Preventing Fraud in Buy Online Pick Up in Store (BOPIS)

By Amador Testa, Chief Product Officer - Emailage May 01, 2018


It wasn’t long ago that fraudsters would have to visit a physical location to buy goods using a compromised credit card. In more recent times, fraudsters began to use compromised credit card numbers to buy online, to then have items shipped to a forwarding address.

This approach brought on a large amount of risk, as fraudsters would need to have the goods shipped to a customer, and then contact the carrier to have these items held in order to later pick them up.

Very crafty fraudsters would try to send these deliveries to a different location, or try to have them delivered to a PO Box. However, this approach is very complicated and requires a certain savviness on the fraudster’s end in order to ensure success.

A huge risk liability for merchants

As these previously physical purchases transitioned to the card not present (CNP) side, the liability in these cases also shifted, from the credit card company to the merchant.

We’ve continued to see these trends in BOPIS orders within our network. After all, every online transaction, be it shipped goods or pick up in store, require an email address. A competent fraudster is incentivized to use a real, valid email address, as he will need to be able to track their purchase.

More importantly,  when a customer buys an item online and picks it up at the store, confirmation email will often be their proof of purchase, a frictionless way of proving they’ve purchased the item they are trying to claim.

Since we see a higher risk level on items that are picked up in store, we deploy specialized controls to tackle these trends, including delivery type, delivery speed, product SKU(s) and product category. This is similar to how we tailor our controls affecting our customers who deal with digital goods.

These variables include:

  • Delivery Type
  • Delivery Speed
  • Product SKU(s)
  • Product Category

Since digital goods do not need to be delivered or picked up, they are easy targets with immediate benefits, all while keeping risks minimal. BOPIS allows fraudsters to reduce the risk involved in shipping directly to a physical address, making it a new “flavor of the moment” fraud type—a reliable and relatively riskless method of committing fraud.

About the Author

Amador is an industry expert in online fraud, identity theft and cybercrime. He was the head of fraud for card acquisitions at American Express and later led global fraud prevention divisions at Citigroup. Amador enjoys playing tennis, running marathons and traveling with his family.