In just a matter of months, this new e-commerce fraud has emerged to exploit weak or non-existent links between merchants’ online and physical stores.
If you’re a retailer, what’s not to like about offering consumers the option to buy online and pick up in-store?
Most customers who use the service make an additional purchase when picking up their goods. It provides an edge against the competition, including Amazon. It appeals to Millennials and Gen Zer’s, who favor self-service channels. And it engenders consumer loyalty by making the customer experience more pleasant.
Consumers are high on it, too. They save shipping charges and enjoy the convenience of having an item picked, packed, and waiting for them in a less than an hour. Plus, they can inspect the merchandise—something they can’t do when ordering online.
The convenience and flexibility of BOPIS (buy online, pick up in-store) explain why 67% of consumers said they used it during the previous six months, according to a 2018 survey by omnichannel platform provider Kibo.
For many merchants, that’s enough to make BOPIS a big part of their business. A survey by Signifyd, a provider of fraud-prevention solutions, says that among 83% of retailers surveyed, at least 20% of online sales comes from BOPIS orders.
Safe No More
But for all the plusses that BOPIS offers retailers, it comes with a potentially big pitfall—a significant risk of fraud.
Criminals are flocking to this channel, driven by myriad reasons. Foremost among these is that BOPIS is a card-not-present purchase, which negates the fraud-prevention benefits of chip cards at the point of sale.
Also, BOPIS gets around a key fraud-detection practice used by retailers for e-commerce purchases—vetting the customer’s shipping address. It’s common for online merchants to compare billing and shipping addresses as a fraud indicator. Some merchants will even go a step further by checking how many miles there are between the Internet Protocol address of the customer’s device, and the shipping address. If the distance is too great or the IP address originates in another country, the transaction may be fraudulent.
“The lack of a shipping address for a BOPIS order breaks the relationship between the billing and shipping addresses that retailers use to detect fraud for an e-commerce purchase, which BOPIS is because payment is made online,” says Stefan Nandzik, vice president of marketing for San Jose, Calif.-based Signifyd. “This creates a new problem that cannot be solved using existing e-commerce fraud-detection tools.”
Another problem is that the scope of this fraud has not been accurately measured, experts say. A key reason, according to the Washington D.C.-based National Retail Federation, is that it can take from 35 to 40 days for a retailer to determine whether an online purchase was fraudulent. That means BOPIS figures are often under-reported at any given time.
Nevertheless, the NRF estimates that fraud losses represent 3% to 5% of BOPIS sales. Some merchants, however, see losses as high as 10%, according to Signifyd.
Many experts also say this fraud is gaining momentum fast. “A year-and-a-half ago, BOPIS was a relatively safe transaction. That’s not the case any more,” says a spokesperson for Riskified, a New York City-based provider of fraud-detection and chargeback-prevention technology.
But the immediate fraud losses make up just one piece of the puzzle. A more vexing problem is that criminals are double-dipping by returning a BOPIS order to nearby stores immediately after pick-up and exchanging the item for cash or a gift card that can be resold through online exchanges. The problem is an extension of the buy-online, return-in-store scheme criminals use for e-commerce purchases.
Robert Moraca, vice president for loss prevention at the NRF, says return fraud is a loss that’s not always associated with BOPIS fraud.
With BOPIS fraud on the rise, retailers are scrambling to block it. The challenge they face is how to implement fraud-detection solutions that don’t degrade the experience for legitimate customers, experts say.
The option that’s gaining traction is a tool that takes into account data on customer behavior to search for patterns within BOPIS orders that can indicate dodgy intent. “This is the direction retailers are moving to fight BOPIS fraud,” Moraca says.
Signifyd, for example, has compiled a database of credit card transactions across more than 10,000 merchants containing consumer-order histories. In addition, the company uses behavioral analytics to track how a customer navigates a retailer’s Web site. For example, a shopper who conducts a search for more than one product, sorts the results by price, and chooses the highest-priced item in each category without looking at any of the other listed items, may be flagged as a fraud risk.
Other telltale signs can include whether the items being purchased are commonly targeted by criminals for resale, such as electronics, or are out of character for a consumer’s known purchasing habits. Riskified offers a similar solution.
Compiling a database across so many merchants also makes it possible for Signifyd to screen first-time customers for fraud, since it is likely those shoppers have order histories with other merchants in the database.
“If an item is flagged, there are actions we can take to verify the shopper without breaking the customer experience or we can deny the transaction,” says Nandzik.
Another step retailers can take that doesn’t complicate the order process is to require the customer, when he comes into the store, to present the card used to make the purchase. That determines that the card physically exists.
