In this episode of “To Catch a Fraudster,” Rafael Lourenco from ClearSale tells a wild story about fraudsters using fake uniforms to dress up like retailers’ delivery employees, show up at card holders’ actual homes, and steal packages straight out of their hands. Hear the incredible story of how ClearSale detected, and stopped, this brazen fraud attack.
Bradley Chalupski: Hey everyone. Thanks for checking out the podcast. This week, we’re going to be speaking with Rafael from ClearSale. ClearSale is an eCommerce fraud protection solution that works with more than 3,000 companies worldwide. They offer protection against false declines, chargebacks. They integrate with all the major eCommerce platforms. You definitely want to check them out on the web at Clear.Sale. We had a great conversation with Rafael. He told us a crazy story about fraudsters showing up in person at people’s doors. Definitely don’t want to miss this episode. Check them out on the web. Thanks again for listening. And don’t forget also to visit MerchantFraudJournal.com for all the latest eCommerce news and fraud prevention tips.
Bradley Chalupski: So, Rafael, thank you, first, so much for joining us on the podcast. We really appreciate your time. So, why don’t you just tell us a quick overview of who you are and who you represent? And then we’ll take it from there.
Rafael Lourenco: Sure. Thanks, Bradley. And thanks to our audience for the attention and the interest. Well, I’m Rafael Lourenco. I’m EVP at ClearSale. We are a fraud prevention solution for eCommerce with a global presence. My background is in Data Science. So, most of my experience before working on the business side of the company was trying to stop the bad guys being successful.
Bradley Chalupski: So, that’s what we’re here to talk about. You gave me a couple of really great stories over email. So, why don’t you pick which one you want to start off with, but some of the craziest fraud attempts that you’ve ever witnessed personally?
Rafael Lourenco: Well, the funny thing here, or at least the interesting thing when it comes to trying to avoid those patterns from happening, is understanding that fraud can be anywhere. I mean, we often try to think about the data points and stuff that are on the integration, and especially people with IT background may be a little narrow on understanding what types of fraud can happen. And I think, hopefully, these couple of stories I’m going to tell, may open somebody’s eyes when it comes to where the fraud can come from, or where the solution for these kinds of issues can come from.
Bradley Chalupski: So, let’s dive right in. Why don’t you give me a scenario, give me a story of one of the craziest ones.
Rafael Lourenco: So, let me pick up this story. It happened like six years ago, so it’s not that recent. But it’s still a trendy way of doing things and very creative. I always like to tell from the merchant’s perspective. What was happening at some point was chargebacks happening on a given region. So, there was a zip code that was specifically more attacked or the chargeback rates were higher than others. And when we try to dive in and investigate, we realized that those orders were being automatically approved because this person, in particular, they had at that time a manual review team. Actually, the manual review team was on our side, but they had the manual review as part of their process. And very likely, the transactions that are risky would be flagged, and then the manual review team would work on it. But in this case, there have been a lot of chargebacks on automatic approved transactions, and we tried to dive in and understand why. The first thing we realized was that the data was matching a lot. It was the very same credit card with the very same address and very same email, and a lot of data points were matching with previous transactions, which tends to be usually like 99.9% good orders when it comes to those patterns.
Rafael Lourenco: The first thing that we thought was it may be an account takeover, when somebody hacks somebody else’s login on a website. And that was actually the case. But we were trying then to understand what was going on. And what was intriguing us more was the shipping address. Because the shipping address with online retailers is the data point that you got to trust the most somehow because anything else can be faked but the good will be delivered to that address. And I could have other stories where that’s not true, but in this case was true. So, shipping address was matching with the shipping address from previous purchases from the same credit card. And that’s, again, one of those variables that you tend to believe that are perfect like a silver bullet of the same credit card, has delivered to the same address, and there was no chargeback; why can that be a fraud?
