Fighting BOPIS Fraud in the Age of Quarantine

Matt Sergot
May 19, 2020 · 3 min read

As the quarantine caused by the Covid-19 pandemic carries on, fraudsters are continuously testing the waters to find new ways to exploit the situation.

BOPIS, which stands for “Buy Online Pickup In Store,” has long been of interest to fraudsters. Going back over a decade, these bad actors have sought to exploit “Click and Pick” orders as a different vector to steal items. The shipping aspect of conventional orders had long been a component that made fraud attempts obvious to merchants, and therefore, easier to prevent. This included relying on known bad shipping addresses, distance calculations, and other red flags that can be leveraged by rules-based fraud systems to prevent order completion. The ability to pick up fraudulent orders in person that were made online created a new channel to obtain items purchased with stolen credit cards and other compromised payment accounts.

Related reading: Retailers Beware: Omnichannel Fraud is on The Rise

BOPIS Fraud Prevention 101

Fraudsters were now able to try to leverage assets like fake identification and use social engineering skills to manipulate front end retail customer service into obtaining items purchased under the guise of the victim’s identity. As time went on, a chess match played out, with risk departments, loss prevention teams, and web operations groups collaborating to find the best recipe for preventing fraud by enforcing strict order retrieval practices while simultaneously not negatively impacting good customers with the burden of additional friction.

This led to fraud and risk teams feeling satisfied about having put into place reasonable fraud scoring upfront, giving them the ability to feel confident that their security controls would prevent the receipt of fraud purchases that got through with an order that looked acceptable to the rule systems.

Enter the New Normal: Quarantine Life

As the quarantine period we’re experiencing to combat the COVID-19 pandemic continues on, it has become increasingly clear that having an innovative fraud solution on the front end is more important than ever. Relying on traditional rules based schemes that focus on the small slice of user activity at the time of checkout, then relegating the responsibility of enforcing security measures to retail employees is too risky in the current environment. These essential workers, quite reasonably, are likely more focused on their personal safety when interacting with customers. The dangers of this stressful work environment make it difficult to concentrate on anything beyond doing their job, without putting themselves at risk.

Quite frankly, expecting these employees to risk their own safety during curbside pickups to confirm customer identification is not reasonable as a fraud prevention measure.

Related reading: Ecommerce Fraud

Rolling the Dice with BOPIS Fraud Attempts

Recently, our team has witnessed vulnerabilities from retailers who are not requiring or asking for any type of confirmation, providing the orders merely with the fraud victim’s surname stated at pickup. Seeking to find out if this was a known exploit, we monitored several IRC channels and prominent carding boards known to be locations where fraudsters trade information. Users anecdotally were sharing their experiences of success and failures while attempting to obtain their stolen items. It was apparent that many big box store front end employees haven’t been effectively enforcing their own customer service BOPIS requirements.

Fraudsters were having widely varying levels of success with an omnichannel company’s employees executing the expected policies in Milwaukee, while entirely disregarding the same norms for orders in suburban Atlanta locations of the same store.

Protect Your BOPIS Procedure and Your Employees

With the turbulent surroundings and even daily policy changes that retail employees are experiencing, it is now more important than ever before to remove the burden of reliance on these essential workers as a fraud control. The best way to execute this is by having a better fraud solution to evaluate the customer before and during the placement of the order. Utilizing behavior analytics and device identification in combination with machine learning to assess the purchase can give you the best decision to feel confident in releasing the goods to the cardholder or recipient while avoiding the added friction that comes with the pick-up process.

Get in touch with Precognitive to learn more about BOPIS fraud prevention, or schedule a comprehensive security assessment with one of our fraud prevention experts.

Written by: The Precognitive Team




ShopRunner’s unique membership makes it easy for shoppers to get everything they love from their favorite brands with benefits like unlimited free 2-day shipping, free return shipping and member-exclusive deals. Learn more at

Matt Sergot

Written by


ShopRunner’s unique membership makes it easy for shoppers to get everything they love from their favorite brands with benefits like unlimited free 2-day shipping, free return shipping and member-exclusive deals. Learn more at

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store