Friendly Fraud: The Silent Killer Putting Your Ecommerce Margins At Risk — Simon Wijckmans | How To Stop Friendly Fraud, Why It Kills Your Margins, How To Prevent Chargebacks, What A 0.5% Fraud Rate Really Means, Why Browser Security Matters (#451)

Show Notes

In this episode, we dive into the silent profit killer known as friendly fraud and chargebacks. 

Simon Wijckmans, Founder and CEO of cside, shares how these false chargebacks risk your margins and payment accounts. 

He explains what friendly fraud is, why it's so hard to fight, and how client-side security intelligence, combined with new programs like Compelling Evidence V3, can drastically reduce fraudulent chargebacks and potentially save your business from losing its payment processor.

Topics discussed in this episode:  

• What is friendly fraud.
• How bad actors use it for profit. 
• Why payment issuers make it easy for customers to file chargebacks. 
• The hidden costs of fighting chargebacks. 
• What volume of chargebacks constitutes a high-risk vendor and jeopardizes a payment account. 
• Why gathering intelligence from the browser is critical for security and fraud prevention.

Links & Resources 

Website: https://cside.com/
LinkedIn: https://www.linkedin.com/in/wijckmans/
X/Twitter: https://x.com/SimonWijckmans

Get access to more free resources by visiting the show notes at https://tinyurl.com/td78au49

______________________________________________________

LOVE THE SHOW? HERE ARE THE NEXT STEPS!

Follow the podcast to get every bonus episode. Tap follow now and don’t miss out!

Rate & Review: Help others discover the show by rating the show on Apple Podcasts at https://tinyurl.com/ecb-apple-podcasts

Join our Free Newsletter: https://newsletter.ecommercecoffeebreak.com/

Support The Show On Patreon: https://www.patreon.com/EcommerceCoffeeBreak

Partner with us: https://ecommercecoffeebreak.com/partner-with-us/

Transcript

00:00:00:00 - 00:00:19:00
Unknown
Hello and welcome to another episode of the eCommerce Coffee Break podcast. Today we're tackling a silent prophet killer friendly fraud. These false chargebacks aren't just annoying, they're putting your margins and your payment accounts at risk. If you're running an online store, this episode could literally save you tens of thousands in lost revenue. So today, my guest is Simon Wijckmans.

00:00:19:02 - 00:00:40:02
Unknown
He's the CEO, CEO of Seaside, the company leading the fight against browser side threats and friendly fraud. We have a lot to cover, so let's get started. Simon, welcome to the show. Thanks for having me. Simon, let's start simple. What is friendly fraud and how does it hurt my business? So to give you a bit of, like, a story line, right?

00:00:40:02 - 00:01:04:11
Unknown
So imagine you were a bad actor and you wanted to make some quick money, then buying products online and reselling them really quickly and getting your money back. Sounds like an amazing moneymaking business, right? And unfortunately, that is something that has become quite routine and large at this point. So a bad actor goes to a store, buys a range of products that it knows it can resell very easily, or they just buy it for themselves and don't plan to resell it at all.

00:01:04:13 - 00:01:23:12
Unknown
But in a call to credit card company after saying, hey, this wasn't me, I didn't make this purchase. I don't know what this is. I want my money back. That is a friendly chargeback. Of course, chargebacks aren't always fraudulent. There can be chargebacks where people's credit cards were actually stolen. But that is a particular, like the word friendly there.

00:01:23:13 - 00:01:46:08
Unknown
It's often also referred to as first party fraud. Chargeback fraud. All types of, like, like names are being used for this today. I think everyone was running an online store for some time, had this chargeback request, but how is it possible that these fraudulent customers can get away with this chargeback claims? So it comes out to a range of different problems here, right?

00:01:46:09 - 00:02:09:21
Unknown
I think firstly, the, I mean, a payment issuer is the credit card companies, etc. they have a material interest in keeping people happy. They don't want people to feel like, restricted in making online purchases. They want to make it easy for them to make online purchases. So, for that reason, if there is ever a credit card theft situation or people do end up in a fraudulent situation, you want to make it easy for those to be able to contest that and get their money back.