Rafael Lourenco: And that was what was interesting. Then when we investigated a little bit more, again, we realized there was a high concentration in a given region of a given city. So, it was not only a city but specifically a region, a neighborhood. But it was all on the same version. So, ClearSale works with several merchants, and we can cross different data from these merchants. But in this case, it was a specific merchant. When we try to investigate more, what we found out was that the fraudsters were actually doing an account takeover, meaning they were hacking into the customer’s accounts. They were delivering, let’s say, a TV or high-value items to the actual shipping address of those good customers. So, let’s say, you, Bradley, you have your login information, you have your profile on some merchant’s website, and they got your shipping address, your credit card, and many other things. And that was it. And they were delivering to the right shipping address. And that’s not common for account takeover because people hacking into people’s accounts so that they can deliver to their own address. And obviously, not the owners, the card-holder’s address.
Bradley Chalupski: I think I know where this is going but it’s blowing my mind just listening to it.
Rafael Lourenco: I’m telling you and I’m feeling again the sensation of not knowing where to go and where this can come from. But then turns out that what they were doing was delivering the goods to the right address, to the shipping address that was used before without a chargeback. So, it was the card-holder’s address. And then they went there to this address, to a house or to an apartment. The fraudsters were dressed using the uniform of the retailer. So, let’s say, it was Walmart, then I use, as a fraudster, Walmart’s uniform – I stole or I created myself, something like this – and I knocked on the person’s door and I say, “Did you receive a TV that you did not buy?” And the person would say, “Yes, I thought it was a mistake.” And then I said, “Oh, yes, it was a mistake. Our logistic company made a mistake. Let me just grab it and take home.” And that was what was happening. So, they were faking to be employees of the retailer using their uniform. And obviously, the cardholder would give the goods. So, you got a TV on your house and you don’t know that you didn’t buy it, so what else would you do?
Bradley Chalupski: Well, they’ve never met my mother, because my mother would probably have argued with them and said, “No, I got a TV.” I thought they were going to be porch pirating as it’s called – waiting for it to arrive and just taking it after it was delivered because the people wouldn’t notice. So, tell me about that chess match that goes on between you and the fraudsters.
Rafael Lourenco: That’s exactly what you just described. It’s a chess match, it’s a mouse and cat game. They are usually one step ahead, so you got to follow them and try to avoid new stuff from happening and implement. So, every time that you catch some new pattern, you put it back on your toolbox, and hopefully, you’re gonna have it on your toolbox for the future cases. But they will come up with new patterns and new ideas. And you should never take it for granted. It’s not because you’ve been six months or even three years without a fraud spike, that doesn’t guarantee future safety.
Bradley Chalupski: So, I really want to get into this idea of when you’re going back and forth with you and the fraudsters of where you’re thinking about how to approach the problem. So, obviously, when you have a problem like this, what’s really wild is that you have these people who are going to such great lengths, and they’re obviously understanding everything that’s going on. So, how do you try to combat that? What are you trying to do to improve what you’re doing?
Rafael Lourenco: Well, the first thing is being able to have a good diagnosis to understand what’s going on. And to understand what’s going on, I like an approach where you bring different perspectives, different points of view. And then, in this case, for online fraud, that’s what we fight the most. We’re talking about a perspective where a software engineering team will bring up their point of view, data science or statisticians team will bring a different point of view, and even the manual reviewers – people that are on the last mile of the fraud prevention – they will also bring a different perspective. So, the secret sauce, in my opinion, is not on any of those elements, but actually on the combination of them, where you’re going to then put together all the impressions and the possibilities. And usually, the solution will be a combination of the ideas that people brought up to the table in a situation like this.
Bradley Chalupski: So, I also wanted to get at the idea of when you’re going through something like this, obviously, you’re dealing with a problem that you need to solve. I want to understand when you’re in the middle of working through this and you see what’s going on, and obviously, I think it has to be frustrating. And I don’t know, maybe it’s frustrating. Is it fun? When you see this and you know that something is going on but you’re not able to put your fingers on it and you have to really try to figure it out, what’s that process like internally between your team members?
