10 Steps to Reduce Online Fraud by 99%
Published in Order Processing & Fulfillment Management & Legal
Every industry has its share of fraud, but e-commerce companies get targeted by sophisticated scammers with scripts and bots and can cost retailers not only money but your reputation and even your merchant account.
Manually Review Orders
One of the allures of owning an Internet business is complete automation. Orders come in while you sleep and are whisked away to your drop-shippers for fulfillment without so much as a second thought, and you just watch as your bank account grows.
Unfortunately, this approach is just what scammers want. Many fraudulent orders are incredibly easy to spot, if you take the time. Look through your orders manually before processing. Setup your shopping cart software so that it preauthorizes credit cards, but does not charge them (there are other reasons for this too, such as Visa/MasterCard regulations stipulating you must ship within 24 hours of charging the customer's card).
Here are some warning signs to look for as you manually process orders:
- Different bill-to and ship-to addresses
- Foreign credit card shipping locally
- Shipping to a Post Office Box
- Shipping to a Hotel
- Large orders (either in number of products or price)
- Products that don't match (such as a size XL shirt with a Med jacket)
- 2nd Day or Next Day Air shipments
- No phone number or email address provided
- Free email address used (Hotmail, AOL, Gmail)
These warning signs alone are benign... but as you look at orders, any number of warning signs together in a single order should put up a red flag. Anytime you see one or more of these warning signs, you should consider further verification before processing and shipping the order.
Fraud Detection Software
MaxMind provides IP address location services and fraud detection services to e-commerce websites. Their fraud detection software rates orders based on a number of factors including:
- IP Address Origin and distance from address given
- IP and Email addresses checked against database of fraudulent orders
Their software can also integrate with phone verification after the order is placed. In our experience, MaxMind has successfully flagged a number of potentially fraudulent orders that were accurate after further investigation.
IP Address Locator
The GeoBytes IP Address Locator is an excellent tool to manually verify orders (this verification is automatically done with the MaxMind software mentioned above).
The tool analyzes an IP address and displays the visitor's origin on a map, and gives their approximate city and state/province. Of course, this isn't fool-proof - visitors could be using a proxy.
Still, it's an excellent tool to use to verify an order. If the billing/shipping address is in one country, and the IP address locator says the IP address used was from another country entirely, the likelihood that the order is fraudulent is very high.
Reverse Phone Lookup
Don't assume that the phone number provided in an order is accurate. Before calling a customer to verify information over the phone, do a reverse phone lookup to see if the phone number is registered to the billing or shipping address on the order.
It could always be a mobile phone or an unpublished number, but can help you verify an order as legitimate if it matches. We once had a very large order placed, and I was leaning toward not shipping the order because it met a few of the criteria from above (different billing and shipping addresses, different sizes ordered, large order amount, next day air shipping).
As it was, I was not going to ship the order. I did a reverse lookup on the phone number and it matched the billing address. I was able to call the customer and verify the information, and they have since placed several more large orders.
Address Verification Service (AVS)
Using your merchant account's address verification service is absolutely mandatory. AVS can be setup to reject orders or let them through based on different criteria. Since your e-commerce software should allow customers to enter both billing and shipping addresses, it's absolutely critical that you make sure their billing address match their credit card information. If it doesn't match, the credit card company will automatically side with the customer in a chargeback.
Set your AVS to reject any orders that don't match both the billing address and zip code. We let these orders come through, but they're flagged in our system and we contact customers before processing their orders. Customers must provide correct information, and we re-authorize the transaction with our credit card processor so the billing zip and address match fully before processing the transaction.
Card Verification Code (CVV2)
The CVV2 number is a 3 (or 4 digit for American Express) number on the back of the credit card. It is against Visa/MasterCard regulations to store this number, so verifying it should prove that the person placing an order phsyically had posession of the credit card used.
Unfortunately, a lot of merchants store these numbers and they are also easy for credit card theives to obtain as they are printed on the actual cards. It should still be required to verify the CVV2 for all customers placing an order at your store. We reject all orders that don't match CVV2 and they cannot even get through to be manually reviewed if they don't match.
Verified by Visa and MasterCard SecureCode
Verified by Visa and MasterCard SecureCode offer an additional layer of security on top of other fraud protection. Your customers register their Visa or Mastercard with their respective programs and assign a password to them. The store's e-commerce software connects to Visa or MasterCard's secure authentication servers and the user enters their password to authenticate.
Verified by Visa and MasterCard SecureCode can significantly reduce fraud, but the vast majority of Internet shoppers still don't even know about these programs. Asking them to register during the checkout process can lower your conversion rate, costing you sales. Until these programs become widely accepted, they are best only offered as an option to your customers.
Blocked Countries List and Blocked IP Address List
Most merchants don't want to block any large segment of potential customers, but it's better to block a country and lose 1 order in a year than allow the country access and have 3 fraudulent orders. The vast majority of small e-commerce retailers will never ship to Nigeria or South Africa. You should seriously consider adding a block list to your store, especially if you only ship within your own country.
Your Gut
A lot of times you should just listen to your gut. Everything about the order might look perfect, but you just have a bad feeling about it for whatever reason. There is nothing wrong with calling the customer to verify, even if everything else looks normal.
We've had several orders that we verified further simply because we had an uneasy feeling for whatever reason. If you're looking at every order before processing, you'll have the opportunity to do this.
Good Old Fashioned Phone Call
Sometimes all it takes to tell an order is fraudulent is to pick up the phone. A lot of scripts hackers use will put the customers real phone number or a completely phony phone number. Either way, it's very easy to tell these orders are fraudulent. Either the cardholder will tell you that they've never placed an order with your store, or you'll find out that the number was completely bogus. Either way, it proves the order is fraudulent.
When the customer does answer the phone and acknowledges the order, it's still very useful because their tone and the way they answer questions will often give you insight into whether the order was legitimate. If they are defensive or seem rushed, you should be very cautious about processing the order.
Bonus Tip: Check the Chargeback Registry
ChargebackFile is a global chargeback registry, with over 5,000,000 records of customers who have filed chargebacks with merchants. If you're suspicious about an order, it might be worth a check to see if that customer has filed a chargeback before.
About Brandon Eley
I am an Internet entrepreneur and own several e-commerce companies. I started 2BigFeet.com in 1999 and have shipped big shoes to all 50 states, most provinces and over 40 countries all over the world. We have a warehouse and retail store in LaGrange, GA.
I also work as the Interactive Director for Kelsey Advertising & Design. I am responsible for enterprise level web applications for Fortune 100 companies as well as e-commerce websites and other client projects.
I also run several content websites and write for several publications, including SitePoint where I am also a Community Advisor, The Apple Blog and others.
