The internet has created opportunities for traders to sell to the world that did not exist 10 years ago, but it has created opportunities for criminals too.
Once upon a time someone had to risk walking into a store with a fake or stolen credit card; but now they can attempt the same crime from the comfort of their home which may be in a completely different country. Internet fraud is so prevalent that it’s unlikely that you will find any law enforcement agency in your country with any interest in receiving notification of fraud attempts.
Consequently, it is up to you, the merchant, to defend yourself and ensure that you minimize the risks to your business while not inconveniencing or turning away legitimate customers.
11.2.1 How is fraud committed?
The vast majority of fraud attempts we encounter are made from overseas locations, especially SE Asia and Eastern Europe, and normally involve stolen credit card details from US or UK cardholders. In most cases the fraudster is in possession of the correct cardholder address and phone number, suggesting that the details were probably obtained from another web site (either by hacking or because the web site was a scam). Because the fraudster has full card details, the ‘security code’ check on the credit card will almost certainly be passed. Therefore it is important to look for other signs that an order might be fraudulent.
11.2.2 Billing and shipping addresses
When trying to obtain tangible goods, a fraudster needs to have them sent to somewhere he can get to in order to pick them up. For this reason, you should be cautious about any order where the destination of the goods is different from the billing address, and highly suspicious if the destination country is different from the billing address country. Why is someone in the UK or USA ordering goods to be shipped to someone in Vietnam or Romania? Such an order is 99.99% certain to be fraud.
11.2.3 IP address
With electronically dispatched goods (downloads), the fraudster’s task is easier since he can use the same shipping and billing address, safe in the knowledge that he does not need to pick up the goods from the physical address, but can instead get the account details sent to an email address.
Things are even easier for the fraudster when access to or dispatch of the goods is granted instantly. For this reason, we suggest unchecking the instantdownload config setting unless you’re absolutely sure of your payment gateway’s ability to reject fraudulent transactions (see 11.1.1.4 for more information).
To help spot fraud attempts like this, CactuShop’s order notification email contains the customer’s IP address. There are many places on the web where this can be looked up, revealing where the customer is located, for example:
http://centralops.net/co/DomainDossier.aspx
(check the ‘network whois’ box)
The information returned may seem a bit overwhelming at first, but you will quickly get used to finding the country from this information. If the person ordering has entered card data for a UK or US resident, but the IP address suggests they are in another country (especially SE Asia or Eastern Europe), treat the order with extreme caution.
It is important to remember that the cleverer fraudsters know how to hide their IP by operating via a hacked server in the US or UK. In this case the IP check will show them to be in that country. For this reason, never rely on the IP check to confirm the order as genuine if other signs tell you to be suspicious.
11.2.4 Email address
Fraudsters know that the email address is one of the few links to them and that they’ll probably have to change it regularly. Look at the email address with an order and see if it appears to match the customer. Very often fraudsters set up multiple email accounts and then work through a list of stolen card details trying to obtain whatever they can. If you get an order from someone claiming to be called ‘Bert Smith’ with an email address of ‘[email protected]’, this should be treated with suspicion. If selling downloadable items, you may decide to not accept any orders from free email addresses (hotmail, yahoo, etc.). Always check the email domain out to see what kind of site it is, as some fraudsters avoid the well known free email services because they know orders might be refused because of this.
11.2.5 Different names
Fraudsters will often start an order on CactuShop and then find the gateway rejects the first cardholder info they try. They will then work through their stolen card data until they get to one that the gateway accepts. If you receive an order confirmation from CactuShop with a customer name different from the cardholder name on the order confirmation from the gateway, it *could* indicate fraud.
11.2.6 What is the customer ordering?
Remember that fraudsters are spending other people’s money. For this reason they are likely to order multiple high value items and select the most expensive shipping option. They are also unlikely to exhibit the kind of caution most buyers would prior to ordering. You may sell an expensive item that legitimate customers would normally ask questions about before parting with money. An order where someone orders one (or especially more than one) of such items without contacting you first might merit further checks.
11.2.7 If in any doubt, contact the customer
Sometimes you might receive an order that has some characteristics you associate with fraud, but others that you don’t. If in any doubt, an email or phone call to the customer is an excellent extra check. Genuine customers will rarely be annoyed by such checks.
With many orders, the fraudsters use the cardholder’s actual phone number that was stolen with the card info (otherwise the country and area code will reveal it as false). On several occasions we have called the phone number provided where we’ve suspected fraud, only to reach the actual cardholder who was oblivious to the fact that someone was using their card.
Do remember though that there are now systems where someone in one country can set up a ‘local’ phone number in another country and have calls routed via Skype or another internet telephony system. The country and area code of a phone number may no longer be a safe way to confirm someone’s location. Also consider that in the UK and many other countries, it is possible to buy a mobile phone with cash and buy calling credit on a ‘pay as you go’ basis. Such phones are pretty much untraceable unless you can persuade MI5 to get involved.
If you follow up by email, it is almost certain to go to the fraudster himself, who will attempt to confirm he is genuine. Despite this, the reply can speak volumes. Fraudsters are nearly always in a different country and normally write very poor English. They spend so much time online committing fraud that their replies are normally short, sharp and impersonal, whereas most genuine customers are more friendly and relaxed in tone. Look carefully at replies you get - is your customer’s level of written English consistent with his stated location and name? For similar reasons, a phone call is still a valuable way to confirm a customer is genuine, despite the fact that ‘pay as you go’ mobiles and internet land line numbers are pretty much untraceable.
11.2.8 Weighing up fraud evidence
We have outlined several things that you should check with orders if you wish to minimize fraud. When you’re familiar with these checks, they only take a minute or two per order. After a while you will find that you rarely need to perform all checks; many orders are so blatantly fraudulent that you can discard them at the first or second check.
Some payment gateways offer fraud screening; this is certainly a useful service, but consider that in most cases the risk is still assumed by you, the store owner. For this reason, you should always take ultimate responsibility for determining whether to accept an order or not.
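The checks in 11.2.2 to 11.2.6 can be weighed up mechanically before a human looks at an order. The following is an added example, not part of the CactuShop manual or the CactuShop code, that scores an order against those signals: ship-to country or address differing from the billing address, IP country differing from the billing country, a free email provider on a download order, a customer name that differs from the gateway’s cardholder name, and multiple high value items with the most expensive shipping. The field names, weights, thresholds, free-email list and sample orders are all assumptions made for illustration. Note that a matching IP country deliberately contributes nothing, in line with 11.2.3: it must never be used to clear an order that other signs make suspicious.

```python
# Added example (not CactuShop code): a weighted fraud score built from the
# manual checks in sections 11.2.2 to 11.2.6. Field names, weights, thresholds
# and the sample orders below are assumptions for illustration only.
from dataclasses import dataclass
from typing import List, Tuple

# Assumed set of well-known free email providers (11.2.4).
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com", "gmail.com"}

# Assumed unit price above which a line item counts as "high value" (11.2.6).
HIGH_VALUE_THRESHOLD = 200.0


@dataclass
class Order:
    billing_country: str            # country of the card's billing address
    shipping_country: str           # destination country (same as billing for downloads)
    same_shipping_address: bool     # True when ship-to address equals billing address
    ip_country: str                 # country looked up from the customer's IP (11.2.3)
    email: str
    customer_name: str              # name on the CactuShop order confirmation
    gateway_cardholder_name: str    # name on the payment gateway's confirmation (11.2.5)
    items: List[Tuple[float, int]]  # (unit price, quantity) per line
    most_expensive_shipping: bool   # customer picked the priciest shipping option
    is_download: bool               # electronically dispatched goods


def _norm_name(name: str) -> str:
    """Collapse case and whitespace so 'Bert  Smith' and 'bert smith' compare equal."""
    return " ".join(name.lower().split())


def fraud_signals(order: Order) -> List[Tuple[str, int]]:
    """Return (reason, weight) pairs for every fraud indicator the order trips."""
    signals = []
    # 11.2.2: tangible goods going somewhere other than the billing address
    if not order.is_download:
        if order.shipping_country != order.billing_country:
            signals.append(("ship-to country differs from billing country", 60))
        elif not order.same_shipping_address:
            signals.append(("ship-to address differs from billing address", 20))
    # 11.2.3: IP location disagrees with the cardholder's country.
    # A matching IP adds nothing: the manual warns it may be a hacked relay.
    if order.ip_country != order.billing_country:
        signals.append(("IP address country differs from billing country", 30))
    # 11.2.4: free email provider on a downloadable order
    domain = order.email.rsplit("@", 1)[-1].lower()
    if order.is_download and domain in FREE_EMAIL_DOMAINS:
        signals.append(("free email provider on download order", 15))
    # 11.2.5: store confirmation name differs from gateway cardholder name
    if _norm_name(order.customer_name) != _norm_name(order.gateway_cardholder_name):
        signals.append(("customer name differs from gateway cardholder name", 25))
    # 11.2.6: more than one high-value item plus the most expensive shipping
    high_value_qty = sum(qty for price, qty in order.items if price >= HIGH_VALUE_THRESHOLD)
    if high_value_qty > 1 and order.most_expensive_shipping:
        signals.append(("multiple high-value items with priciest shipping", 20))
    return signals


def fraud_score(order: Order) -> int:
    return sum(weight for _, weight in fraud_signals(order))


def verdict(order: Order) -> str:
    """Map the score to an action; the thresholds are assumptions for illustration."""
    score = fraud_score(order)
    if score >= 60:
        return "reject"
    if score >= 20:
        return "contact customer"   # the extra check recommended in 11.2.7
    return "accept"


# Constructed sample orders (not real customer data).
CLEAN_ORDER = Order("GB", "GB", True, "GB", "bert@example.co.uk",
                    "Bert Smith", "Bert Smith", [(45.0, 1)], False, False)
SUSPECT_ORDER = Order("US", "RO", False, "VN", "bert.smith@example.com",
                      "Bert Smith", "J Doe", [(350.0, 2)], True, False)
DOWNLOAD_ORDER = Order("GB", "GB", True, "GB", "bert@hotmail.com",
                       "Bert Smith", "Bert Smith", [(30.0, 1)], False, True)

if __name__ == "__main__":
    for order in (CLEAN_ORDER, SUSPECT_ORDER, DOWNLOAD_ORDER):
        print(verdict(order), fraud_signals(order))
```

The weights are ordered the way the manual ranks the evidence: a cross-border ship-to alone is enough to reject, while a single weaker signal such as a free email address only lowers the bar for a follow-up call or email. Tune the numbers against your own order history rather than taking these values as given.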