We've been there and can feel your pain. I often wish there was a network - aside from police - whereby these fraudulent ship-to addresses could be paid a visit after the fraudulent transaction has taken place.

At the opposite end of the money spectrum, here's a story about how much of an effort someone will go through to steal a lousy $10 from a merchant. This just happened within the last couple weeks:

Customer orders widget. Billing & shipping addresses are the same and all verified (normal practice). Billing name was different than shipping name (even though same address). Order ships and is delivered. Customer then calls ranting about a charge from us on her card and claims to have never ordered anything, denies knowing the billing name, and demands refund. She's outrageously rude (which is normal behavior for scammers trying to bluff). Call ends. Five minutes go by - we receive another call. This time she suddenly discovers the she has received merchandise and now begins a new cussing rant about the widget itself. We indicate that returning it for refund is no problem. Hangs up. We receive the package marked "returned to sender" which bills postage to us on a non-Priority package. We open the package... no widget (probably because the widget had already been opened and used).

Our summary is that the customer was calling and attempting to bluff her way to a refund... even though the card was not stolen and the transaction was not fraudluent. All that effort for 10 bucks. Sadly, few things are surprising anymore when it comes to how people plan to rip you off.

Sorry to hear about your loss. I have shipped to different states with success, and shipped to the billing address and got a chargeback. It seems to be one of the hazards of ecommerce. Fight the chargeback, you might win.

I once had a week that provided surprises in the mail each day. I received weight-loss programs, stop-smoking patches, male enhancement products, magazine subscriptions and a dozen other items all under $50.

Some scammer had got my credit card information and signed me up for all sorts of stuff. The product was all shipped to my billing address. I could never exactly figure out why it was done, what the scammer had to gain from it. VISA credited me back everything (even though it was less than $50 per item).

That stinks... I guess I'm lucky, because my stuff is so weird, people would rarely want to steal it. I wonder if it's the trick where some pretty girl cons a lonely guy into accepting all the stuff, then has it redelivered.

My processor won't let me opt out of 3D Secure checking and I have never had a problem with card processing.

@gpilling
The scammer was probably an affiliate who signed you up and got paid via it making it harder to track him down. If you wanted to help put a stop to him you'd be best off probably contacting the merchants who sold and sent the stuff to you.

Credit card numbers are stolen all the time. We've had ours stolen three times in the last two years and four times in the past seven years. One time the card number was good for about two months before it was stolen.

dickbaker I feel for ya bro. The only way we ship to another address now is verify the cc phone number and then call to verify the charge. This is the only sure way to catch this type of fraud.

Same thing as happened to me so we won't ship until cardholder has been contacted...

I think we have caught 3-4 of these the last couple months. The fraud order has all the correct info but when we contact the card owner we find out it wasnt placed by them.

That sucks. Ditto bwnbwn's recommendation of calling the card holder to verify that it is an approved transaction.

I assume you've reported this to your local police? I believe $500+ makes it a felony-no?

I'm waiting for police right now so I can file a report and have the local PD contact the department in the town where the product was delivered. I know the chance of recovery is small, but...

I really hate to call customers but, with this being the third time in two years that I've been burned, I guess I'll have to do that if the shipping address doesn't directly correlate to the customer's name.

Sorry to hear about the stolen card. I hope you get some kind of restitution or at least that they catch the person responsible.

If it was USPS, you can also file something with the inspectors.

[usps.com...]

I used to run an ebay business and sold electronics. As long as I looked out for red flags there was no problem. One day some guy calls up and wants a bunch of ram fedexed to Indonesia. I got exited about the big sell and did not pay attention to the huge red flag. Card was stolen I was out $500. It took the card owner a while to catch on because he ended up making 2 orders with me.

We got nailed for best part of $10,000 last year on a big ticket widget. All of the credit checks past muster with flying colours but unbeknown to us and the credit check people the founder of the company bailed because the company was in trouble to be replaced by a couple of shysters. That was rather painful...

...guy calls up and wants a bunch of ram fedexed...

None of the below behaviors are surprising, but over the last decade or so, we find that orders by scammers usually include some of the following:

1. Ship to different address
2. Ship expedited even if the price is outrageous
3. If comments are allowed on order, there is often a note about urgency
4. Often, there are follow-up emails expressing the urgency and/or notes about compromise just to get the order shipped
5. Communications often include rude or abrupt patterns
6. Something about their order is irregular. Sometimes it's the quantity of an item, combination of items, something selling out of season, etc. Something is breaking a pattern.

Some of these like #1 & #2 are part of regular everyday legit customers though, so it makes it tough to catch them. If we take #1-6 as a collection, we find they can work together to try to profile a scammer.

Aside from actual authorization security measures, I think #6 can be helpful on its own though for attempting to prevent a fraudulent order from shipping. For us, it's partially about our being familiar with our customers' shopping habits. Knowingly or not, experience at order acceptance and fullfillment has profiled a store's customer and sometimes instinct can tell you when something isn't right.

All that being said, we still get burned now and again, but I think experience has helped us keep the monetary loss minimized (especially on a per occurence basis).

dickbaker on all the ones we have called to verify it was actually just the other. Everyone of them thought it was good we called, they know there are real people working there, it helps build customer loyality, and gives you something you didn't have before.....Human contact.....
Call and you will be suprised.

bwnbwn: especially when you honestly state 'I'm calling because we hear a lot about credit card fraud lately and I wanted to verify your order.' Most people are afraid of card fraude and will probably be glad you called to confirm, they might even recommend you to friends and.or shop with you again themselves because you are 'safer to use'.

Don't ever go out of your way to avoid customer contact. Most people appreciate it to know you're taking care of them.

