Finally some time to write an article. I've been swamped practically 9 months straight and it's nearly killed my writing time. And my workout time. And my quit-smoking-before-I'm-40 time. I think you get the idea
I wanted to take some time and share my experiences with online fraud detection and prevention. These experiences will make certain assumptions. I'll try to make these clear where ever possible but if I miss something please let me know.
What is Fraud
Simply put, online fraud is nothing more than one individuals attempt to purchase something using another persons identity. There are a number of reasons for online fraud with the most obvious being for-profit on the black-market. Yes, there is a black-market. Sometimes it's someone directly competing with you – they attempt to weaken you financially whilest they gain financially. Other times, the (now) stolen goods are exported via 3rd party shipping companies. Finally, there's the teenager who didn't take Dad's "no" for an answer and instead borrowed his credit card.
Whatever the reasons or motivations behind fraud, it's a painful process for you as the merchant. It means paperwork and it means phone calls. Both of which cost you even further. To put it mildly, anything you can do to prevent fraud before it happens is money in your pocket.
Tips to Recognizing Fraud
I've taken fraud pretty seriously. I'm a small business with a tight budget, so I have no choice. One major hit of fraud and my finances are hosed for quite some time. That and it really just ticks me off given I'm working my butt off for this money and the fraudster is cheating the system on easy-street.
When a fraud purchase is determined, you as the merchant get hit twice. The monies received for the purchase are immediately withdrawn from your account. Plus, your distributor still wants paid, so a second hit to your wallet occurs. That's why it's ever-so-important to be vigilant with the online purchases made at your store. Fraudsters will test you.
The Point System
I use a point system in my head when reviewing orders for fraud. Anything that is on my "good" list gets +1 point. Anything on my "bad" or "say what?" list gets -2. If the final score for an order isn't 0 or better, time for the microscope and some phone calls. More on this later.
Tip 1 – Good Business Policy
The first step to recognizing fraud is establishing your business boundaries. In my case, I have designated a specific dollar amount that forces a complete review of the purchase. For examples sake, let's say it's $ 200. So any order that is $ 200 or more, regardless of repeat customer or not, goes under the microscope.
How did I come up with this number? I don't know. Seriously. I think I was shopping at Best Buy one day and saw something that was $ 400 and thought "wow that's a lot of money." In other words, what do YOU consider to be "a lot" of money? What ever that amount is, cut it in half and that's your limit. Anything over that, once it's a fraud order, will be doubled and now you feel the sting.
The secondary influence on this number is your average order amount. Setting too low a number will bog your business down in fraud reviews. Setting it too high sets yourself up for a bad day. Think about it, start low and work it higher as your comfort level dictates. Anything under my set limit gets +1 score. Anything over it gets -2.
Tip 2 – Address Verification Service
I use Authorize.Net for my payment gateway. They have a fantastic service called AVS or Address Verification Service. It gives you a nice indicator of how close the billing address entered by the visitor matches what the issuing bank has on file. If you don't use it, you should. Accepting orders without an AVS match will reduce your chances of winning a chargeback dispute.
When AVS and the customer are on their best behavior, you'll get an exact match every time. Unfortunately AVS isn't fool-proof. Sometimes it'll detect only a partial match (Z) and now you have to make a judgement call. Is it a $27 order? Fine, push it through. Is it a $ 900 order? Well ok then, maybe it's time for a phone call or two just to be safe.
I refuse all orders that cannot obtain at least a partial AVS match. Period. Maybe I've lost some business, but I'm certain my bank account is the better. A full AVS match gets a +2 score. A partial AVS match gets +1 and and AVS failure gets -2.
Tip 3 – CVV Validation
Never accept an order without a valid CVV code. Period. End of story. You guarantee only one thing by not heeding this advice – you will lose any chargeback dispute. Card companies created CVV codes mainly due to online commerce. They consider it proof of physical access to the card since the code is not an imprint-type (raised numbers) and is not documented on any bill or statement. A CVV failure gets a -10 score – I'm done with this order and will contact the customer to discuss.
Tip 4 – Check the Phone Number
My site requires a phone number be entered for the billing address. If I am doing a fraud review on an order, I use google to see if the area code of this number matches the state and is geographically near the city of the billing address. If it's not, that's a -1 on the score. I understand the age of cell phones makes this more difficult but it still must be factored into the final fraud review assessment. A good location match on the area code gets +1 score.
Tip 5 – Check the IP Address
There's a great site for checking IP address sources. It's at http://www.dnsstuff.com. At the top is the Free DNS Tools link – click it. Take the IP address off the order details page and copy it into the IP Information box and tell it to go. DNSStuff will tell you the geographic origin of this IP address.
Again, like cell phones, IP address geography can vary wildly. But if the DNSStuff reports back that it's a Brazil IP address, that's really useful to know. Odds are someone using a Brazil ISP to order something (electronic) from you to be shipped to Miami, Florida is fraud. Trust me.
Most times, the IP will be in a general area to the billing address. This is a +1 score. Another location in the US is a 0 score and anything outside the US is a -2 score.
Tip 6 – Email Address
Fraudsters like to use generic emails. Often times I compare the name on the billing address to the email address provided with the order. If Tom Jones orders something and his email is TJones@ATT.Net, well that's just swell and gets a +1 score.
