Fraud has been a problem for centuries. And there have been bad actors and people with ill intent since the beginning of time. What’s different today is the tools and methods that fraudsters are using, particularly when it comes to perpetrating fraud online. Both consumers and brands are in a constant battle against hackers and fraudsters who are gaming and attacking their defenses and stealing hundreds of millions of dollars. So to protect themselves and their cus, brands are putting strategies in place to limit their exposure to risk and stop fraud before it starts. But not only will that defense not last long because fraudsters are always coming up with new ways to run their schemes, more often than not the defenses a company sets up create a bad user experience for the very customers they try to protect.
David Fletcher is the Senior Vice President at ClearSale International, and he and his team are helping to create better solutions, fight fraud, and help ecommerce companies process more orders while giving users excellent experiences. He told me all about it on this episode of Up Next in Commerce, and there are some great ideas for any brand to think about implementing. But even more than that, David and I went deep on some of the other hot topics in the fraud and privacy world, including the debate around two-factor authentication and what’s happening on the dark web. It was so interesting. Enjoy!
Main Takeaways:
- Cutting Off Your Nose To Spite Your Face: One of the ways many companies fight fraud is through filters. If they see suspicious activity from a geographical location or type of customer profile, they set their system to automatically decline those sales in order to prevent fraud. However, in doing that, the company has set up a system that will generate false declines — declining legitimate sales based only on generic information that has been flagged. In order to truly fight fraud and not negatively impact other customers, companies need to be more specific and targeted with their efforts.
- The Unsolvable Problem of Fraud: No matter what you do to address fraud as it happens right now, there will always be new ways that fraud occurs as time goes by. It takes constant vigilance and attention to the environment you’re working in to stay ahead and protect your business and your customers. And while technology can help, having actual humans look into potentially risky transactions is the best way to identify what’s fraud and what’s not.
- Dig Into Data: By examining historical data, companies like ClearSale can get a full picture of how a company has operated and where its weak spots are when it comes to things like false declines and chargebacks, or other indicators of fraud. And from that data, you can almost immediately implement machine learning to improve your processes and get more orders approved.
For an in-depth look at this episode, check out the full transcript below. Quotes have been edited for clarity and length.
Key Quotes:
“Ecommerce businesses globally are booming. Most eCommerce businesses or sites have really grown through the pandemic, and a part of that means fraud has grown as well. So just as the opportunity is looking better and more exciting for the eCommerce company, it looks better and more exciting for the fraudsters. And sadly as the businesses grow, the merchants grow, they get more and more attention from the fraudsters. So what’s starting to happen now, it wasn’t that long ago that fraudsters had to be very strategic in who they targeted and how they targeted them. Now, it’s much easier for them, they have a much larger field to choose from.”
“The problem is when you create that two-factor authorization, if it opens up the doors to everything, now you’re at risk, meaning you get hacked, let’s say your phone gets hacked. And today we have our face identification we can use. And if you don’t use that, you could use your code to get into your phone. Well, if your phone gets hacked, they can still get in with your code. And even the way that it’s set up to get into your banking apps, that changes. If you used your code, the face is no longer available. Well, that just means they need your username and password, so they can easily get into it. And so that’s one of the reasons why they start talking about the two factor authorization being so dangerous because once it gets hacked, it now opens up a lot of other doors that wouldn’t normally be open. And so it’s very similar in the credit card situation where they want to send you this code for you to validate the purchase. What happens if, as I was saying before, if they were able to get your credit card information through your cell phone by hacking your cell phone? They have everything. So what’ll happen is that code will come through, that second authorization will come through, they’ll have access to that. They’ll see the code, there’ll be able to then make more purchases because now because it did pass, it won’t get flagged. It’ll definitely get past the credit card company, it will not get any attention at all. So that’s the problem with 2FA. It can be really good, but if you get hacked, it’s really bad because it just opens up so much more opportunity for the fraudsters.”
“Accounts get hacked all the time. I know that probably 8 to 10 of my accounts that I’ve used for marketing things or sales things, nothing important, and I have my non-important passwords that I use. And that’s what this particular email referenced. They get hacked all the time because they’re just not built to protect that information. Unfortunately, they just don’t put money into that. And so they get hacked. Once that breach happens, they sell it on the dark web. And people then say, “Hey, I’ve got a hundred of these, I’m going to send them out.” They only need one taker to send them money and it was worth the time.”
“It’s amazing what these fraudsters can do. They get a little bit of your information and then the next thing they get a lot of your information. And that’s the world of the internet, that’s the world we live in today. I can see your name on this zoom call and then I can look you up, and then there’s People Finder and all these other memberships that you can have that will tell me everything about you, and that’s scary.”
“There’s a couple of things that all merchants should be paying attention to, large or small. And these metrics will tell a story. And so what you do with that story is what matters most. So let me share with you some of the metrics. Chargeback rate, that’s an obvious one. Chargeback rate needs to be under control… Approval rate is a huge metric, understanding your approval rate. “Fraudsters typically follow the trends set by the fraud prevention companies. And as we start to make the changes, they start to adjust. But quite often, they try to get ahead of us. So that’s why it’s important for us to be good listeners and pay attention to that.”
Bio
David Fletcher is the Senior Vice President of ClearSale International. He previously was the co-founder and CEO of Maven Sales Group and the President & CEO of Systek Corp. which he sold in 2009. Fletcher has a Bachelor’s Degree in Criminal Justice and Cybersecurity from The George Washington University.
