Linda Punch
So-called friendly fraud is hard to detect, hard to prove, and rising for some merchants. What are merchants, acquirers, and tech companies doing to reduce it?
It may be one of the most frustrating types of fraud encountered by a merchant. So-called friendly fraud—also known as ‘I-didn’t-do-it’ fraud, repudiation fraud, and first-party fraud—is almost impossible to detect using normal risk-scoring and fraud-detection technology. It’s also harder to prevent and prove after the fact than other types of fraud.
That’s because friendly fraud has none of the characteristics of the typical so-called rogue fraud committed by criminals. “It is their customer, it is their card, it is their address. Everything matches,” says Ori Eisen, chief information officer and founder of 41st Parameter, a Scottsdale, Ariz.-based provider of online, cross-channel fraud-detection and prevention software. “Nothing other than the true intent of the person is bad.”
Generally, friendly fraud is defined as occurring when a consumer purchases an item and receives the product but claims not to have received it, asking for a refund or chargeback from the merchant or delivery of a duplicate item.
But friendly fraud also can involve family members, ex-spouses, friends, or acquaintances with enough knowledge of the cardholder—including Social Security number or mother’s maiden name—to pass basic security screens. In those cases, while the cardholder didn’t commit the fraud, he often suspects who did.
“It’s a tough, tough thing to define,” says Julie Fergerson, vice president of emerging technologies for Ethoca Ltd., a New York-based provider of fraud-prevention services for e-commerce and other card-not-present merchants.
‘The Biggest Problem’
Not only is friendly fraud hard to detect, it is difficult to prove because it most often occurs in the card-not-present environment of an e-commerce merchant or a telephone/mail-order retailer. It also often involves digital goods or services. That means merchants have no signature to verify the cardholder’s identity or other confirmation of receipt of the purchase.
Fraudsters also use a wide variety of payment methods to commit friendly fraud, including credit and debit cards, prepaid cards, installment plans, and alternative payment vehicles such as PayPal.
While friendly fraud is a small percentage of overall fraud losses, it can prove costly to individual merchants, especially e-commerce and other card-not-present merchants.
“In the grand scheme of things, it’s probably fairly small, but for e-commerce merchants it is the top concern of most of the merchants I’ve talked to,” Fergerson says. “In the e-commerce continuum in the world of fraud, my guess is it would be at least half at this point.”
The 2010 LexisNexis True Cost of Fraud study attributes 20% of merchant fraud losses to friendly fraud. Only 10% of all merchants reported an increase in friendly fraud in 2010, compared to 19% in 2009. However, there was a significant difference in the losses reported by specific merchant segments, LexisNexis says (chart, page 22).
One in five large merchants reported an increase in friendly fraud, compared to 7% of small merchants and 16% of medium-size merchants. Twenty-three percent of large e-commerce merchants reported an increase in friendly fraud, accounting for 23% of fraud losses in this merchant segment, according to LexisNexis.
Eisen estimates that friendly fraud can account for between 1 basis point and 15 basis points of total fraud suffered by a merchant.
While it’s difficult to put an exact number on how much friendly fraud is increasing, merchants are reporting it is on the rise. And for merchants struggling with smaller staffs and lower budgets in a still-soft economy, it is becoming a big issue. “It continues to be the biggest problem for the majority of merchants,” Fergerson says.
Although friendly fraud is not new, economic hardships brought on by the recession appear to be exacerbating the problem, observers say. “People are just a little more desperate,” Fergerson says.
‘Tough Place To Be’
The increased use of debit cards also is contributing to friendly fraud, since consumers often charge back purchases when funds in their bank accounts run low, says Jennie Verduzco, director of compliance for Lowell, Mass.-based merchant acquirer Litle & Co., a processor of card-not-present transactions.
She says merchants have seen an increase in friendly fraud over the past 12 to 24 months, as there has been “a huge shift” in transactions from credit-based to debit-based.
“Consumers don’t typically use credit cards to pay their bills, they use their checking accounts,” Verduzco says. “So they’re more tied to their bank accounts and are more concerned about the available dollars or available open-to-buy in their bank account than they are on their credit card. When it cuts into a consumer’s ability to pay a bill … they instantly turn around and go to the bank.”
Among Litle’s merchants, recurring billers such as credit-monitoring services and fitness clubs are experiencing the highest level of friendly fraud, Verduzco says. That’s because consumers short on cash to pay basic bills such as electric or water often will claim they canceled services for non-necessities, such as a health-club membership.
Up to 25% of some recurring merchants’ chargebacks were classified as “canceled recurring,” a category where customers claim they were charged for a service they previously canceled, Verduzco says.