00:02:09:23 - 00:02:30:23
Unknown
There is that side of things. Unfortunately, fraud has also been monetized to an extent by these platforms because they're able to charge fees for you to contest that. Fraud, even like that. Like contested fraud scheme. Right. And so those charges, they essentially create a weird conflict of interest between the merchant credit card issuer, the payment provider, and the end customer.

00:02:31:01 - 00:02:48:19
Unknown
So there's a range of issues there. The problem as well is that over time, payment infrastructure got so much more complex. And when people start buying things online and they pass through a range of different systems, those systems need to align. So for the longest time, Mastercard and visa, they had their programs, but they weren't that clearly documents.

00:02:48:19 - 00:03:15:17
Unknown
And so it was very difficult. To make an accurate judgment call. The better the evidence you had would suffice or not. That has luckily changed. So nowadays, there's actually improvements being implemented to make it easier for you to be safe. Guidelines around what type of evidence is allowed that would be sufficient to prevent the chargeback from being filed or, contesting it if it is filed, and so on, that there's a range of new programs, like, for example, compelling evidence, fee tree, by visa that was shipped.

00:03:15:19 - 00:03:36:02
Unknown
There's a few more just so, I want to dive into this a little bit, later. But just to give our listeners an idea what it will cost you to have one of these chargebacks, can you give an example what kind of fees and whatevers involved and how what's the cost of business in real life? So there's multiple categories of costs here, right?

00:03:36:03 - 00:03:58:22
Unknown
You have the admin costs of like actually contesting a chargeback. So if a chargeback comes in and you want to contested that there's charges involved with that, it starts relatively small $15 with a stripe fee, $5 here, $10 there before, you know, it's a back and forth cost you a couple hundred bucks, right? Usually companies stop at around $40 with those, and at that point they just let it go.

00:03:59:00 - 00:04:14:10
Unknown
However, there are other costs involved of that, of course. Like when you spend time on these things, time is money. You need to actually staff a team for that. If you're a large e-commerce vendor, it is likely that you have a support team that spent a considerable amount of their time dealing with chargebacks or a dedicated team to that, right.

00:04:14:12 - 00:04:31:12
Unknown
There is the cost of all of the good, right? If it is a physical good and it is never returned to you, then that item is also gone. So the cost is very high, right? And so you basically have to contest it or accept a loss of that physical. Good. If you contest service fees involved with that.

00:04:31:12 - 00:05:00:08
Unknown
And so at some point you just feel like, okay, this is actually not worth going after. If this physical good, like, is actually charged for, I will probably I probably would have spent a number of times the actual like money that I've made from this particular customer. Right. And so there's a few issues there. Overall it tends to be like depending on like the service are good that gets a bot equal amount or multiple amount of the actual good that was contested for a lot of businesses, which is like, of course, a real problem.

00:05:00:08 - 00:05:24:18
Unknown
And so that's why companies have been buying insurances against it. And then the find themselves, but also looking for technology providers like ourself to at least have an easier time to contest these charges. And so for that reason, as part of a chargeback cycle, one, there's a company that we work with the most, basically what we do with MSP, we help them with the client side intelligence of things, provided evidence to them, and they then work with that evidence to prevent chargebacks.

00:05:24:18 - 00:05:41:07
Unknown
Or if a charge bank is filed, at least having the evidence of where that request was coming from, who made that payment on which device, and that type of data can help a lot, of course, because the more information you have about the actual action, the harder it is for somebody to claim that it wasn't them. Now it makes perfect sense.

00:05:41:07 - 00:06:03:18
Unknown
And I think what just mentioned on the one side, you have the cost to your business, your time, whatever their agendas and the other side, your, in the risk of losing your payment account, which is far worse because then you basically your business comes to a full stop. So we see side. You obviously found a solution to make it easier to prove if it's a real chargeback or a fraud on a chargeback.

00:06:03:20 - 00:06:29:14
Unknown
Talk me through it. How does it work? So it isn't just that simple, right? So there is a program called Compelling Evidence Feature for you, which allows you to provide evidence to visa through a program that they call like verify and Vamp. And that basically allows you to then have evidence already with visa so that when they call the bank to say, hey, I don't recognize this transaction, the evidence is already there and a chargeback wouldn't even be filed.