Up Next in Commerce is brought to you by Salesforce Commerce Cloud. Respond quickly to changing customer needs with flexible Ecommerce connected to marketing, sales, and service. Deliver intelligent commerce experiences your customers can trust, across every channel. Together, we’re ready for what’s next in commerce. Learn more at salesforce.com/commerce
—
Transcript:
Stephanie:
Welcome back to Up Next in Commerce. I’m your host Stephanie Postles, CEO at Mission.org. Today on the show, we have David Fletcher who’s the SVP of ClearSale International. David, welcome to the show.
David:
Hello. Thank you for having me Stephanie, I appreciate it.
Stephanie:
I’m very excited to have you. So where are you calling in from David? Where in the world are you?
David:
Absolutely, great question. So I’m actually just recently moved, I picked the pandemic to make a move. But maybe not the best time, but great time to get a good loan. Interest rates were certainly down. So just moved from the Washington DC metro area, South and East a little bit towards Ocean City, Maryland. So I moved down-
Stephanie:
Wow, that’s where I’m basically from.
David:
The city to the beach.
Stephanie:
That’s crazy. I know Ocean City very well, I used to bartend there every summer because I’m from Salisbury.
David:
Well, then I got to tell you, I’m just on the West side of Salisbury.
Stephanie:
Really?
David:
So that’s exactly where I am. But when you say Salisbury, very few people know exactly where that is, they know Ocean City. So we’re right outside of Salisbury, then you know the area very well. A couple of my sons actually go to Salisbury right now.
Stephanie:
Really? Cool. I was just on campus when I was visiting my parents a couple of weeks ago. And that has exploded from when I was there last time, which was wild to see. Well, that took a turn for, I wasn’t expecting that, that’s great. So to get more into your background before we get into ClearSale, I want to hear what brought you here because I see that you’ve been a CEO a couple of times before at different companies, that seems like that’s just who you are. So I want to hear a bit about your background first.
David:
Yeah, for sure. So in 2000, I started my first business and that’s when I decided I wanted to be an entrepreneur. At the time, I was VP of sales and marketing for a large systems integrator in Washington DC and decided to venture out on my own. And was in technology, so we were doing custom software development, some web development because in the year 2000, 2001 and so forth web development was a big niche. It was not as easy as it is today back then. And so we were doing a lot of software development, software testing and so forth and was fortunate enough to land a large contract with America Online, AOL at the time. We did all of the testing. So they needed a third to come in and do their testing, we did all that testing for them before they were mailing out those wonderful CDs that they used to mail out to everyone.
David:
So that got me deeper in the technology. And as an entrepreneur, I had to better understand it as opposed to just trying to sell it. And so that really helped me learn more about technology and infrastructure and integration. And from there, I decided I wanted to … So part of that business was acquired. So from there, I was torn between do I want to become a sales coach, a consultant, try to become a advisory board member? And I wasn’t sure where to go. And I ran into a friend that was a sales consultant doing sales coaching. And he said, “Hey, why don’t you come work with me, and we’ll build a practice?” So that’s what I did. And that quickly turned into a marketing agency. So before you knew, we were an inbound marketing agency, a HubSpot partner. So you had two sales guys running a marketing agency, I don’t know how that happened, but they did.
Stephanie:
They worked great.
David:
Right. So we did that for eight years, and I missed sales. So I said, “You know what, I’ve got to get back to the sales side.” And that’s when I started Maven. So my wife and I started a sales consulting firm, And my wife, oddly enough is a marketer. But she’s that marketer that really understands sales. And so we started the sales consulting firm called Maven. And then one of our clients was ClearSale. And ClearSale I guess after two years said, “Hey, I want you to come work with us full-time.” Well, we had an office, we had employees, we had other clients. I’m like, “I can’t do that.” So we worked out a deal for ClearSale to essentially buy out that part of the business that I ran. And Maven still exists today with my wife Shannon running that portion, which is all marketing now. And I joined ClearSale as an executive. So that’s how I ended up here.
Stephanie:
I love that. That’s a good windy story, which I’m always all about. So I’m excited today because I haven’t really talked to you much about the topic of fraud, which is ClearSale’s bread and butter, preventing for all around eCommerce. And so I want to hear a bit of details around what does the industry look like right now when it comes to fraud and fraud prevention? Because I think I have so many great brands on that I hear all the excitement of the company is growing and scaling, and we probably don’t touch too much on the fraud angle and things. So I’d love to hear a bit of the landscape right now, what kind of things are going on and where does ClearSale come into the picture?
David:
Yeah, absolutely. So with the pandemic and the way the buying has changed and the way that we’ve been forced to do more online, the eCommerce businesses globally are booming. Most eCommerce businesses or sites have really grown through the pandemic, and a part of that means fraud has grown as well. So just as the opportunity is looking better and more exciting for the eCommerce company, it looks better and more exciting for the fraudsters. And sadly as the businesses grow, the merchants grow, they get more and more attention from the fraudsters. So what’s starting to happen now, it wasn’t that long ago that fraudsters had to be very strategic in who they targeted and how they targeted them. Now, it’s much easier for them, they have a much larger field to choose from. And so it’s really about finding a vulnerability, finding a way to get into a company, whether it’s laundering money or just making fraudulent purchases to resell through eBay or other marketplaces or whatever it might be.
David:
There’s so many more ideas and ways for the fraudsters to capitalize on our current environment. And it’s sad, but it’s exciting at the same time because for us we get to really analyze this and we get to take more time to look at how they behave and look at the things that they’re doing to learn more about a merchant and how they’re trying to analyze because just like we’re using technology to our advantage, well, they are now too. And they’re getting more creative just like we get more creative. So it’s an interesting battle. The playing field changes literally almost daily it feels like sometimes, but it changes every day as we’re trying to stop the fraudsters.
