I quite certain you can contact the Visa, MasterCard, etc. and clarify where the account statement is sent to.

If different than the address of shipment - the flags are well founded.

They may not give you this info - but can give a yes or no answer.

e.g. - yes that is the same address.

Wouldn't it be nice if there was a secure form to report suspicious activity?

Does anyone have a phone number to report the card? Don't you have to know the name of the bank in order to do this?

We get orders like that about once or twice a month, usually from Indonesia. Yes, sometimes Nigeria. Occasionally they ask for express delivery. The cost is no object. The order is always huge.

None are valid...NONE. NOT ONE!

We don't bother to do any checking anymore. Not worth the effort.

Not once have we gotten a follow up email from them asking where the product is!

Does anyone have a phone number to report the card? Don't you have to know the name of the bank in order to do this?

Go to the web site of the associate credit card.

With VISA for an example you can quickly make a "Code 10 Call".

VISA Fraud/Chargeback Avoiding PDF [international.visa.com].

Although you can simply do nothing and it will not cost time/money today - the simple fact that if everyone does this you (or someone else) will eventually get burned by the same individual.

As fraudulent use grows -- fees do too, so in the end it will cost you money by avoiding it.

Have burnt our fingers once with an order from Nigeria. Despite signs indicating something fishy, we let it go since the total amount was only £9.68. However, we got a chargeback, our first ever! So now, we completely ignore orders from Nigeria, Ghana etc., with a polite response that our processor is presently unable to accept card payments from Nigeria etc.

No. No. No.

Never ever send ANYTHING to Nigeria under ANY circumstances unless you are 100% sure of the details.

I get 30-40 orders per week from Nigeria and surrounding countries and these are my findings:

1) 95% use yahoo email addresses
2) Address Verfication always indicates the card was not issued in Nigeria
3) Quantities are high, products are usually high prices (compared to their competitors)
4) About half of orders are chased very quickly with short emails
5) More than half of the orders have the address typed in entirely uppercase or entirely lowercase. Well, they are in a rush - another 75 merchants to try to get goods out of today ;)

There are many other things that look out of place.

Never ever send ANYTHING to Nigeria under ANY circumstances unless you are 100% sure of the details.

Agree totally.

However, I would be interested in knowing if merchants actually report such occurrences to the appropriate credit agency or simply ignore the orders.

My line of thinking... scammers are becoming extremely innovative, and unless they are caught, we are all bound to get burnt as they prosper.

I have NEVER had a legitimate order from Nigeria.

Its almost as if they breed fraudsters!

From the visa.com website:

Card-not-present merchants can be held financially responsible for a fraudulent transaction, even if it has been approved by the card Issuer. This is because there is a greater chance of fraud without face-to-face contact, an actual card in hand, or a cardholder signature. Merchants who participate in Verified by Visa receive added protection from fraudulent chargeback activity. Ask your Acquirer for more information.

Anyone in this program? What about the other cards?

So what additional steps can we take to protect ourselves? Here's a couple of tips I can offer:
1) Get the name on the card
2) Validate the "bill-to" address
3) Send the package "signature required"
4) Get the 4 digit security code
5) Call the customer to make sure they provided a valid phone number.

Am I missing anything?

Don't you wonder how many Dot Coms used to ship huge orders to 3rd World customers just to make quarterly revenue projections!

---

Very quickly ecommerce retailers have got away from the early idea that selling on the web means selling worldwide. I did a study of major U.S. shopping sites and was pleasantly surprised how many of the biggies (Wal-Mart.com for example) don't ship outside the U.S. Not even to Canada where they have many stores. (I'm sure fraud isn't the problem with Canada)

Frankly, I love it when I see "We Ship Anywhere" on a competitors site. They'll soon be out of business!

The party is mostly over for 3rd World scammers (at least for awhile).

FWIW Amex cards make me very wary because of the ease a customer can issue a charge-back for a purchase at the first mention of it being an internet purchase.

However back to dvdual's list;

1) Get the name on the card
2) Validate the "bill-to" address
3) Send the package "signature required"
4) Get the 4 digit security code
5) Call the customer to make sure they provided a valid phone number.

