Ever received one of those emails asking you to donate money to a fraudulent fund?
Yeah, I think we all have.
False stories designed to elicit a response and get you to hand over your hard-earned money to scammers have been going on for years now. There are even spam letters that are ‘sent by’ time travelers and killer demons, psychics, and more! Anything that you can imagine has probably been done. (By the way –if you haven’t already, check out James Veitch’s hilarious video to see what happens when you communicate with these scammers.)
But while you often come across stories of consumer victims of fraud, you don’t hear about business fraud as much. But this doesn’t mean that it doesn’t exist –in fact, as I learned the other week, fraud is an all too common threat to companies as well.
It turns out that smaller enterprises are more often the victims of fraud than consumers. According to an annual report by the Association of Certified Fraud Examiners, nearly half of all small businesses experience fraud at some point. What’s more, fraud costs organizations an average of $114,000 per occurrence. While the worst cases of fraud are often committed by employees, business fraud can come in forms. From accounting scams and asset misappropriation by employees, to customer data theft, e-commerce scams, corruption, and more.
Generally speaking, businesses have less protection than consumers do. In some cases, they could end up owing liability to banks and insurers, and –thanks to new laws, they can even be held responsible in the event of fraud by third parties, like data breaches.
The amount of businesses fraud is getting worse, both in terms of instances, and the money that’s lost. And it’s no surprise. With almost 700 publicly announced data breaches in 2015 alone, fraudsters have a tremendous amount of personal data available to work with.
With the stakes so high –and there’s usually quite a bit at stake when it comes to business fraud, it’s important for companies to be proactive in their fraud-fighting efforts.
Recently, my own e-commerce business was targeted. We had a couple of suspicious transactions come through, that we thankfully, were able to identify as fraudulent. This is the first time it’s happened to us, but we took some steps within our order management system, to help us flag questionable orders in the future.
Here’s a look at a few of the steps that we took, along with some additional tips for protecting yourself from fraudulent orders.
In North America, online fraud accounts for one percent of e-commerce transactions. Or, to put it another way, out of every 100 orders that you receive, one could very well be fraudulent.
There are also costs that are potentially incurred whenever a fraudulent transaction takes place –including, the cost of the purchase –to the owner of the stolen credentials, the lost product, bank penalties, and fees from credit card companies. Not to mention the time that you and your team have to spend trying to resolve the issue.
Brad Weimert, founder of credit card processing service Easy Pay Direct, recommends that businesses have basic cautionary practices in place to help prevent fraud. This includes asking for both the expiration data and card verification value for online payments. By requiring this information, you can increase the likelihood that the customer is actually in possession of the credit card being used.
Knowing what to look for can also help you to spot fraudulent orders. Here’s a list of some things that could be flagged as suspicious.
Billing Address and Shipping Address That Don’t Match
One of the most common forms of fraud is identity theft. Scammers using a stolen card will use the card holder’s billing address but have the item shipped elsewhere for pickup. In most cases, merchants have no recourse on chargebacks if they don’t verify that the billing and shipping address to be the same. So once the card’s owner discovers the fraud, and the chargeback happens –you could lose out.
In my case, the scammers used cards that had a different billing address than the shipping address. Fortunately, we were able to discover that it was a fraudulent transaction before sending the order out.
But what about customers who may have a legitimate reason for a different billing and shipping address? Some may want to purchase a gift and have it sent directly to a friend, while others may simply want to have their item shipped to their work address. Passing up on all these sales could represent a serious loss.
Some recommend placing a cap on the size of orders that you allow to use different addresses. If an order exceeds it, then consider calling or emailing the customer, and having them verify their identity by texting or emailing a photo of their debit card and photo ID. If, say, the ID and credit card were both stolen, and fraud still occurs, most banks won’t keep the chargeback funds, and will instead cover the costs themselves. So it’s a good way to cut down on fraudulent orders on your web store.
In my case, we’ve implemented a notification system. If we receive an order with different shipping and billing addresses, an email will be sent to purchasing department for us to check out.
Area Codes That Differ From the Shipping Address.
A phone number with an area code that’s different from the shipping address’ area code is another red flag and could be an indicator of online identity theft. Once a fraudster’s pulled credit card and address information, they could simply provide a fake phone number on the order form. If you suspect fraud; make sure you check the phone number to see if it matches the area code on the billing address.
Above-Average Order Amounts From New Customers
Large orders are exciting, but watch out for new customers who may be in a hurry to make a large one-time purchase before the victim cancels their card. Consider flagging above-average first-time orders. Weimert also recommends looking out for orders that contain large quantities of one item or a high sales dollar value ordered by the same customer.
Several Orders With Different Card Numbers
In addition to above-average first-time orders, if you have someone place several orders with different card numbers, but from the same IP address, this could also be a warning sign.
