Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: buckworks
What steps can I take to minimize the possibility that I'll be burned on this?
Once you've confirmed that the card used does in fact belong to the person at the ship to: address, give a courtesy call to the customer to verify the order. You need to be certain that this person actually is the one who placed the order. This can be done without raising any alarms-just verify an inane part of the order-color, size, etc.
If you don't have a phone number-your job is harder.
Mr. Goldfarb did you purchase this silver rolex?
Yes, I did.
Are you now, or have you ever been, a fraudster?
Whats you address?
13 Crotchety Pike
It matches, thanks for your time. And enjoy your new watch.
If you called the fraudster would they admit it, I doubt it. Actually they tend to be quite charming and polite.
The card and billing address must match and you need to have a record of it matching, second best is calling the bank if you have to (they dont give out information or phone numbers, you just give info. and they say match or no match, nothing else). The fact that the billing and shipping address match or not is irrelevant, if the billing address matches things can safely be shipped anywhere (if you get a signature that is). Getting the number from the customer to the bank can imply fraud to the customer which some people dont like.
It sounds good to call in theory, but in reality it often raises red flags in the mind of a legit customer. Especially dont discuss the order with anyone else over the phone (ie relatives, the estranged wife). Calling to verify information anonymously is fine.
One of the best rules of sales is the KISS rule (keep it simple stupid).
2) Verify the IP address is within the US
3) Ship with signature required by UPS / Fedex
4) We also make a quick call to the customer. I thank them for the order and tell them I've been assigned as his "account rep" and if he has any questions he can call me directly.
I agree with ispy leave the customer alone (scammers are good at wat they do)but verify the card.
Now remember sometimes the card will not match when you do the automated service on checking. They could have moved so if the card does not match call the issuing bank. This can be obtained from your merchant services.
Get a human on the phone give them the information and verify the address and phone number. If say the address does not match have the bank call the owner of the card and let them talk to the owner. This keeps you out of the loop and you won't make a bad decision by a sweet talking crook. banks know what information to ask to verify the account you don't have access to.
I made a 5k mistake myself about 5 years ago let Greed take over...
The bank will call you bank with an answer.
[edited by: bwnbwn at 8:10 pm (utc) on Oct. 30, 2007]
It sounds good to call in theory, but in reality it often raises red flags in the mind of a legit customer.
Today with everything being electronically handled this might not be applicable anymore...KF
BTW been burned with this one to the crook had it all.
So the way I approach this is I call the customer tell them who I am a charge has been placed on our website and just wanted to make sure you knew this was being done.
I have yet had anyone get upset with me and fact is most are thankful I would take the time to let them know.
I have as well been burned by kids using the parents card and then the parents saying they used it without their permission....
You got that right What us ecommerce guys go through is sometimes crazy why we keep doing it....
BTW Tonearm congratulations on your big sale let us know how it pans out ok....
I did end up offending some company once that placed a huge order for all the same item, which is a huge red flag in my experience. I called and asked for the name of the issuing bank and the customer service phone number from the back of the card (this was before many people were using the cvv). One person I communicated with there got mad and wanted to cancel the order. They still bought the stuff, but after that I never called a customer about a charge again. I just void it if I don't feel right about it.
It's highly unlikely that a fraudster would be shipping an item to the actual cardholders billing address and answering their phone.
If you have verified the billing/shipping (same) address for the card used, you SHOULD be safe shipping to that address. If for some reason phone confirmation is not possible, do not provide the tracking number, as a fraudster may use it to redirect the package.
ispy- The hypothetical exchange you composed between a merchant and possible customer is funny-but probably not exactly how a smart merchant would go about it.
Legitimate customers are not bothered by a call.
Totally agree. In fact a legit customer who bought so much may add to the order when you phone and show concern. Happens about 10% of the time.
Make up some reason for calling, such as to go over the delivery timeframe. Don't ID yourself as the boss but rather an underling. That way another employee can call later if need be and patch up "a misunderstanding."
Don't assume scammers are sophisticated. 98% are transparent dimwits. Criminal masterminds exist mainly in popular lore.
Use Zillow and other real estate sites to check out the "ship to"
1. e-mail address - if you can find their e-mail address, it is a good sign. Fraudsters are unlikely to use throwaway e-mail addresses for posing in forums, blogs or for their business.
2. Their tel no. Google will show up if the address matches.
3. Their address - sometimes, it may throw some interesting information about the occupants.
4. Their names - you may be able to find some other information about this person.
5. You should probably call anyway, at least to check that the tel no. is genuine and that the person exists.
I found that the most important indicator for fraud is the e-mail. If it looks normal and matches the person's name, then it should be OK. If the e-mail account belongs to the company, you should check the company's website. You could ring up the company and ask to speak to the employee directly.
You can trust me on this because I have shipped tens of thousands of orders to more than 150 countries. We do carry some highly resellerable items such as flash memory cards. Yet our fraud rate is now almost 0, we achived this record after learning lots of terrible lessons.
Our cart does AVS and CVV2, and additionally requests the phone number of the issuing bank. We don't "say" the phone number is optional, but it is. Also, we don't reject an order based on a CVV2 mismatch, because many customer don't get it right, or the numbers are rubbed off.
However, we have several "red flags," with varying levels of importance:
- AVS mismatch, address and zip - mild (people move)
- CVV2 mismatch, bears closer investigation
- Billing /shipping same or no?
- Bank phone provided, and is it the issuing bank?
- Shipping by Express Mail?
What's important are several of these in combination. When we get a large order and any three of these are present, we begin looking. derekwong's suggestion is a good one - for the U.S., if the person's in the white pages and their address matches the order, it begins to look OK.
