How to Detect Online Fraud
Every online retailer will, at some point, be faced with fraud. It is as inevitable as taxes, but far more sinister!
Your credit card processor is going to give you two pieces of information to help combat fraud: the 3- or 4-digit “security code” (CSC) and an AVS response.
The CSC (card security code) should never be stored in a merchant’s database. It is only printed on the card itself. So, if someone has stolen credit card info electronically, they wouldn’t have this number (in theory). Therefore, if someone places an order on your website and the CSC doesn’t match, NEVER accept the order. However, CSC is only a first line of defense against fraud. If a dishonest waiter is swiping credit card info, he’ll have unfettered access to the CSC.
AVS = Address Verification System. When a transaction is placed, you’ll receive two YES/NO values: one for the street address and one for the zipcode. They tell you whether the billing address the customer entered matches with what the issuing bank has on file for the customer.
AVS is a guideline, not gospel. International banks rarely support AVS, some US banks don’t support it, and the data isn’t always current. Customers that have recently moved may have old info on file. So, you’ll often receive false negatives. Basically, don’t decline an order based upon AVS info. Rather, use it as part of your overall risk assessment.
So, let’s assume that an order has come through. The CSC matches, the AVS is Y/Y, but the shipping address doesn’t match the billing address. Now YOU have to make the call and determine the likelihood that the order is fraud.
Here are some things to look for:
- Are they shipping via an expedited method? It isn’t the fraudster’s money and the quicker they can get the goods before the card is cancelled, the better for them. Check for the ratio of money spent on shipping versus the value of the goods. Would a “real” customer pay $60 to ship $30 worth of merchandise?
- Are you able to contact the customer via email? If they’re responding via email, that’s a good sign that it isn’t fraud. Fraudsters typically provide bogus email addresses or simply never check the multitude of accounts they possess.
- Is the billing address in the US and the shipping address in a foreign country? This can be a red flag for fraud.
- Where was the order placed? There are free IP address geolocation tools that you can integrate into your order fulfillment package. If the IP address is in Belgium, but the billing address is in Florida and the shipping address is in California, perhaps you need to do more detective work.
- If you’re capturing a phone number, where does that phone number originate? Again, there are free APIs that will tell you the city and state. Do these match with the billing address or shipping address?
- Use whitepages.org or anywho.com to determine the accuracy of the address information provided.
- What is the customer’s email address? Do they use a “shady” free email service that you’ve never heard of before? Or is the email address from a .edu, .k12, or .mil domain? The harder it is to get an email address at a particular domain, the less likely the order is fraud. Of course, just because they entered that email address, it doesn’t mean it’s an active email account.
- Fraud is more rampant in certain countries than in others. For instance, never ship to Nigeria.
- Don’t assume that an inexpensive order isn’t fraud. Fraudsters aren’t stupid. They obviously want to get as much from a store as they can before the stolen card is shut down, but if they’ve ascertained that $25 is your threshold, they will exploit it.
There are many other metrics you can use to assess risk. Some will be more relevant than others depending on your type of business.
If you’re not sure about an order, contact the customer. They’ll appreciate your commitment to security. Sometimes we tell a customer that we can only ship to their AVS-verified billing address. Other times, we ask customers to send us a photograph or scan of their credit card so we can verify that it is in their possession. In some instances, we ask for scans of passports or other government-issued IDs to prove that they live at the address to which they want us to ship. Some customers are uncomfortable with this, but the majority have no problem complying. Remember, you’re the one on the hook if it is fraud.
To mitigate your risk of fraud, you must look at every order and assign a level of risk. If you receive too many orders to do this manually, then you need software. If you must, hire a programmer. It’s worth the expense. If a fraudster starts hitting your website, you won’t know for days or weeks. In that time, you could get hit with thousands of dollars worth of charges.
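As an added example (not code from the original post), here is a first-pass order risk scorer that encodes the checklist above: a CSC mismatch is a hard decline, AVS and the other signals only contribute to a score, and a small order total earns no discount. The field names, weights and thresholds are my assumptions; the IP geolocation and email domain are assumed to have been looked up elsewhere and passed in.

```python
from dataclasses import dataclass

@dataclass
class Order:
    csc_match: bool          # card security code matched at the processor
    avs_street: bool         # AVS street result
    avs_zip: bool            # AVS zip result
    billing_country: str
    shipping_country: str
    ship_equals_bill: bool   # shipping address identical to billing address
    goods_total: float
    shipping_total: float
    expedited: bool
    ip_country: str          # from an IP geolocation lookup done elsewhere
    email_domain: str

HARD_TO_GET_TLDS = {"edu", "k12", "mil"}            # from the post's checklist
COMMON_FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

def risk_signals(o: Order) -> list[tuple[int, str]]:
    """Weighted signals from the checklist. Weights are assumptions, not data."""
    ratio = o.shipping_total / o.goods_total if o.goods_total else 0.0
    tld = o.email_domain.rsplit(".", 1)[-1].lower()
    rules = [
        (not o.avs_street, 10, "AVS street mismatch (advisory only)"),
        (not o.avs_zip, 10, "AVS zip mismatch (advisory only)"),
        (not o.ship_equals_bill, 15, "shipping address differs from billing"),
        (o.billing_country == "US" and o.shipping_country != "US", 25,
         "US billing address, foreign shipping address"),
        (o.ip_country not in {o.billing_country, o.shipping_country}, 20,
         f"order IP geolocates to {o.ip_country}, matching neither address"),
        (o.expedited and ratio > 0.5, 20,
         f"expedited shipping costs {ratio:.0%} of goods value"),
        (tld in HARD_TO_GET_TLDS, -15, f".{tld} email domain is hard to obtain"),
        (tld not in HARD_TO_GET_TLDS and o.email_domain.lower() not in COMMON_FREE_MAIL,
         5, "unfamiliar email domain"),
    ]
    return [(w, why) for hit, w, why in rules if hit]

def assess(o: Order) -> tuple[str, int, list[str]]:
    """CSC mismatch is a hard decline; everything else feeds a score.
    Deliberately no discount for small orders: a low total is not evidence."""
    if not o.csc_match:
        return "decline", 100, ["CSC mismatch"]
    signals = risk_signals(o)
    score = max(0, sum(w for w, _ in signals))
    decision = "decline" if score >= 60 else "review" if score >= 30 else "accept"
    return decision, score, [why for _, why in signals]
```

The reasons list is what a reviewer sees in the queue, so every weight that fires is explained rather than folded into an opaque number.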
Your job is to do everything in your power to stop 99.9% of preventable fraud and simply chalk up the rest to the world we live in. This requires your vigilance. You must constantly update your fraud system because fraudsters have blogs, too. They share and flaunt their conquests.
Take solace in knowing that you’ve become a worthwhile enough target for fraud! You’re popular! If law-abiding citizens love your product, there are going to be criminals that do, too.
Hi Jamie, I think you missed one of the most important aspects of fraud checking an order, and that is verifying the name on the credit card used for the purchase. In the case of a stolen identity, crooks can change billing address information on an account pretty easily, thus making an AVS match meaningless. The name on the account can't easily be changed. Unfortunately, the only way to confirm a name is to manually call the card issuing bank for verification. Used in conjunction with reverse address look-up, name verification is the most solid bit of information a merchant can rely on. Ben
Ben is absolutely correct.
One of the sneakiest (but also most common) fraud methods out there is the triangulation scam (google it). An honest customer looking for a deal on a particular item makes a purchase over eBay. The eBay seller, who has been unwittingly recruited by a crook, passes along the customer’s billing address to the crook, who then plugs it into a different credit card (the name can’t be changed). Next, the crook uses the modified credit card to buy the product the customer wants from an authorized on-line dealer at full price, shipping it to the customer’s address. On this type of transaction the AVS will match, but if you call the card-issuing bank, the name will not match – big red flag.
A merchant can call the customer (if they can obtain the correct phone number through reversing the address), but one must word questions carefully because they made a purchase for the particular item being asked about. Because their original transaction was over eBay and not the merchant’s website, ask, “Did you order from eBay or from myewebsite.com?”
Today’s credit card fraudsters are sophisticated enough to spoof the IP address so it generally matches the customer’s geographical location.
These invoices are pretty tricky because they look so clean: the shipping and billing addresses are the same, the AVS matches, the IP address matches, oftentimes the phone number even matches. In this scenario, the bank name match is critical in detecting the triangulation scam. You can take your chances by only contacting the customer, but a quick call to the card-issuing bank to match the name will reveal this particular scamming method. Bank name verification is not very useful when the crook is shipping to an address that’s different from the billing address.
Jamie Salvatori says:
@ Ben - First, every issuing bank is different. Most aren't going to verify names (in my experience) over the phone. More importantly, though, who is going to make all of these phone calls if you have hundreds or thousands of orders? I wholeheartedly agree that detecting fraud is quite difficult.
Spoofing IP addresses probably isn't as common as you think for ecommerce transactions -- it's more for DoS attacks. Remember, if you give an invalid IP address, you'll never see the results of any of your requests.
Ang McGuire says:
Most online fraud people we encounter already have the actual cardholder's name, address and security code. This makes it extremely difficult to identify a fraud order. The only alternative we have to combat this is to only allow shipments to go to the billing address, with a signature.