Rafael Lourenco: Well, in case of ClearSale, we are a solution provider, we are not the merchant. But the way we built our solution and our business model makes the incentives, the financial incentives specifically, very similar, so that we behave very similar as a merchant would behave in a situation like this. And what I mean by that is that we have a policy of chargeback guarantee, a chargeback reimbursement, as a possibility. So, we don’t want to allow too much fraud go through because it’s going to become a cost of ours. And we also have a chargeback discount policy even if there’s no reimbursement. We also usually only make money when the transaction is approved. So, we want to have the highest approval rate possible so that we can make more money. And usually, we charge our merchants the same amount regardless of being a manual review or a real-time decision, automatic decision. So, we want to make the manual review the lower rate possible, even though we understand that as an important piece of the process, we want to make it very tiny percentage. So, from the options you just gave me between fun and stressful or fun and frustrating, I would pick up the frustration one as the one. Because you’re using it to be successful, and then at some point, one of your merchants – and we have more than 4,000 of them – a big one is going through something you are not being able to solve. And it was not something that happened in one week, it took two to four months before we solved 100% of it. So, it was a lot of frustration from one step to the other. And I think part of the reason is because we as a company want to avoid cost, want to increase revenues, and obviously want to increase customer satisfaction. And in this case, our customer wasn’t that happy with all that was going on. So, that was really challenging for us.
Bradley Chalupski: So, I want you to take me through now. Obviously, you’re in this position where you’re not really sure exactly what’s going on. What was the end result? How were you able to work your way through this and solve the problem?
Rafael Lourenco: Well, in this particular case, I mean, again, we were struggling to understand what was going on because the variables were matching. And the first thoughts that went through our minds was “Okay, let’s try to narrow down the pattern of those orders and check and send them to manual review or decline them.” But that was just not viable because you cannot pick up a city, let’s say, San Diego, and you are going to say, “All the orders in which shipping address match with the card-holder’s –” and you cannot decline because there are much more good orders on this pattern than there are bad orders. So, you cannot decline those and you cannot send all of them to manual review because it’s a high percentage. So, most of the transactions, 30% to 40%, are made by people with a good match in shipping address and credit card. So, the option there was not the right option in this case, and that’s what made this case specifically challenging was flagging orders that follow that pattern because the same pattern was followed by good orders. So, it was hard.
Rafael Lourenco: So, the next step was trying to understand what was going on. And by understanding what was going on, I mean, really diving into the scenario. And in this case, that meant having the help of one employee of the merchant and talking to these people, like, people that were receiving these goods. Because think about it, you – again, using you as an example – receive this TV at your home, somebody using the merchant’s uniform, let’s say, Best Buy, they came to your house and you wanted to give it back to them, so you just gave it back. So, somebody had to talk to you to understand what happened. And in this case, we have a process internally called chargeback classification, where we try to classify the chargebacks out of friendly fraud, actual fraud, and the multiple types of fraud, not trusting and relying only on the reason code provided by the bank. And this process also included talking to these people over the phone. And the story they told us was the story I told before, meaning, “I was in my home. I got this TV out of nowhere. And out of nowhere, someone came to catch it, to get it back. And I gave them back.” So, it was a combination of our own efforts and collaboration with the merchant – with our client in this case – where an employee of theirs went through these people’s house to talk to them and to understand what was going on.
Bradley Chalupski: Who volunteered for that job? Because that would not be a job that I would want to be doing. So, there were people that were actually trailing these fraudsters to the door of the consumer?
Rafael Lourenco: Yeah, kind of. Actually, they never really faced the fraudsters themselves. But what they did is they went to these people’s houses and they look at the security cameras on the building. And that’s how they came up with this.
Bradley Chalupski: So, I think you could really risk a confrontation there which nobody really wants to have. So, I’m also curious here, when you spoke with consumers, this must have been very unnerving for them, I guess. You never really think in this world, I guess, anything is possible at this point. But you still kind of feel like there are some things you could trust, like if somebody shows up in a uniform from UPS that they’re actually from UPS. So, did you ever hear from any merchants about what the feedback was? Or if consumers, what was their reaction to this?
Rafael Lourenco: Well, I don’t remember any complaints or anything in this particular case, but I guess that people got scared a little bit because you usually think about a cyber-criminal or an online fraudster as someone in a dark room, a hacker looking at this. And probably that did happen at some point, because, again, we are talking about an account takeover that does need a high level of attack sophistication. But in this case, it’s clear that it was an organized crime, a crime organization with multiple elements, just similar to what I just described that happen internally, where you have the software engineering, the data science, and the manual reviewer. In this case, the fraudsters also had a couple of elements here at least. And I think that should be surprising to someone who would have the stereotype of the online fraudster as someone who would never show their faces.
