The Emailage office is growing. For that reason, I found myself in the market for a new pair of headphones. After forgetting my Airpods a few too many times, I decided to purchase a backup pair.

Because it’s 2019, I hopped online and looked up pricing at my preferred electronics retailer (an Emailage customer of course, because that’s how we roll in marketing). In minutes, I was able to select, buy and arrange pickup at the local brick-and-mortar presence.

At the store, it was a simple process.

I showed up, produced my ID and was out the door within minutes. For the regular Jane, this seems like a dream come true. In my case, it certainly was. My wife and I have a two-year-old and a five-month-old. I don’t exactly have time to hop from store to store looking for the perfect pair of headphones.  

In my time working alongside fraud experts, I’ve learned a lot. For example, I’m aware of the complex equation involving risk and revenue that lies behind the veneer of the consumer convenience.

Because let’s be real, as consumers with jobs and obligations it’s very flexible, convenient —and awesome — to buy stuff online and pick it up in store (BOPIS).

BOPIS: a huge competitive differentiator.

Even in the era of same-day delivery, a brick-and-mortar presence still attracts convenience-minded customers.

People want things and they want them now. But, at what cost does BOPIS convenience come?  

This experience came up during my weekly meeting with Amador Testa, our Chief Product Officer. He’d had a recent conversation with a customer about the lack of common ground or industry best practices for BOPIS orders.

It seems everyone is taking a slightly different approach and there is no real best practice borne out of long-term experience. In the remainder of this article I’ll relate the insights gleaned during that conversation.

BOPIS: The big risk factor

BOPIS ameliorates a lot of the risk involved in shipping directly to a physical address, making it a new “flavor of the moment” fraud type—a reliable and relatively riskless method of committing fraud.

For BOPIS to exist, key control points —such as delivering goods purchased online to a physical address that can be matched against existing information—must be removed.

This reality has opened the floodgates for fraudsters to try their hand at creating their own best practices for BOPIS fraud.

Today’s fraudsters are brazen.

The customer Amador spoke with caught an organized fraud ring using valid customer information to buy items online and pick them up in store.

The kicker of this story? Fraudsters were actually inside the store. Items were bought and picked up minutes later, gone forever.

This scenario shows that BOPIS fraud has major implications for merchants, as it is essentially a CNP transaction where the goods are delivered directly to the consumer within the store.

Additionally, the removal of these key points to support BOPIS and a seamless experience opens the door to fraudsters “get around” restrictions put in place by EMV and commit CNP fraud on physical premises.

How can fraud pros replace key control points removed by BOPIS?

Take it from us—meeting the needs of customers is a good thing. Amador related to me that fraud pros have to consider convenience and determine new control points to “cover” the removal. It’s also common for BOPIS initiatives to be pushed by another department.

This is a difficult position, as it forces a very serious conversation about balancing the needs of fraud prevention against those of business growth.

Though these conversations may be difficult (and Amador assures me they are), it’s never bad to be discussing friction and flexibility. Amador did offer some insights here as well.

Basically, if you are allowing anyone else to pick up, you can’t rely on CC details alone to transact. And what, exactly, would that prevent? The physical credit card could be fake. The same holds true for ID checks. Fake identities aren’t exactly rare and the required documentation isn’t hard to find on the black market.

So, what’s the path forward?

For BOPIS to be an effective engine for customer satisfaction and growth, Amador feels that “silent authentication” is the way forward. Basically, trying to confirm who is behind a transaction with minimal friction to the customer. This includes validation of non-transaction details, such as email address, phone number, IP address or even a one-time password.

At Emailage, we’ve continued to see these trends in BOPIS orders within our network. After all, every online transaction, be it shipped goods or BOPIS, requires an email address. A competent fraudster is incentivized to use a real, valid email address, as he will need to be able to track their purchase.

More importantly, in a BOPIS case, that confirmation email will often be their proof of purchase, a frictionless way of proving they’ve purchased the item they are trying to claim.

Since we do see a higher risk level on those items that are picked up in store, we deploy specialized controls to tackle these trends, just as we tailor our controls affecting our customers who deal with digital goods. These variables include:

  • Delivery Type
  • Delivery Speed
  • Product SKU(s)
  • Product Category

Digital goods do not need to be delivered or picked up, creating easy targets with immediate benefits, all while keeping risks minimal.

At Emailage, we’re now developing a digital identity verification based around the email address, which can provide the same level of confidence without asking for additional information. The goal is to deliver accurate, intelligence-based around behavior and history associated with an email address to provide that layer of “silent” authentication that will block fraudsters and allow customers to take advantage of convenience.

I invite you to follow me on LinkedIn.

Follow Emailage on LinkedIn and Twitter (@emailage)

Click here to discover how to get secure, intelligent risk assessment using just an email address.