The merchant's website made it seem like an ordinary seller of car washing equipment. But a closer look revealed it was a portal to crime, according to Melissa Andrews.
"After digging deeper and deeper, we found the site was connected to illegal drugs," says Andrews, a Web security specialist for Payza, an online payments and electronic wallet provider.
Put simply, Andrews surfs the Web for a living, using a wide range of tools to spot well-hidden criminal activity. Her team deploys a mix of analytics, Web tracking technology, keyword detection and behavioral monitoring to vet the company's users and their Web content. Payza also uses internally developed software and fraud analysis to flag suspicious content.
Despite the technology, the work still requires manual checks of websites, Andrews says.
"It takes a bit of time, and patience, to review content that may not always be the nicest, for lack of a better word," she says, "but it does help to know that I'm helping to weed out bad players. That's very rewarding."
Payza's risk and fraud group comprises 19 people, though all of the company's 140 employees are trained to detect and flag fraud or suspicious activities. Payza's menu of merchant services includes payments technology, processing, currency exchange, dispute resolution and risk management. It integrates with shopping cart programs such as ZenCart, OSCommerce, WHMC and OpenCart.
Web crime has become more complex as more commerce moves online, and a broader range of companies and entrepreneurs take advantage of open development techniques to offer payments directly on their websites, Andrews says.
"The threats are constantly changing," she says. "There are more people online now using the Web to sell their wares, and with the good comes the bad. You have people who are going to try to circumvent security requirements and sell illegal goods or put unethical content online."
The fraud risk is also increasing as Payza moves into more markets. Payza, which is headquartered in London, earlier this spring began offering European Union merchants its gateway and business payment module. These allow businesses to accept MasterCard, Visa and JCB card payments directly into a bank account.
This year, the company began offering U.S. merchants a service that allows them to accept e-commerce card payments into their business bank accounts. Payza is also expanding into Canada, Australia and Brazil, and currently operates in a total of 196 countries.
"The internet is a vast environment, so we see all types of things," Andrews says. "That's not to say that it's all bad, or even a vast majority is. Most of what we review is very legitimate merchants."
The company's Web security team also takes part in vetting potential clients. All merchants must submit their website to Payza, which inspects the site for content security and compliance with the local e-commerce laws that Payza's clients must follow. Once the company is onboarded, Payza can continue to monitor the client's website and online activity.
"This allows us to mitigate the risks moving ahead," Andrews says. "There are always going to be ways that crooks try to circumvent protections that are put in place."
There's no pattern or universal clue for what makes a "bad" e-commerce merchant, but there are some signs, Andrews says.
"Most of the bad sites will hide the true nature of what they are doing, they may offer a simple product like a way to pay for coffee or shoes or something very normal, but behind the scenes they are selling illegal content or promoting hate or racism," Andrews says.
Other e-commerce companies are using social networking as part of their merchant vetting. WePay's Veda, for example, uses information from Facebook, Twitter and Yelp, as well as pattern recognition and cross referencing to vet identity and expedite onboarding.
Andrews says social media can provide clues as to an e-commerce site's intention.
"The more you know through social media, the more useful information you have, it's all useful," Andrews says.