The person originally in question has submitted yet another credit card for me to try for her.

I looked the address up on the net, checked to see if the address matched the name on the card, and it does...but the phone number doesn't match. The internet did provide the correct phone number and I was able to let the card holder know that this card is being submitted by this "Customer" of mine.

I have stopped calling the card companies, let the card holder do it, the card companies don't care when I call.

So address and phone number verification is a must where orders are concerned now.

For instance: 0-5 in order of suspicion. 0 being the least suspicious and 5 being the most.

So, even though you're diligent enough not to ship to Indonesia, you may be tricked into doing so!

About 70% of Indonesian addresses start with "Jalan", "Jl." or "Jln." which mean street (and its abbreviations). This is a tell-tale sign. You should also google the name of the foreign city...

PS-Don't give up! My first "customer" was a fraudster from Indonesia too.

That's why a new website should never say that it's new. The first few months, a site is especially vulnerable to fraud.

(it's also why you should NEVER ship to Indonesia, among a few others)

indonesia addresses will often say singapore or malaysia as well. that whole region's postal system is apparently helpful in delivering properly to indonesia (and defrauding us).

We just got burned ($4000)by a well known credit card processor in Toronto Canada that uses a "SYSTEM" to "PAY" you!
So,they may just be in a neigbourhood near you and they are not always potential customers!

Where we live any foreigner is fair game,it's a national pastime.(cheating,that is!)

MM

One other safeguard is to have a "bad list" of people who have tried to swindle you available. At times the same person/group has tried to swindle me over several months. When I ID an order as fraud, I keep the shipping address, billing address, shipto name, billto name, phone # and the last 4 digits of the credit cards used to reference against new orders that I receive. I now have a Perl program that automatically checks for me. This program saved me just today.

My rule of thumb: If the purchase sounds too good to be true, it probably is, regardless of how bad you need the order.

- make them pay in advance via a method they cannot later challenge. Wired funds are the best. NEVER allow them to use any kind of check or any kind of credit card. This alone will make most of them go away.

- make them agree in writing in advance that all risks of the transactions are on their shoulders, and that all sales are final. There will be no refunds for any reason including refused delivery.

- make them take delivery at some point here in the US. Further forwarding is on their dollar.

- when in doubt, cancel the order. I do this regularly, and surprisingly my customers only take it as a further sign of MY legitimacy as an online store... they almost always have re-ordered.

Thanks.

Just got another large order going to Puerto Rico. Not large same product order, just large dollar order. Asked for a wire transfer and already got an answer of yes back.

Thanks! I feel better, and yes I know it is only Puerto Rico, but we have to start somewhere when it comes to sercurity. I hope to make this habit forming.

We get a number of large orders from overseas and we sometimes ship before payment, but only for established companies. It all depends on what general clientelle you're dealing with.

In the vast majority of cases, I would recommend pre-payment.

all order are per wire transfer and I whant them to order a test product first. Then they can order a bigger amount and still all wire transfers.

I can see there could be some troubele if you sell a lot of different small amout products 1-500$.

- Grant

Rep: Sorry, the $300 product is out of stock, we'll have more Monday
Fraudster: What else do you have?
Rep: We only have the $500 product right now.
Fraudster: OK, I'll take that one - can you overnight it?

A real customer would almost certainly check with other outlets, or backorder the item if they weren't in a hurry. Watch out for elaborate stories, too - one that comes to mind is a guy who was (supposedly) traveling on business and had his notebook die; he needed a replacement shipped to his hotel overnight. Believable, but also a great fraud setup since it explained both the lack of address match and the need for rapid shipment in a plausible way.

Better to be safe than sorry and a REAL customer will not have a problem with the verification. Also, it is not uncalled for to ask that the customer pay with a cashier's check, wire transfer or something of that nature. I am finding that my business keeps me awake less at night after reading all the threads here.

Good luck

Even if its a prince!

Sounds good to me. You should be able to get issuing bank info from your cc processor.

- Grant

I have stopped calling the card companies, let the card holder do it, the card companies don't care when I call.