1, 2 and 4 are very easy to bypass if they have a copy of the card+details - I've seen nigerians do this with cloned cards before to a very impressive level of accuracy.

5 is also bypassable if you buy yourself a forwarding number ie I call a US number but it forwards the call to Lagos. Either that or you have someone acting as your agent taking those calls in the country.

Equally if you allow different bill-to and delivery addresses and they have a copy of the card then 3 is also bypassable since they have the signiture and a package which doesn't have to go to the billing address.

If you are taking the initial stages of the transaction over the 'net I would also suggest red-flagging orders which come from "questionable" IP blocks (the same way you would if they came from that country).

- Tony

Although I am not familiar with this topic from your end, I just wanted to add a note from the other consumer end.

Whenever I ship to an alternate address, the credit card company should have a record of the other shipping address on file. This means, as the credit card user, I have call and let the credit card company know the alternate shipping address. You should be able to verify alternate shipping addresses with the cc comapny.

If a flag has been raised, always call the phone billing address number given to verify the order. I would not ship until I had verified the order with a person. If you can not verify this way, try the work or daytime number to verify. If nothing, then I would alert the credit card company of the situation.

This process can solve a lot of problems and doesn't take a lot of work by the retailer or the cc company.

For example, I have two shipping addresses on file with my cc companies. My home address (billing address) and my work address. They know both. If there is an order to another address, I had better have called them to inform them of this.

Also, I do not have a problem with an order being delayed because a verification process has taken place. If you need to verify an overnighted order, make sure you get all consumer contact info, such as even a mobile phone number, so you can exhaust all contact possibilities before shipping.

We can reduce cc fraud dramatically, but it calls for work from the user, the retailer and the cc company.

After many fraud transactions my first year on the internet, I just don't take orders that look suspicious. I immediately void them and send the purchaser "sorry we do not ship to x-country". Indonesia and India are immediate voids for me.

The worst is the cards that go through for download products. I know that they have the product, are passing it around, I have to change passwords and then I get a chargeback of $25 for a $10 download. I void anything now that even smells a little rank. I will take the $10 hit but the $25 is a killer.

I have called my authorization company and asked if there was a place to report suspicious cards. Wouldn't that be nice if we could just email the details and have a company look into the card status? Is this an business opportunity waiting to happen?

--Mercy

I am not sure If I can post this here but there is a good system being used in the UK. Try a search for "early warning fraud" on google (without quotations) This new system seems to be working well here. It also gives some good advice.

I agree with everyone here, when I first launched an ecommerce site, I was bombarded with expensive orders from Nigeria and Indonesia, usually for 2 or more items, the fraudulent orders have slowed down now.

There isn't enough happening in the UK to protect retailers. We only ship to the credit card holders address and always use code10 to confirm that the supplied address is the registered address. This seems to be working.

[edited by: Total_Paranoia at 7:02 pm (utc) on Dec. 28, 2002]

This is a very emotional subject with me. Shortly after I opened up my website about 2 years ago I got an order for a sinlge high priced item to be shipped to Indonesia. I had never been warned about this or anything and the address gave me a matching code for the AVS system! If it had not I would not have shipped it. Over two months later they took the money out of my account for that sale without any sort of notice. I had to call to get them to fax me information on why the money was taken out of my account. It almost put me out of business.

I still get e-mails and orders for products from Indonesia and delete them all, I never have anybody ask where the parts they ordered are oddly enough. And with any orders overseas I require prepayment with a cashiers check or money order. I am carefull about that too because I have heard there are money orders which are not guaranteed funds, I always ask the bank when I deposite it.

It happens to me all the time. Indonesia, Nigeria, former Soviet States. Even the people at my bank said they don't want to hear about it. Apparently banks in those countries just print those cards and hand them out. Never had a legitimate order and key catch phrase is "send EMS, charge my card for additional shipping"

I had the same thing happen to one of my clients. This guy ordered 1000.00 worth of coffee and put it on some bogus card. He was from Nigeria.

These are the same people that email you asking if you can help them transfer millions of dollars to the US... etc.

Then they want you to come to Nigeria and make a withdraw from the bank.

If they actually trick you into going they kidnapp you at the airport and hold you for ransom.