Suspicious International Orders
If you ship internationally, keep an eye out for suspicious looking international orders. International fraud is a major concern for e-commerce stories, and the risks are higher too. International banks and PayPal tend to be less helpful on chargebacks, and you could get stuck with high shipping costs and customs charges as well. Consider asking customers with large international orders to wire transfer their funds or pay by check if you’re concerned that it might be fraud.
Multiple Cards in Quick Succession
Once an order’s declined, a fraudster will often attempt to use multiple cards in rapid succession, looking for one that works. This is usually because they have access to a number of stolen cards, and they’re trying to find one that won’t be declined. Most credit card processors offer what’s known as a ‘credit card velocity’ feature, to block multiple transactions that occur in rapid succession. Weimert also mentions that multiple orders placed with various cards that all ship to the same address is another flag to look out for, along with multiple transactions that are made with one card.
Beware of urgent buyers! While it’s true that people generally want to receive their purchases in a timely manner, fraudsters will often try to rush ship especially large orders through. This is because they’re trying to beat the clock –they only have a limited time until the card is canceled. Large orders with customers who are in a hurry could be a warning sign.
One issue that my team noticed; was that all of the fraudulent orders were placed by anonymous users –or ‘guests,’ users who didn’t bother to set up an account. While anonymous users in and of themselves aren’t necessarily a warning sign, when this happens in combination with another red flag –like different shipping and billing addresses, it’s worth assessing. In my case, we decided to go ahead and implement a notification system to alert us of anytime someone with an anonymous account places an order.
Use of false information in the order—such as a fake name, or phone number, or spammy sounding email address, could be another warning sign. And any mismatch between billing names, phone numbers, or email addresses should be a red flag.
Suspicious IP Addresses
Weimert also recommends that companies track IP addresses. If the IP address country and the billing address country don’t match, it could be a case of stolen credit card information. He also urges companies to compare billing and shipping addresses.
“By collecting billing address and zip code information, using an Address Verification Service (AVS), you can not only add an additional layer of security to the transaction but also catch red flags in conflicts between the billing and shipping information,” Weimert says. With an AVS, you can include the billing address and zip code in your authorization request for the transaction, adding an additional hurdle for fraudsters in possession of stolen credit card information.
A transaction that’s attempted from an IP address in a high-risk country, such as Russia, Malaysia, or Ghana could also be suspect.
Look for Patterns
I’d also recommend looking for patterns. In my case, we noticed that all of the fraudulent orders used American Express cards. (Sorry Amex users!) As such, we’ve decided to go ahead and set an alert to notify us whenever an American Express card is used. If you notice something that seems to be a recurring theme with your instances of fraud, whether it’s a certain type of card, a zip code, or type of email address, I’d advise you to pay close attention to any future transactions that have the same characteristics.
Finally, keep in mind that simply having a different address or phone number doesn’t necessarily indicate fraud. However, if there are multiple red flags, then there’s a good chance that it could be. It’s always a good idea to try to build a strong case before you block purchases, but if you suspect that something may be off, it’s worth spending the time to verify that everything’s legitimate.
Use Care With PayPal
While PayPal is an essential payment option for most e-commerce stores, keep in mind that you’ll almost never win a PayPal chargeback if the billing and shipping addresses don’t match. This is the case even if you get their photo ID. Additionally, for most customers, PayPal doesn’t seem to have an option to set shipping and billing to match as a requirement on checkout. In the case of large PayPal orders with an address mismatch, you may want to consider offering your customers a discount if they check out with a different form of payment, to reduce your risks.
Consider taking advantage of available fraud monitoring apps, including:
These apps make it easier to spot cases of fraud. Since they take into account a variety of fraud-related factors and data points whenever a customer makes a purchase, they can alert you when there’s a risk. So, for example, FraudWatch scores purchases based on 12 indicators –including IP address, mailing address, and bank identification. The app then assesses the risk of fraud, and gives you a score between 1 and 10, indicating how severe it deems the risk.
Weimert recommends using iSpyFraud, to detect fraud before it happens. With iSpyFraud, you can set filters for red flags such as high transaction volume per customer, sales dollar amount per order, and discrepancies between billing and shipping information, allowing you to detect suspicious transactions before they’re approved.
Think of the Customer
Finally, while fighting fraud is extremely important, it’s important to balance out your fraud protection measures with ensuring that you’re providing your customers with a good experience. Your legitimate customers, that is!
According to estimates by Javelin Strategy, almost $118 billion of legitimate orders are incorrectly rejected each year by credit card companies and retailers alike, who mistakenly flag them as fraudulent. This doesn’t even take into consideration the orders that get delayed while the merchant verifies their identity.
Keep in mind that treating valued customers as fraudsters can damage your relationship with them. Not only will you lose the sale, but you risk losing future ones as well. When implementing fraud-protection measures, finding a balance between preventing fraud, and providing an excellent customer experience is always a challenge, and should be at the forefront of all of your fraud-fighting efforts.
Have you encountered fraud in your e-commerce business? What steps did you take to help prevent it from happening again?