The credit card companies actually make more money from these fraudulent sales than they do from legitimate sales. I've got a stack of chargeback's to prove it.

Another thing to add to the checklist is if the initial contact was made through eBay. EBay is a virtual directory of people who want to make a quick buck but don't have a lot of business experience that might make them leary of such a sale.

The last time I was taken in by a scheme like this, it fit the pattern perfectly, but they were offering so much more than I could get in the States that I decided it was worth the gamble.

3 weeks later, the CC company took the $1,600 back out of my bank account, and the shipping company called me to make good on the $600 shipping fee that they charged on the credit card that I had relayed to them.

The bank told me that this card was mailed to someone in Phoenix AZ, and before the person realized that he didn't receive it, the fraudster in Indonesia had racked up over $40,000 on his new card.

Best option is to ask these people to make payment using Wire transfer or check.

No, no - never check. Many banks will deposit money to your account first, then clear the check much later (up to 21 days in cases of international / Canadian checks) - so you may *think* that the check clears, only to have it actually bounce later.

Ultimately the merchant loses out and the banks still get money. So it is truly in the merchants best interest to try and prevent fraud as much as possible.

Some of the easier fooled methods, but easy to implement methods for validating information are to use AVS (address verification). Generally this works reasonably well in the US and not well in other countries. Typically a full street match is challenging, but a zip-code match provides some level of additional verification.

You can also use use CVV or CVV2. These are some additional digits on the back (or front for amex) of a card that are a little less common for fraudsters to get ahold of. Most card issuing banks also change these from expiration period to expiration period.

You should develop a pattern of your "normal user" and screen things outside it. For example, if your normal customer spends $20 and you have some spending $200, look more carefully at what they are doing.

If you require an email address, make sure that at least an MX record exists. Or better still, have them verify their email address before you process and order.

There are also some reasonable things one can do to check on simple things like client browser, ip card bin, etc. For example, statistically speaking, linux users and opera users are more likely to be fraud than not. Is the clock on the computer synchronized with the approximate location the person claims to be? Sure they may be on a laptop, but a guy who says they are in indonesia with a EST time should get flagged. does the ip address match -- at a country level even -- where they claim to be from? is the card issuing bank in the same country where they claim to be from? These are all not "deny charges if..." statements, but rather small data points one should use to better highlight transactions you may want to look at more closely before shipping anything.

some of the countries peopel are talking about here (in jest maybe) like nigeria are listed on the OFAC
which are listed as having sanctions against them (such as nigeria, syria, etc.) Additionally there is a huge list of people you are prohibited from working with (go search for 'OFAC' at your favorite search engine

There exist also other systems for validation of information and challenge-response systems to try and ask alternative information such as "which of these addresses have you lived at" or even verification of the last four digits of an SSN. If you are interested in more information on these types of systems or designing such heuristics, drop me a PM.

Take careful note of your standard ordering pattern. For instance, if customers usually order one peice of a particular item and you get an order for three peices, alarm bell should go off. If out of N/A, cancel the order. Otherwise, contact the customer before deciding if you will ship. If you have any hesitation, follow your initial gut feeling and don't ship. Chances are you will lose your money.

Also, try to ship via fedex, etc. where the customer has to sign for receipt. This will dissuade claims that the goods was not received. Some legitimate credit card holders do this on a regular basis hoping to get away with it some of the time.

Even so, you should factor into your selling price a percentage for fradulent orders from users of stolen credit cards. Can't stop them all!

DEFINITE FRAUD

• Customer doesn't know the Cardmember ID (CID) found on the back of the Card, indicating that they don't have the actual Card
  
• Customer asks that you try lower dollar amounts when a decline message is received
  
• Customer instructs you to try different expiration dates when initial attempts fail
  
• Customer attempts to place a large order using several credit cards to obtain the total authorization amount
  
• Customer offers the phone number to an authorization center to speed up the credit card approval process
  
• Fraud Countries: Nigeria, Indonesia
  
• Order received from anonymous proxy IP
  
• Shipping and billing country are different (non-gift sites)
  

PROBABLE FRAUD

• Customer requests that sales be split up to avoid paying "import taxes" and/or "duty fees"
  