“That technique is one jewelers’ will use,” Nandzik says. “Some retailers that question a purchase may also notify the shopper they can’t designate another person to pick up the order.”
Nonetheless, many retailers that offer BOPIS allow shoppers to designate someone else to pick up the item. To cover their tracks in case the retailer attempts to verify the identity of the designated pick-up person by validating their driver’s license or a photo ID, fraud rings will use straw buyers to pick up an item on their behalf. A straw buyer gives criminals cover because they can produce a legitimate ID to collect orders.
But criminal rings have become so proficient that straw buyers aren’t always necessary. “It’s not hard to make a fake ID that passes a screening test, and many retailers have not trained their staff on how to spot a fake ID,” says Julie Conroy, research director for Boston-based Aite Group’s retail-banking practice. “Plus, ID-screening technology is not cheap, so there are retailers that won’t spend the money on it.”
Rather than request additional steps to verify a customer’s identity during the online checkout, some retailers will opt to manually review a flagged BOPIS transaction in the hope they can approve it before the customer picks up the item. But that approach poses a serious problem for the many retailers that guarantee BOPIS orders will be ready within an hour.
A scenario in which a consumer expects to pick up an order on her way home from work, gets to the store, and is told the order is still awaiting approval, or worse, has been denied, is not good for the merchant’s brand, particularly in the age of social media.
“Manual reviews take much longer to approve or deny transactions, creating added friction for legitimate consumers and often leading to cart abandonment and changed brand loyalties,” says Michael Reitblat, chief executive and co-founder of Forter, a Tel Aviv, Israel-based e-commerce fraud-prevention company. “As BOPIS sales increase, this approach alone is unable to keep up with the growing consumer demand and resulting fraud implications.”
‘A Sticking Point’
What retailers need to effectively combat BOPIS fraud is fraud-detection technologies that combine artificial intelligence software that learns as it goes with continuous human research of fraud trends, Reitblat says. The combination of the two, he argues, makes it possible for retailers to stay a step ahead of criminals’ evolving fraud tactics.
“Retailers must be able to leverage all of their offline and online data to properly understand their users, accounts, and ecosystem,” says Reitblat. “Many retailers view their data in silos, not connecting information from online shopping with in-store information, which creates a vulnerability with BOPIS.”
Applying real-time fraud-screening technology to the returns process can help cut down on returns fraud, says Erik Morton, senior vice president for product and strategy at CommerceHub, an Albany, N.Y.-based provider of dropship-fulfillment technology for multichannel merchants. “The more (customer touch points) this technology can be deployed the better,” Morton says.
The popularity of BOPIS with consumers has prompted some retailers to expand their offering by installing lockers where consumers can pick up their items at the store without having to go to the customer-service desk. Walmart and Home Depot are two retailers that have begun deploying pick-up lockers at their stores.
While shoppers must have a four-digit code or barcode to open the locker, fraud experts warn that this BOPIS channel is not immune to fraud.
“If a criminal is in possession of someone’s credit card data, chances are they can present an email address or mobile-phone number that will pass a fraud screen to get the codes needed to open the locker,” says Nandzik.
So far, at least, BOPIS fraud does not appear to be a huge problem with orders picked-up at in-store lockers. “Our customers tell us they have less than 1% of fraud on BOPIS orders,” says Georgianna Oliver, chief executive of Package Concierge, a Medfield Mass.-based provider of automated package-locker systems.
One of the fraud-prevention technologies that could come into play is biometrics. Requiring facial recognition or a fingerprint scan at the time of purchase online or at pick-up is one way retailers envision stronger customer validation.
The stumbling block is making consumers comfortable enough with the technology that they will put their biometric data on file. Offering a discount or coupons is one possible solution.
“The registration phase is the most time-consuming part, so it can be a sticking point with consumers,” says Moraca. “The technology is available and consumers do use fingerprint scans to unlock their mobile phones, but right now retailers are only talking about using this technology.”
Indeed, Oliver says Package Concierge has facial-recognition software it can deploy to compare a real-time photo of a consumer picking up at a locker against a photo on file, but, she adds, retailers aren’t asking for it yet.
‘A Balancing Act’
While retailers understand the tremendous opportunities BOPIS offers, they are also keenly aware of the fraud challenges it poses. That’s creating optimism they can fend off the bad guys.
“Retail loss-prevention and asset-management executives have a balancing act between loss prevention and maintaining the customer experience,” says the NRF’s Moraca. “They are essentially building the plane as it moves down the runway, but they are making progress.”