00:06:29:16 - 00:06:59:12
Unknown
Thing is that information needs to be present with them within two seconds. So it needs to be very quick. So there's no correspondence emails or anything. That's an API. It needs to be technology based right. And so one of those pieces of evidence is like actually having devised the whole fingerprinting information, something that is able to route back a transaction to a device that is easier said than done, mobile devices, you can get an email number if a transaction happens inside of a mobile app, all the actual laptops and desktops, there is no such thing as an email number.

00:06:59:13 - 00:07:19:19
Unknown
And that's, of course, a lot more difficult. What seaside does is basically make that uniform across mobile devices, tablets, laptops, desktops. We will be able to provide you a consistent fingerprint across all of those devices. It is also a long term. So if that fingerprint, that fingerprint must be a distinctive sustainable so that you have evidence over a prolonged period of time.

00:07:19:21 - 00:07:38:11
Unknown
And then with compelling evidence, V3, you're able to confirm that that credit card was used on the device. Right. And so if there were two transactions and then the third time they buy something, they can test it. At that point, you basically have all of the evidence to say, well, no, actually this device, this credit card was used before, they can't claim it wasn't them.

00:07:38:11 - 00:07:58:18
Unknown
It was already here. They've done that before. The evidence exists. And so that's one of the things that we can provide as part of our solution. How does this differentiate between like a stolen credit card and, somebody who does a legit transaction? Yeah. So of course, a stolen credit card should not be used on the same laptop.

00:07:58:18 - 00:08:17:06
Unknown
Right. So if a bad actor manages to steal a credit card and then, goes online and makes a purchase at that point, of course, that transaction would be coming from a different device with a different fingerprint evidence, which we would not have the evidence to prevent that chargeback from being filed. Those types of situations are, of course, very annoying.

00:08:17:08 - 00:08:35:00
Unknown
So it is in the best interest of any individual consumer to immediately call the bank call card. Still get that card canceled if there was a charge made, to challenge that charge before the order is actually sent out or too good is sent. Because of course, if the credit cards get taken offline, the better for everybody.

00:08:35:02 - 00:08:54:02
Unknown
Don't have to file as many chargebacks. You don't have to provide as much information to fast through to better for everybody. In in the main compelling evidence of tree is a, I would say a rather water like proof like tool for this. Like if there is evidence that it was the same, on the same device using the same credit cards, then you're able to use that program.

00:08:54:06 - 00:09:22:22
Unknown
If not, you can't. It is that simple. But with that, you can drastically decrease the amount of chargebacks that are filed against you as a business. And of course, if you're a smaller e-commerce merchant, you may be talking 5 to 10 chargeback symbols right? At that scale. Things become manageable enough to just do. Right? For larger companies, especially those with hundreds of thousands of transactions every day, these types of situations are best prevented because otherwise you just have to hire a bunch of people to fight them.

00:09:22:22 - 00:09:50:14
Unknown
Right. And and that's not ideal. For me, that sounds like a perfect job for AI. Is there AI involved in our fingerprinting models itself? There are some tricks that we do use some lens for, but, it is an I would say minor senses. The reason why we don't go full on AI on this, is because firstly, that's nowhere in competition which reserves reserved space for that.

00:09:50:16 - 00:10:17:14
Unknown
It is asking for certain information. We provide that information. But then also there is the predictability factor, of an outline. Right. So you've got the issue where like lm still every now and then can hallucinate. It's important to understand several LMS are actually adding value versus where they're creating noise. In the case of fingerprinting devices and understanding, like certain parameters that are long lasting, usually you don't need to use LMS.

00:10:17:14 - 00:10:38:13
Unknown
There are a couple of methods you can use, but up until this point, those were very minimal. I want to talk a little bit about the the technical background there so that our listeners can understand how it works from their side. You said there's a fingerprint which will read out the device of the fraudulent, buyer. How does it work?

00:10:38:13 - 00:10:57:15
Unknown
What kind of software do I need to install to make it work? Super simple. You add our script to the website, copy paste, that's it. One script. And that script is then basically monitoring at that point when when the transaction gets made, it does a quick snapshot fingerprint of that device. As I said, that fingerprint is long lasting.