Stephanie:
Yeah. I can imagine. So what are maybe one of the most surprising attempts or maybe it actually ended up working, but what are some case study stories of things that have been happening maybe within just the last six months that you’ve seen where you were like, “Wow, that was actually very impressive how they even got in through that door and what they were actually doing”?
David:
Yes. So there are fraud rings, and these rings are like little companies, they’re like a little enterprise. And they all work together, and they share the information amongst themselves. To share a story with you, one of our clients who was a prospect multiple times but never actually decided to use our solution, they were hit by a fraud ring and cost them thousands of dollars, actually $120,000 in one month. And because they’re a fairly large company, it didn’t even get noticed at first. That was the one month. Then the second month, they saw it starting to happen again. So what was happening from the fraudsters’ perspective is they were able to get in, place orders with stolen credit cards using the proper billing address, shipping address. And then they were able to follow up with the customer service team and change the delivery after it had already gone through.
David:
So after the purchase was made and now it’s at shipping getting ready to head out the door, they call customer service and make that change. And they were having these products delivered to addresses that were actually of unoccupied office buildings. And it was very successful. And the reason that this company actually figured this out is because they started seeing their products all over marketplaces. And it wasn’t just one or two products, it was a lot of their products, and they started to piece it all together. And that’s when they said, “Hey, we’ve talked to ClearSale twice now, we probably should talk to them again.” And they reached out to us and then we sat down and met with their executive team and said, “Wow, okay, yes.” Now, we explained to them what happened was you were essentially targeted and tested. So they tried, the fraudsters try it to see if they could do it, they have success. Okay, well, let’s do another one.
David:
Just like we’re working with a company on the software side, we create a test bed and we do some testing in the sandbox and what have you, fraudsters do the exact same thing. So they’ve run their tests, they had success. And once that happens, they do one of two things, they either share that amongst their ring so they can all hit it and they profit as a group or they say, “Hey, you know what, let’s sell that information.” And it used to be that they sold it primarily on the dark web, they’ve gotten as aggressive as they’ll sell on some Facebook groups.
Stephanie:
Just kind of like how they did it.
David:
Yes. They post it as, “We have this IP, and we can share with you how you can do it, and you can buy that information,” and they’ll walk you through the process. So it’s a very interesting business in that dark web. But yeah, those guys are pretty creative. I have to admit they’re not short on intelligence, they’re not short on technology, they unfortunately just use it for a bad cost.
Stephanie:
And like if you would take those brains and put them somewhere of good use-
David:
Use it for the good, that’s right, exactly right. So that’s one that we had recently, but it’s unbelievable how much information gets sold on the dark web.
Stephanie:
So then I’m trying to think, if I’m a brand, and maybe we’ll even say for now if ClearSale is not even in the picture, how would I even identify that if I’m being tested or someone is calling customer service and changing that? It’s like how would you even be able to identify something like that without making the customer experience bad? Because the first thing that comes to mind is like, okay, then customer service has to be on it, “No, you can’t change your address, it has to be however you ordered it.” But then the customer experience isn’t good. So how do you go about identifying that and also making sure that your journey for your customer is still good?
David:
Yeah. In addition to that, you’ve got the issue of false declines because the way that a lot of merchants will face this and battle it is through filters. They’ll create some filters that will stop those orders. And it could be that, hey, we’ve noticed that we keep getting these orders from, completely generic examples here, so no offense to anyone. Maybe they notice, hey, all of our orders from Alabama are getting redirected to Mississippi, and those are the ones we keep getting chargebacks on. So we’re going to create a filter that says, orders from Alabama don’t come through. And they just cut those off. And so the problem with that is, yes, they are fighting fraud, yes, they’re controlling chargebacks. But now they’ve created false declines, so they’ve created a new problem by solving the fraud problem.
David:
In addition to those false declines, you’ve got the lost revenue as well as the customer experience, the impact on that customer. And you’ve lost in the lifetime value of that customer because chances are they’re not going to buy again. And one of the issues with our current situation with COVID and us as a society buying for others online, and I’ll share this story with you. I was making a purchase, so my boys are going to college,
David:
They find this beanbag that they have to have in their dorm room. Well, I’m thinking it’s a bean bag like what I had at that age, which was about $20 from the local Walmart or Kmart back then. And there’s bean bags like a $250 bean bag. So this is a really nice beanbag that they found on Shark Tank. I said, “That’s fine, that’s fine. I get it, you want to have a nice pad, so cool. I’m down.” So I go online, I place the first order, I’m having that one shipped to Salzburg. And I couldn’t buy both at the same time with two shipping addresses, they wouldn’t let me. So I then get back in and I make the second purchase to send to Towson. That one gets declined. So I’m like, “Okay, I wonder why it’s getting declined.”
David:
Obviously as a fraud professional, I’m thinking it’s because I just placed an order, but maybe my card declined it. So I called my card and they said, “No, it was declined by the merchant”. So then I called the merchant who still hasn’t sent me an email, hasn’t called me, he hasn’t done anything. So I call them, I get to customer service. And they said, “Yes, your order appears to be fraudulent, so both orders have been canceled.” And I said, “Wait a minute, I’ve got two sons, one’s at his college, one’s at that college.” And it took me 30 minutes to convince customer service that I was a real buyer with real kids in college. And they could have easily just said no, and I would’ve just had to try to find that beanbag somewhere else, which I don’t think I could have because I think they do it direct.