“I know for a fact it is quite easy to get out of a recurring situation with these folks, so it leads me to believe that consumers are claiming they canceled because they’re too lazy to call in or are embarrassed and just trying to get their money back,” she says.
The difficulty of detecting friendly fraud is matched only by the difficulty in proving fraud occurred after the fact, and recovering goods or funds. “That’s a really tough place to be for a card-not-present merchant,” Verduzco says, noting that merchants often aren’t able to dispute chargebacks (“More Anti-Chargeback Firepower,” April).
“The merchant may or may not have the option to re-present or basically dispute what the consumer is saying because they don’t have a signature for the purchase,” she says.
Fear of Cart Abandonment
Yet, many merchants are finding ways to trip up at least some friendly fraudsters. In one case, a company that sold events tickets used social media to expose a customer’s attempts to score free tickets, says Phil Levy, vice president of e-commerce solutions for processor First Data Corp.
One way to fight the chargeback was to prove the customer had attended the event, Levy says. “The merchant actually used Facebook,” he says. “The perpetrator had all sorts of pictures of herself at the event, and sent it around to all her friends saying what a great time it was.”
When the merchant referred the customer to her own Facebook page, she withdrew the chargeback request, Levy says.
New technology also offers a means of detecting friendly fraud, particularly software that can identify the device from which an order is placed. At 41st Parameter, merchants are advised to deploy its device-identification technology on the order or checkout page and on a “refund-request form” page. “Every order you have, you have the fingerprint of the device and information about the device that placed it,” Eisen says.
If the computer used to request the refund is the same as the one used to order the product, the merchant has “a good argument” to fight the chargeback request, according to Eisen.
“The merchant has a very good leg to stand on by saying, ‘Our records show that the very same computer that ordered is the requestor,’” he says. “‘How do you explain that?’”
Merchants also can use cardholder-authentication technology, such as Verified by Visa and MasterCard SecureCode, as evidence of the customer’s identity. Such technology requires the cardholder to enter a secure password before completing the purchase. For merchants using VbyV and SecureCode, liability for any chargebacks on transactions approved using the technology shifts from the merchant to the card issuer.
But First Data’s Levy says many online merchants still are reluctant to deploy authentication technology because they fear it slows down the checkout process.
“Many merchants are afraid of implementing it because they’re afraid of cart abandonment,” he says. “They’re afraid of losing customers.”
A ‘Graceful’ Exit
Instead, merchants often rely on one of the oldest methods of detecting fraud: lists of cardholder and account numbers previously used in fraud. While this method won’t detect a customer’s act of friendly fraud, it can be used to prevent any future occurrences, Levy says.
“If I feel as a merchant that someone made a fraudulent transaction, I may decide to add her card to my negative list so the next time she decides she needs concert tickets or baby formula, she will be declined automatically,” he says.
But negative lists, even when shared among merchants, aren’t always helpful, Fergerson says.
“The challenge with first-party fraud is just because they committed fraud against one merchant doesn’t necessarily mean they’re going to charge it back against another merchant,” she says.
Some merchants, particularly recurring billers such as health clubs and credit-monitoring companies, are tracking the online activity of customers. “You know the last time they logged in, you know the last time they accessed the services,” Verduzco says.
Based on their use of the services, the merchants contact customers to remind them of the value of the services provided, she says. In other cases, they remind the customers how often they are charged for the services, giving them an opportunity to cancel before they run up more charges.
“Merchants will send out a reminder three months in advance, two months in advance, and one month in advance, saying ‘your renewal is coming up. You can access our Web site here and if you need to contact our customer service, here’s the phone number,’” Verduzco says.
Contacting the customer under the guise of customer service, for example, checking on the accuracy of the order or a shipping address, can deter friendly fraud, especially in cases where a family member or friend is involved, according to Levy. “I’d know right away that I didn’t make the transaction,” he says.
In cases of friendly fraud involving the actual cardholder, “the person might think twice about what answer they want to give when called,” Levy says. “It gives them a simple but graceful way to exit.”
‘Suck It up’
But even if friendly fraud is detected, merchants have few options. In cases of providers of digital goods or travel services, there are no products to recover. And for many merchants, the expense to collect payment far outweighs the actual cost of the products or services.
“It’s not worth spending $50 to $100 with a collections agency to collect $19, $20, or even $90,” says Verduzco. For e-commerce and other card-not-present merchants, friendly fraud always will be a “pain point,” she adds.
“It’s always a frustration,” she says. “Unfortunately, many of them have little-to-zero rights from a payment-processing standpoint to dispute these chargebacks. So they suck it up and look at it as a cost of doing business.”