00:10:57:15 - 00:11:16:20
Unknown
And that would then allow us to then separate that device from another device with a high degree of confidence that you can then use in your fab, like in, in your, competitiveness tree reports. Yeah. Can you give an example of or a case study of a brand that you're working with and you don't need to name the brand and what kind of results they saw.

00:11:16:22 - 00:11:39:04
Unknown
So one of our customers is a large online hotel, like reseller platform where people are buying in, like buying hotel rooms for a night. Right. And they plan it ahead. Unfortunately, fraudsters have realized that those types of businesses, the data is like 70 spread out. If you go to a hotel, when you check in, that is in one tool.

00:11:39:04 - 00:11:57:00
Unknown
They give you a key that is in another tool. You get an email afterwards asking for a review. That's another tool. And especially if there's an intermediary hotel booking that's from in the middle, they often don't have information on whether you checked in or not. And so that company faced a lot of chargebacks after the fact, saying that wasn't me.

00:11:57:02 - 00:12:20:13
Unknown
I never booked that. Right. And so in that situation, because there's a long lasting token and you can use that evidence and then the data points, right? That evidence really like helps them a lot. So they had a significant amount of chargebacks every month. And we were able to reduce it about 60, 70%. Just by being able to like present the evidence that this was a credit card used on that device with them before.

00:12:20:15 - 00:12:37:23
Unknown
The results, of course, vary significantly from industry to industry. If you are in an industry where people just buy a subscription and that's it, they buy like put their credit card there and that's it, and you're going to see different results from a platform where people go and buy things. And from there, of course, every industry is different.

00:12:38:00 - 00:12:59:19
Unknown
I would say that these types of tools are most significant, in like in, in environments where people face a lot of chargebacks, for example, online gaming, also online media, a line entertainment, like the like, the parallel organized like a apparel company. So e-commerce companies that sell clothes and then those get resold again on eBay.

00:12:59:21 - 00:13:25:19
Unknown
There's a whole range of those. Right. And so if anything is of value for resale ability or there is perhaps an opportunity for people to say, hey, I got access to this, but I actually don't want it anymore afterwards. Like, for example, online media, then chargebacks are particularly commonly used here. I just want to highlight for our listeners, again, the risk of losing your payment processor, is there some kind of cut off?

00:13:26:00 - 00:13:48:12
Unknown
What kind of volume or what kind of number of fraudulent charges they are? Look at before you get into trouble. It's water. Yeah. So there's a thing called a vamp ratio, right. And the vamp ratio, allowed a certain percentage of transactions by, like, over a certain a period of time to be contested. As soon as you go above that, you're considered a high risk vendor.

00:13:48:14 - 00:14:07:02
Unknown
And if that becomes a substantial issue over time, then you can just be kicked off that, like the, provider altogether. If you're a high risk vendor, then at that point you're going to see your margins getting eaten away because of risk. Right? And so the disperse forms, they protect themselves more, charge you more. They're basically synthesizing you to keep chargebacks to the lowest level possible.

00:14:07:04 - 00:14:26:08
Unknown
That is, of course, to prevent, malicious online like transactions from being done. So if there are platforms out there that scan people routinely and people start filing chargebacks after some time, that is going to be a signal for that provider to pull the plug on that platform. So it comes from a good place. However, that ratio has been lowered, actually, so it's gotten more aggressive.

00:14:26:08 - 00:14:41:22
Unknown
You have to do more to prevent yourself from being in a position where you're considered a high risk vendor. And so for that reason, these products, like compelling evidence for three of these came out. There's going to be more of those across all the other credit card issuers. It's kind of a given that if one does it, the other do it to eventually.

00:14:42:00 - 00:14:57:21
Unknown
And that then will allow you to prevent some of these chargebacks from happening in the first place. So it all comes down to that. It's, you know, you're going to have to take action here if you get one chargeback month and you do 1000 transactions a month, then you're probably gonna be fine. As soon as it goes above half a percent.

