Online Swindlers Shift Focus to Smaller Retailers

ONLINE retailers are accustomed to working overtime during the holiday season. So are criminals.

The holiday season typically brings a surge in the number of fraudulent orders, and thieves seem to have shifted techniques to combat tightened security practices among bigger merchants this year. The evidence so far is anecdotal, but industry leaders say smaller online retailers, and those with strong gift-certificate sales, are being especially hard hit.

“Certainly the frauds are trying to take advantage of the very busy times, and the volume that fraud departments are trying to process,” said Tom Sullivan, chairman of the Merchant Risk Council, a nonprofit antifraud group that represents about 100 online retailers. “They’re trying to slip more transactions through.”

Fraud against online retailers usually involves credit card numbers stolen offline or in e-mail scams, Mr. Sullivan said, rather than breaches of a merchant’s online systems. Criminals use the stolen card data to buy goods they can easily resell, or to simply prove the card data is valid before reselling that data to other thieves.

Mr. Sullivan, who is also the senior director of e-commerce risk for Expedia, the online travel service, said fraud rates for the biggest merchants had dipped in recent years because they had spent heavily to shore up their systems.

According to a recent survey of 350 online merchants by CyberSource, which provides payment processing and security services to retailers, about 1.4 percent of the average retailer’s sales turn out to be fraudulent, compared with 2.9 percent in 2002. Since online sales continue to grow, the overall cost of fraud will reach $3 billion this year, CyberSource said, compared with $2.1 billion in 2002.

Online merchants can suffer from those illegal purchases in two ways. They must pay back credit card companies for the purchase (which is why consumers are not charged when their cards are stolen and used to make purchases). And their sales may drop if, after news about such incidents spreads, prospective shoppers lose their appetite for buying online.

According to a recent survey conducted by Gartner, a technology consulting firm, nearly 15 million Internet users reject online shopping because of security fears. Avivah Litan, a Gartner analyst, said that translated to about $2 billion in lost sales.

“And it’s disproportionately affecting smaller merchants, because consumers are being more careful with the sites they’re going to,” Ms. Litan said. “If they do a Google search and find 10 sites selling purses, they’ll go to the known brands.”

Smaller merchants are being hit hard already. With frauds being thwarted by bigger online companies, Ms. Litan said, more thieves are focusing on merchants that have less security expertise, bringing their fraud rates up to 3 percent in some cases. And smaller retailers often unwittingly welcome bursts of sales for too long before recognizing that the purchases are from criminals.

One executive for a midsize e-commerce company, who requested anonymity because he did not want to expose his company’s security practices, said that last holiday season he saw a big jump in orders.

“Then we saw all the charge-backs, and it hit us,” the executive said, using industry shorthand for fraudulent charges that were rejected by credit card companies. “We were like, ‘Oh my God. What’s going on?’ It was definitely eating at the bottom line.”

The company had previously not been a big target for fraud and had maintained security practices that were substantially less rigorous than those of industry leaders. Fraud rates that had been negligible had by last season reached the industry average. Since then, the company has revamped the way its Web site screens orders and improved fraud rates, but at a significant cost.

Indeed, as a percentage of overall sales, security is considerably more costly for smaller retailers than bigger ones, said Ms. Litan of Gartner. “The Internet was supposed to level the playing field, but it’s basically meant the rich getting richer and the smaller getting smaller or going out of business,” she said.

Bigger merchants say that while they are never fully comfortable with their fraud prevention efforts, they are improving. “Every year our fraud rates are going down,” said Mark Vadon, chief executive of Blue Nile, the online jeweler. Mr. Vadon said stringent fraud prevention was a necessary evil for his business, since orders can sometimes top $100,000.

“It’s not like if we miss something we ship out a CD or an MP3 player,” he said.

The Merchant Risk Council (Blue Nile is a member) recently circulated a memo suggesting that gift cards had become a new target for criminals, with as many as 20 percent of all gift card orders for some merchants being fraudulent. Mr. Sullivan, the council’s chairman, said in some instances criminals would simply go into stores, where unused gift cards often hang by registers.

Criminals will, Mr. Sullivan said, write down the gift card numbers, wait a few days until it is more likely that someone has activated that gift card and then log into the retailer’s site and make purchases with the card number.

In other cases, thieves will use stolen credit card numbers to buy “virtual gift cards,” which are sent to an e-mail address. That can make it more difficult for some retailers to detect fraud, since the buyer does not have to disclose a physical mailing address. (Among other things, stores scrutinize transactions more closely when the credit card address and the shipping address do not match.)

The rise in gift card fraud could diminish the enthusiasm that online retailers have recently expressed for them. Among other things, such cards help companies increase their post-Christmas sales, since they are typically redeemed after the holidays.

Mr. Sullivan said some retailers were retaliating by covering the gift card numbers.

“But the number of techniques used in gift-card fraud is definitely growing,” he said. “The frauds are pushing the retailers all the time.”

Source: http://www.nytimes.com/2006/12/11/technology/11ecom.html?_r=1&ref=technology&oref=slogin