Evan Schuman is a guest contributor to the Sift Science blog.
Online retailers know how fraudsters generally act: they conceal themselves behind bogus names and disposable IP addresses. Those HTML hoodlums are risking arrest by various levels of law enforcement, so they have to hide in the shadows.
But what if that’s not always true? What if some fraudsters are using their real names and aren’t hiding at all?
Consider what might be the most frightening concept in fighting online fraud: the thief who operates in the open, because they believe they’re leveraging a business loophole, not breaking a law. They’ll rip you off just as severely, without the threat of law enforcement on your side, so your counter-fraud tactics have to change.
In a fascinating profile, Entrepreneur magazine examined how one of those out-in-the-sunlight fraudster companies, DS Domination, functions – and specifically how they appropriate not merely products but marketing materials as well. For example, this is how DS Domination described how easy it is to steal an e-commerce merchant’s marketing descriptions: “Using our unique platform, any user can create an income within minutes, simply by copy-and-pasting product information from one company to another.”
But certainly this must be illegal – right? Nope. While sellers who use this technique are certainly exposed to a civil lawsuit, by securing products from a marketplace and then reselling them, they avoid violating criminal law.
Image: Public.Resource.Org
How it works
Here’s the essence of the technique from that Entrepreneur piece, describing how the author purchased a cat toy called a Ripple Rug: “I go to eBay and buy a Ripple Rug. There are five listings for the product on this day and I select one from a seller called AFarAwayGalaxy. The price is $49.51. On Amazon, [the manufacturer] sells it for $39.99. So how’d this listing get here? Almost certainly, the seller is using some kind of software – made by DS Domination or a competitor – that scans Amazon for its best-selling products.
“Then it copied everything in the Amazon listing and pasted it into an eBay listing. The price is usually set between 5 and 15% over the Amazon price. When I make the purchase, the person behind AFarAwayGalaxy simply goes to Amazon and buys a Ripple Rug. But instead of buying it for themselves, they designate it as a gift and have it shipped to me. Because I paid $9.52 above the Amazon price, that’s profit, which AFarAwayGalaxy can keep, minus Paypal and eBay fees.”
Ingenious. Hideously evil, but still ingenious. The best part is where the fraudster gets the original e-commerce merchant to even mail it for them, to the end-user.
Riding on reputation
For this technique to work, though, the bad guys have to charge more for their offering than the original merchant’s price. This is where pricebots are critical. If the product is presumably identical, most shoppers will gravitate toward the lowest price they can find.
So, how do the resellers win sales? Reputation. And no, not because anyone will have ever heard of them or their so-called “business.” These resellers are also unlikely to promise customer service/tech support that they can’t deliver. If they do say that and can’t deliver, the FTC can move against them, plus they’ll get criminal exposure courtesy of U.S. postal inspectors (mail fraud). No, these thieves must play by the rules.
How, then, can they win on reputation? eBay. If they—and I know this is galling—push it and sell more product than the original site, eBay users will vote them up. This assumes that you deliver quickly and well. That’s the galling part. They get points when the original merchant packs it properly, includes the right item and ships it quickly. Oh and they get more points if what the merchant makes is good quality.
Put yourself in the original merchant’s shoes. You’re being victimized explicitly by your attacker getting good points based on the quality of your shipping process – which then serve to bolster the attacker’s own reputation. If you ever run into these people in a dark alley, please compliment them on their ingenuity before you rip their heads off.
Your best defense: customer experience
Defending your e-commerce business against these types of attacks requires a different kind of fraud strategy. With “traditional” payment fraud, you might be able to look at the shipping address for clues as to whether a transaction is legitimate or not. But in this case, the legitimate customers—or, if you’d prefer, the witless ultimate victims—will be receiving the product. So, no clues there.
And what about the fact that the payment card address is different than the ultimate delivery address? First, this is not uncommon when someone designates an item as a gift. Second, these people will be giving you a valid payment card and they will correctly answer any and all questions. In short, the fraud flag may be raised, but the sale won’t be blocked.
What you are seeking, of course, are the same buyers repeatedly ordering but giving you different destination addresses each time. It could potentially be legit. It might be a company that is sending these items to their 100 best salespeople or something. Your systems can track and try and detect patterns, but these companies can use different people in different regions to place their orders. It is hard to block effectively. Not impossible, but very difficult.
So, what to do? The best defense is proactively courting buyers to purchase directly from your site, through marketing and great customer experience. Stress customer service, tech support, integrity, real people answering the phones – and all of this offered at the best price on the market. Those are convincing reasons to buy at your site instead of on a third-party marketplace.
Far too often, the only marketing you see on a merchant’s website is about how great the product is, which plays right into the hands of these kinds of revenue thieves. Remember that you’re selling a service and not just a product, even if the “service” is nothing more than a professional environment from which to buy this product.
Thieves come in all shapes and sizes. The one you may never expect is the thief who attacks you in broad daylight. Welcome to e-commerce in 2016.