How Thieves Get Past Your Fraud Filters

When ecommerce merchants want easy strategies to stop fraudulent orders and flag questionable orders, fraud filters are a popular solution. And yet, this trust may be misplaced: Fraud filters are by no means foolproof.

In fact, it’s far too easy for fraudsters to mimick legitimate customers, circumvent the filters and score big orders.

That leaves merchants struggling to manage the heavy burden of expensive false declines and chargebacks.

Before merchants rely on fraud filters as their primary source of fraud protection, it’s important to understand the risks they’re still exposed to. Below, we’ve identified six of the most common fraud filters, and we’ve explained how savvy fraudsters can navigate around them to defraud customers and businesses.

1. Address Verification Systems

Address verification systems (AVS) compare the numeric portions of billing and shipping addresses a customer enters with those on file with the card-issuing bank. If they don’t match, the transaction may be declined or flagged for further review.

Unfortunately for merchants, AVS isn’t infallible. If the fraudster knows the correct billing address, it just takes a few easy tricks to satisfy the AVS filter and still ensure the merchandise will be shipped to a different address:

1. First, the fraudster enters the correct address as the billing address.
2. For the shipping address, the fraudster enters the same address number but a nonsense street name. For example, if the billing address is 123 Main Street, the fraudster will enter “123 Asdfjkl” as the shipping address. Because the numbers still match, AVS will approve the order.
3. If the space for the shipping address includes a second address line, the fraudster will enter the actual address to which they want the order delivered. While this format would raise suspicions with human reviewers, an automated AVS filter will ignore the text in the second line and report the address is valid.
4. The package is then delivered to the fraudster at the location entered in the second address line.

2. Card Verification Values

Many ecommerce merchants require customers to submit the three- to four-digit card verification value (CVV) that’s printed on most credit cards before their orders can be approved. Typically, credit card data available on the dark web does not include this number, so merchants believe that this step will deter anyone but the legitimate cardholder from using the card.

What merchants often forget is that fraudsters in possession of a stolen physical credit card have that CVV in hand and can easily make legitimate-looking purchases.

Other fraudsters have found their way around this requirement even when they don’t possess the physical card. Criminals can use web-based keyloggers to capture keystrokes (including CVVs) as customers make online purchases, and then use that data to defraud businesses. Other fraudsters simply test different CVVs on small orders until they find the one that works, and then they proceed with their large-scale fraud.

3. Age and Quality of Email Addresses

Merchants have also long thought that the older an email is, the more likely the account holder is legitimate. Email addresses coming from a paid domain have traditionally been the most trustworthy, with .edu email addresses the next-most preferred, followed lastly by free email addresses (e.g., Hotmail, Gmail, etc.).

But now, fraudsters are buying established email addresses or using account takeover methods to acquire aged, paid domain addresses, so they can pose as legitimate customers. This leaves merchants unable to identify the true account owner and eliminates e-mail validation as a way of confidently evaluating transaction risk.

4. Velocity Filters

When fraudsters get their hands on credit card numbers from the dark web, they often rapidly test those numbers on a merchant’s site, looking to see which cards work. If a transaction goes through, the fraudsters try to max out the card with more (and bigger) purchases.

Velocity filters can help prevent these rapid-fire tests from doing any financial damage, by monitoring the usage of specific data elements, such as email addresses, phone numbers, or billing/shipping addresses, and preventing the number of times transactions that include the same data elements can be processed in a certain time frame. For example, the velocity filter may be set to allow no more than three transactions with the same email address from being processed on the same day.

But all fraudsters need to do to circumvent these filters is place one large order and then change the “customer” data on subsequent orders — or even simply move on to another ecommerce website for their next purchase.

5. Purchase Amount Filters

Purchase amount filters let ecommerce merchants set upper and lower limits for transaction amounts. Any purchase that falls outside that range can be flagged and held for further review, processed as usual but trigger a report, or automatically declined. Because most merchants know their typical transaction size, setting this filter alerts them when transactions of an unusual size occur.

Fraudsters can easily circumvent these filters through some old-fashioned trial and error, starting with larger purchases and reducing them in value until they go through. So if fraudsters discover a merchant flags only transactions of more than $1,000, they’ll keep their orders to less than $999 so the orders are automatically approved.

6. "Blacklists"

Some e-commerce merchants implement "blacklists" — a list of e-mail or IP addresses or other transaction details that belong to known fraudsters — that prevent these cybercriminals from buying from a merchant in the future.

Unfortunately for merchants, cybercriminals don’t generally hang on to stolen information for long. So by the time one card number, physical address or IP address lands on a merchant’s "blacklist", the cybercriminal has frequently moved on to a new set of fraudulent data.

Combating Savvy Fraudsters With a Managed Services Solution

While fraud filters are useful at preventing some amount of fraud, they’re too vulnerable to creative fraudsters and expensive chargebacks and false declines to offer a comprehensive solution. Plus, these filters don’t give merchants the opportunity to look beyond the superficial transaction details for the broader patterns at play, putting them at an increased risk of missing evolving fraud patterns.

Instead, fraud filters are best used as part of a robust program that includes other fraud controls, including advanced artificial intelligence and skilled human review.

To prevent false declines and expensive chargebacks, merchants must implement a strategy that can keep pace with fraudsters’ evolving strategies. A managed services solution is perfect for this detail-oriented approach — ensuring merchants can approve more legitimate sales and retain more customers over the long term, while still protecting themselves from fraud.

Learn more about how a managed fraud solution helps protect your business and customers against credit card fraud by downloading our “Is a Fraud Managed Services Solution Right for Your Business?” e-book today.