David:
And it was very frustrated. And I’ve told that story so many times being that I’m in this industry. Ultimately, they were able to get their beanbags, but they had never sent an email to me. They canceled the first order, it never told me. So fortunately the second one they canceled it right when I made it or I would have never known and I would’ve told my kids, “Hey, beanbags ordered, keep an eye out for the delivery,” and they would’ve never been on the way. That was $500 plus as a customer that they would have lost plus the experience, plus the things that could have been said on social media and everything else. Now, if you use a service like ClearSale, that order comes through. It might get flagged because, hey, this buyer just made two purchases back to back, two different addresses, that’s suspicious, so let’s look into that.
David:
What would happen is, so it would not get auto approved, it would get flagged. Our manual review team will look at it, they would say, “Okay, it looks like two college addresses.” They would say, “Hey, let’s look at his social media.” They would’ve gone to my Facebook page or my Twitter and said, “He’s got two kids going on to college. Oh, wow, he’s got five sons, I feel bad for that guy.” And they would’ve said approved just like that. It would have taken as much time as I just explained that to you, they would have seen it, approved it and onto the next one.
Stephanie:
That’s real people behind the scenes then who are actually going and mini creeping on people to make sure that this looks like an okay purchase? Got it.
David:
So we have 3,000 people sitting there that are getting these orders sent to them that says, “Hey, there’s some risk here. We don’t know what it is, but there’s some risk here, look into it.” They do the analysis and they say yes or no. Sometimes they say not sure, then it gets escalated to the next level to someone with a little bit more seniority and experience. But that’s how we as an organization, we help our merchants approve more orders and recognize more revenue. So we love to take advantage of that. And it’s very hard for a lot of our competitors to be able to do that and approve as many orders as we do because we have the largest data lake we’ve been doing this for 20 years, we are an international. And the fact that we can take an order and say, “Hey, that looks risky. We don’t have to decline it, we want to take it and analyze it and make a decision to hopefully approve it.” And that’s how we end up being the leader in approval rates in the industry.
David:
But back to my original point, that is a great story to share because it happens to people all the time. There’s so many people, you make a purchase and it gets declined and you’re like, “What did I do wrong?” And you immediately think it’s, okay, I put my card number in wrong or I did my CVV wrong, what did I do wrong? And then you try it again and it doesn’t go through, then it’s like what the hell, why what’s going on here? It becomes a serious issue with the customer experience and the lifetime value of that customer is lost, it’s gone out the window.
Stephanie:
So how do I think about then credit card companies? Cause to me, they’re the first line of defense. And then if you guys are the second line of defense and then you’ve got the brand, depending on whatever they want to do, if anything, but how do I think about that whole flow of people who are now going to be involved with helping me prevent this? Because certain credit card companies, they seem great. I’m with Chase, they always are flagging things that are suspicious. I’m like, “I don’t even know how you knew that was suspicious, good job.” Other ones, not so great. I mean, there was times when my credit card got rung up like $10,000, and it never got flagged by another credit card company. And it was very weird stuff that was getting ordered. So how should a brand think about maybe putting in rules from the very beginning of like, I don’t know, which would also I guess hurt the customer experience if you’re saying you can only use certain credit card companies. How do I think about that?
David:
Yeah, that’s exactly right. Because you’ve got to be careful with that and the impact that that has on the customer experience as well. And the credit card companies sometimes they can’t even see it. Yes, it’s a fraudulent order, but everything looks right, it doesn’t look that unusual. And so it gets past the credit card company. A lot of times the credit card companies don’t even see it, don’t recognize it unless there’s an unusual circumstance. So if you might be traveling from when you came to visit here in Maryland on your way back, you hit another state gas station and then another state after that, well, maybe on that third one they flag your card, it gets declined. You have to call them and they’re like, “Hey, what’s going on?” And you explain to them what’s you’re doing, you’re traveling and so forth.
David:
And then usually it’s not an issue, but they can see that. So that’s an unusual circumstance. If someone were to steal your credit card information and go online to gifts or The Gap or whatever and buy some clothes, right, they wouldn’t know any different. And so that’s what makes it so hard for the credit card companies. And a lot of times-
Stephanie:
That’s why we’re looking at the consumer perspective, and then you’ve got the brand perspective that they don’t have insights into where maybe a lot of things look weird at Gap, but they don’t have access to that.
David:
Exactly, that’s exactly right. And so it’s really hard for them to be able to see it. And that’s where they started coming up with, there’s some other solutions that are being used today like in Europe, a solution called 3DS. And that’s where the banks and the cards have more responsibility. And so you might see a 2FA, a two-factor authorization on a purchase where you make that purchase. But before it’ll go through, it sends a code to your email or to your texts on your phone and you have to punch that in, and then it’ll go through. And that’s becoming more and more popular. And that’s how the credit card companies are starting to get involved and trying to help out because ultimately when you get that credit card, you’ll connect it to an email address and to your cell phone number.
David:
And as long as you haven’t been hacked through your phone, that’s how they got your credit card number, but let’s just say they were able to find it by hacking into a website you used it on before. They probably don’t have the details through your phone, and so they won’t ever get that code and then it’ll just stop there. So that’s the future, that’s where we’re headed with some of these fraud issues. But think about it this way, that’s going to happen, and that will start to curb some fraud issues and the fraudsters are going to change. They’re going to make the adjustment. They’re not static, they’re extremely dynamic. And they’ll come up with new creative ways to steal credit card information and make the purchases.
Stephanie:
Oh, I believe it. So when I’m thinking about, okay, for two factor authentication, I want to go deeper on that one because a while back I read a whole article on why you shouldn’t even have that enabled. It was maybe back in my Google days, they sent it around of like you think it’s helpful, but actually it’s actually way worse. And then they can access a lot more things with that. And so then I’ve always been in a weird state where in one way I feel safer, and then I always think back to these security articles where they’re like, “No, actually, it can be way more intrusive and you can be hacked way harder if you have two factors set up.” So tell me more about this because I’m still confused.