We caught the first order and they tried to order again and again and agian....

We did cll the credit card company and report the card

Damn....

Found this on a bbc web-site last year and it has come in pretty useful.

Countries from where the most online fraud originate:

1.Ukranine
2.Indonesia
3.Yugoslavia
4.Lithuania
5.Egypt
6.Romania
7.Bulgaria
8.Turkey
9.Russia
10.Pakistan
11.Malaysia
12.Israel

Countries from where the least online fraud originate:
1.Austria
2.New Zealand
3.Taiwan
4.Norway
5.Spain
6.Japan
7.Switzerland
8.South Africa
9.Hong Kong
10.UK
11.France
12Australia
13USA

Actually it is pointless reporting fraud to Visa/Mastercard/AMEX.

Some of the fraud I had contained so much evidence that I contacted the police. I expected nothing. But to my suprise, they visited me twice for the evidence, and then took a statement.

So I contacted the card processor (WorldPay) who said they were not bothered about this. Thinking about this I am not suprised. They (WorldPay and the card company) have made 4.5% plus an admin charge from me. I lose the money - they make profit from fraud :0).

In effect it is Visa/Mastercard/AMEX who are allowing it to happen and they are not doing enough to stop this from happening.

P.S. Anyone using WorldPay can apparently use the callback facility to automatically accept payments while leaving others on a manual authourisation. Thus if you have a customer called Charlie Brown with the postcode 10101, you can write a program to check this yourself and process their card automatically using the above data (you can use any data - so you can automatically process all orders under $20 and all orders under $50 where the AVS results match if you wanted). This seems like a good idea, has anyone tried this yet?

gsx, this sounds very interesting. Where did you find this information from WorldPay? I can't find it on the WP web site, and I don't remember ever having any info from them about this option?

What stinks id that the companies have these demographics figured in. They do not care to stop it, but are quick to tally you for such repeated activity. Good stance on your part. If it walks, talks, and acts like a duck...it is a duck. An obvious fraud.

"I had the same thing happen to one of my clients. This guy ordered 1000.00 worth of coffee and put it on some bogus card. He was from Nigeria."

Nigeria is a major coffee producing country! That's like getting an order for tea from China. Fishy, eh?

Some blame rests with the sellers. Too greedy and inexperienced. Reminds me of the people who mindlessly jumped into the stock market a few years ago and are now blaming everyone but themselves for their losses.

Heck, do you see Wal-Marts opening in Lagos or McDonalds? Yet, tiny inexperienced web retailers shipped stuff there with little hesitation.

---
One darn good piece of advice: Never mention on your site that you're new to e-commerce (many sites do). Make it sound like you've been on the web for years.

>>In effect it is Visa/Mastercard/AMEX who are allowing it
>>to happen and they are not doing enough to stop this from
>>happening.

visa and mastercard are introducing the pin number schemes whereby they or the cardholder take the risk and customers cannot chargeback. sounds great, but it's not like visa or mastercard to help merchants out in any way, so i reckon they've been pressured into making changes to protect cardholders and merchants.

i think it could be worth reporting frauds to visa / mastercard. if nothing else, the extra admin work it causes them might push them to protect merchants and cardholders more.

there's a US based anti-fraud site called merchant911.org - they have a mailing list sending out fraud alerts, another list for anti-fraud chat etc. it's still a small site, but it's definitely the best and most active anti-fraud site i've found and can be very useful. there's a small UK based anti-fraud site supposedly doing much the same but i can't remembr the name of it offhand - i'll dig around and let people here know if i find it.

>>P.S. Anyone using WorldPay can apparently use the
>>callback facility to automatically accept payments while
>>leaving others on a manual authourisation.

what you're talking about is full-authorisation (automatically authorised) for most transactions and pre-authorisation (manual authorisation) for anything strange, like from certain countries or over certain values etc. this is very easy and it's done in the shopping cart prior to payment, not from the callback which is following payment. the shopping experience is identical for all shoppers regardless of whether transactions are pre-auth or full-auth.