• Customer hesitates, or has a long pause, when asked for personal information (only applies when you can get them on the phone)
  
• Customer attempts to purchase large quantities of a single item (high price item)
  
• Customer has little regard for price
  
• Customer shows little or no concern for return policies, manufacturer warranties and/or rebates when purchasing in large quantities
  
• High Fraud Countries: Romania, Singapore (people from Indonesia will use this and still get it), Ghana, Ukraine, Uganda, Hungary, Belarus, Estonia, Latvia, Lithuania, Slovak Republic, Russia, Yugoslavia, Macedonia, Phillipines, Thailand, Malaysia (people from Indonesia will use this and still get it)
  
• Total order more than ~5x your average order
  
• Shipping and billing address different (for non-gift sites)
  
• Shipping and billing country are different (on gift sites)
  
• Shipping and billing name do not match (non-gift sites)
  
• Order IP's country does not match order country
  

POSSIBLE FRAUD

• New customer attempts to make a very large credit card transaction
  
• Customer repeatedly sends e-mail messages requesting confirmation of shipment
  
• Customer attempts to purchase large quantities of a single item (lower-cost item)
  
• Customer seems overly concerned about delivery time frames to overseas destinations
  
• Customer purchases several large-ticket items, which do not go together, e.g., appear random
  
• Customer calls a few minutes before closing and wants several large-ticket items
  
• Customer details entered in all upper or lower case
  
• Cell phone number used
  
• Overnight shipping
  

This tells me I could never have a career in credit card fraud, since I could never offer the phone number to an authorization center without giggling.

A common fraud from Indonesia is to use a genuine card and a genuine address. But the cardholder then disputs ever ordering the goods, signs a form to that effect and gets refunded. Out of your pocket. You lose goods and the money!

It's happened to me and I've never sold to Indonesia or any other similar country since - unless I've received cash upfront.

Thanks!

It's a form email they send out and if you respond to it, they first go to your website and look at stuff to order. One of our employees answered one such email and we proceeded to get a list of about $2000 in merchandise this person wished to order. It was all stuff that we don't even carry. I guess they got confused as to who responded.

I don't think free email account is a good barometer of fraud. When I order online I always use my hotmail account. It's my spam account so if the company spams me or sells my email address, I don't care.

Okay, NEVER deal with people from Indonesia even if the card clears - as you will be liable for the money the credit card refunds to the cardholder.

A common fraud from Indonesia is to use a genuine card and a genuine address. But the cardholder then disputs ever ordering the goods, signs a form to that effect and gets refunded. Out of your pocket. You lose goods and the money!

It's happened to me and I've never sold to Indonesia or any other similar country since - unless I've received cash upfront.

Except that this very same thing happens here in the US all the time. I can provide you with home addresses of people who have done this to my clients. Order, take delivery, sign using a squiggle (neither UPS or Fedex checks), and then claim they never received it. Since you don't have a valid signature or an impression of the card, you're out of luck. The credit card company doesn't care... no skin off their back. What are ya gonna do, not take Mastercard? The legit customers don't care, they don't have to worry about getting stuck. The only ones that have to worry are the merchants... us.

And don't bother calling the police or FBI. I tried calling the LAPD on one incident. They had a total of 2 fraud investigators for all incidents of this type fraud for all of LA and didn't want to be bothered. The FBI is not even interested unless it is over $5,000 in REAL losses.

Thank you so much. That has been printed and posted over each computer at the store. Never will I NOT look into each order.

As pointed out, yes this is a foreign matter, but let us not forget that this happens in the USA as well. We can get duped in our own country as easily as the next country.

I am finding that the real trick to this is to be on guard at all times, to be satisfied with the order and confident about payment before you ship any product/merchandise.

Again as pointed out, the banks do not care about the merchants, they care only about the almighty dollar. So it is up to us, as merchants, to watch out for our own dollars.

I would rather turn away an IFY $2500 and work on a few $50 orders. The $50 order will not make me rich, but they won't leave me filing bankruptcy either.

Thanks again Critter...great post.