David:
So that debate still goes on today, that hasn’t gone away. And the problem is when you create that two-factor authorization, if it opens up the doors to everything, now you’re at risk, meaning you get hacked, let’s say your phone gets hacked. And today we have our face identification we can use. And if you don’t use that, you could use your code to get into your phone. Well, if your phone gets hacked, they can still get in with your code. And even the way that it’s set up to get into your banking apps, that changes. If you used your code, the face is no longer available. Well, that just means they need your username and password, so they can easily get into it. And so that’s one of the reasons why they start talking about the two factor authorization being so dangerous because once it gets hacked, it now opens up a lot of other doors that wouldn’t normally be open.
David:
And so it’s very similar in the credit card situation where they want to send you this code for you to validate the purchase. What happens if, as I was saying before, if they were able to get your credit card information through your cell phone by hacking your cell phone? They have everything. So what’ll happen is that code will come through, that second authorization will come through, they’ll have access to that. They’ll see the code, there’ll be able to then make more purchases because now because it did pass, it won’t get flagged. It’ll definitely get past the credit card company, it will not get any attention at all. So that’s the problem with 2FA. It can be really good, but if you get hacked, it’s really bad because it just opens up so much more opportunity for the fraudsters.
Stephanie:
So don’t let your phone get hacked, step one.
David:
Exactly. That’s why it’s very important, your email and your phone, super important. And especially because of credit cards, I’m sorry, because of gift card fraud. So we go online and we purchase gift cards or we get a gift card and we register it. Well, if we’ve been hacked and we don’t know that we’re hacked, but if we’ve been hacked and we get in there and we’re doing all that information to register our gift card, well, guess what they’re looking for. They’re looking for that information, they’re pulling it. And bam, they use it in a matter of seconds, the balance is gone. We’ve talked to people that say, “Hey, I just got this card today. I went online, and it said I have zero in my account.”
David:
Well, that’s because your email has been hacked or something’s been compromised where they were able to get to it before you did. And they used it. And gift cards are very popular with fraudsters because there’s very little tracking. It’s hard to tell he uses like gift cards, you don’t know where it came from, how it was used. There’s very little data to trace it back to somebody.
Stephanie:
Yeah, okay. I’ll just never use gift cards, that’s the rule for me then.
David:
Well, the key there is if you buy them in the store, you’ve got to analyze that box because fraudsters do have the ability to scratch off the pins on the back and then replace the sticker. That’s very common. And so what happens is they then run bots with the cards that they’ve collected and they keep waiting for them to go active. And as soon as the bots hits one active, bam, they take all the money off of it.
Stephanie:
Can you imagine the person at the register is in on it too. They’re like, “Yeah, go ahead, swipe it, get it real good.” I’m sure that’s happening somewhere.
David:
Sadly yes, I’m sure, I’m sure.
Stephanie:
Okay. So then, well, can your phone … I feel like this just turning into a personal session where I’m just learning a bunch, which is great. Can your phone get hacked if it’s in your possession? Can anyone be [inaudible], how would they get to it?
David:
Yeah. It’s pretty crazy. And you can buy some of these tools on the internet. But they have various readers that are about that big that the carry around. A lot of times they’ll keep it in a pocket on their pant’s pocket or they’ll put it in the small pocket on the outside of a backpack. The reason they put it on the backside of a backpack is they will turn, if you’re on the phone, they will turn their back towards you and it’s able to pull the data from your phone.
Stephanie:
What’s it pulling? What’s it getting?
David:
Everything. It takes all of your information. So literally from, you think about what you see in your settings as you go through your settings on your phone, all of that data is being taken and stored into a folder.
Stephanie:
Like maybe your passwords and stuff from Google Chrome, it saves it on your phone?
David:
Yeah. And that’s another example that I was going to talk about in a few minutes is when you go to Chrome, you can save all your passwords. So now every time I log in, there it is. Well, the problem with that is if they hack into you, they’re getting all that too. That’s why there’s third-party password keepers, they are worth it. They are worth a couple of bucks a month to have those because it keeps it protected. And they’re completely separate. So they’re something to look into. But the other thing I wanted to tell you is they will keep it in their pocket and, for example, go to Penn Station in New York City and just walk around the train station. And they will get hits. And when it starts to pick up, it vibrates. So they just stop and they know that, hey, I’m connected to somebody right in this area, and they’ll just stay there and do their download and then move on to the next one. And it’s amazing.
David:
And then, like I said, they will then take that either use it for themselves or their broker. And so they’re in the business of selling that information and they just go out and collect it and then sell it. which is also a big business.
Stephanie:
That’s why how get the cases, right? What are the cases called that you can put on there?
David:
Well, there’s a number of different cases that you can use. And they’re very expensive on some of the cases but well worth it. Because what happens is it essentially protects the backside of your phone so it can’t transmit anything.
David:
But yeah, it’s well worth it. It’s a little heavier, but that’s okay because I’d rather know that my phone is safe and my information is safe.
Stephanie:
So are you not using Google Chrome then, every time you’re going to log in you’re going to like One Pass or what are you doing?
David:
So I use Google Chrome, but I don’t save my passwords. That’s the key is I don’t save any passwords. I don’t even use a password keeper, I’m not doing any of that. This might sound crazy, and this is cause I’m older, I rotate my passwords and so it has a common name. And then the numbers, the last number will change, and I go by two. It’s an odd number, but it’ll be one, three, five, and it’ll just keep skipping. But yeah, that’s how I do it.
