How Allow & Deny Lists Impede Fraud Prevention

How ClearSale Is Leading the Way With More Inclusive Language

ClearSale is committed to leading the fraud prevention industry with our commitment to diversity, equity and inclusion in every way possible. We’ve begun to change the conversation around fraud and technology to eliminate outdated, discriminatory terms.

Specifically, we’re no longer using the terms “blacklist” and “whitelist.”
Instead, we’re using the terms “deny list” and “allow list.”

The reason? Using terms that imply “black” as bad and “white” as good is steeped in systemic racism. We still work in an industry in which our clients and partners have yet to transition away from those terms and may have to reference them, but our preference and practice moving forward is to use the terms “deny list” and “allow list.”

Now that we’ve established this new vocabulary, we can take a deeper look into what these lists are and the risks and issues with each.

Risks & Issues With Deny Lists

Fraud prevention deny lists have a long history as a go-to tool that ecommerce businesses use to prevent fraud and, ultimately, chargebacks.

When a business is hit with a chargeback, all the transaction details are added to the deny list, including credit card details, email addresses, IP addresses and physical addresses. That way, the next time an order is placed using any of the same data, the transaction is automatically declined.

While this seems to make sense in theory, in practice it creates a lot of problems.

Deny lists can prevent future fraudulent transactions and simplify operations, but they’re a misguided way to address chargebacks. Deny lists don’t just block fraudsters — they can also block good customers with legitimate orders.

You Risk Turning Away Your Best Customers

Think about it. Customers don’t necessarily live at the same address their entire lives. They shop across multiple channels and multiple devices. By relying on a single list of credentials to parse out unauthorized purchases, businesses ignore modern consumer behavior.

Consider the circumstances that brought one client to us. They had a celebrity customer who made multiple high-dollar purchases (upward of $3,000 each) per week, using their assistant’s name to protect their identity.

The client mistakenly put the customer on a deny list because the transaction frequency and amounts “seemed” suspicious. To say the customer wasn’t happy about being blocked is an understatement.

The loss for the client was significant:

• At a pace of $30,000 per week, that celebrity customer could’ve represented more than a million dollars of sales in one year.
  
• Any possibility of the client providing a much-desired endorsement — and all the revenue that would’ve generated? Gone.
  
• The risk of negative exposure on social media if that celebrity complained was terrifyingly high — especially when you consider that they’d likely complain on social media after being declined for just one purchase.

The lesson our client learned?

Fraud prevention deny lists can backfire in epic fashion.

You Mistake Legitimate Transactions for Fraud

Now think about what happens when a fraudster uses a legitimate customer’s credentials, which then end up on a deny list.

Usually this happens as a result of account takeover (ATO) fraud, which was responsible for every fifth login attempt and 13% of U.S. ecommerce fraud costs in 2021. ATO fraud happens when a criminal hacks into an online database and steals customer data. That data is used to take over the identity of legitimate customers and even change or set up new accounts in the customer’s name.

If those customer credentials are placed on a fraud prevention deny list purely because of a chargeback and/or fraudulent transaction, your business runs the risk of declining legitimate transactions.

You Cast Too Wide a Net

Not all details from a fraudulent transaction are unique to the fraudster. For example, large apartment buildings, university dorms, shippers and other multi-unit buildings might have one general delivery address but include a large number of people. Blocking one of those addresses can prevent hundreds of legitimate customers from making transactions.

Along the same lines, IP addresses are dynamic. The IP address a user has today can belong to someone else five days from now. Adding an IP address to a deny list will almost certainly block a valid customer.

Fraudsters Know How to Get Around Deny Lists

Fraudsters constantly change the details they provide when placing orders online. After all, think about how easy it is to create a new email account today. In addition, fraudsters have a treasure trove of stolen credit card details, proxy servers and shipping addresses to choose from.

It’s important to understand that unless you’re a fraud prevention expert, fraudsters will often be three steps ahead of you. So, adding their transaction details to a deny list and blocking their transactions will only cause them to use a different combination of credit card and shipping address details. It’s a constant (and exhausting) game of “Whack-a-Mole.”

When Should You Use Deny Lists?

In some unique situations, a deny list may make sense. Usually, those situations have nothing to do with fraud or are only peripherally related. But there are times when preventing customers from making transactions is needed.

Problem Customers

There are customers who are simply more hassle than their transactions are worth — if they’re abusing staff or your policies, for instance. Putting these customers on a deny list to keep them from coming back to your online store and creating more drama and work for you and your employees frees up your time to deliver great service to other valued customers.

Known Criminals

Customers who’ve been caught stealing in brick-and-mortar stores are another example. You definitely don’t want them to do business with you again, since they’ve already shown their intent.

Fired Employees

If you’ve had to let an employee go for stealing and/or the employee has expressed a desire for vengeance of any type, you’ll definitely want to block them from making purchases and having any access to your ecommerce presence altogether. 

Blocking these customers makes sense, but we recommend being very judicious with deny lists and considering a more comprehensive approach to fraud prevention.

On the other end of the spectrum, some companies automatically approve certain transactions without any evaluation. Those transactions are often associated with what’s called an “allow list,” which is equally dangerous.

Are Allow Lists Effective?

An allow list is similar to a deny list except the practice is reversed. Rather than ban certain people, an allow list blocks everyone and allows only certain people through. For example, you can ban everyone except customers in North America or customers in countries with low fraud risk such as Denmark, New Zealand, Finland, Norway and Switzerland. Another reason someone may end up on an allow or deny list could be related to a specific offer or sale.

