Practical Ecommerce

How to Detect Online Fraud

Every online retailer will, at some point, be faced with fraud. It is as inevitable as taxes, but far more sinister!

Your credit card processor is going to give you two pieces of information to help combat fraud: the 3- or 4-digit “security code” (the card security code, or CSC) and an AVS response.

The CSC should never be stored in a merchant’s database. It is only printed on the card itself. So, if someone has stolen credit card info electronically, they wouldn’t have this number (in theory). Therefore, if someone places an order on your website and the CSC doesn’t match, NEVER accept the order. However, CSC is only a first line of defense against fraud. If a dishonest waiter is swiping credit card info, he’ll have unfettered access to the CSC.

AVS = Address Verification System. When a transaction is placed, you’ll receive two YES/NO values: one for the street address and one for the ZIP code. They tell you whether the billing address the customer entered matches what the issuing bank has on file for the customer.

AVS is a guideline, not gospel. International banks rarely support AVS, some US banks don’t support it, and the data isn’t always current. Customers that have recently moved may have old info on file. So, you’ll often receive false negatives. Basically, don’t decline an order based upon AVS info. Rather, use it as part of your overall risk assessment.

So, let’s assume that an order has come through. The CSC matches, the AVS is Y/Y, but the shipping address doesn’t match the billing address. Now YOU have to make the call and determine the likelihood that the order is fraud.

Here are some things to look for:

  • Are they shipping via an expedited method? It isn’t the fraudster’s money and the quicker they can get the goods before the card is cancelled, the better for them. Check for the ratio of money spent on shipping versus the value of the goods. Would a “real” customer pay $60 to ship $30 worth of merchandise?
  • Are you able to contact the customer via email? If they’re responding via email, that’s a good sign that it isn’t fraud. Fraudsters typically provide bogus email addresses or simply never check the multitude of accounts they possess.
  • Is the billing address in the US and the shipping address in a foreign country? This can be a red flag for fraud.
  • Where was the order placed? There are free IP address geolocation tools that you can integrate into your order fulfillment package. If the IP address is in Belgium, but the billing address is in Florida and the shipping address is in California, perhaps you need to do more detective work.
  • If you’re capturing a phone number, where does that phone number originate? Again, there are free APIs that will tell you the city and state. Do these match with the billing address or shipping address?
  • Use or to determine the accuracy of the address information provided.
  • What is the customer’s email address? Do they use a “shady” free email service that you’ve never heard of before? Or is the email address from a .edu, .k12, or .mil domain? The harder it is to get an email address at a particular domain, the less likely the order is fraud. Of course, just because they entered that email address, it doesn’t mean it’s an active email account.
  • Fraud is more rampant in certain countries than others. For instance, never ship to Nigeria.
  • Don’t assume that an inexpensive order isn’t fraud. Fraudsters aren’t stupid. They obviously want to get as much from a store as they can before the stolen card is shut down, but if they’ve ascertained that $25 is your threshold, they will exploit it.

There are many other metrics you can use to assess risk. Some will be more relevant than others depending on your type of business.

If you’re not sure about an order, contact the customer. They’ll appreciate your commitment to security. Sometimes we tell a customer that we can only ship to their AVS-verified billing address. Other times, we ask customers to send us a photograph or scan of their credit card so we can verify that it is in their possession. In some instances, we ask for scans of passports or other government-issued IDs to prove that they live at the address to which they want us to ship. Some customers are uncomfortable with this, but the majority have no problem complying. Remember, you’re the one on the hook if it is fraud.

To mitigate your risk of fraud, you must look at every order and assign a level of risk. If you receive too many orders to do this manually, then you need software. If you must, hire a programmer. It’s worth the expense. If a fraudster starts hitting your website, you won’t know for days or weeks. In that time, you could get hit with thousands of dollars worth of charges.
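As an added illustration (not code from the article), the checks listed above can be combined into a per-order score that decides which orders get a manual look. The weights, the review threshold and the order field names are assumptions, and the IP and phone lookups are assumed to have been done upstream.

```python
# Weights and the review threshold are illustrative assumptions, not values from the article.
WEIGHTS = {
    "avs_street_mismatch": 10, "avs_zip_mismatch": 10,
    "ship_differs_from_bill": 15, "expedited_shipping": 10,
    "shipping_costs_more_than_goods": 25, "us_billing_foreign_shipping": 20,
    "ip_country_matches_neither_address": 20, "phone_region_matches_neither_address": 10,
    "hard_to_obtain_email_domain": -10,  # lowers the score, never clears an order alone
}
REVIEW_AT = 40

def fired_signals(o):
    """Names of the article's risk signals that apply to order dict `o`."""
    bill, ship = o["bill"], o["ship"]
    domain = o["email"].rsplit("@", 1)[-1].lower()
    checks = {
        "avs_street_mismatch": not o["avs_street"],
        "avs_zip_mismatch": not o["avs_zip"],
        "ship_differs_from_bill": bill != ship,
        "expedited_shipping": o["expedited"],
        "shipping_costs_more_than_goods": o["shipping_cost"] > o["goods_total"],
        "us_billing_foreign_shipping": bill["country"] == "US" and ship["country"] != "US",
        "ip_country_matches_neither_address":
            o["ip_country"] not in (bill["country"], ship["country"]),
        "phone_region_matches_neither_address":
            o["phone_region"] not in (bill["region"], ship["region"]),
        "hard_to_obtain_email_domain":
            domain.endswith((".edu", ".mil")) or ".k12." in domain,
    }
    return [name for name, fired in checks.items() if fired]

def assess(o):
    """Return (decision, score, signals); every order is scored, whatever its value."""
    if not o["csc_match"]:  # the article's one hard rule: never accept a CSC mismatch
        return "reject", None, ["csc_mismatch"]
    fired = fired_signals(o)  # AVS results only add to the score; they never decline
    score = sum(WEIGHTS[name] for name in fired)
    return ("review" if score >= REVIEW_AT else "accept"), score, fired

# Constructed sample orders (not real data); IP and phone lookups are assumed done upstream.
FL = {"street": "1 Example St", "country": "US", "region": "FL"}
CA = {"street": "9 Sample Ave", "country": "US", "region": "CA"}
MOVED = dict(csc_match=True, avs_street=False, avs_zip=False, bill=FL, ship=FL,
             expedited=False, shipping_cost=8.0, goods_total=120.0, ip_country="US",
             phone_region="FL", email="buyer@mail.example")
RUSHED = dict(MOVED, avs_street=True, avs_zip=True, ship=CA, expedited=True,
              shipping_cost=60.0, goods_total=30.0, ip_country="BE")

if __name__ == "__main__":
    print(assess(MOVED), assess(RUSHED), sep="\n")
```

The first sample fails AVS on both values yet is accepted, while the second passes CSC and AVS and is still routed to review on the shipping and IP signals.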

Your job is to do everything in your power to stop 99.9% of preventable fraud and simply chalk up the rest to the world we live in. This requires your vigilance. You must constantly update your fraud system because fraudsters have blogs, too. They share and flaunt their conquests.

Take solace in knowing that you’ve become a worthwhile enough target for fraud! You’re popular! If law-abiding citizens love your product, there are going to be criminals that do, too.



  1. blizdas March 24, 2011

    Hi Jamie,
    I think you missed one of the most important aspects of fraud checking an order, and that is verifying the name on the credit card used for the purchase. In the case of a stolen identity, crooks can change billing address information on an account pretty easily, thus making an AVS match meaningless. The name on the account can’t easily be changed. Unfortunately, the only way to confirm a name is to manually call the card issuing bank for verification. Used in conjunction with reverse address look-up, name verification is the most solid bit of information a merchant can rely on.

  2. Michael66 March 24, 2011

    Ben is absolutely correct.

    One of the sneakiest (but also most common) fraud methods out there is the triangulation scam (google it). An honest customer looking for a deal on a particular item makes a purchase over eBay. The eBay seller, who has been unwittingly recruited by a crook, passes along the customer’s billing address to the crook, who then plugs it into a different credit card (the name can’t be changed). Next, the crook then uses the modified credit card to buy the product the customer wants from an authorized on-line dealer at full price, shipping it to the customer’s address. On this type of transaction the AVS will match, but if you call the card-issuing bank, the name will not match – big red flag.

    A merchant can call the customer (if they can obtain the correct phone number through reversing the address), but one must word questions carefully because they made a purchase for the particular item being asked about. Because their original transaction was over eBay and not the merchant’s website, ask, “Did you order from eBay or from”

    Today’s credit card fraudsters are sophisticated enough to spoof the IP address so it generally matches the customer’s geographical location.

    These invoices are pretty tricky because they look so clean: the shipping and billing addresses are the same, the AVS matches, the IP address matches, often times the phone number even matches. In this scenario, the bank name match is critical in detecting the triangulation scam. You can take your chances by only contacting the customer, but a quick call to the card-issuing bank to match the name will reveal this particular scamming method. Bank name verification is not very useful when the crook is shipping to an address that’s different from the billing address.


  3. Jamie Salvatori March 29, 2011

    @ Ben – First, every issuing bank is different. Most aren’t going to verify names (in my experience) over the phone. More importantly, though, who is going to make all of these phone calls if you have hundreds or thousands of orders? I whole-heartedly agree that detecting fraud is quite difficult.

    Spoofing IP addresses probably isn’t as common as you think for ecommerce transactions — it’s more for DoS attacks. Remember, if you give an invalid IP address, you’ll never see the results of any of your requests.

  4. Ang McGuire December 21, 2011

    Most online fraud people we encounter already have the actual cardholder’s name, address and security code. This makes it extremely difficult to identify a fraud order. The only alternative we have to combat this is to only allow shipments to go to billing address only with a signature.

  5. Dyke Iloghalu September 27, 2014

    This writer actually tried in bringing up something but his statement that never ship to Nigeria is not correct. I agree that Nigeria might have some fraudsters like the United States, China, etc. Not everyone is a fraudster just as in the United States, China, etc. I am very sorry for businesses that exclude Nigeria because they are missing something very important for their business. I believe if you use the AVS system and ask for card statements from the bank with scanned images of the card, you should be protected. Because of improvement of technology in Nigeria almost everyone has a Naira MasterCard and Visa Card and that has helped to reduce the fraud rate. However you should also watch out for fraud. In Nigeria our processing companies applied another layer of security that resembles the 2 factor authentication via SMS.

  6. Michael Beard October 29, 2015

    Speaking of Nigeria…my company does business in Nigeria and we do have millions of dollars per year worth of fraud coming out of not only Nigeria but the rest of Africa as well, more so than in many other countries. I hate to say it, but it’s been proven that Nigeria and other parts of S. Africa have the highest rate of crime and credit card/cyber fraud in the world because of the laws being so lax in S. Africa. This is not to say that other parts of the world do not have high crime rates and fraud. We do experience fraud coming from other countries…but as I stated above, S. Africa is the most prevalent.

  7. sal December 17, 2016

    Another form of fraud which is happening now is that when we call to verify the information, these people are actually answering the phone and verifying the info. It’s very hard to tell. The only way to not get caught is to ship to the billing address.

  8. changedman83 January 23, 2017

    I used to be a fraudster and I wanted to say that most of you are quite accurate with most of your comments. There are, however, some who are far more sophisticated in their attempts than others and I will give you an example. I have already gone to jail for this so that is why I will explain… When ordering merchandise from any retailer I would use all the correct billing info that the bank or card issuer has on file, everything: the home phone number, the email address, the billing physical address, everything. I would place the order over the phone so there is no IP address involved, but I would already have gained access to their email address and have the phone number forwarded to a cell phone in my possession, and I would also have all mail forwarded to another address, so as long as the retailer ships with Canada Post, for example, I get the package or parcel delivered to the address I am at regardless of what the order said. The person who owned the card would have no idea at all and neither does the merchant, so the A.V.S. and name verification and all that does not verify anything if both the mail and phone calls are forwarded. All it will verify is that it’s the correct info, not who is using it. I do not live that life anymore; I work for a living and I do regret what I did and that is now something I have to live with. I know all of you will probably have some not so nice things to say but it is what it is and I do not blame anyone but myself.

  9. Thomas October 15, 2017

    I’m from Canada and my business only ships within Canada. One place you have to watch out for is Montreal and area. We get a lot of fraudulent orders in Montreal. People there often use different bill and ship address, even in different provinces, they pay the high prices for expedited or express shipping, dead giveaway it is fraud. Not saying all Montreal orders are fraud and fraudulent orders can happen anywhere in Canada. You have to be especially careful when dealing with Montreal orders even if it is full match, that is all.