Stephanie:
That sounds too intense for me.
David:
Every 90 days, it gets changed. And I have it set up so that every 90 days it requests a password change courtesy of Microsoft. And that way I’m constantly changing it. And I got to tell you, and my wife will tell you, I am notorious for forgetting my password, and that’s why.
Stephanie:
I’m going to say, I don’t think I can do it. I need to have another alternative.
David:
She gets so mad at me, so mad at me because I would be like, “Wait a minute, I think I remember it.” And she’s like, “Why don’t you write them down?” I’m like, “Because they just keep going in an order, and I forget-
Stephanie:
Yeah. Just put different notes in parts of your house and then you got to piece them together to get the full password every time you want to get on G-mail. What’s wrong with that?
David:
Exactly, exactly. And it’s funny because the kids will log in to use Amazon. They’re like, “Dad, did you change the password again?” I’m like, “Yep.”
Stephanie:
Every three months. I want to also talk a bit about voice because that also seems like a big area that can be infiltrated. I remember hearing that people were calling phone providers at one point, and you can get a lot if you call Verizon or something, access too many details by doing that. So how do you think about that then?
David:
That’s interesting. And we as an organization don’t do a lot there. But from personal experience, I do know that that is very popular with the fraudsters to get into phone records. And what’s interesting is I’m a Verizon customer, I know for myself probably 10 years ago or so they changed it where you had to have a four-pin code. So even though you had your username and password, part of the 2FA was you had to have that code. And that’s still true today. Even when you go in the store, you have to have that code. And if you don’t have that code, they’re not going to talk to you about the account, which is good because I’ve heard of people and I’ve had some friends going through divorces that spouses were trying to get phone records-
Stephanie:
You can track everything on there, you can see everything, all the text messages coming. I’m not creepy, but I know you can.
David:
Yes, yes, exactly. So that’s another one that, and I think that’s more on the personal side versus the business side. I don’t know how much profitability would be in there from a fraudster’s perspective, but it’s definitely something that they can use when it comes to some of the ransom swipe setups where they have your information. They tell you, “Here’s your password, here’s your log-in. We’ve got all this information send us, $5,000 or we’re going to do this.” And I had one personally, I guess this has probably been about four years or so. We were on a family vacation in Myrtle Beach, and I get an email that says something like, “Hey, you’ve been hacked,” and I’m reading this email.
David:
Ad I’m looking for a link thinking they’re trying to get me to click something. And it was just telling me how they had my username and password, which they did, it was right. And they wanted $10,000. And they gave me the information on how to send them the $10,000. And I sent them a not so friendly response, and they responded back to my response, and then I responded to them again.
Stephanie:
Now you’re friends, just kidding.
David:
After that, I blocked that email, but I definitely had fun with it for a while.
Stephanie:
They did that to my friend as well where they had her password and they were like, “We’ve got stuff from a webcam on you, and here’s the password we have. And we’re going to share it if you don’t send money.” And she was like, “Steph, this is actually my password.” I’m like, “I don’t know how they got that, but you should change it.”
David:
See, they get that from the dark web. And we’ve heard about some of the breaches. Accounts get hacked all the time. I know that probably 8 to 10 of my accounts that I’ve used for marketing things or sales things, nothing important, and I have my non-important passwords that I use. And that’s what this particular email referenced. They get hacked all the time because they’re just not built to protect that information. Unfortunately, they just don’t put money into that. And so they get hacked. Once that breach happens, they sell it on the dark web. And people then say, “Hey, I’ve got a hundred of these, I’m going to send them out.” They only need one taker to send them money and it was worth the time.
David:
But yeah, that’s how that happens. And they get your real email, it happens all the time. And then what’s really cool is now you’ve got, I know Capital One does it, I think Citibank has started to do it as well. They will tell you when they find your email, your sosh, I think that’s it, your email or your sosh on the dark web or your address, that’s the other one, your address. If they find it on the dark web, they’ll give you a notification and then tell you where it came from, how it ended up there. Which is really interesting.
Stephanie:
Wow, that’s good.
David:
Yeah. Which is really cool because I just had one a couple of weeks ago. So one of the tools that we use on the marketing side here at ClearSale, and again, it was my easy password. So it wasn’t a big deal, but it’s like myself and probably 50,000 other executives, how many of those executives had their real personal password that they used on there. And now it’s out there, it’s being sold. So it can be scary. I mean, it’s amazing what these fraudsters can do. They get a little bit of your information and then the next thing they get a lot of your information. And that’s the world of the internet, that’s the world we live in today. I can see your name on this zoom call and then I can look you up, and then there’s People Finder and all these other memberships that you can have that will tell me everything about you, and that’s scary.
Stephanie:
Very scary. So to pull myself back in and get back to a brand perspective, if I’m a brand and I’m hearing all this crazy stuff right now, what kind of metrics can I look at today? What can I go in and look at right now that can start helping me understand do I even have a problem with this right now? What should I look at?
David:
So there’s a couple of things that all merchants should be paying attention to large or small. And these metrics will tell a story. And so what you do with that story is what matters most. So let me share with you some of the metrics. Chargeback rate, that’s an obvious one. Chargeback rate needs to be under control. And for the most part, it should be in the neighborhood of 50 basis points or below. Most companies are in the 30s. And as long as they’re 30 to 35 basis points, they’re not in a bad place. We have some merchants that come to us and they’re over 1%. And at that point, now your processor is looking at you like, “Hey, what’s going on? Why do you have all these chargebacks?” Because that’s a danger too, you don’t want to get in trouble with your processors because if you lose your processor, well, hey, now you can’t take credit cards because you’ve had so many chargebacks.