In theory, an allow list is effective in parsing out exactly which customers can make purchases, either because of their status with your company, their location, or other factors.

However, there is a significant risk with using an allow list. Should a fraudster gain access to just one customer's data on an allow list – typically as a result of ATO fraud – they will be like a kid in a candy store with virtually no restrictions. 

Allow lists are usually designed to circumvent fraud analysis, so there is no opportunity to screen for fraud or learn about shopping patterns to help detect fraud in the long term. That’s why we caution ecommerce companies about allow lists and suggest alternatives. 

How ClearSale Handles Deny Lists & Allow Lists

Accurately detecting and identifying credit card fraud is extremely complex.

While deny lists and allow lists seem like effective ways to prevent fraudulent transactions and increase your business’s profits, neither is foolproof and both often result in rejecting legitimate transactions while approving fraudulent ones.

We understand why these lists are used, but the risk of being wrong is high. As we pointed out earlier, the suspicious transactions could be from a loyal customer or one who’s the victim of ATO fraud. The last thing any business wants to do is lose the lifetime value of their best customers.

“There’s a lifetime value of each customer that you lose when they’re not going to buy from you anymore, you might lose a sale for a $200 item. But that may be a customer who was going to shop with you five times over the course of a year. That’s $1,000. And over a lifetime of shopping, that could be $25,000 of lost revenue from one false decline.”

David Fletcher, ClearSale Senior Vice President

“Each customer has a lifetime value to your company that you lose if they never purchase from you again. Accidentally blocking a valid customer who is attempting a $200 purchase could actually cost you much more. If they would have shopped with you five times that year, that’s $1,000 lost. And over a lifetime of shopping, that could be $25,000 from just one false decline. When you consider how many false declines are actually legitimate purchases, the numbers get very large, very quickly.”

The Impact of False Declines

In addition to just the bare-bones loss of sales, you also must consider the significant impact false declines can have on your CX. In our original research report, State of Consumer Attitudes on Ecommerce, Fraud & CX 2021, we discovered 40% of consumers would never shop with a company again after a false decline.

And this destruction of consumer trust comes with a steep price: For every $1 in false declines, an ecommerce business loses $13.

Those customers aren’t just going to stop shopping with your brand. If they’re millennial or Gen Z customers, they’re also likely to take their complaint(s) to social media. That means losing even more customers at a cost that can’t be totally quantified.

Fortunately, there’s an alternative to deny lists that we’ve found useful in preventing fraud and false declines.

Use Warning Lists as an Alternative

Instead of a deny list, we use a warning list, which flags transaction details associated with fraud or chargebacks.

When any of the flagged details are found in another purchase attempt, that transaction is flagged and reviewed extensively to determine if it is, indeed, fraud or some other circumstance. Maybe the customer is making multiple purchases and accidentally entered the wrong credentials multiple times. They could’ve been the victim of fraud themselves. There are myriad reasons aside from actual fraud for why a transaction appears suspicious.

By subjecting those transactions to a more rigorous review instead of rejecting them outright, overall fraud prevention is significantly improved.

Here’s why.

Warning Lists Promote Machine Learning

When online businesses add transaction credentials to a deny list, those purchases aren’t evaluated through any type of fraud prevention system. They’re simply declined. The data isn’t integrated into any internal intelligence.

However, when we use a warning list, the transactions are flagged, and the data is processed using artificial intelligence — this trains our system to better recognize fraud. So, not only are we preventing false declines, we’re teaching our system to be better at automatically detecting fraud.

Are Your Fraud Prevention Deny Lists Helping … or Harming?

It’s natural to be a little wary of eliminating your deny lists altogether. The first step is to determine if they’re helping or hindering your business.

Look at Your False Decline Rate

If your deny list is working, your false decline rate should be low. If you’re experiencing a high rate of false declines, social media complaints and blocked transactions, your first place to look should be your deny list.

Check the Last Update Date for Your Deny List

If the last time you updated your fraud prevention deny list was more than two months ago and you include IP addresses, make sure to create a process for evaluating and updating your list.

And most importantly, track why each entry is on the list. During each evaluation, see if that rationale is still relevant — you may have new information that can change things considerably.

The Best Solution Is Fraud Prevention

Ultimately, fraud prevention deny lists should be handled gingerly. Fraud prevention is not a one-size-fits-all activity.

To truly fight fraud, you’ll need a more strategic approach. Not only do you need to stay up-to-date on fraud trends, locally and globally, but you also need to have the experience and bandwidth to do a complete analysis using technology and secondary reviews.

That’s where a fraud prevention partner comes in. An expert team that can analyze transactions, identify potential fraudulent patterns and maintain a warning list for further examination will help you take fraud off your plate, so you can focus on sales and grow your business.

At ClearSale, we can help you find alternatives to a fraud prevention deny list and keep your online business protected.

ClearSale brings a global network and dataset to distinguish between a valid customer and a fraudster. Our 1,500+ highly trained analysts can quickly spot a high-risk order. We analyze data points, conduct behavioral biometrics and offer an extremely high degree of accuracy.

We can also conduct a full analysis of your database to determine fraud trends as well as consumer behaviors and attitudes. If you’re looking for a partner to help prevent fraud, chargebacks and false declines, contact us and one of our analysts will work with you to create a solution specific for your company’s unique needs.