How to Prevent Credit Card Fraud and Chargebacks

Great news! You can protect your business from the detrimental monetary effects of credit card fraud and chargebacks! This article will cover need-to-know terms, how you can proactively prevent fraud, red flags of potential fraud, and how to review potentially fraudulent orders.

Fraud: Criminal deception, with the motive of financial or personal gain

Credit card and e-commerce fraud is indiscriminate. It targets both merchants and consumers, and for businesses, the cost can be crippling.

Chargeback: A fee, charged by your payment processor, for each disputed transaction that was processed

When a customer disputes a charge, you, the merchant, will be responsible for paying a chargeback fee. These fees generally run between $15 and $20, but can vary between payment processors. It is fairly easy for a customer to dispute a charge, and they have 60 days to do it. So it is simple for them, doesn’t usually consume much of their time, and they have a decent amount of time to make the claim. In contrast, the work and time you may have to spend proving the legitimacy of the charge after receiving the chargeback can be astronomical. Yes, you have to prove that the transaction was legitimate and authorized by the cardholder. If you can’t prove it, you have to refund the monetary value in question.

This task can be arduous, especially with online orders. What’s more, chargeback amounts can quickly accumulate, and if the dispute percentage becomes too high, your payment processor may cancel your services. If this happens to a new or small business, the fees and the lack of a payment processor may be insurmountable, and recovery may be out of reach. Another factor that can be detrimental to your business is that, while you are attempting to legitimize disputed charges, you have also lost revenue on the products you shipped that are now being disputed, plus the associated shipping cost. Even more damaging is that the fraud may blemish the reputation of your business or brand, causing deleterious effects with past, present, and prospective customers.

If you’re using Stripe, tools like Stripe Radar can help prevent fraudulent transactions before they result in chargebacks.

Be Proactive: Eliminate accidental chargebacks

Whoa? What? I can eliminate chargebacks, even when they’re accidental? Yes indeed! Here’s how: Ensure your business name matches the name that will appear on a customer’s credit card statement. Are you wondering why it wouldn’t? Here’s one example: A customer purchases their lunch at ABC Sandwiches. Later that month, when reviewing their credit card statement, they notice a charge listed as XYZ Corporation. Unbeknownst to them, XYZ Corporation is the parent company of ABC Sandwiches and several other businesses. Because they don’t recognize the name on their credit card statement, they contact their bank and dispute the charge, honestly thinking they didn’t make a purchase with a company by the name of XYZ Corporation.

All too often, businesses struggle with chargebacks on legitimate orders, simply because their business name did not match the name on the customer’s credit card statement. If you have multiple online stores, ensure that each individual store has its own individual credit card processing account. This will create a recognizable charge on the consumer’s credit card statement and it will prevent accidental claims and chargebacks against your business.

For merchants dealing with chargebacks, understanding how to effectively dispute chargebacks as an e-commerce seller can significantly impact recovery rates and reduce financial loss.

Be Vigilant: Six red flags of potential fraudulent activity

1. Mismatched billing and shipping address

To begin, we’ll focus on understanding the lifecycle of intentional credit card and e-commerce fraud, and then we’ll move into why and how you would perform an address check.

Most of these criminal transactions are accomplished through “card-not-present” purchases. These types of purchases are achieved online and through businesses that accept telephone orders. In either scenario, the fraudster uses stolen credit card information to purchase products from a merchant. The shipping address is a location to which they have access. They pick up the items and proceed to resell the products for 100%+ profit on websites, such as Craigslist or eBay.

Here’s where we start to get into the importance of running an address check. When a purchase is made through your payment processor, the following information is collected:

  • Card Number
  • Cardholder Name
  • Expiration Date
  • Security Code (either a 3-digit number on the back of the card or a 4-digit number on the front)
  • Billing Address

How does this information help you as a merchant? Well… the majority of payment processors let you choose which elements of a customer’s card details must match for a charge to be processed as valid. Some payment processors default the settings to the minimum required:

  • Card Number
  • Cardholder Name
  • Expiration Date

Perhaps you noticed that the two pieces of information a fraudster cannot have simply by possessing stolen credit card information, the security code and especially the billing address, are the ones not included in the default. Asking for them requires a minimal amount of your time but can provide maximal savings for you. Requiring all five items, particularly the billing address among the optional ones, will greatly reduce fraud in card-not-present transactions.

The zip code component of the billing address is the most pertinent. When providing the billing address, it may not be an exact match to what the payment processor has on file (e.g. it may be entered as 123 E Main St vs. 123 East Main Street), so it may initially appear to not be a match. However, the zip code is what closes the deal for the address component, as it will help to confirm that it is the accurate address / zip code associated with that credit card. A quality payment processor will allow you to set a matched postal code as required for online and phone orders. If a customer does not know “their own” postal code, it should immediately be a red flag of potential fraudulent activity.

If all of the details on the card, including the address, pass the initial processing test and you have subsequently processed the payment, you are not yet in the clear. If there was a red flag you investigated, you’ll want to go through some additional checks and balances prior to shipping. To be clear, just because an order fails one of these fraud checks, it doesn’t by default mean that it is a fraudulent order; what it does mean is that because there was a red flag, you should freeze the order and investigate further before fully processing and shipping the order.

2. Mismatched IP address and billing address

Another precautionary measure you can take is ensuring that the IP address of the purchaser matches the city of the billing address. There are free services, such as https://www.iplocation.net, which you can employ, to find the geographical location of an IP address, if your payment processor does not provide that information on their order dashboard.

If the IP address does not, at minimum, match the country and state of the billing address, flag the order as possible fraud and freeze the order for further review.

The geolocation data on an IP address may include multiple smaller towns and cities, so go through the list of possible cities, and be aware that the location will be localized and will not be associated with any other state or country. If the IP isn’t in the list of possible cities or at least reasonably near the billing address, flag the order as possible fraud for review. Also note that if the shipping address is in a different country from the billing address, this is almost always fraud.

3. Larger-than-average orders

Know your customer base, so you can more easily identify irregular patterns. If something about an order seems out of the ordinary, flag it for review. The investigation may end up confirming it is a legitimate order, but it is better to err on the side of caution if you suspect possible fraud.

New customers who place a larger-than-average order compared to other customers, especially those who choose the fastest shipping option, may be fraudsters. These fraudsters, who resell products, only get paid if the package arrives before the fraud is discovered, so they will pay for expedited processing and shipping.

It is also good practice to set a value limit for orders, where they are automatically held for review, prior to processing and shipping. Setting the threshold to 50% greater than your average order is a good starting point.

Most e-commerce platforms allow for custom order statuses. Providing cautionary statuses to your team, such as “suspected fraud” or “on hold for review,” will clearly convey that the order is not to be processed any further at that time.

4. Numerous cards with multiple declines

If the customer attempts to make a purchase with multiple attempts on numerous credit cards, and receives several declines prior to successfully completing an order, this is a red flag. Many times, criminals do not know if a card is valid, active, has sufficient funds, or a spending limit before attempting a purchase, so they will try multiple cards, until they achieve a successful transaction. This is almost always a sign of fraud.

5. Multiple orders and/or shipping addresses with one billing address

There are two actions that can occur to raise this red flag.

  • The customer places multiple orders to multiple shipping addresses with one billing address
  • The customer makes one order with one billing address, but with multiple shipping addresses

Fraudsters use multiple shipping addresses to delay law enforcement and to increase the likelihood of some of the package deliveries being successful. This is especially true of, but is not limited to, criminal syndicates.

A variation of this fraud tactic is when a customer makes multiple purchases with different credit cards in a short period of time. This should be viewed as highly suspicious. You might be wondering: How would I know if one person, in a short period of time, is making all of these purchases, if they’re using stolen credit cards from multiple people? You can do so by comparing the IP addresses from each transaction. Revisit Red Flag #2 above for more details.

6. Getting too many orders without a corresponding reason

Like making money? Me too! However, if you unexpectedly have a large influx of orders without a justifiable reason, such as an extensive marketing campaign, the orders should be flagged for review. Here again, you could use a status for your team, such as “suspected fraud” or “on hold for review.” The short amount of time it will take you or your team to review the suspicious orders, despite your eagerness for that big payout, will save you in the long run if your review does reveal criminal fraud.
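The per-order red flags above can be automated as a hold-for-review check. The following is an added example, not code from the original article or from any payment processor; the field names, the one-hour window and the decline count are assumptions, and the IP location is assumed to be already resolved to a country and state.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOLD_FACTOR = 1.5                 # article's starting point: 50% above the average order
CARD_WINDOW = timedelta(hours=1)  # assumption: what counts as "a short period of time"
MAX_DECLINES = 3                  # assumption: what counts as "several declines"
MULTI_CARD = "multiple cards from one IP in a short period"

def screen_orders(orders, average_order_value):
    """Return {order_id: [red flags]}; any flag means hold the order for review."""
    flags, by_ip = defaultdict(list), defaultdict(list)
    for o in sorted(orders, key=lambda o: o["time"]):
        oid = o["id"]
        if not o["zip_match"]:
            flags[oid].append("billing postal code did not match")
        if o["ship_country"] != o["bill_country"]:
            flags[oid].append("shipping country differs from billing country")
        if (o["ip_country"], o["ip_state"]) != (o["bill_country"], o["bill_state"]):
            flags[oid].append("IP location does not match billing country/state")
        if o["total"] > HOLD_FACTOR * average_order_value:
            flags[oid].append("order value over review threshold")
        if o["declines"] >= MAX_DECLINES and o["cards_tried"] > 1:
            flags[oid].append("several declines across multiple cards")
        # Red flag 5 variation: different cards used from one IP within the window.
        recent = [p for p in by_ip[o["ip"]] if o["time"] - p["time"] <= CARD_WINDOW]
        if any(p["card"] != o["card"] for p in recent):
            for p in recent + [o]:
                if MULTI_CARD not in flags[p["id"]]:
                    flags[p["id"]].append(MULTI_CARD)
        by_ip[o["ip"]].append(o)
    return dict(flags)

# Constructed sample orders (documentation IP ranges, made-up card tokens).
T0 = datetime(2024, 1, 1, 12, 0)
def _order(oid, minutes, **overrides):
    base = dict(id=oid, time=T0 + timedelta(minutes=minutes), ip="198.51.100.7",
                card="tok_a", total=40.0, zip_match=True, declines=0, cards_tried=1,
                bill_country="US", bill_state="MN", ship_country="US",
                ip_country="US", ip_state="MN")
    base.update(overrides)
    return base

SAMPLE_ORDERS = [
    _order("A1", 0),
    _order("A2", 10, ip="203.0.113.5", card="tok_b", total=95.0, ip_state="CA"),
    _order("A3", 20, ip="203.0.113.9", card="tok_c"),
    _order("A4", 35, ip="203.0.113.9", card="tok_d", declines=4, cards_tried=3),
]
```

Orders that come back with any flag would be moved to a status such as “on hold for review” rather than rejected outright, since a flag alone does not prove fraud.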

How to handle a potentially fraudulent transaction

Call the phone number listed with the billing address on the order

Criminals make every attempt to be untraceable. So, two things could be possible with the phone number associated with the billing address. One possibility is that the actual cardholder already had an account with you. If this is the case and you call their phone number, the cardholder will be able to confirm or deny that they made that purchase. The other possibility is that the actual cardholder did not have an account, in which case the fraudster would have to create an account with you. In either case, because criminals do not want anything leading back to them, it would be unlikely that the fraudster would provide you with their phone number. So, there again, when you call the number listed, it would ring through to someone else, and you will find that the person on the other end will either tell you that you have dialed the wrong number, or the actual cardholder will deny the charge if it is not legitimate.

When you do make that call and someone answers, you could phrase your inquiry like this: “Hi. This is Eirik from YourCompanyName. We recently received an order from SomePersonsName and I wanted to confirm the shipping address.” How do you decipher from the phone call whether it is legitimate? What should you do after the phone call? Let’s talk about it…

If the person on the receiving end of the phone call either does not know the person whose name you provided, or does not know the shipping address, mark the order as fraudulent, refund the cardholder and immediately contact your payment processor concerning the fraud.

If, after calling the phone number associated with the order, you still feel the transaction may be fraudulent, it is better to err on the side of caution by refunding the charge and contacting your payment processor. It all boils down to this: when in doubt, refund the money and contact your payment processor.

Utilize fraud prevention technology

Some payment processors offer integrated fraud prevention technology. You would want to speak with your payment processor regarding their options, terms, plans, charge types, etc., but even if there is a fee for this service, with a cost/benefit analysis, you may find these services to be of great value, as it could save you from monetary losses due to fraudulent activity, especially if you are a new or small business. Stripe, for example, offers a free service called Radar with every account. This can be a great option if you are looking for a new payment processor, especially if you want the ability to customize the fraud prevention rules to fit your needs. PayPal also offers integrated fraud prevention for merchants, with protection on the full sales amount. This protection does not apply to digital products, but aside from that, it may be a fitting service for your business model.

Protect your infrastructure

All in all, regardless of your business model, the products and services you offer, and the payment processor you choose, it is ultimately you who will need to decide which measures and protections against fraud to embrace. It is up to you to determine how to best protect your infrastructure. You can use a thought process similar to the one you use when making a purchase as a consumer… if it seems too good to be true, it probably is, and remember, being proactive is better than being reactive. If a fraudster does find a way to penetrate your implemented security system, following the advice within this article can help you navigate through the investigative process to determine whether the transaction is legitimate or fraudulent. Always remember, if there is any doubt, it is better to err on the side of caution. Worst-case scenario, it was a legitimate charge, and then you can just push the order through once the customer validates the charge.

Hans-Eirik Hanifl

Hans-Eirik Hanifl is a forward thinking e-commerce and marketing consultant. As an advocate for the free exchange of knowledge, he founded E-Commerce Gorilla as a place where like-minded individuals can ask questions and share their expertise on practical solutions in the area of e-commerce and marketing. He is the owner of TRM Marketing and an avid supporter of the open source community.