David:
Because a lot of the times chargebacks will result in something as simple as item not as described or item not received. And those two in particular processes worry about because that means, hey, we’re processing this order. It’s not really what they’re saying it is, that’s a concern or it got lost. Well, how many times can it get lost? And so those become issues with processors. So that’s a big deal. So chargeback rate. Approval rate is a huge metric, understanding your approval rate. And for us as an organization, our merchants, we’re above 99% approval rate.
Stephanie:
What’s approval rate mean?
David:
That means out of 100 orders that comes in over 99 are getting approved.
Stephanie:
Okay. Got it, got it, yeah.
David:
Most merchants on their own will be around 90, 93 at the best case scenario-
Stephanie:
And that’s using you guys though, that’s using you-
David:
They’re not using us, and they’re 90 to 93. And that’s because they’re using filters maybe. That’s what a lot of them will use because a lot of eCommerce platforms will give you the ability to create these filters. And I gave you the example of Alabama to Mississippi. So they’ll create these filters that maybe if billing doesn’t match shipping, decline the order. Or, hey, we’ve had a lot of fraud in Australia, so any orders from Australia, decline them. That’s why their approval rate is typically lower, and that’s why we don’t audit a client if anything because we want to try to approve them. That’s our goal, we just want to prove as many orders as possible. So chargeback rate, approval rate. And when you start to understand what that chargeback rate means, if you try to reduce your chargebacks, you’re going to start declining more orders because you’re saying, “Hey, that might be a little risky, that’s probably going to end up in a chargeback, let’s decline it.”
David:
Now, that customer, let’s say they were at 93% approval rate, they’re declining more orders because they want to control chargeback rates. Now, their approval rate is down till 92, 91. So what happens is when you start looking at those two metrics and a customer or sorry a merchant says, “Hey, I don’t have a chargeback problem, I don’t have a fraud problem.” I can without a doubt stay, well, chances are you have a false decline problem. What’s happening is you’re declining good orders so that you don’t have a chargeback problem. And short-term, that’s okay. If you have this attack, something happened and now all of a sudden just chargebacks went through the roof, tighten the reins, close the doors a little bit, but immediately start to solve that problem because that’s not to solve. That’s a bandaid. And you can do that to stop the bleeding, but you then have to bring in someone like us or just someone that has the ability to say, “Hey, we can start letting some of these orders come through because we’re going to analyze them. We’re going to better understand them and start to identify trends.”
David:
And orders that, hey, we declined all these orders that were going to Australia. Well, let’s find the trend in the chargebacks from Australia versus the ones that weren’t chargebacks and start to do things like that. Most merchants don’t have staff to do that.
Stephanie:
Are you able to look historically, go to an org and look at maybe the past six months or something? Be like based off all the false orders that you guys were declining, here’s how much money you actually lost because you declined these orders when they were actually good ones?
David:
Yes, absolutely. And so we get that extract. We’ll say, “Hey, let’s look at 12 months of your historical data.” And we’ll bring that in, we give it to our data scientist team, they feed it into the machine and they start running through it. And using our data lake and using our technology, they start working through it and they say, “Hey, it looks like we’re at 98.9 without manual review.” And then we’ll compare it to what the prospect did in those 12 months, and they’re like, “Yeah, we were at 90%.” Well, just using our technology, we’ll make it better. And that’s why we find ourselves in positions where, we have a merchant right now that we’re talking to, a very large brand that said, “Hey, we want a 99.5% guarantee in approval rates.”
David:
And at first we were like, “I’m not real sure I want to guarantee that, but give us some historical data, let me see what we have.” So for us, that meant we get to practice before we know if we could hit that number. And we hit that number by going through their old data. So we said, “Yes, we’ll do that.” And so we were able to win the business. But normally, we wouldn’t want to say, yeah, we could do that, and still we have that data. So that data is very powerful, very helpful. When you think about a new customer, if we could get 12 months of their data and we feed it into the machine with our machine learning, that’s like 12 months of experience with that new customer. So day one of going live with that new customer is really day 366. And therefore the experience is better for them, the experience is better for the customer and we can approve more orders right off the bat. So very important from a data standpoint.
Stephanie:
Wow, that’s really cool. So what kind of data variables do you need? If you’re coming to a brand and they’re like, “Okay, I have data, what do you want?” what specific things to do you need access to to be able to go back and-
David:
Great question, great question. By the way, we’re hiring. So if you’re interested because you’re asking all the right questions. I would love to add-
Stephanie:
I’ll be there after [crosstalk].
David:
All right. So all the obvious. So we’re looking at the name, we’re looking at the addresses, both billing and shipping. We look at the first few digits of the credit card, the last few digits of the credit card. We’re looking at the IP, if they have that. We’re looking at the product, what are they buying? We’re looking into that. And it’s hard for a new merchant to us, a merchant that hasn’t worked with us in the past to give us more much more than that. But once they start working with us, we get behavioral biometrics. So if you go to a website that is one of our customers, I can see where you came from. I can see if you looked at multiple pages, I can see what you compared product wise. I can see if you copy and paste your address or if you pasted in the credit card number, if you tried multiple credit card numbers.
David:
So I can see all of that information. There’s some behaviors that are on the positive scale, so it’ll actually decrease the risk rate. And then there are other behaviors that will obviously make it look like a more risky order. And so that combined with all the regular data that we collect that you are putting into the system is how we’re able to make our decisions. And we see all the time, we see email addresses that were literally created the day before or four hours ago. And now all of a sudden they’re making a $1,000 order. Okay, that’s suspicious because you just created that email. So things like that will definitely be like, whoa, that gets flagged, let’s look into this a little bit.