But if the same Tom Jones uses "firstname.lastname@example.org". has a very heavy asian accent when he answers his phone and barely speaks english, yeah that's probably a bad sign and should get the -2 score.
Tip 7 – Payment Authorization Failure
There are a variety of reasons why a payment authorization will fail. 99% of the time on working site, it has absolutely nothing to do with you as the merchant. No matter how hard the customer tries to put it on you, it's really not your fault.
I gave up playing "yes sir, no sir" with customers earlier this year. If their payment fails, we'll try the same information only once more. After that, it's new payment information or thank you for calling.
This may seem harsh at first, but think about it. Credit card companies will lock the customer card down if they see too many attempts in a short period of time. Then you've got a *really* honked off customer and he technically still hasn't paid for the product he wants.
Not a good scenario. So to save everyone pain, suffering and a possible migraine, establish a good "retry" policy for failed payment information. Explain to the customer WHY you have this policy and they'll usually be grateful more than angry. Usually, but not always
Tip 8 – Billing versus Shipping Address
I always look at an order with sharper eyes when the billing and shipping addresses do NOT match. Granted this can be common, especially during the holidays. But there are clues that can help you.
If an IP in Atlanta, Georgia places an order with a Bill-To of California and ships it to Miami, Florida well then you've got some calls to make. It is fraud? maybe or maybe not. But it definitely gets a -1 if billing/shipping don't match and a +1 if they do match.
What's the Score
You've done the checks, now add the score. Is it 0 or higher? Great, process it. If it's less than zero, now it's time to make some phone calls. Here are some good tips by Credit Card Type to help you along:
1. Visa/MC – there's a toll-free number for Visa/MC that gives you the phone number for the issuing bank. Just dial the number, enter the customer card number and the lovely yet robotic voice will give you the issuing bank telephone number. Now, stop for a second. Look at the number you just wrote down. Was it an international number? AHA! Someone has set up a US-issued bank card using an international bank. While this may be common in your business, I won't accept them. There's practically ZERO fraud detection with non US-issued bank cards. I won't accept them, period.
If the issuing bank is a US phone number, call it. The people will be glad to help you verify purchase amount, address information and available funds. +1 to your efforts. Contact your payment processor or gateway to find out this toll-free number for Visa/MC issuing bank information.
2. American Express – ruthless on the merchant. You'll be lucky to EVER win a chargeback dispute with them. However, they have a toll-free number that is absolutely golden. AmEx will actually contact the cardholder on your behalf and verbally confirm the purchase. They say it can take up to 3 days for verification but usually it comes back within 24 hours. Oh how I wish Visa/MC would do this….imagine the drop in fraud worldwide.
If you accept AmEx, call your AmEx customer service and get the Charge Verification phone number. Make sure you get CHARGE verification and not ADDRESS verification.
Disputing A Chargeback
Don't panic. It happens all the time. The first step is identification of the order involved. How you do this is completely dependent on the payment processor but usually involves a date and a dollar amount. Most of the time, the processor will never know YOUR order numbers. Give your processor a call and get customer service to help you determine the date, amount and correct procedure for a response from you. Don't call Authorize.net, it's not their problem. The issue is now between you and your payment processor (usually your bank but not always).
Once you identify the order in question, screenshots are your best friend. Here's what I do when I have a chargeback and make the initial processor phone call:
1. Snapshot the order details page that shows AVS, CVV and billing/shipping information.
2. Snapshot the Order Notes page that shows payment authorization and any customer comments.
3. Snapshot the Payments page that shows payment transaction ID information with precise dates/times.
4. Use DNSStuff to lookup geographic details on the IP address that placed the order and snapshot it.
5. Snapshot the customer page.
6. Snapshot the customer pageview history.
7. Look up the shipment tracking info for the shipping carrier used and snapshot it. You did ship it signature required didn't you??
8. Assemble everything with a brief cover letter referencing the chargeback case number and your FULL contact information.
9. Send the information as dictated by your processor. Mine requires it to be faxed.
10. FOLLOW UP 24-48 HOURS LATER TO BE SURE THEY GOT IT!
Step 10 is critical. Assume nothing at this point – you're talking about real cash from your real bank account. Most banks will immediately take funds out when a chargeback is received but temporarily return the funds once they receive your dispute. Check with your processor to learn how they handle it.
Step 11 – be patient. Chargeback disputes can take upwards of 60 days or longer. Check your online processor account every-so-often for any new information.
Fraud is painful. But it is also something that is manageable to point. It all depends on how much effort you want to put into it pitted against the value of the goods involved. If I sell a $ 4,000 ocean radar system, you can bet I'm spending the next 1-2 hours on the phone.
In my experience, nobody buys 6 fishing rod holders as fraud. But they will buy 10 Garmin C340 StreetPilot GPS units and ship to New York or Florida. A vast majority of my site purchases are individuals, so what does someone need with 10 GPS units?? That's a red flag.
I've seen some companies do a full credit check for large purchases – TigerDirect is one I know for sure. Expect them to call and ask what gas company or mortgage company you had at your last known address. Very nice, but very costly.
Pay attention and always keep on top of your orders. And remember, anything you can do to reduce your vulnerability to fraud is real cash in your pocket.