Bradley Chalupski: So, once you have something like this happen, obviously, you’re taking lessons from it in the moment, but what are you doing in the long term when you see something like this happen? Because obviously, these people are highly creative, both strategically and tactically. How are you trying to think ahead and make sure that you can avoid this type of targeting in the future?
Rafael Lourenco: Well, the first is celebrating a little bit. So, you gotta understand that if you found the diagnosis and a good solution and a, let’s say, medicine for that, you gotta apply it. But in the minute after, you got to already start thinking about how to scale that, so that at least this pattern won’t happen again. I mean, other patterns will always be able to happen. We usually say that the fraudsters can beat us once, but they cannot beat us twice. And that’s the mentality. So, the most important thing is closing the cycle and building whatever you build to solve this particular problem, try to scale it to other merchants, to other situations, and not to find the same pattern again. In this case, the solution or the way we handled that was by including not only a supervised model. And I don’t want to get too technical but we have to step in a little bit. Supervised models – they try to find a pattern that differs one order from the other. But in this case, we applied what we call unsupervised models where you are trying to find out anomalies, behaviors and stuff that is going on that you’re not used to seeing before. In this case, it was as simple as understanding the volume of orders on a given region with a given type of product on a given week, and compare it to the last three months. Because think about it, this type of fraud requires a lot of resources, as we said before. So, nobody is doing this to get one TV. In this case, we are talking about hundreds of orders and hundreds of cases where they went with the uniform.
Rafael Lourenco: So, they had to do it on a single region because they couldn’t travel from one city to the other. And they had to do it on a single merchant because you’d only have the uniform of this particular merchant. So, the way to catch it was understanding if the volume of a given item category combined with a region – in this case, zip code – combined with the type of item, transaction, and the matching – the fact that the shipping address was matching with the credit card number before in transactions previously. So, in this case, that’s what we learned for this case. But obviously, the tool that went back to our toolbox was anomaly detection as a whole. So, it’s not that now I’m protected against people that use uniforms in San Diego, but now I should be all over the world, all over the other types of anomalies that can be detected. So, I think the story behind here is always the more experienced you are, the more fraud cases you’ve faced. And I’ve been 12 years at ClearSale, I’ve seen a lot of different stories, and tools at your toolbox, in other words.
Bradley Chalupski: It’s really great to hear about the chess game and how social providers are able to react to these kinds of things. I do have one more question before we go: When you’re internally looking at the crazy things like this, which is absolutely amazing, and the complexity of the fraud here is staggering; do you have a team that tries to think of all the crazy ways that people could try to defraud customers, and maybe run some kind of – I don’t know – WarGames or something like that where you’re attacking the system from the outside in order to try and be prepared for what you might see in the future?
Rafael Lourenco: Well, I know that for cybersecurity, this is a common practice. Let’s say you want to understand the vulnerabilities of a system, and then you try to invade it yourself as a solution provider. That’s not exactly what we do. I think, in our case, we got to be very conscious about handling credit card information and stuff like that internally at ClearSale. So, we try to avoid this kind of information, this kind of practice. But what we do that is kind of similar to what you just described is we have a team, internally, that tracks forums, and deep web, and actually the regular web on the forum. So, we shouldn’t be naive to believe that we are here talking in our podcast and the fraudsters do not have a similar thing. So, they might have a podcast or a blog or whatever similar to this. They talk even more than we talk on the good boys side, they exchange best practices. And that’s why, by the way, if you allow some type of fraud from happening, very likely, someone else is gonna try the same thing. And you may have a much bigger problem than just one transaction. So, that’s something that we do. But it’s interesting also to mention that is a team because it’s kind of an ethical discussion on how much we should follow these discussions. The team that does that, that follow these discussions and are involved on these groups is a team that most of our employees do not know who they are. So, they are picked up from different departments, and just a few of us know who they are, so that people don’t start asking them what they will make. This committee will make periodical meetings so that they can talk about their findings. It’s a really challenging world.
Bradley Chalupski: All right. Well, I really appreciate your time, Rafael, thanks so much for joining us.
Rafael Lourenco: Thank you, Bradley, and hope to have another opportunity to talk to you and your audience.