David:
But the other thing for us is that order may have or that email may have been created 30 days ago, which is still high risk, but we’ve seen that order two other places with two of our other merchants and we didn’t have any issues and everything was fine. So we know that it’s good. And so that’s why that data lake is so important. But yeah, so there’s a number of data variables that we like to collect. And it’s pretty much consistent across the board. Doesn’t matter what industry you’re in, what [inaudible] you might be in, there’s certain things that we need to know about the customer that helps us to make our decisions.
Stephanie:
Seems like pretty basic variables that any brand should have. So my last question that I just thought of, how often are you guys on the dark web buying the details to the newest schemes? Because I’ve read about that in other areas too of people posting things on Reddit of a how to guide of how to do this, this, and this or going on the dark web and like you said, buying the manual of how exactly to hack someone. How often are you guys in that arena trying to figure out what’s next in the world of hacking?
David:
So we have a team dedicated to that. So we are on the dark web 24/7, we have a number of bots that we’ve created that are looking for keywords. So yes, we have a team that that’s all they do is they’re reviewing that, analyzing that, trying to stay ahead of the curve and understand the trends because, like I said, the fraudsters typically follow the trends set by the fraud prevention companies. And as we start to make the changes, they start to adjust. But quite often, they try to get ahead of us. So that’s why it’s important for us to be good listeners and pay attention to that. We never have to buy anything, so we don’t do anything like that because there’s so much information out there. We just want to know what’s being offered, what’s for sale, that’s helpful. But yeah, we don’t actually make any purchases. But we listen, and like I said, we have a team. We have international team that listens and pays very close attention to that.
Stephanie:
I bet you all have some fun user names in the dark web.
David:
Absolutely. The dark web is very interesting, it’s the weirdest thing I got to tell you. I’ve only gone to it once and was like, “I’m not interested in bouncing around on the dark web again because I don’t want to end up in the wrong place.” Due to my own fear factor, I stay out.
Stephanie:
That was probably for the best. All right, David, let’s move over now to the lightning round. The lightning round is brought to you by Salesforce Commerce Cloud. This is where I ask you a question and you have 30 seconds or less to answer. Are you ready?
David:
As ready as I’m going to be.
Stephanie:
All right. First one, what’s one thing you wish you understood better?
David:
Parenthood.
Stephanie:
Yeah, same. I feel that.
David:
Right, right. I told you I have five sons.
Stephanie:
I have three, so I got to just pop two more out I guess to get on your parent.
David:
Believe me, it happens fast. To give you a serious answer, I would probably say more technology from a data scientist standpoint. Meaning spotting trends and identifying what the numbers are telling us a little bit faster. That’s something for me personally because I am very big into numbers. Numbers tell great stories, they never lie, but you can always be better with your numbers.
Stephanie:
Yep, I agree. That’s definitely a big trend that everyone is turning to data scientists, but now there’s even more to do. And there’s more data and a little overwhelming. If you were to have a podcast, what would it be about?
David:
30 seconds. If I were to have a podcast, it would probably be about eCommerce and how to safely start your eCommerce business and grow that business. Which, by the way, I am currently writing a book on that exact topic.
Stephanie:
Nice. What’s it called or what will it be called?
David:
It’s probably going to be called, we’re only on the fifth chapter, but it’s probably to be called The ECommerce Playbook on How to Build your ECommerce Business. But yeah, that’s what I would do for my podcast.
Stephanie:
I like it. Maybe we’ll partner with you, I’ll let you know. What is the best piece of business advice you’ve ever received?
David:
I think probably best thing I ever heard was in order to get your team to do the things you need them to do, they have to believe in you. And showing them that you can do it just like they can do it carries more weight than teaching them how to do it.
Stephanie:
Show, don’t tell, I love that.
David:
Exactly. And as a owner of a marketing agency being a sales professional, that was something that I had to really work on. And I learned a lot about marketing for that very reason because our staff was full of marketers. And I was a sales guy at heart, so I had to understand that so much more so that I could jump in, I could be a part of it and create those marketing plans, create that go-to-market strategy and be involved just like they would be. And that definitely created that relationship that was respected.
Stephanie:
Love that, that’s a good one. And the last one, what’s up next on your reading list?
David:
My reading list. You know what’s funny, my wife just got a new Kindle. And she asked me to download a couple of books, and I was just recently looking for some new authors. And I’m torn between, The Blue Man is the name of the book, and I forget the name of the author. But I’m torn between The Blue Man and The One Not Received. So two fiction. I don’t typically read fiction, I read all technical type books. And these were two books that came up as recommendations through Amazon Prime. So I think I might have to go down that path and check them out.
Stephanie:
David, thank you so much for coming on here, hanging out. It was a really fun chat. I feel like I learned a lot personally, and I’m pretty sure from a company perspective a lot of brands will get a lot out of bit. So thank you. Where can people find out more about you and ClearSale?
David:
Yeah, absolutely. To learn more about ClearSale, you can visit our website at www.clear, C-L-E-A-R, .sale, S-A-L-E. Me, you can find me on the web. It’s pretty much-
Stephanie:
Not the dark be.
David:
That’s right, not the dark web. Pretty much any social media platform I’m listed as Fletch The ECom Guy. So you should be able to find me on Instagram, Facebook, and LinkedIn and Twitter. And then you can always reach me via email at david.fletcher@clear.sale.
Stephanie:
Perfect. Thanks so much, David.
David:
Great. Thank you, Stephanie.