghouse Service database to spot stolen Social Security numbers, which fraudsters often use to construct synthetic identities to open accounts. As more organizations add stronger analysis and data-sharing capabilities, the entire ecosystem will become more effective in the fight against organized fraud.

Rafael Lourenco is executive vice president and partner at ClearSale.