you need 2 pairs of account IDs (not 2 worldpay accounts, not 2 installations, just 2 pairs of account IDs), test+live and test+live. one pair will be for full authorisation, the other pair for pre-authorisation. any worldpay customer with pre-auth will normally have their first pair of account IDs "suspended". you can email worldpay (pre-auth@uk.worldpay.com?) and tell them you want pre-auth AND full auth and ask them to make both pairs of account IDs available for use.

you'll need to specify the account ID and authMode to use in every transaction using extra hidden fields. modify your shopping cart with simple "if" statements to determine which account IDs to process payments through (full-auth or pre-auth) and to insert the appropriate values in the hidden fields.
for pre-auth use:
authMode="E"
accId1="12345678" (use your own pre-auth ID, not this one!)
for full-auth use:
authMode="A"
accId1="23456789" (use your own full-auth ID, not this one!)

that's about it!

>>It happens to me all the time. Indonesia, Nigeria, former
>>Soviet States. Even the people at my bank said they don't
>>want to hear about it.

that's the way it is - it's no different to running a bricks and mortar shop - your back won't care what nationality the people that walk into your shop are.

something you can do with your website is block visitors from certain IP addresses or remove certain country codes from your shopping cart or redirect these undesirable internet users to a "go away, we won't serve you" page. if you're with worldpay you can also use their worldalert to prevent payments from those IPs or from certain email addresses or domains (ie hotmail.com) etc.

but remember, no matter how hard you try to prevent fraud, you can't stop it all. it's no different to bricks and mortar stores tagging all items, using CCTV and security guards - no matter what they do, they still suffer some shoplifting.

Here's a story that might cheer you up. I know it made my day a couple of years ago.

I got an order with the cardholder's address in California, but the shipping address to Massachusetts.

I called the cardholder, asked him about the order, and he was totally surprised. Someone had stolen his credit card information. It was a new card, used once, so he knew it was stolen from a particular on-line retailer.

He then said: "They messed with the wrong guy this time."

Turns out he worked for a security firm that specialized in electronic fraud.

He wouldn't tell me the details, but I got the impression he was planning something big. All I knew was that he was REALLY PI$$ED!

Three hours later, he phoned to let me know that he had all the thief's information - real name, home and business addresses, phone numbers, shipping addresses, and more than 30 email addresses the thief was using.

Not only that, he found other fraudulant orders, some from merchants located near the thief's home address in Connecticut. He emailed all the merchants with the info, including home address.

He also traced the info on the company that stole his credit card number, and phoned the police in each area. They were really interested, since it looked like a theft ring.

I don't know what happened after that, but I sometimes dream of the bad guy getting pounded by a few of the local merchants who, like me, wish just once, they could find the clowns trying to rip them off.

"In effect it is Visa/Mastercard/AMEX who are allowing it
>>to happen and they are not doing enough to stop this from
>>happening. "

Once again I agree and someone please correct me if I'm wrong on this, but I think this could at least be one of the reasons if I'm right (I'm not a banker, so I'm into drivel now)...

These companies do make a small percetage of each transaction.

The banks wind up toting the debt of fraud at times to..

the FDIC usually in the end scheme?

So perhaps they don't really care to take a "pro-active" position?

Does anyone know if the big three refund their fee to the financial institution in the event of fraud?

Another thing to do is to send the customer a form as an email attachment that gets all the cc details all over again, billing address and shipping address, phone numbers for both and a signature. Ask them to fax the form to you, on receipt of which you will process the order. They won't - cos the fax is usually an international phone call for the thief if he is in Nigeria or wherever...;-)

We get orders over $1000 at least once every month from Pakistan. The order also invariably asks us to say that the package is a donation and has no commercial value. We just do nothing. No follow-up whatsoever. We never hear from them either.

So everyone agrees that about 100% of orders from Nigeria and Indonesia are fraudulent.

Next question: Do you people make any profit on shipments to other 3rd World countries? Is shipping tangible items to places like Korea, Argentina, and Poland worthwhile? (I'm not talking about software downloads or e-books)

jsinger. south korea is not a 'third world country' though north korea is. South korea has one of the highest on-line populations in the world and in the top 10 of economies world wide with average salary levels higher than the US. South Korea is one of the largest and richest consumer markets in the world, so best not to ignore south korean orders out of hand if you are seriously marketing internationally.