Why Customer Blacklists Aren’t the Most Effective Way to Fight Fraud
“Blacklist”: the very term sounds ominous, but it refers to a common tool that many merchants use to prevent fraud. In theory, banning sales to a list of accounts you believe to be invalid should lower the risk of fraudulent transactions. The reality, however, isn’t quite that simple: in many situations, strict use of a blacklist is likely to cost a merchant more revenue than it saves. At the very least, merchants will experience unevin reults and should be very careful when employing a blacklist strategy to block customers.
What is a Fraud Blacklist?
- Fraud Blacklist
A fraud blacklist is an archived data list containing personal information and transaction histories of accounts linked to confirmed fraudulent activity. All future transactions are compared to this list, and orders with matching information are declined.
A blacklist is a database built on the belief that potential fraud can be predicted based on previous interactions. It works like this: any time fraudulent activity is identified, pertinent details from that transaction are recorded to a blacklist. All future transactions are compared to that list, and if another order is ever placed using those details, the order is automatically declined.
Depending on the parameters set by the merchant, automatic addition to the blacklist can be based on IP address, email address, physical address, credit card number, and more. Merchants can even choose to block orders from an entire country or region, if too many fraudulent orders were received from the same area.
In some cases, different merchants may share lists with each other. The idea is to create a hard stop for cards that were used in fraudulent transactions, and—to a lesser extent—repeated incidents of chargeback abuse (known as friendly fraud).
eCommerce, Fraud & Chargebacks in the Age of COVID-19
What short- and long-term risks do you face as a result of this crisis? How can you protect your business and prevent loss? Download our free report today.Free Download
Do Customer Blacklists Work?
Fraud blacklists are popular, but do they actually work? In the sense that they block orders, yes—but it will cost you. Blacklists may filter out fraudsters, but they’ll also increase false declines, blocking legitimate orders that just happen to have some of the same information.
Worse, these accounts will stay blocked until they are manually removed from the list. And since internal blacklists tend to be static, with no process in place to regularly update the information over time, you won’t only be missing out on current orders: you’ll likely be cutting out customers for life.
How Static Fraud Blacklists Cost You Customers
The main problem with blacklists is the way they’re built: blocking certain accounts based on orders that were declined due to fraud sounds logical, but the strategy is problematic in many ways:
- It assumes all those declined orders were actually fraudulent. Statistically speaking, that probably isn’t true.
- It assumes that every element of the account is equally fraudulent—also unlikely.
- Because the data only moves in one direction, accounts added to the list stay on the list—even if the account was added by mistake.
- Since accounts aren’t added to the list until after the fraudulent event, blacklists can’t anticipate initial instances of fraud.
- These lists are seldom consistently updated and quickly become inaccurate.
Without the most current and accurate information on your customer blacklist, legitimate transactions can easily be flagged as fraud, falsely declined, and added to the list for future reference. A false decline is bad enough, but keep in mind you’re also talking about blacklisting future sales based on legitimate orders that were simply mislabeled. The problem feeds on itself, and soon your chargeback abuse database is costing you more than it’s saving.
This problem is compounded by the fact that fraud is typically discovered (and in the case of friendly fraud, actually happens) post-transaction. To build an internal fraud blacklist based on fraudulent events essentially requires you to be a victim of fraud in order to identify a fraudster.
Data Breaches: When Your Customers Are Victims
The increasing frequency of data breaches increases the odds that real orders from legitimate customers will end up on a blacklist.
To have any noticeable effect, the parameters for blacklist inclusion must necessarily be broad, checking multiple data points. When millions of bits of personal data are criminally (or accidently) made public, any one of those bits attached to an account becomes suspicious, potentially causing an order to be declined.
The unintended consequence of this, however, is that it can cause other, legitimate accounts to be blacklisted as well, because they share that same bit of data. For example, there are usually multiple people living in a home or working at a business. But blacklisting an account based on physical address means you’re blocking everyone who lives or works there—even if only one account at that address is associated with a fraudulent event.
A single fraud attempt may trigger a blacklist entry that shuts out dozens of legitimate customers: IP addresses can serve any number of people. Legitimate buyers may be working through a satellite office or re-shipper in a riskier country. By building and relying on a blacklist in this manner, you run the risk of throwing out a very large baby with a tiny amount of bathwater.
Whitelists: The Other Side of the Coin
A blacklist is much like blocking a number on your phone, only worse: you’re blocking many different types of transaction data at the same time. It won’t stop fraudsters, but it will block valid sales.
You can also flip the blacklist idea on its head and set up a whitelist—which is basically the same thing, only reversed. Rather than ban certain people, a whitelist blocks everyone except those matching a select criteria. For example, you can ban everyone except customers in the US and Canada.
As you might suspect, whitelists are problematic, too. A whitelist includes accounts that are considered good, and therefore transactions from those accounts get to bypass the review process and receive instant approval. Just like with blacklists, whitelists seem like a great idea on paper, but they don’t really work in the real world.
Think about it: both criminal fraud and chargeback fraud will normally be attempted with legitimate credit card information. In the case of criminals, the data would be stolen; with friendly fraudsters, if could come from a card that was used for an earlier purchase. In either situation, if that credit card is on your whitelist, all future orders would be approved automatically, even if all the subsequent transactions are fraudulent.
The Benefits of a More Proactive Approach
On the surface, chargeback blacklists (and whitelists) might seem like simple, straight-forward, fraud-prevention tools. As we’ve seen, however, they’re far less effective than they appear, and can lead you to reject legitimate transactions.
Reacting to chargebacks by creating broader blacklist parameters is not the solution. Effectively preventing fraud means proactively identifying and resolving as many issues as possible before they manifest. But getting out in front of the problem is tricky—that’s why in most cases, merchants are better off bringing in professional help.
Better Results, Guaranteed
Among merchants, blacklists are popular because they’re simple and easy to understand. The tools and methods that work best, however, are not simple: they’re necessarily complex, because the problem of identifying fraud is complex, as well. The most effective fraud detection and chargeback prevention approach will always rely on a combination of multiple automated processes and human involvement.
At Chargebacks911®, we combine expert human analysis with our own proprietary technologies to create the most powerful chargeback and fraud management solutions available...all backed by the industry’s only performance-based ROI guarantee. Click below to learn more.