As the quarantine caused by the Covid-19 pandemic carries on, fraudsters are continuously testing the waters to find new ways to exploit the situation.
BOPIS, which stands for “Buy Online Pickup In Store,” has long been of interest to fraudsters. Going back over a decade, these bad actors have sought to exploit “Click and Pick” orders as a different vector to steal items. The shipping aspect of conventional orders had long been a component that made fraud attempts obvious to merchants, and therefore, easier to prevent. This included relying on known bad shipping addresses, distance calculations, and other red flags that can be leveraged by rules-based fraud systems to prevent order completion. The ability to pick up fraudulent orders in person that were made online created a new channel to obtain items purchased with stolen credit cards and other compromised payment accounts.
Related reading: Retailers Beware: Omnichannel Fraud is on The Rise
BOPIS Fraud Prevention 101
Fraudsters were now able to try to leverage assets like fake identification and use social engineering skills to manipulate front end retail customer service into obtaining items purchased under the guise of the victim’s identity. As time went on, a chess match played out, with risk departments, loss prevention teams, and web operations groups collaborating to find the best recipe for preventing fraud by enforcing strict order retrieval practices while simultaneously not negatively impacting good customers with the burden of additional friction.
This led to fraud and risk teams feeling satisfied about having put into place reasonable fraud scoring upfront, giving them the ability to feel confident that their security controls would prevent the receipt of fraud purchases that got through with an order that looked acceptable to the rule systems.
Enter the New Normal: Quarantine Life
As the quarantine period we’re experiencing to combat the COVID-19 pandemic continues on, it has become increasingly clear that having an innovative fraud solution on the front end is more important than ever. Relying on traditional rules based schemes that focus on the small slice of user activity at the time of checkout, then relegating the responsibility of enforcing security measures to retail employees is too risky in the current environment. These essential workers, quite reasonably, are likely more focused on their personal safety when interacting with customers. The dangers of this stressful work environment make it difficult to concentrate on anything beyond doing their job, without putting themselves at risk.
Quite frankly, expecting these employees to risk their own safety during curbside pickups to confirm customer identification is not reasonable as a fraud prevention measure.
Related reading: Ecommerce Fraud
Rolling the Dice with BOPIS Fraud Attempts
Recently, our team has witnessed vulnerabilities from retailers who are not requiring or asking for any type of confirmation, providing the orders merely with the fraud victim’s surname stated at pickup. Seeking to find out if this was a known exploit, we monitored several IRC channels and prominent carding boards known to be locations where fraudsters trade information. Users anecdotally were sharing their experiences of success and failures while attempting to obtain their stolen items. It was apparent that many big box store front end employees haven’t been effectively enforcing their own customer service BOPIS requirements.
Fraudsters were having widely varying levels of success with an omnichannel company’s employees executing the expected policies in Milwaukee, while entirely disregarding the same norms for orders in suburban Atlanta locations of the same store.
Protect Your BOPIS Procedure and Your Employees
With the turbulent surroundings and even daily policy changes that retail employees are experiencing, it is now more important than ever before to remove the burden of reliance on these essential workers as a fraud control. The best way to execute this is by having a better fraud solution to evaluate the customer before and during the placement of the order. Utilizing behavior analytics and device identification in combination with machine learning to assess the purchase can give you the best decision to feel confident in releasing the goods to the cardholder or recipient while avoiding the added friction that comes with the pick-up process.
Written by: The Precognitive Team