Welcome to WebmasterWorld Guest from 184.108.40.206
Forum Moderators: buckworks
we got 5 fraud orders over the "cyberweek / black Friday" period.
but weird fraud...
2 were via paypal, with shipping address being a confirmed paypal address. These 2 people called us asking why we sent them free stuff as their paypal accounts were not charged, but their name, address, and phone # were correct. Nobody has called to complain about charges to their paypal account yet.
the other 3 were credit card orders. billing and shipping addresses matched and were confirmed via authorize.net as well as the use of the security code on the credit card meaning they had the card present. The IP address of the person placing the order even matched the region where the order was shipped and billed to. These people want to charge-back the order. They say all the information is correct but the email address is not theirs. The order amounts were not even that large of orders as well as these people claim their credit cards weren't stolen or used inappropriately anywhere else.
BTW, we use the fraud detection suite from authorize.net and that cuts down of fraud a lot, but these few got through.
How in the world can you stop this and what are they thinking?
the security code on the credit card meaning they had the card present.
I take not having the (or not matching the correct) CVV code to be a red flag, but I don't assume a matching CVV is a green flag.
Since they (supposedly) didn't place the order, they obviously need to sent the products back to you. After you receive them, then issue refunds. If they refuse to return the products, it sounds suspiciously more like fraud by the card holders instead of fraud from stolen cards.
but I want him to cancel his credit card and file a chargeback as if someone stole his card I want the card company to have an incentive to help me find the criminal.
Nice thought, but I think you'd be going about it in the totally wrong way. As far as the CC company is concerned, you are the criminal if he files a chargeback. Or at least you are party to the crime. I can think of ways to go about this without getting yourself $$#*$!.XX in chargeback fees:
Go here, for starters:
I want the card company to have an incentive to help me find the criminal.
I wouldn't put much (any) hope with IC3 either. I've filed several complaints through them and have never heard anything back.
[edited by: LifeinAsia at 10:33 pm (utc) on Dec. 15, 2008]
I use authorizenet and find the fraud suite they offer is next to useless. For a start AVS only works in the US.
One thing i do is check the IP address on every order. It needs to match up with the address associated to the order. Fraudsters never have an IP location anywhere near the address. For example, a fraudster might give an address in California but the IP says they are in New York.
When I see this I send a "challenge email" which requires them to send government issued ID prior to processing the order.
Legit clients generally comply, fraudsters send false ID's or simply do not reply.
I've had over 13 years experience on the net and sales of over $20 Million. I've learnt a ton of stuff about fraudsters and how to beat them.
[edited by: eelixduppy at 5:20 am (utc) on Jan. 5, 2009]
[edit reason] no signatures, please [/edit]
People may still chargeback but you will win unless you use Paypal.... in that case... dont even bother ... you might as well kiss your money goodbye.
[edited by: lorax at 2:17 pm (utc) on Jan. 6, 2009]
[edit reason] no self-promo please [/edit]
I do what I need to do to protect myself, but losing an occasional chargeback gains me a lot of business I would not have if I tried to be completely safe. Retail is all about risk.
If you would like some real solutions and help to fight fraud contact me. I'm not allowed to post the link to my book here so you will need to contact me.
since I began making money on the net in 1995 I have processed millions of dollars worth of sales and have discovered the very best, cheapest and easiest ways to beat the fraudsters.
contact me and i'll give you a hand to solve this problem
Of course we look to make sure the billing and shipping address are the same and match the AVS which is available in the US and some parts of Europe. This is actually why some companies don't accept international orders- because aside from the AVS system there's really no sound way of confirming that it's the cc billing address on the order.
Just remember, most importantly, the following:
Google is your friend.
Telephone numbers usually give the most away. #*$!-#*$!-#*$!X is the best format in my experience and usually returns some good information (or nothing at all, which is also good information). If you're still undecided you can call the number as most of those calls are either disconnected lines, or they go straight to voice mail (machine type voice). Put a hold on these orders and wait for them to inquire about the order. If they're real customers you know they're going to be up your ass in two days wondering where their shipments are!
Google Maps is also a great tool. Plug a shipping address in there and take a look at the neighborhood. Does it look like the kind of place your product might ship to? If it's an empty warehouse in a neighborhood of empty warehouses then you're probably ok to cancel.
The easiest way to determine whether an order is real or fake, in most cases, is to contact them directly and speak with an actual person. 99% of the time you're going to find that a fraud order doesn't have a courageous person available to be the face to the crime.
You also can't forget the sad fact that some of these fraud orders might be the kind where the purchaser simply files a chargeback. Courier services are happy to leave it at the door most of the time and there's honestly no way they can prove it was delivered to you. Credit Card companies are so scared of consumers that they're happy to simply take the money from hard working websites, AND penalize you for having a chargeback filed in the first place.
Okay, i've run out of steam. Time for bed. Nice thread though. I am certified in Computer Related Crime Investigation and am developing an informational site for Internet Security, so I enjoy when this topic comes up.
1st- red flag was being shipped to an overseas docking area. I checked the card all checked out and usually it would be a ship except for my gut feeling.
2nd red flag Got the Cards issuing bank called them to check the telephone number on file this was not a match. I then asked the bank to contact the customer and was told we can't do that. (this is about par for a bank)
I used yellow pages and searched got a number and called him myself ending up a fraud order. He was very grateful to say the least and I told him how his bank acted and wouldn't call him to confirm the charge and suggested he find another bank to do business with.
Books are good, information is great but somethimes ya gotta go with that gut feeling...:)
Why I don't trust even Physical Card Present transactions, nor faxed or PDF copies of IDs or Credit Cards: [wired.com...]
3. Like ispy said, do AVS Zip/Address verification and get a tracking number with signature confirmation on EVERY order. Do this, and you won't lose money, even if it is fraudulent.
4. As bwnbwn mentioned, use external sources to verify the data provided. Google the phone number(s), addresses, call the bank. I've used Experian to look up the credit card and the customer, for which I can usually find a phone number.
5. Ask for the phone number of customer service on the back of the card, as well as the billing phone number on the credit card. MinFraud accepts and will verify this data and will help you make a decision on orders.
I realize I sound like an advertisement for MinFraud, but it is fantastic, a great tool to minimize fraud. $0.004/query makes it SOOO cheap to do so on EVERY attempted transaction.
[edited by: lorax at 1:17 pm (utc) on Jan. 14, 2009]
I wonder if this system will help with increasing orders ($$) by giving consumers confidence in the security of a website.
If it does increase consumer confidence in security, I would say definitely. However, I am not sure they have a big enough market share/name recognition to elicit any reaction from consumers. If one of the big boys plastered their usage of Minfraud all over their site for a year...then yes. As things stand, I doubt there would be an immediate or noticable effect.