Crooks also like to buy online/pick up in store
The “buy online, pick up in store” sales model (BOPUS, as it’s commonly known) enables merchants to leverage their web presence to deliver a faster, more convenient experience. Customers, for their part, love in-store pickup. It seems like a win-win, right?
Unfortunately, inviting e-commerce elements into the brick-and-mortar experience means inviting in those problems endemic to the e-commerce space as well.
Fraudsters can employ a few different tactics to abuse BOPUS. One might use account takeover tactics to make purchases on a valid user’s account, then pick up the goods and vanish before the cardholder realizes what happened. That’s a clean-cut case of fraud, but other situations are less obvious.
Buyer’s remorse or simple misunderstandings lead customers to commit friendly fraud. In other cases, a buyer could engage in a practice known as cyber shoplifting, and file a chargeback to try and get something for free.
It’s hard to quantify fraud costs attributed to BOPUS, but evidence suggests there’s a clear link. Some merchandise categories reported almost no chargebacks in 2013. Five years later, after BOPUS became an integral part of the industry, 28% of merchants reported a chargeback rate between 0.5-1% of overall transactions and 10% had a chargeback rate above 1%. In big box retail, chargeback filings increased by 30% after BOPUS expansion, and most of those chargebacks are suspected to be fraudulent.
Fraudsters tend to be opportunistic. They’re constantly looking for new ways to abuse businesses and cardholders, making it difficult for security professionals to keep up. That said, the desire to provide a better customer experience presents its own obstacles. Requesting a photo ID at the time of pickup, for example, seems like a reasonable prospect for BOPUS, but many retailers don’t consider this a priority.
BOPUS is going to define commerce in the next decade; some estimates project that 10% of all sales conducted nationwide will be fulfilled through BOPUS by 2025. Merchants need to be proactive about this threat now and adopt a dynamic, comprehensive fraud prevention strategy with components targeted at preventing BOPUS abuse.
Refusing BOPUS pickups beyond a certain distance from the ZIP code associated with the credit card can prevent some attacks involving stolen cardholder data. Scanning a customer's photo ID can both verify users, as well as provide critical information in the event of a chargeback.
It’s hard to overstate the degree to which BOPUS is going to transform the market; in many ways, it’s like a second e-commerce revolution. Retailers can’t afford to get this wrong.