Growing side by side with the worldwide increase in internet usage and online sales is the notorious cesspool of frauds seeking to find a flaw in whatever system they can to exploit anyone who uses (or accepts) credit cards. Pretty well everyone associated with any significant online business knows that without fraud prevention controls in place, businesses are set up for substantial financial losses. There are a few trends we have noticed that should be helpful for anyone involved in the operation of an online store.
Detecting a fraudulent customer
There are some distinct behavioral patterns exhibited by the majority of the perpetrators of fraudulent purchases online. In the majority of cases we encounter, the person attempting to make a fraudulent order has stolen someone’s credit card (likely from a restaurant or retail store) or has purchased a list of credit card numbers from an identity theft black market. In cases such as those, the fraud likely has a credit card number and expiration date, but nothing else to verify his identity. In some cases, the fraudulent customer has been thorough enough to get the 3-digit CVV number from the back of the stolen credit card. In either of these situations, figuring out that the customer is using a stolen credit card is a fairly simple process. If he can’t verify the billing address associated with the credit card, chances are you have a fraudulent customer.
Most of the time, fraudulent customers try to keep themselves isolated from the business they’re trying to scam, for obvious reasons. When they sign up for a customer account, they provide a telephone number that doesn’t work. Often we even see bogus area codes used in telephone numbers provided by fraudulent customers. Our online store requires an email address from customers. Because free public email addresses (like those from Yahoo.com, Hotmail.com, or Gmail.com) are difficult to trace back to their owners, most fraudulent customers use one of those kinds of no-hassle email addresses.
In our experience, the most obvious of fraudulent customers naturally seem to be the dumbest. We often receive emails from people who ask whether we accept credit cards for payment and then ask us to send them a list of products we sell. It’s not hard to tell that those emails are fishing for scam opportunities. Other fraudulent customers will ask for multiple quantities of a specific product found on our web site, and they’ll ask whether we accept international credit cards. These emails typically mention that the sender is buying products for some worthy cause, and they’ll use a benign name (such as “Doctor Johnson” or “Pastor Murphy”) that the perpetrator believes will convince the owner of an online store that he’s not being duped. I’m pretty confident that online businesses rarely fall for those tricks, especially since most of the “Doctor Johnsons” we encounter appear to not spell very well and have poor grammar.
There are some fraudulent customers who are smarter and bolder than the typical ones I’ve discussed. We’ve encountered customers using stolen credit cards who use valid phone numbers and email addresses, and who communicate as if they are legitimate. Sometimes we don’t find out until after the order has been delivered that the customer was actually using a stolen credit card. In one particular case, a customer’s billing address didn’t match the address on file with the credit card issuer. A phone call was made to the customer, and he matter-of-factly gave a different billing address. Because of a glitch in our merchant account system, the order was shipped even though the alternate billing address wasn’t the correct one either. The end result was a free set of six hundred dollars worth of football jerseys for a thief in Dallas, Texas. Another fraudulent customer ordered some gym bags and requested that they be sent overnight to Miami, Florida. She wasn’t dissuaded when she was contacted and told that her check had to clear the bank before her order could be shipped. She persisted and mailed a bogus check from an account that didn’t exist.
Here are some principles that should help with combating fraud from customers shopping at your company’s online store.
Common Indicators of Fraud
The most common characteristic of fraudulent orders is a request for expedited shipping. Thinking about it from a thief’s perspective, one of the best ways to have an order picked, packaged, and out the warehouse door without a thorough check to validate the order is to request overnight shipping. Almost every fraudulent order we encounter at our online store involves overnight shipping. People placing fraudulent orders typically show no regard for cost, since they aren’t actually paying for the order. Most stores offer discounts for customers who order products in large quantities. When a customer goes to our store and orders fifty basketball jerseys at the retail price without calling to check on a discount, it raises a red flag about their intentions.
Checking the IP address of a customer can help to identify where the customer was physically located when an order was placed. We have received many fraudulent orders from Ghana and Nigeria. The prospective thieves set up a network that allows them to have a product shipped to an address in the United States and then forwarded to them in their home country or sold in the US, with some of the proceeds going to the criminal who originally placed the order. The order is normally shipped to a house or business office that is vacant, or the item is stolen by someone in the fraud network after UPS or FedEx drop the product off at the shipping address. We have noticed a connection between fraudulent orders placed from computers in Venezuela that are shipped to Miami. Close to twenty percent of the orders placed on our online store with shipping addresses in Miami are fraudulent ones that were placed from Venezuela or another Latin American country using a stolen credit card.
How to Reduce Fraud on Your Online Store
A simple solution to the problem of international fraud involves blocking people from certain countries from accessing your web site. We found a list of IP addresses that originate from Ghana and Nigeria, and we set up our web server to deny users from those countries from accessing our store. Not only does it greatly reduce the risk of being taken by someone placing a fraudulent order from there, but it reduces the amount of time we have to spend investigating and canceling orders we determine to be fraudulent. If you are not willing to take the risk of shipping to addresses outside the United States, you can successfully block most people from accessing your site outside of the country.
If you are set on serving the international community, you can still reduce your risk. Any order we receive from countries besides the United States, Canada, and the United Kingdom has to be shipped to an address that is validated through PayPal or through the credit card issuing company. Keeping such a policy as this in place enables an online store owner to be confident he’s shipping international orders to a recipient who has legitimately paid for the product and isn’t using a stolen credit card. Visa and MasterCard have made it a straight forward procedure to contact the bank that issued any card with either of their names on it.
Merchant account security settings
Merchant accounts allow store owners to set security levels to catch billing address or CVV mismatches, flagging orders that are made by people using stolen credit cards. To prevent fraud, make sure your merchant account checks the billing address and zip code given to you by any new customer using a credit card.
If you accept methods of payment besides credit cards, it is wise to implement policies that prevent your company from shipping items to someone who has no intention of paying. If a customer hasn’t established credit with your store, require that payments made using a check be cleared before an order is shipped. We have seen checks bounce after more than five business days after being deposited, and on one occasion a check bounced even after a customer service representative from our bank claimed it had cleared. The truth is it’s almost impossible for your bank to tell you whether a check has cleared an account in another bank (especially if the banks are in different states) without researching it with the other bank directly. If the customer is in a hurry to receive a product, he can expedite a money order to you, or pay using a credit card. You can also use wire transfers or WU money transfers to ensure you have the payment in hand before shipping an order.
Our company has learned some of these principles the hard way, and it’s cost us thousands of dollars. Spending the time to ensure that your fraud prevention controls are solid is well worth the hassle. Hopefully the tips and guidelines included in this article have been helpful to your organization.