The True Cost of e-Commerce Fraud For A Store Owner

How do experts measure fraud? A recurring theme in any fraud-centric conversation is how to comprehend its total costs. Throughout my 12 years in e-Commerce, I’ve worked with countless merchants and their many partners in finance, operations, and marketing. Too often, businesses push fraud to the back-burner, not realizing its true costs. The reality is that the impact of e-Commerce fraud on a merchant’s bottom line is deeply damaging. In this post, I’ll share a real-world example to better illustrate the true cost of fraud.


Meet Jennifer

Jennifer is a store owner who sells jeans through Shopify, an e-Commerce platform. She buys her most popular product – the Boyfriend Jeans – from her local wholesale vendor at $20 a pair. Jennifer uses keystone markup (twice the wholesale cost) to price her item at $40 and offers free shipping on all purchases.

At first glance, a simple calculation shows a 50% profit ($20 profit from a $40 sale) for her Boyfriend Jeans. Although a 50% profit on every sale sounds appealing to many merchants, there are many more costs that haven’t been accounted for.

Below is a more realistic breakdown of the costs associated with selling a single pair of the Boyfriend Jeans[1]:

Jennifer's Boyfriend Jeans



5 Worst Internet Scams of All Time

Online fraud is expensive. The recent StubHub scam cost $1.6 million and the Target data breach cost an estimated $200M (and counting). At Sift Science, we help customers fight back by analyzing millions of data points on patterns of fraudulent behavior and new tactics.

We hear about fraud stories, large and small, and discover something new everyday. Today, we take you back in time to show you 5 of the worst online scams of all time:


5. $1.3MM Lost in Online Dating Scam

In 2013, Ellen, a comfortably retired Canadian woman, lost her life savings of $1.3 million to “Dave”. “Dave” connected with and wooed the lonely Ellen, who thought she had found companionship on an online dating site. Dating site fraudsters prey on vulnerable men and women to elicit money, gifts, and other favors. It’s almost too easy to fabricate stories, personalities, and relationships from behind a screen. After crooks form “relationships” digitally, all they have to do is devise legitimate-sounding reasons for their victims to send money overseas.

Although $1.3 million might seem like a small number on this list, this scam is important to note because it is the costliest swindle of its kind (online romance fraud). Keep in mind that this woman was tricked into willingly giving up $1.3 million.

Did You Know?:

  • In 2013, online dating scams resulted in $90 million in losses to victims.
  • On average, individuals who fall for romance scams lose approximately $21,000.
  • 1 in 10 online dating profiles are scams.


4. $85MM Stolen by Gang in ATM Scam

The biggest ATM scam of all time occurred in 2013, when computer hackers stole thousands of individuals’ credit card information within minutes by hacking into several major credit-card processing companies. They then used the information to steal $45 million from hundreds of ATMs around the world.

Although eight New Yorkers and two Dutch citizens were arrested following the attack, a similar operation shook the industry weeks later, with fraudsters targeting a different credit-card processing company and bank. This time, the hackers stole $40 million.


3. $200MM Stolen by International Credit Card Fraud Ring

In February 2013, the FBI arrested 18 members of a global credit card fraud ring. This organization was responsible for the theft of $200 million. The scam involved obtaining 7,000 fake identities to steal thousands of credit cards, which were used to “borrow” huge sums of money. To borrow this money, the fraudsters inflated the credit of the false identities by providing fabricated information to credit bureaus.

Fraudsters are sneaky!


2. $200MM in Damages Caused by Global Fraud Ring

In 2010, the harshest sentence ever given for a computer crime was handed down by the U.S. federal court, giving hacker Albert Gonzalez 20 years in prison. Gonzalez was convicted of leading a notorious fraud ring that stole hundreds of millions of credit cards by hacking into various retail store accounts. Under the hacker alias SoupNazi, Gonzalez personally amassed $2.8 million, which he used to live lavishly, surrounded by luxury cars and Rolex watches.

Authorities estimate that the scam cost $200 million to businesses and possibly more than $1 billion in total economic damages.


1. Biggest Cyber Crime Case Ever Filed in US History

In July 2013, after pursuing the case for years, federal agents arrested 5 men for hacking into Nasdaq, Visa, Citibank, JetBlue Airways, among other global corporations. Their credit card fraud totaled more than $300 million for companies around the world.

The hackers stole an estimated 160 million card numbers with malicious software installed in Nasdaq servers and hid their crimes by disabling anti-virus software on victims’ computers and storing data on various hacking platforms. They then sold and used this data for huge profits. It turns out that these fraudsters had ties to the 2010 Gonzalez fraud ring—bad habits are hard to break!


At Sift Science, we identify patterns in fraudulent behavior by adapting to your specific business and industry, as well as leveraging the information we see in our global network. We would love to hear about your experiences or stories you’ve heard in the comments below!


Seven Habits of Highly Fraudulent Users

At Sift Science, we analyze a lot of data. We distill fraud signals in real-time from terabytes of data and more than a billion global events per month. Previously, we discovered that the U.S. has more fraud than Nigeria and solved the mystery of Doral, FL. At our “Cats N’ Hacks” Hackathon last week, I decided to put some of our fraud signals to the test. Working with our Machine Learning Engineer, Keren Gu, we discovered some interesting fraud patterns[1]:


Habit #1: Fraudsters Go Hungry

Normal Transactions

When we looked at total non-fraudulent (normal) transactions by hour, normal users had slow starts to their mornings. We noticed a slight dip in transaction volume around lunchtime and suspect that’s because people are taking lunch breaks! Happily fed, they resumed activity in the afternoon and activity petered out as users went home for the day.

What about fraudsters?



Custom Workflows to Match Your Business

Our customers range from on-demand services like Instacart to online retailers like JackThreads to small stores using platforms like Shopify.

Each of our customers is unique not only in the way that fraud affects them, but also in the way fraud teams work through manual reviews of suspicious orders and users. Many of our customers prefer to review just their most recent orders while others prefer to focus on orders with high order values or have mismatches between shipping and billing addresses.

We’ve listened, and with the latest release of the Sift Science console, we’re really proud to give customers the ability to customize manual review queues in the way that makes the most sense for their business.


Custom queues that are personalized for your business
You can now filter queues by any attribute that you send Sift, including order value or country. Also, you can create queues using attributes our algorithms calculate, like the distance between billing address and shipping address or the number of failed transactions.

You still have built-in Orders and Users queues, but now you’ll have the ability to customize those queues further. Also, you can now build a queue completely from scratch through Search, and share that queue with other analysts by sharing a URL.
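As an added example (not the Sift Science console or its API), the following shows how queue rules like the ones described above can be expressed as plain data and applied to a batch of orders, including a derived billing-to-shipping distance attribute of the kind the post says Sift computes. The field names, the haversine distance calculation and the four sample orders are assumptions constructed for this example.

```python
# Added example, not Sift Science code: custom manual-review queues as
# data-driven filters over orders. Field names and sample data are assumed.
from math import radians, sin, cos, asin, sqrt

# Constructed sample orders; *_geo are (latitude, longitude) in degrees.
ORDERS = [
    {"id": "o1", "order_value": 45.0, "country": "US", "failed_transactions": 0,
     "billing_geo": (40.71, -74.01), "shipping_geo": (40.73, -73.99)},
    {"id": "o2", "order_value": 980.0, "country": "US", "failed_transactions": 3,
     "billing_geo": (40.71, -74.01), "shipping_geo": (25.82, -80.35)},
    {"id": "o3", "order_value": 120.0, "country": "CA", "failed_transactions": 0,
     "billing_geo": (43.65, -79.38), "shipping_geo": (43.65, -79.38)},
    {"id": "o4", "order_value": 650.0, "country": "GB", "failed_transactions": 1,
     "billing_geo": (51.51, -0.13), "shipping_geo": (51.50, -0.12)},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def enrich(order):
    """Add the derived attribute the post mentions: billing/shipping distance."""
    o = dict(order)
    o["bill_ship_distance_km"] = haversine_km(o["billing_geo"], o["shipping_geo"])
    return o


# Rules are (attribute, operator, threshold) tuples; a queue matches an order
# only if every rule matches. Operators come from a fixed table, so a queue
# definition stays plain data and is never evaluated as code.
OPS = {
    ">=": lambda x, y: x >= y,
    "<=": lambda x, y: x <= y,
    "==": lambda x, y: x == y,
    "in": lambda x, y: x in y,
}


def matches(order, rules):
    return all(OPS[op](order[attr], threshold) for attr, op, threshold in rules)


def build_queue(orders, rules, sort_key="order_value"):
    """Ids of orders that satisfy every rule, highest sort_key first."""
    hits = [o for o in map(enrich, orders) if matches(o, rules)]
    hits.sort(key=lambda o: o[sort_key], reverse=True)
    return [o["id"] for o in hits]


# Three queues an analyst might save and share: high-value orders shipping far
# from the billing address, orders with failed payment attempts, and non-US orders.
HIGH_VALUE_MISMATCH = [("order_value", ">=", 500), ("bill_ship_distance_km", ">=", 100)]
FAILED_PAYMENTS = [("failed_transactions", ">=", 1)]
NON_US = [("country", "in", {"CA", "GB"})]

if __name__ == "__main__":
    for name, rules in [("high value + address mismatch", HIGH_VALUE_MISMATCH),
                        ("failed payments", FAILED_PAYMENTS), ("non-US", NON_US)]:
        print(f"{name}: {build_queue(ORDERS, rules)}")
```

Keeping the operator set to a fixed whitelist is the design point worth copying: a queue that analysts share by URL is user-supplied input, and a filter language that is data rather than code cannot be turned into an injection vector.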


It’s now easier to train Sift Science to spot fraud
We’ve also made labeling users a one-click experience in Queues and the User Details panel to help analysts understand the labeling process better as well as be more efficient. You can still add a reason (like chargeback or spam) after you’ve labeled a user.


We’ll be rolling these changes out to you on August 4, and we won’t be supporting earlier versions of the console moving forward.


Help make Sift Science better!
We love feedback! If you have any thoughts you’d like to share, please let us know what you think by emailing


The Sift Scientists


Behind the Signal: Doral, FL

What’s up with Doral?

Let’s say you’re going through orders, and you come across one with a high order value where the billing and shipping addresses don’t match. You decide to do a bit of sleuthing, starting with research on the shipping city: Doral, FL.

At first glance, shipping to Doral seems like a no-brainer:

Based on that information, it’d be perfectly reasonable to ship that order.

However, there’s also cause for caution. Sift Science has found that — despite Doral’s wealth and status as a member of the Trump empire — orders shipped there are 8X more risky than normal!


What Versus Why

At Sift, insights like these are discovered automatically, and often the signals are subtle and not immediately intuitive. After all, a computer can say “what”, but it takes a human being to say “why”.

For Doral specifically, I did ask “why”, and here’s what I found.


How Did My Credit Card Info Get Stolen?

Nobody likes dealing with credit card fraud. It can be embarrassing and difficult to admit that you’ve been a victim. At Sift Science, we often hear from our customers about 2AM nights at the office spent triaging thousands of orders that were placed with stolen credit cards. Today, we thought it would be helpful to understand how it all starts. To do this, we need to go underground, deep inside criminal territory. It goes without saying that credit card fraud is malicious and illegal. It can result in felony charges and several years of imprisonment.


Simply put, credit card fraud starts with theft. With determination and time, fraudsters can obtain credit card numbers and information at any price. In fact, an entire underground economy, complete with moderators and reviewers, exists for criminals to buy and sell your information online. Databases of people’s names, credit card numbers, and even complete bank account login information (also known as “FULLINFO” or “FULLZ”) can be sold for anywhere from $2 to $50. “Carders”, as these thieves are called, even share tutorials and spread information on which sites are vulnerable to attack.


The act of the theft itself can take shape in a number of ways. The most common are hacking databases, sending phony emails (also known as “phishing”), and exploiting security holes. Sophisticated carders usually hoard the information and sell it in bulk to consolidators. The consolidators then sell it on the black market, lurking in secret online forums or chat rooms. They even offer flash sales and bulk discounts. Here is a sampling of “products” and prices we found in our own research via Google:



Three Ways Gamers Cheat in Online Poker

As we mentioned before, there are many signals linked to fraud in the digital world. At Sift Science, we use advanced fraud detection technology to help customers identify bad behavior and adapt to tactics in real time. In the online gambling sphere, where regulations and oversight are unclear, gaining player trust by providing a safe and fair environment is paramount. One way to improve game experience is to prevent fraudulent behavior.

Here are three common ways gamers commit fraud in online poker.

1. Bonus Abuse Through Multiple Accounts

Poker sites often give away play money using bonus codes to attract new players. Fraudsters try to take advantage of this and sign up using multiple accounts at the same game table or tournament, causing the poker site to lose money while also providing a bad experience for other players. Usually it’s enough to track account registration by IP address, but for advanced cases, more sophisticated tools are required. The best fraud detection tools use device fingerprinting to find multiple accounts created by a single laptop or computer.
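As an added example (not any poker site's detection code), here is the grouping logic the paragraph describes, run over a constructed set of bonus sign-ups: first by IP address, then by device fingerprint, then narrowed to accounts that redeemed a bonus and sit at the same table. The record fields, fingerprint values, IP addresses and seating are all constructed for this example.

```python
# Added example, not any poker site's detection code: grouping bonus sign-ups
# by IP and by device fingerprint to find one person behind several seats.
# All sign-up records, fingerprints, IPs and table seating are constructed.
from collections import defaultdict

SIGNUPS = [
    # alice and bob share an office NAT address but use different laptops
    {"account": "alice", "ip": "203.0.113.10", "device": "fp-aaa1", "bonus_code": "WELCOME50"},
    {"account": "bob",   "ip": "203.0.113.10", "device": "fp-bbb2", "bonus_code": "WELCOME50"},
    # carl registered three accounts from one laptop, the third via a different IP
    {"account": "carl",  "ip": "198.51.100.7", "device": "fp-ccc3", "bonus_code": "WELCOME50"},
    {"account": "carl2", "ip": "198.51.100.7", "device": "fp-ccc3", "bonus_code": "WELCOME50"},
    {"account": "carl3", "ip": "192.0.2.44",   "device": "fp-ccc3", "bonus_code": "WELCOME50"},
    {"account": "dana",  "ip": "192.0.2.9",    "device": "fp-ddd4", "bonus_code": None},
]

# Which accounts are seated at which table (constructed).
SEATS = {"table-17": {"alice", "bob", "carl", "carl2", "carl3", "dana"}}


def group_accounts(signups, key):
    """Map each value of `key` (e.g. "ip" or "device") to the accounts sharing
    it, keeping only values shared by more than one account."""
    groups = defaultdict(set)
    for s in signups:
        groups[s[key]].add(s["account"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def flag_shared_device_at_table(signups, seats, min_accounts=2):
    """Accounts that redeemed a bonus, share a device fingerprint, and sit at
    the same table: the multi-account pattern described in the post."""
    bonus_signups = [s for s in signups if s["bonus_code"]]
    by_device = group_accounts(bonus_signups, "device")
    flagged = {}
    for table, seated in seats.items():
        for accounts in by_device.values():
            together = accounts & seated
            if len(together) >= min_accounts:
                flagged.setdefault(table, set()).update(together)
    return flagged


if __name__ == "__main__":
    print("shared IP:    ", group_accounts(SIGNUPS, "ip"))
    print("shared device:", group_accounts(SIGNUPS, "device"))
    print("flagged:      ", flag_shared_device_at_table(SIGNUPS, SEATS))
```

The sample data is arranged to show why the paragraph calls IP tracking sufficient only for simple cases: grouping by IP alone lumps two unrelated players behind one NAT address together and misses the third account registered from a different address, while the device fingerprint ties all three of that player's accounts together.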

2. Computer Bots in Poker Rooms

Hackers have created computer programs (“bots”) that automate online poker play. Bots are banned from poker sites because they create an unfair advantage–computers have no emotion, so they are not subject to “tilt” (the poker term for player aggression when they play a poor strategy). Fraud rings have been caught colluding and cheating players out of hundreds of thousands of dollars using bots.

So how do poker sites detect bots? While most detection techniques are proprietary and unknown to the general public, some measures include monitoring player reaction time, suspicious mouse movements, and randomized pop-up windows with challenge questions.

3. Chip Dumping in Tournaments or Ring Games

Chip dumping happens when a player intentionally loses chips to another player at the table to give them a better chance to win. It has become a way for players to launder money. Fraudsters use stolen credit cards to deposit funds and then dump chips at a cash table to another account he or she created. In other cases, the fraudster will hijack an innocent player’s account (“account takeover”). Online poker rooms typically check for players making curiously large bets with a terrible hand or folding on a relatively safe bet.


Interestingly, most fraud is caught by vigilant human players who report fraudulent behavior. However, cyber criminals can still take advantage of even the most experienced (and most valued) players. One reason is that online poker is still mostly illegal in the US and most sites are physically located offshore. It can be difficult to determine whether sites are legitimate and whether it’s safe to hand over your credit card number. The good news is that there are simple steps players can take to protect themselves from fraud.

To learn more about common methods online poker rooms use to combat fraud, check out Cheating & Collusion at Online Poker Rooms. If you’ve been a victim of online fraud or would like to learn more about us, let’s talk.


What It’s Like to Intern at Sift Science

Editor’s Note: This is part of a series of blog posts by Sift Science’s superstar interns. Today, we hear from Holly Yu, a summer intern in her second week on the Marketing team. Holly is currently pursuing a Bachelor’s Degree in Consumer Psychology at the University of Pennsylvania.


Sift Science is the best place for interns who want to take initiative on projects while learning from the best and the brightest. All of us are working on projects that will have a direct impact on the company. I often hear interns at huge companies complain that their work is one-dimensional and insignificant to the company’s larger goals. Even at smaller companies, interns are often given menial work, not trusted with important tasks. At Sift, I’ve already felt changes in the company with the work I’ve done so far! But most of all, I think what makes Sift Science great is our tight-knit and welcoming culture.


Sift Science Interns Jump Attempt #6

Sift Science Interns Conquer San Francisco’s Angel Island


Every day at lunch, we gather to eat catered lunch, share stories, and laugh together. A long-standing tradition here is to play Two Truths and One Lie with new Sifties, interviewees, or just friends visiting the office. Our company has been growing really quickly, so there has been at least one game per day.


We also have bi-weekly all-hands meetings where each of us gets the opportunity to contribute ideas to the group and talk openly to Jason, our CEO. Coincidentally, Wednesdays also call for game night — board games!


During the first week of my summer internship, I hit the ground running with a week full of intern bonding events. On a sunny Sunday, our group of seven interns headed over to a Y Combinator BBQ and got to meet and take pictures with Paul Graham, the founder of Y Combinator, and Alexis Ohanian, founder of Reddit. We got to make friends with interns from other Y Combinator companies. Here’s a picture of Sifterns, Pebblers, the Sift Scientist, and Alexis (photobombing):




Sifterns take over Y Combinator… and then the world!


Later the same day, we dashed over to a Bay Area Intern meet-up with over a thousand interns lounging, chatting, playing frisbee, eating, or whizzing by on giant inflatable slides. We randomly ran into a former Sift Science intern named Eric and snapped a picture with him.


Sift Science Interns at The Intern Project hosted

Hi Eric!


We recently had our 3-year anniversary party, where we dressed up as our favorite scientists and ate delectable food, donned lab coats, and danced to music! All of our friends, families, and customers came and had a blast at the science-themed party.


Sift Science 3-Year Anniversary Party

“Sifties Luv Bayes”


I’m extremely fortunate to have the opportunity to work in a dynamic environment filled with such great people!


For updates and more, check us out on Twitter, Facebook and Instagram.



Our next chapter

The internet offers unprecedented connectivity, scalability, and anonymity. Unfortunately, it can also be abused. As activity moves from the physical to the online world, so does fraud. Online chargebacks, spam, referral abuse, and account takeovers cause all sorts of headaches for businesses that would rather focus on their core competencies.

At Sift Science, we make world-class online fraud detection easy and accessible to merchants of all sizes. Just over a year ago, we launched our first product: a fraud detection API that empowers online merchants with realtime, large-scale machine learning. This is the same core fraud detection technology used by giants like Amazon and Google.

And boy oh boy, it’s been a busy year. We launched a new version of our API, a real-time fraud console, plugins for Shopify and Magento, and many other exciting changes. We now analyze more than $1.5 billion of transactions and 600 million events each month. We’ve helped customers detect, in realtime, 95% of their fraud with an industry-leading 7% false positive rate. We’ve cut their manual review rate more than sixfold, while enabling them to capture revenue that would have otherwise been rejected. Our customers include retailers of physical and digital goods, financial services companies, marketplaces, mobile-only companies, nonprofit organizations, and online communities on all six habitable continents. They range from high-growth businesses like Airbnb, Uber, OpenTable, Indeed, JackThreads, Kickstarter, and HotelTonight, to mom-and-pop shops collecting their first dollars. We also won the Best Emerging Technology Award at this year’s Merchant Risk Council conference (a key event in the anti-fraud industry). Woohoo!

And now, some exciting news. We recently closed an $18M Series B round of funding led by Spark Capital. We welcome Mo Koyfman to our board of directors, a kindred spirit who shares our passion for great product experiences and big thinking. We’ll use the funds to grow our team and accelerate our sales, marketing, and product development initiatives. We have just begun our mission to make the internet a better place. Our machine learning product improves with more customers and data, and over time we believe that this network can deliver tremendous value across the web.

To our customers and investors – thank you for your continued support. We will work hard to deliver even more value. To our potential customers – don’t hesitate to contact us and learn how we can help protect your business. To potential candidates – we’re hiring across the board.




What to do about Heartbleed

Yesterday, the OpenSSL Project released an update to address a vulnerability nicknamed Heartbleed. Heartbleed affects websites that rely on OpenSSL for the encryption behind HTTPS, the same bank-level security best practice used across the internet.

Sites whose web addresses start with “https” (~66% of the internet) and run OpenSSL are impacted. For many sites, the risk posed by Heartbleed is extremely small.

At Sift Science, we are hyper-vigilant about data security. It is our #1 priority. We took internal action immediately upon hearing of the issue. As of Tuesday, April 8 at 4PM PDT, our SSL certificates and infrastructure are updated to protect you against this vulnerability.

For users:

  • If any of the websites that you go to require or have required login over SSL served by OpenSSL 1.0.1 through 1.0.1f in the last 2 years, ask them if they’ve issued a fix. You can use this tool as a starting point.
  • Once they have, change your password. For passwords, longer is generally stronger. (Sift uses this xkcd comic to illustrate what a strong password looks like.)

For businesses that use SSL:

  • Upgrade to the latest version of OpenSSL immediately (1.0.1g or 1.0.2-beta2).
  • Contact your SSL certificate authority and reissue your SSL keys.
  • Once your new SSL keys are installed, ask your certificate authority to revoke all old SSL keys.
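As an added example (not the OpenSSL Project's or Sift Science's code), the following classifies the banner printed by `openssl version` against the affected range stated above, and checks the second and third steps of the business checklist by comparing a certificate's validity start against the time the fix was deployed. The sample banners and timestamps are constructed for this example; treating 1.0.2-beta1 as affected follows from the post naming 1.0.2-beta2 as the fixed release on that branch.

```python
# Added example, not the OpenSSL Project's or Sift Science's code: classify an
# `openssl version` banner against the Heartbleed-affected range and check that
# keys were regenerated after the fix went in. Sample banners are constructed.
import re
from datetime import datetime

# Per the post: 1.0.1 through 1.0.1f are affected and 1.0.1g is fixed; the
# 1.0.2 line is fixed in 1.0.2-beta2, so beta1 is treated as affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.I)


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', None)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (beta.lower() if beta else None)


def is_heartbleed_vulnerable(banner):
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"          # "" (plain 1.0.1) through "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == "beta1"
    return False                      # 0.9.8 and 1.0.0 branches are not in the affected range


def key_rotated_after_fix(cert_not_before_iso, fix_deployed_at_iso):
    """Steps 2 and 3 of the checklist: a certificate whose validity started
    before the patched library was deployed still carries a key that may have
    been exposed, so it must be replaced and the old one revoked."""
    return datetime.fromisoformat(cert_not_before_iso) > datetime.fromisoformat(fix_deployed_at_iso)


if __name__ == "__main__":
    for banner in ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"]:
        print(f"{banner:35} vulnerable={is_heartbleed_vulnerable(banner)}")
    # Constructed deployment time, in the PDT offset the post uses.
    fixed_at = "2014-04-08T16:00:00-07:00"
    print("rotated:", key_rotated_after_fix("2014-04-09T10:00:00-07:00", fixed_at))
```

Two caveats when using a check like this in practice: Linux distributions commonly backport the fix without changing the version number, so a banner that reads 1.0.1e means "check the package changelog", not an automatic verdict; and reissuing a certificate only helps if a new private key is generated first, which is why the date comparison above is keyed to the new certificate's validity start rather than to the library upgrade alone.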


For a non-technical explanation of Heartbleed as a bug, check out gizmodo. You can find technical information on the CVE-2014-0160 vulnerability and on