Oh, I do call customers. I don't like calling them because I feel as though I'm bothering them. You're right, though, in that most appreciate the extra precaution. There are a few who seem annoyed.

Or better yet, state that your call is simply a courtesy call to assure the customer ordered the items correctly and that the shipping address is correct before you ship product. This saves you and your customers the possibility of customers ordering wrong and their orders not arriving due to missed apt/suite # etc. And last but not least you can possibly increase your sales and provide that WOW factor that is very rare even with any purchase whether in person or over the internet. Furthemore, place a call two weeks after delivery to provide the extra WOW factor to really assure the customer that you care and to find out how you can improve. Our company has implemented this policy and it's amazing what we catch before orders are shipped, how much this has increased the sale beyond the original purchase and last but not least to assure our customers that we care about them and their order. Also at this time, we extend to them (if we feel it's in line) that we are into other lines of products that they may be interested in.

Best Regards

In the call many are suggesting, what is it you are trying to accomplish? What questions do you ask to confirm it's a real consumer and not a scammer?

1- Question did you place an order off of example.com on x date, for x product at x cost to be delivered to x address.

Either you find out it is a good charge or fraud.

It won't be the scammer because you contacted the bank the card is drawn from and confirmed the cc phone number in the banking files and call only that number to ask the above question.

how do you know which bank is the issuer?

i'm pretty sure that my auth.net reports just tell me "Visa", not the bank. are you saying you can call Visa, without a full card number, and verify the card holder's phone number?

i was guessing you all meant you called to catch the obvious scammers, the one who either listed the actual owners phone or a dummy phone number.

The first four numbers of the card identify the bank, but if you are like me, you never see the full set of numbers anyhow, because the customer interacts directly with the payment gateway. I am forced to go by my gut feeling with international purchases. When an order is big, I have to decide based on a number of factors that involve a lot of intuition.

Recently, for instance, I had a large order with a Canadian billing address shipping to Glasgow. Okay, that's within the realm of possibility. But:

The ip address was of a mobile phone in England.

The phone number of the billing address was located at a different address in Canada and under a different name.

No such person as the billing person seemed to exist in that city.

The shipping address on Google Earth was of a curry shop.

There was a delivery failure on the notifying email address--no such address.

So I figured that one was probably bogus. You might ask why I did not call the phone number given in the billing address. Because a) it wasn't located at the billing address and even if it was a cell phone, b) none of us has any assurance that the phone number given in the billing address actually belongs to the person who owns the card. As soon as you call a thief and ask "Is [customer's billing name] there?" they know they have a dupe on the line. One thing I have noticed. Thieves do not usually contact me about where their order is--only at the beginning, when they want it shipped now now now. Another giveaway. Sometimes I will hang on to an order like this just to see if the customer will contact me and what they say.

I end up wasting a lot of time checking this kind of thing. I wish there were some easier way, but with my setup, not that I know of. It is kind of frightening just how much "fraud prevention" is just plain gut instinct. Why aren't people with cards enraged about this?

Why aren't people with cards enraged about this?

Because they usually have no liability. If their card is stolen and used, the merchant usually has to eat the costs.

You can bet that if the credit cards were held liable for the costs, they would move VERY quickly to put better safeguards in place.

RhinoFish and HRoth please tell me why you don't have access to the whole cc number to verify cardholder information.

The only card numbers I can't get are those done through Google. I then can fall back On google for any problems.

My cart interacts directly with authorize.net. The only time I see the card number is if I take the number over the phone. I suspect that RhinoFish has the same situation.

Naaa you should be able to sign into authorize.net and pull the card numbers.
I use FastData and I don't see a card till I log into my account to pull the number for checking. Man I can't imagine not being able to do this I would be busted from bad charges.

I am sure you can get the numbers call authorize.net and ask and then let me know.

Holy smokes I called them myself and yep your correct you can't get the numbers. How in the world can you do business like that. authorize.net is nutin but a go between you and the cc processor.

I can't see why someone would want to use a go between when you can get a merchant ID and go to the cc processors yourself.

I have a payment gateway because I don't have a POS terminal, and I don't have a POS terminal because I don't need one--I don't have a B&M store or go to festivals and whatnot to sell. If people want to call and use their card over the phone, I can input it directly onto authorize.net (although I actually just use the cart, because it's easier for me in terms of an invoice). The advantage of using a payment gateway is that they are responsible for most of the security and they are the ones who interact with the banks. It's supposed to mean a lower discount rate, but I doubt it. I've been doing it this way for ten years, though, and it seems satisfactory to me. I only have so much attention to give to aspects of my store. I have a merchant ID and I have cc processors as well whom I deal directly with when there is a problem.

I should add that I have it set up to authorize only. Then I decide whether I want to capture or not. That allows me time to decide if I think it's bogus or not. When I had it set to capture, I did get screwed a couple times.

[edited by: HRoth at 7:24 pm (utc) on Jan. 14, 2010]

HRoth I use fastdata they are a cc processor. You have everything you need to open an account might want to look into it.
They as well have a cart processing system you can look at if you need a cart to process orders.
Worth spending some time looking into it.

I'll check it out.

---

Well, First Data looks like a payment gateway. They have a gateway charge, which authorize.net does also, depending on your processor. It looks like First Data incorporates the processors into themselves rather than standing separate, like authorize.net does. All this stuff is like one big shell game, IMO. :) Like a bunch of leeches.

You did used to be able to see the whole card number on authorize.net. Then it got so you could only see it if you downloaded a tab file. Then they got rid of that. It was a bother for me when I used to get recharges. Now I figured out how to do that on authorize.net, so I don't care.:)