How Online Fraud Become Physical Theft
The line between online fraud and in-store theft is vanishing. Buy Online, Pick Up In-Store (BOPIS) has reshaped retail with speed and convenience, but it’s also organized retail crime crew’s new opportunities.
What begins as a stolen credential online can end with a bag of merchandise walking out the door.
The problem? Fraud prevention teams watch transactions, while Loss Prevention teams watch store exits. Too often, those two defenses never connect, leaving gaps criminals are quick to exploit.
The Big Picture: What Is BOPIS Fraud and Why It’s Growing
Buy Online, Pick Up In-Store (BOPIS) has become a staple in retail. Customers love BOPIS because it saves money on shipping costs, speeds fulfillment, and adds flexibility to the shopping experience.
For retailers, BOPIS has become a competitive “must-have”. However, the same aspects of BOPIS that make it attractive for consumers also create weaknesses to traditional fraud defenses. Since there’s usually no shipping address to verify, verifying the legitimacy of an order becomes much more difficult.
Fraudsters know this, and they’ve leaned in.
COVID-19 helped BOPIS sales grow more than 500%. While it was growing, fraud attempts also grew. As of today, roughly 7% of all BOPIS transactions show evidence of fraud. This is 2.4% higher than in other methods.
Some schemes start small. Why hit you with a $1,000 laptop when I can place a $50 supply order and see if the staff pays attention? For many organized crews, low-value fraud is practice for a higher-value hit.
It is clear why retailers should be worried. BOPIS strategies are growing faster than controls to mitigate fraud, and the gap is being cut out of margins.
Real-World Proof: How Retailers Are Feeling the Impact
These are not hypothetical risks. They are showing up on balance sheets right now.
In one survey, 40.4% of retailers said BOPIS has increased fraud concerns, and over a quarter admitted losses between 3% and 10% of revenue. That’s not margin erosion, but a business threat.
Defenses like ID checks, signatures, or card verification are common but often inconsistently applied. Fraudsters can easily find the weak link. And when stolen credentials are used for pickup, cardholders dispute the charge, leaving merchants stuck with chargebacks and no merchandise.
Some scams get creative.
Fraudsters will make a BOPIS order, then race to the nearby retail store to return it, for example. They may swap the product for gift cards or straight cash. It is the classic return scam taking place in the e-commerce landscape, but now it is using the brick-and-mortar resources to obtain instant cash from stolen goods.
The Ops Gap: Where Fraud Prevention and LP Break Down
Fraud prevention teams may flag questionable orders, but those alerts get lost well before they can reach the store floor. Loss Prevention teams have been trained to stop shoplifters, instead of to investigate transaction anomalies hidden away in fraud systems.
That disconnect leaves staff exposed.
Imagine a new employee behind the pickup counter. An aggressive customer argues the order is theirs. Without proper context as to the issue, and without the confidence that management is backing them up, many employees hand off the order.
It’s really no wonder employees think they will personally be held liable for fraud slipping through. This scenario shows us just how unsupported and vulnerable front-line workers can feel because of systems designed without regard to the realities at the store level.
Retailers are walking through a tightrope.
Push too hard on verification and you risk frustrating legitimate customers; ease off and you allow a fraudster to walk out with both merchandise and profits. Without integration, the operational gap between fraud and loss prevention is where criminals win.
The Criminal Advantage: Exploiting the Disconnect
Organized retail crime groups know how to exploit the gaps. Combining online carding with physical in-store pickups, they can navigate between digital fraud and physical theft.
There are obvious policy loopholes that provide easy points of exploitation, like allowing proxy pickups, accepting partial ID matches, and allowing transactions to process after a cancellation has been requested.
Many scams start small. A $50 supply order to see if the staff will release it without any questions or completing the required verification process. Once they figure out that this store’s process is somewhat cavity-soft, they move on to laptops, electronics, and high-value gift cards.
The real blind spot is ownership.
Fraud prevention flags data, while LP watches doors. But no one holds ownership of the continuum from digital fraud to physical theft. ORC crews thrive in that vacuum, turning minor tests into coordinated theft rings.
The SecOps Fix: Closing the BOPIS Fraud Loop
Fraud alerts can’t live in silos or dashboards the store team never sees. They need to flow directly into LP workflows, tied to the bigger investigative picture.
This is where investigations systems such as Hubstream add values. Instead of leaving fraud data isolated, Hubstream ingests cyber, fraud, and LP signals into a unified case, then uses link analysis to connect the dots and escalate before goods walk out the door.
That means:
-
Cross-domain ingestion ensures fraud alerts, LP incidents, and cyber signals are captured in one place.
-
Link analysis highlights repeat offenders, proxy pickups, or suspicious overlaps between online and in-store activity.
-
Automated escalation moves cases forward in real time, prompting holds or ID checks before merchandise is released.
Dynamic friction plays its part too. Legitimate customers glide through, while suspicious activity hits a speed bump. With Hubstream powering the workflow, fraud and LP finally operate as one defense.
From Siloed to Converged: Lessons for Omnichannel Security
Fraud and Loss Prevention aren’t separate battles, they’re two halves of the same risk. Treating them in silos only widens the gaps ORC crews are eager to exploit.
True convergence means fraud alerts don’t just sit in a queue. Instead, they should trigger automatic holds on pickups, giving staff time to verify before the merchandise leaves the store.
BOPIS has become essential for modern retail, but without convergence, it doubles as a backdoor for organized crime. Fraud isn’t just online, and theft isn’t just physical.
In today’s omnichannel world, they’re the same crime.
For Security Ops leaders, the call is to unify fraud prevention and LP, invest in integrated tools, and prepare staff to recognize hybrid scams. Because when defenses converge, criminals lose their advantage.
Next up in this series: how cyber vulnerabilities spill over into the physical world.