We got our first "legitimate" fraud the other day. Large order, Global Express (more than the order,) Billing New Jersey, Shipping South Africa, all phony phone numbers - gee I'd have never caught that one. :-)
Most of the time we can do this without calling the customer, but in a couple we have had to as a final check. True, they can lie, but you can tell a lot by listening to someone talk.
And I tend to agree, once the customer understands you are looking out for their interests and not doing a sales call, they are not only cooperative they are extremely grateful you take the time to call them.
This is always a good idea for large orders.
I agree call them. Do not volunteer all the information. Be a little vague about what they have ordered. Fraudsters order lots of stuff and ussually they have no idea what they have ordered or who they ordered from.
Another ploy I use is to tell them there may be a delay bofore shipping, fraudsters know the clock is ticking and will immediately start asking for express shipping.
Verify with the credit card company that the following are correct:
1 billing address
2 name on card
3 CVV number is correct
Amex will actually call the customer with the phone number they have on file to verify that they actually placed the order. In the past we had a situation where it all matched, however the customer did not make the purchase, but their grandson did with out their permission.
Also be aware that if the card is a "secondary" card on the account that the primary card holder CAN file a chargeback claiming that they did not "authorize" the charge. We were screwed on that one.
We've also had everything match, it shipped to the billing address however the person that placed the order (once they got the tracking #) had the package rerouted with fedex, which cost us an additional 5.00 fee on top of the chargeback fee AND cost of the item.
Verify that they are shipping to the billing address in your system.
Ship ups or fedex with "DIRECT SIGNATURE" required, but this doesn't totally guarantee it. They can deny that it is their signature.
You can have the customer fax you a copy of their drivers license with a signature on the page.
When in doubt, request money order or western union payment.
Sometimes you have to go with your gut feeling because the CC companies are NOT out to protect you. They are out to protect the customer and their own money.
CALL - did it for years on large orders and tell them your doing it "for security purposes" to make sure it wasn't an unauthorized charge. Most people were thrilled about the extra level of customer support because you can also inform them WHEN it will ship and WHEN it will arrive!
HOWEVER, make sure the whole order smells right as just calling to check that the phone # is valid isn't enought because it could be a stolen or throw away cell phone.
More thorough validation for larger orders is easily done starting with the following:
1. Use GeoIP to confirm the IP address that placed the order is near where they live
2. Look at the email address too, as many fraudsters use out of country email accounts to avoid that nasty subpoena, so checking the location of the email service provider is another clue.
For instance, I've seen an IP from Singapore with an email account in France ordering something for Los Angeles - my alarms went off right away.
3. Look in Google for the name + city and see if they show up with the same name, address and phone #
4. Call information at (AREA CODE)+555-1212 and ask to confirm the name, address and phone # match because Google could be out of date ;)
Doing both #3 and #4 might sound redundant but it confirms some history as I've seen a stolen VISA DEBIT card work where the thief looked up the customers 6 month old PRIOR address in Google and the AVS system still accepted the charge although the customer hadn't lived in that address for 6 months.
5. If everything looks good, call the customer to confirm the order is valid and give them a shipping date and thank them for ordering.
3-5 minutes doing those simple checks could save you thousands in losses.
If everyone lays out the steps that they take to avoid fraud, well...
If your fraud detection is pretty bullet proof using a combination of CVV, phone company name/address/phone verification and verbal customer confirmation there's not much more they can they do short of driving down the street looking for packages on doorsteps and stealing them.
The only time you'll get nailed is when you let your guard down.
I used to bring up a satellite photo or map of their billing address and then ask them something about a nearby landmark. If they didn't know, for example, the nearest railway station to their house, chances are they don't actually live there. In the end though I decided that was too intrusive for legitimate customers.
Now I just cancel any order which looks suspect (usually a few each day), sending them an email saying that we couldn't verify their card details. Legitimate customers will almost always call and question why we've cancelled the order - at which point we just apologise and reinstate it. Fraudsters very rarely call to do that. They just assume the card they are using has been cancelled.
Also, be sure to require a signature for your package. This helps with Merchant Service should you have to dispute a chargeback...
I'll clarify my original point:
Call the card holder.
If you don't have the card holder's phone number-get it. If you can't get it, cancel the order and notify the customer of the cancellation.
Fraudsters read forums too
Did you see the hilarious video 2 weeks ago of a hapless U.S. bank robber who didn't even notice the armed uniformed guard at his desk just inside the front door? While the robber was pulling his gun on a teller, the guard came up a few feet behind him with his gun drawn!
Two cases come to mind where bank robbers wrote notes on the back of their own utility bills.
I did note that the original question (from Tonearm) came from an old active WebmasterWorld member.
Often, to fake out the geo-ip checks, fraudsters will use hacked servers in US datacenters to make the orders.
99% of the time, if the IP answers on port 80, it's a fraud order, no matter how good it looks otherwise. That's really a conservative estimate, because I can only recall one legitimate order that failed that test in 6 years of taking multiple daily orders.
Definitely don't be afraid to call if you're concerned. We've done that for years and I've never heard of anyone being upset by it. Usually, it's quite the opposite.
In addition to the many other things people have mentioned, one little check that we've learned over the years is to query the IP address of the buyer for a running webserver. (To do it manually, just paste it into a browser like [ip-address)...]
Often, to fake out the geo-ip checks, fraudsters will use hacked servers in US datacenters to make the orders.
That's a great tip and the servers probably aren't even hacked, it's more likely a PHP or CGI-based anonymous proxy server most of the time to obfuscate their identity.