00:14:58:01 - 00:15:15:09
Unknown
Then you start getting into Amazon and you want to be very careful with situations where, your payment provider can pull the plug on you. Of course. I think, yeah, there's plenty of conversations about some Reddit for example. Once that happens, your business is effectively down. You're going to have a harder time reopening with another payment provider as well.

00:15:15:11 - 00:15:37:02
Unknown
Communication between those providers does happen. There are all types of like fraud networks that communicate about these types of things. You definitely don't want to end up on one of those. I was great that you highlighted this point 5%. That's already where it becomes really, really difficult and where you basically can use a business. So for our listeners, look at this.

00:15:37:04 - 00:15:58:06
Unknown
It's really a matter of having a business on not having a business. Now, when it comes to the implementation, a lot of our listeners on platforms like Shopify, etc., how does the day to day life of a merchant look with your solution? It is very straightforward. You add our script to that webpage, to the payment page itself.

00:15:58:08 - 00:16:13:13
Unknown
It will be there listening in to the fingerprints that it needs to get. That information will be shared with the platform that it is required to have. So for example, charge based on one which we work with the most. And they will provide that information to visa. And so it's honestly set in. Forget you put a script on the site.

00:16:13:13 - 00:16:31:00
Unknown
The data gets scattered. The data gets passed over. That is it. It really depends a little like it depends on the platform you're using as well for like, the like for the actual processing of the payments, source words from Shopify, etc.. Then to try to restrict what type of tools you can put in the payment pages.

00:16:31:01 - 00:16:52:22
Unknown
But we do have solutions for that. So the veil comes down to that okay. How do you charge your for your services. So we charge actually for like they choose to that payment page. So your transaction volume is essentially the number you're looking for. So if you do 10,000 transactions then it's going to be if you do a million it's going to be and it scales nicely.

00:16:52:22 - 00:17:12:13
Unknown
Right. So if you only see a certain amount of charge rates every month, our pricing models will actually be able to handle that rather well. Depends on the thing is, volume of chargebacks is a factor, especially if you have to start contesting them. Takes a lot of time to contest 50 versus one. Right. But then of course, the cost of these as well is, is a huge factor.

00:17:12:13 - 00:17:37:17
Unknown
So we tend to see companies seeking solutions like us when there's a certain level of volume or there is certain amount of money at stake. Usually if it's just purely money at stake, and there's only a small handful of that is actually, like a monthly get contested. Well, then people try handle it manually. Still, the problem is that that is a slippery slope, because as soon as people realize that you're contesting the chargebacks manually, do these bad actors do talk about that.

00:17:37:17 - 00:17:59:03
Unknown
So they will essentially try to like DDoS you with more and more chargebacks over time. So prevention is better than reaction on these things. Yeah, I have to have was very few chargebacks in seven years beat myself on Shopify. But it's also very nerve wracking. It's very time consuming. And for our listeners, I can only recommend to have someone dealing with that makes your life so much easier.

00:17:59:05 - 00:18:24:00
Unknown
Summer before our coffee break comes to an end today, is there anything you want to share with our listeners that we haven't covered yet? Don't forget about the amount of intelligence that you can gather out of the browser of a user. So, seaside stands for client side too. We do all types of things. We protect all of those weird marketing tools that your people put on your websites, prevent them from listening in on keystrokes and passwords and credit cards, all that kind of stuff.

00:18:24:02 - 00:18:41:02
Unknown
There is a lot of stuff happening in a browser that you don't necessarily have any knowledge of today that can be helpful to your business in one way or another, or to prevent something bad from happening. So don't forget about the browser. Don't forget about security. The reputational damage of an incident is significant. And then there's all types of compliance pressure on it as well.

00:18:41:04 - 00:19:01:20
Unknown
But yeah, better safe than sorry. Yeah, I couldn't agree more. Where can people go and find out more about seaside. Very simple seaside dotcom. So the letter C aside.com perfect I will put the link in the show notes and you just want to click away Simon, thanks so much for giving us an overview for what I think is a very important topic for every merchant out there.

00:19:01:22 - 00:19:13:09
Unknown
And if you have dealt with, chargebacks, have a look at seaside might be the right solution for you and might at some point even save your business. Thanks so much for your time. Thank you. Bye bye.