How to protect your company against fraudulent transactions online - any tips?

My company processes 100-250 online transactions per day. Our payment processor gives us a certain element of address validation - it simply checks if the cardholder address provided in the transaction is correct for the account.

However, given the nature of our customer base (a lot of businesses and tradesmen), it’s very common that even if the ‘cardholder’ address checks out, it won’t be where the goods are being delivered, or even where the invoice is going. As such, the cardholder address verification doesn’t protect us from fraud.

I’ve looked into other address/person checking services, and all any of them will do is tell you whether a person lives at a certain address. But consider the following situations:

  • Customer wants the goods delivered to their work address, or a friend or relative
  • Customer is a tradesman getting the goods delivered to the job address
  • Customer works in a large company, uses a corporate card and is getting the goods and invoice sent to addresses that aren’t the same office as the card is registered

How are you supposed to deal with these situations in any kind of automated or formalised way? Right now it’s a person looking at it, using their judgement, researching the customer, maybe contacting them. It’s a time-consuming process and we definitely flag up many legitimate orders as possibly fraudulent.

Ruling out 3D Secure for the moment, I was wondering what processes or services other people are using, because I’m sure it shouldn’t be as hard as this?

This probably doesn’t help at all, but I’ve encountered more than one company which stipulate that first orders can only be delivered to the card-holder’s address. For subsequent orders, you can choose an alternative delivery address.

I’ve seen that before, too. But to be honest I think that would put a lot of our customers off.

Use maxmind.com. It really, really helped us in preventing fraud orders. There is an extension that allowed us to use it directly with our backend (Magento).

Cheers. However, I’m in the UK so I don’t think they’ll work for us.

Yes, our payment service will check if the card has been reported stolen. But fraud still occurs in the space between the card being stolen and theft being discovered/reported (otherwise the crooks wouldn’t do it!), which leads us to other methods.

Yes, our payment service will check the address for us, but how about the scenarios above where goods/invoices are going to addresses other than the card address? Address checking only gets us so far and I wondered what other online sellers did to protect themselves against fraud while still allowing honest people to get their goods delivered to their work address? Let’s assume that if an order is being shipped to an address that the bank confirms as the card address, that we accept the order. Now how about the others?

Are other companies making sure first orders are shipped to the card address? Are you allowing the order if the buyer at least knows what the card address is? Are you setting a value limit and allowing all orders below a certain value? Are you using services like MaxMind that monitor lots of card payments and IP addresses to identify fraud?

What sort of fraud rates are you currently seeing? In what category [electronics, household, apparel, etc]?

Well, fraud rates are pretty low at the moment. But we’re turning away a lot of orders because of suspected fraud, as well as spending way too much time vetting the orders. So I don’t know what the fraud rate would be if we accepted everything.

How about sending the cardholder an automated text to just let them know a transaction has been made, or a PIN to authorise the transaction? You can get them quite cheap. www.cbfsms.com does it (fish2text or something).

Or maybe you can use automated phone verification systems?

We also use MaxMind. One thing that significantly lowers the fraud rate is not having a payment gateway on your own website. That way, you are not the one who is in charge of the transactions. You are still responsible for the transaction itself if you use a third party payment option, but they do the fraud monitoring for you and block more fraud than any payment gateway that I had on a website, even when I used 3-D Secure.

But 3-D secure remains extremely useful, why would you not want to use it?

Agree on MaxMind: they check the IP address as well as checking for proxies, high-risk IPs etc. We partner with MaxMind to help our merchants... and I believe their database is international; we’ve blocked IPs from non-US locations before. I am not sure what data sources are available in the UK; maybe your best bet is to try to automate the processes as much as possible, instead of doing everything manually?

As for 3D Secure, I’ve heard that it’s a big hurdle that many customers just don’t want to jump through. At least here in the US, the adoption rates have been pretty low.

I think any merchant who has his own payment gateway on his website must have 3-D Secure to avoid fraud, or else you can get targeted by fraudsters quite quickly once they find out your website is vulnerable. And I’m not really sure if there really is any problem with adoption rates, as it’s written in the “3-D Secure Payer Authentication” thread.

Any step added to your shopping process is going to increase abandonment. Validation can be a minimal impact or a significant one just depending on the type of audience you have shopping and their response to the extra information request and very different style site.

All businesses experience fraud, that’s just reality. You can reduce the rates many ways but the further you go the higher the impact will be to your sales thus the great question: how much business are you willing to lose vs how much you can save.

That’s true, however online fraud is on the rise, as it could be expected.

That is, if merchants who have their own payment gateway have just a bit too many disputes/chargebacks, they are going to face fees and risk having their account closed. For all online merchants who have an abnormally high number of fraudulent transactions, the best decision might end up being to minimize the risk.

We use a software fraud detection service (MaxMind), but we review all orders for fraud manually as well, and we have not lost a chargeback in over 5 years. (We’ve had a few, but they were customers who didn’t feel like following our policies; we disputed and won.)

Here are some of the criteria we look for in our store, if you see any of these you should look for more information to further validate the order because there’s a high probability of fraud:

  • Small order with extremely high shipping cost
  • Order with different sized items (i.e. size Small shirt and size Large shirt in the same order)
  • Different billing / shipping address
  • Different billing / shipping country
  • IP address does not match billing or shipping city (you can use GeoBytes to locate IP addresses)
  • Extremely large order
  • Phone number that does not match billing or shipping city (reverse phone to look up)

If you notice any of these things, look at some of the others like IP address and phone number to try to verify further. When we have an order that has a high fraud score through MaxMind and also fails a few of the criteria above, we send the customer an email asking for them to call us. When they call we ask them for clarification.

If, for instance, their IP address doesn’t match the billing or shipping city we’ll simply say something like “our fraud detection software marked this order - is there any reason it might have done that?” or “is there any reason our fraud detection would say you’re not where you live?” something like that.

After 13 years I’ve found that most “scammers” won’t call you and explain - they’re just looking for a quick and easy transaction. But if we’re still uneasy we simply ask them to fax or email us a copy of their photo ID and credit card showing the same name - the one used on the order. They can snap it from their camera phone and blur or hide most of the number, as long as we can make out the last 3 or 4 digits and the name that’s all we need.

It’s a hassle but most customers understand… and it happens very rarely. And again, in all these years we’ve never had one slip through the process so it works! Hope that helps a bit…

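The review criteria listed in the post above, written as an automated first-pass triage so that staff only look at orders that trip something. This is an added example, not code from the thread or from MaxMind. The field names, thresholds and the 0-100 score scale are assumptions, and the IP and phone city lookups are assumed to happen upstream.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration; tune them on your own order history.
SMALL_ORDER, LARGE_ORDER = 50.00, 1000.00  # goods value bounds
SHIPPING_RATIO = 0.5   # shipping above 50% of goods value counts as "extremely high"
HIGH_SCORE = 70        # external fraud score (assumed 0-100 scale) treated as "high"
FEW_FLAGS = 2          # "fails a few of the criteria"

@dataclass
class Order:
    goods_total: float
    shipping_cost: float
    sizes: list          # apparel sizes in the basket
    billing: dict        # {"street", "city", "country"}
    shipping: dict
    ip_city: str         # result of an IP geolocation lookup done upstream
    phone_city: str      # result of a reverse phone lookup done upstream
    external_score: int  # score from whatever fraud-scoring service is in use

def flags(o: Order) -> list:
    """Return the names of the review criteria this order trips."""
    cities = {o.billing["city"].lower(), o.shipping["city"].lower()}
    checks = [
        ("small_order_high_shipping", o.goods_total <= SMALL_ORDER
            and o.shipping_cost > SHIPPING_RATIO * o.goods_total),
        ("mixed_sizes", len(set(o.sizes)) > 1),
        ("address_differs", o.billing != o.shipping),
        ("country_differs", o.billing["country"] != o.shipping["country"]),
        ("ip_city_mismatch", o.ip_city.lower() not in cities),
        ("very_large_order", o.goods_total >= LARGE_ORDER),
        ("phone_city_mismatch", o.phone_city.lower() not in cities),
    ]
    return [name for name, hit in checks if hit]

def triage(o: Order) -> tuple:
    """Map flags plus the external score to the next step described in the post."""
    hit = flags(o)
    if o.external_score >= HIGH_SCORE and len(hit) >= FEW_FLAGS:
        return "ask_customer_to_call", hit
    if hit or o.external_score >= HIGH_SCORE:  # assumption: a high score alone also gets a look
        return "manual_review", hit
    return "accept", hit

# Constructed sample: a tradesman shipping to a job site in his own city.
HOME = {"street": "1 High St", "city": "Leeds", "country": "GB"}
SITE = {"street": "Unit 4 Mill Lane", "city": "Leeds", "country": "GB"}
JOB_SITE_ORDER = Order(120.0, 8.0, ["M"], HOME, SITE, "Leeds", "Leeds", 10)

if __name__ == "__main__":
    print(triage(JOB_SITE_ORDER))
```

Returning the list of tripped criteria alongside the decision gives the reviewer the reason for the referral, which is what shortens the manual step.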

Here in the US, I know at least one company that will insure physical goods shipped out (you send them all the info, then they’ll tell you whether you’ll insure or not). We have merchants who use them to insure international shipping (especially high ticket transactions). I am not sure if they are available for transactions originating outside of US, but maybe you can find a similar service in the UK.

Have you considered getting a phone verification service? It’s an extremely powerful tool to protect e-merchants against online fraud.

I agree with Micheal. Phone verification will definitely protect you against fraud.

So will only taking orders by phone… or in person. You have to weigh the cost vs the return.