Ecommerce payment fraud - 19 tips to protect your online store
This article was updated on 29/3/21
For every owner of an Ecommerce site, the realisation of payment fraud has to be one of the most sickening moments. You’ve just shipped a valuable order, only to be informed by a bank a few days later that the card used for payment was stolen. At this point you get a chargeback as the money is refunded to the card; you’re very unlikely to see the goods again, so you’ve lost money.
If ecommerce fraud happens to you a lot it might mean the difference between a profit and a loss, and in extreme circumstances could threaten the very viability of your business.
Chargeback is the return of funds to a consumer. It is forcibly initiated by the issuing bank of the credit or debit card used by a consumer to settle a debt. Specifically, it is the reversal of a prior outbound transfer of funds from a consumer's bank account, line of credit, or credit card.
In most cases the merchant will learn quickly from experience. This article fast-tracks and minimises the learning that new ecommerce merchants may need to avoid online fraud, and even for established ecommerce stores there may be one or two new tips which will be helpful.
Tip #1 – Be careful when shipping to an address which is not the card holder’s address
Most online stores will ask for a card holder's address and a delivery address. The card holder's address will normally be sent to a payment processor and in general two main checks are carried out. Firstly, does the 3-digit security code match (CV2) and secondly, is the card holder's address correct or partially correct (AVS)?
If the delivery address and card holder's address are the same, they have passed the security checks above and you have a signed-for delivery, then you are at very little risk. In the event that the card holder contacts their bank stating there was fraud you now have a paper trail which proves that they have the goods. You will then, depending on the time frame, be able to a) keep the money or b) get the goods back.
In the case where the delivery address is different to the card holder's address, regardless of the security code matching or card holder's address passing, and regardless if you have signed-for delivery as a merchant, you are potentially at risk. In the case where the card holder contacts the bank to claim the order is fraudulent you can no longer prove 100% that the card holder received the goods.
The following table lists the basic combinations that you may face.
Some online shops will take this principle forward and only ship to the card holder’s address, and only when the correct security code is provided with matching address. This greatly diminishes the risk of fraud.
However, before considering this approach it should be noted that a lot of genuine orders may be lost. I for one regularly buy items online and I will use the card holder’s address as my home and a delivery address at work. So do a lot of other people in the UK. Where I am faced with a site that prevents me from doing this I will often take my business elsewhere.
If the delivery address is different to the card holder’s address then you are at potential risk
Tip #2 - Use a risk matrix to work out if you need to take extra steps
The basic principle here is to look at lots of things that make up the order and score each item according to its risk level. Some items may score just a single point whilst others may score multiple points. You then set a warning threshold and also a “do not ship” threshold. Thus you can score the order to work out what is going on.
So along with the main address and security matches above, here are just a few small items that may be worth considering when assembling your matrix:
- The customer only leaves a mobile number. A few years ago it may have been rated as a higher risk factor but mobile usage has become a lot more mainstream and in some cases the easiest way to contact someone.
- The customer does not leave a correct phone number. It might be that they have not entered enough digits, or too many. Again we may have a mis-type here and providing they have left a good email address then you can at least contact by email and always attempt to get the correct phone number.
- Email address is a free one like Hotmail, Outlook.com, Yahoo or Gmail. Again, like the mobile number, this on its own shouldn’t be an issue so the score should be low on our matrix, however it should be noted that email accounts like these can be created with ease and can be difficult to trace if things should go wrong.
- Email address doesn’t use their name or appears random. If the order is from Bob Under and the email is firstname.lastname@example.org or email@example.com or something similar, this would be normal. If the email address for Bob Under is firstname.lastname@example.org then this should score highly.
- Delivery postcode is more than, say, 30 miles from card holder's postcode. Often a fraudulent order will have a card holder’s postcode and delivery postcode hundreds of miles apart so you may want to have a sliding scale on this. Again, even in the case of it being hundreds of miles apart it could be a legitimate order as it may be a delivery to someone on holiday or staying away on business. To find the distance between postcodes go to Google Maps and type in the postcode. Then click directions and type in the second postcode. You should get a rough idea of how far apart the postcodes are.
- If the time of day is unusual. For most UK businesses online orders will generally occur between 7 am and 11 pm. If you as the merchant suddenly get an order at 2 am then again, it should score some points.
- Postcode is for a high-rise in a city centre. Take the delivery postcode, pop it into Google Maps, and look at the Earth view. If it shows a high-rise in a city centre then again, it should flag a few points.
- Information is filled out on the customer account in all caps or all in lower case. Again not normal behaviour.
- Most customer forms will also ask for optional information when a new customer buys something for the first time. We would be interested in cases where none of the optional information has been filled in.
Example mini-risk matrix with dummy orders
- Warning threshold: 5
- Do not ship threshold: 10
| Item                 | Order 1 | Order 2 | Order 3     |
|----------------------|---------|---------|-------------|
| Email address free   | 0       | 1       | 1           |
| Email address random | 0       | 0       | 5           |
| Action               | Ship    | Ship    | Do Not Ship |
Create a risk matrix to score your orders on a scale
Tip #3 - Get signed delivery
This should be qualified in that a lot of merchants will take small value orders and ship without signed delivery because it is cheaper and for some customers the postage costs will put them off making the order. Take the example where I might want to buy a book for £7. I am unlikely to want to spend the same again on a signed-for delivery option. However the fact remains that as a merchant, you will be at risk as you will lack the proof that someone has your goods.
A recommended option is to make it mandatory to have signed delivery on orders over a certain value.
Tip #4 - Know your average order value
Once you have had 40-50 orders through your website you should be able to work out your average order value with a great deal of confidence. To do this, simply add up the total of all your orders and then divide by the number of orders. Let’s say our average order value is £35. If we suddenly get an order through for £800 from a new customer then we will want to investigate. If the card holder’s address and delivery address match, along with the basic security information, then it may be time to celebrate. If they don’t then proceed with caution.
Calculate your average order value
Tip #5 - Has this customer bought something before?
Having an order history that stretches back more than a few months is normally a good sign that the customer is safe. Indeed you may be able to relax some of the other rules for this type of customer.
The time period of a few months is used as this is the kind of time-frame needed to discover any chargebacks. For some people, if their card is stolen they may not notice it until a) they try to use their card and it is declined because the card is full or b) when their postal statement comes through.
Existing customer accounts may be safer, but stay vigilant
Tip #6 – Is the country you’re shipping to high risk?
For merchants that provide international shipping, be aware that certain countries will carry a lot more risk. For example, an order from Nigeria is going to have a greater potential for being fraudulent compared to an order from Norway.
Using Transparency.org's overview you can check which countries are perceived to be corrupt. Using their 2020 figures we would manually review any country with a score under 60 to decide if shipping is allowed.
Your content management system should allow you to remove countries that you’re not confident shipping to. A stricter approach is to disable shipping everywhere as a starting point and then enable shipping to countries you are comfortable with.
Don’t ship to high risk countries or at least be very, very careful.
Tip #7 – Is the address being shipped to real, or is it a mailbox?
Using a mailbox is a favourite technique for fraudsters, as it makes it harder to track where the items have actually been delivered to, or where the real final destination is. It should be noted here that delivery to a mailbox is not compatible with selecting a signed-for delivery shipping option. Thus you need to check if your content management system will then force non-signed-for delivery to cope with the mailbox when actually you may not want to process the order at all.
For customers that want to ship to a mailbox, in particular new customers, treat the order with great caution.
Be careful shipping to mailbox addresses
Tip #8 – Be wary of orders that request the quickest and most expensive delivery method
A lot of online merchants offer a variety of shipping methods to meet their customer needs. There might be next day delivery, or even next day before 9 am. Typically, those delivery methods will carry a higher charge.
A favourite trick of fraudsters is to select the most expensive and quickest delivery method. The idea here is to try and rush the order through before you have had time to carry out a thorough check.
Remember, it’s not their money so why not spend more and get the goods quicker?
Look out for orders that request express delivery
Tip #9 – Look out for a series of small orders before a large order in a short space of time
This is a common technique, where a fraudster will send through a series of small test orders knowing that because of their value you may well be less suspicious. Then they will send a large one through. Normally the orders are only a few days apart and before you might expect a chargeback to occur.
Essentially, they are testing you to see what they can get away with. As mentioned previously you should only trust an account that has been running for at least a few months, and even then it’s still worth being vigilant.
A typical pattern is to send a small order or orders through and then a large one in a short time frame.
Tip #10 – If your product range is small, high-value goods, consider deferring payments
Typically a merchant will be able to set up their online shop so that they either take the money up-front, or when the goods are actually dispatched. In the case where you take money up-front and you get a lot of fraudulent requests, it can be confusing having to refund cards or process chargebacks.
By moving to deferred payments you will essentially only be releasing funds for correct orders, thus minimising the chance of a chargeback.
You may want to defer payments if your product range is high value and small.
Tip #11 - Check that the country from where the order was made matches the cardholder’s country
When an order is made the IP Address of the customer can be logged. You can take this IP Address and enter it into a site such as Ripe. This will then tell you the country that the IP address is from and thus which country the customer made the order from. If this does not match the cardholder’s address that the customer fills out, then you may have an issue. For example, if the cardholder has a United Kingdom address but the order is made from a Russian IP Address then you may have a fraudulent order.
Does the country they made the order in match the cardholder's address?
Tip #12 – Make sure your customer has agreed to your terms and conditions
In the case that there is a problem with the order, you will have some framework to fall back on if the customer has agreed to your terms and conditions. For example, your terms and conditions may reference a more detailed returns policy which states how goods should be returned and that they should be in their original condition.
In the case where you have a chargeback and the goods have been delivered to the cardholder you can show the cardholder’s bank evidence of:
- Any missed time frames
- Goods not being returned correctly
- If goods are damaged etc.
Make sure the customer agrees to terms and conditions when making the order.
Tip #13 – Don’t be afraid to contact the customer to ask questions / get reassurance that everything is legitimate
If you have a suspicious order try to phone the customer, if only to check their order is correct. By doing this you are proving the phone number is correct and that there is a real person there. If the phone number contacts someone who has no idea about any order then you know there is something wrong.
A genuine customer will be only too happy to answer any questions/confirm the order details.
Here is an example conversation (you will notice that I am getting them to try and tell me what the order is – again, a fraudster is not likely to remember).
Me: Hi Bob, it's Tim from Pipes Ltd. Thank you for your recent order, I just wanted to check a few details here to make sure we have everything correct for you.
Me: Can you just confirm the names of the product or products that you ordered?
I can then go on and ask any other questions or mention if there was an issue with any part of the order, such as a security code not matching or delivery address problem, etc.
If in doubt try phoning the customer to get more info.
Tip #14 – Keep detailed customer notes
However you do it, keep a record of any extra customer interaction including phone calls and emails, and log this against any relevant order. That way if there are problems in the future you avoid the case of “he said”, “she said”. Each note should be time-stamped and logged against a person in case you need to produce a timeline to fight a chargeback.
Keep notes of all communications in case it is needed later.
Tip #15 – Train every member of your staff
There is little point in you being a whiz at spotting fraudulent orders if your staff, the people on the ground doing the processing, are not. Make them read this document as part of their training program and keep a copy pinned to a notice board. The more people that can spot fake orders, the less chance that something will slip by.
Make sure everyone knows how to spot fraudulent orders.
Tip #16 – If you discover fraud, act quickly
You may be lucky and the goods have not been dispatched. If so, get the order stopped. They may still be with a courier awaiting delivery; again, get it cancelled.
Quick action may allow you to stop goods being delivered.
Tip #17 – If a fraudulent order gets through, turn the account off
In the case where one slips through the net, get the account turned off so they can’t come back and try again in a few months’ time when everyone may have forgotten!
Turn the account off.
Tip #18 – Log any fraudulent orders to help spot future patterns
Again, if you do suffer a fraudulent order, get it logged in a simple spreadsheet along with any others so that you can build up a data-set to help spot other patterns. For example, you may find that all your fraudulent orders are from Yahoo email addresses. This will allow you to be more vigilant for this kind of email address in future.
Keep a log of any fraudulent orders that slip through to build your own data-set.
Tip #19 – Trust your instincts!
Over time and with enough orders you are likely to get a gut feel about orders going through - it becomes second nature. If your gut tells you there is something off then don’t ship! At the very least contact the customer for more info. If you are still not sure, revert to only shipping to a cardholder’s address that has basic security matching, and even then, it may be best to just cancel the order and move on.
Trust your gut reaction!
An example risk matrix
Below is a matrix taking into account the above points. Every online shop is different and you may need to adjust the threshold figures / basic scoring to suit.
| Score | Item                                                            |
|-------|-----------------------------------------------------------------|
| 5     | Delivery address different from card holder's address           |
| 5     | Card holder’s security code doesn’t match                       |
| 3     | Card holder’s address partial match                             |
| 5     | Card holder’s address no match                                  |
| 5     | Phone number not correct                                        |
| 1     | Email address a free one                                        |
| 3     | Email address is random                                         |
| 2     | Customer profile all lower case or upper case                   |
| 2     | Time of day after 11pm and before 7am                           |
| 1     | Distance between card holder’s and delivery address, per 20 miles |
| 2     | Above average order value, per £50 difference                   |
| -10   | Customer has bought more than 2 months ago                      |
| 5     | Express delivery selected                                       |
| 15    | Mailbox for delivery                                            |
| 20    | Country of the IP address does not match card holder            |
| 15    | A small order just before a larger order                        |
We have assumed that you do not allow orders to be shipped to high risk countries, and that all orders over a certain value will require signed-for delivery.
- Warning threshold: 15
- Do not ship: 40
The above is a guide only. If you want to use something similar for your own business then we suggest you put together a spreadsheet (see below) with real orders from your shop. This will allow you to add extra criteria as you see fit, tweak the scoring system and thresholds so that you can fine-tune the matrix.
Also it is worth noting that you should consider this matrix as something that may need continual tweaks and refinement.
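To show how the scoring described in Tip #2 and the example risk matrix above works end to end, here is an added example in Python; it is not the article's own code or spreadsheet. The point weights and the 15/40 thresholds are taken from the matrix above and the £35 average order value from Tip #4. Everything else is an assumption of mine: what counts as a "random" email address, a "correct" UK phone number, "more than 2 months ago" (60 days) and "a small order just before a larger order" (an order in the previous 7 days worth under a quarter of this one). The distance between postcodes and the IP country are taken as already looked up (the article does these via Google Maps and Ripe), and the four sample orders are constructed.

```python
# Risk-matrix scoring for an order: an added example, not the article's own code.
# Weights and thresholds are the article's example matrix; rules marked "assumption" are mine.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

WARNING_THRESHOLD = 15       # article: "Warning threshold: 15"
DO_NOT_SHIP_THRESHOLD = 40   # article: "Do not ship: 40"
AVERAGE_ORDER_VALUE = 35.0   # Tip #4's example average, in pounds
FREE_EMAIL_DOMAINS = {"hotmail.com", "outlook.com", "yahoo.com", "gmail.com"}

@dataclass
class Order:
    customer_name: str
    email: str
    phone: str
    profile_text: str          # optional profile fields as the customer typed them
    same_delivery_address: bool
    cv2_match: bool
    avs_result: str            # "full", "partial" or "none"
    distance_miles: float      # card holder to delivery address, looked up elsewhere
    value: float               # order total in pounds
    placed_at: datetime
    express_delivery: bool
    mailbox_delivery: bool
    ip_country: str            # from an IP lookup as in Tip #11
    cardholder_country: str
    previous_orders: list      # [(datetime, value), ...] for this account

def looks_random(name: str, local_part: str) -> bool:
    """Assumption: 'random' means no part of the name (3+ letters) appears in the local part."""
    parts = [p.lower() for p in re.split(r"\W+", name) if len(p) >= 3]
    return not any(p in local_part.lower() for p in parts)

def phone_is_valid(phone: str) -> bool:
    """Assumption: a UK number has 10 or 11 digits once spaces and '+' are removed."""
    return len(re.sub(r"\D", "", phone)) in (10, 11)

def score_order(o: Order, avg_value: float = AVERAGE_ORDER_VALUE):
    """Return (score, reasons), reasons being the (points, explanation) pairs that fired."""
    local, _, domain = o.email.lower().partition("@")
    age = lambda when: o.placed_at - when
    flags = [  # fixed-weight items from the article's matrix
        (5, not o.same_delivery_address, "delivery address differs from card holder's"),
        (5, not o.cv2_match, "security code (CV2) does not match"),
        (3, o.avs_result == "partial", "card holder's address partial match"),
        (5, o.avs_result == "none", "card holder's address no match"),
        (5, not phone_is_valid(o.phone), "phone number not correct"),
        (1, domain in FREE_EMAIL_DOMAINS, "free email provider"),
        (3, looks_random(o.customer_name, local), "email address looks random"),
        (2, o.profile_text.isupper() or o.profile_text.islower(), "profile all upper or all lower case"),
        (2, o.placed_at.hour >= 23 or o.placed_at.hour < 7, "placed between 11pm and 7am"),
        # assumption: "more than 2 months ago" taken as 60 or more days before this order
        (-10, any(age(w) >= timedelta(days=60) for w, _ in o.previous_orders), "customer bought more than 2 months ago"),
        (5, o.express_delivery, "express delivery selected"),
        (15, o.mailbox_delivery, "delivery to a mailbox"),
        (20, o.ip_country != o.cardholder_country, "IP country does not match card holder"),
        # assumption: "small order just before" = an order in the last 7 days under a quarter of this value
        (15, any(timedelta(0) <= age(w) <= timedelta(days=7) and v < o.value / 4
                 for w, v in o.previous_orders), "small order shortly before this larger one"),
    ]
    reasons = [(pts, why) for pts, hit, why in flags if hit]
    if (blocks := int(o.distance_miles // 20)):              # sliding scale: +1 per 20 miles
        reasons.append((blocks, f"{blocks} x 20 miles between addresses"))
    if (steps := int(max(0.0, o.value - avg_value) // 50)):  # sliding scale: +2 per GBP50 above average
        reasons.append((2 * steps, f"{steps} x GBP50 above the average order value"))
    return sum(p for p, _ in reasons), reasons

def decide(score: int) -> str:
    if score >= DO_NOT_SHIP_THRESHOLD:
        return "do not ship"
    return "warn" if score >= WARNING_THRESHOLD else "ship"

NOW = datetime(2021, 3, 29, 14, 0)  # constructed timestamp for the samples

def make_order(**overrides) -> Order:
    """Constructed sample: a clean first order, with fields overridden per scenario."""
    base = dict(customer_name="Bob Under", email="bob.under@example.com", phone="01234 567890",
                profile_text="Bob Under", same_delivery_address=True, cv2_match=True,
                avs_result="full", distance_miles=0, value=40.0, placed_at=NOW,
                express_delivery=False, mailbox_delivery=False, ip_country="GB",
                cardholder_country="GB", previous_orders=[])
    base.update(overrides)
    return Order(**base)

SAMPLE_ORDERS = {  # all constructed
    "returning customer": make_order(previous_orders=[(NOW - timedelta(days=120), 30.0)]),
    "express to other address": make_order(same_delivery_address=False, email="bob.under@gmail.com",
                                           distance_miles=95, value=60.0, express_delivery=True),
    "test order then big order": make_order(value=400.0, previous_orders=[(NOW - timedelta(days=3), 8.0)]),
    "classic fraud pattern": make_order(same_delivery_address=False, avs_result="partial", phone="0123",
                                        email="xk29qw@hotmail.com", profile_text="BOB UNDER",
                                        placed_at=NOW.replace(hour=2), distance_miles=130, value=800.0,
                                        express_delivery=True, ip_country="RU"),
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        score, reasons = score_order(order)
        print(f"{name}: {score} -> {decide(score)}", *(f"\n  {p:+d} {w}" for p, w in reasons))
```

Running it scores the returning customer at -10 (ship), the express order to a different address at exactly the warning threshold (15, warn), the small-then-large pattern at 29 (warn, with the +15 "small order shortly before" reason listed), and the order combining most of the red flags at 82 (do not ship). Keeping the reasons alongside the score is deliberate: a number on its own tells staff nothing about which tip to act on, and the list is what you would paste into the customer notes from Tip #14 if the order later turns into a chargeback dispute.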
Sadly, ecommerce fraud is very much a part of life for the online world. As a merchant you will never fully eradicate it. You should be aiming to keep fraudulent payments to an absolute minimum, and in the case where something is missed and you lose money, make sure you learn from it.
It should be noted that some sites offer goods less likely to be targeted for fraud, whilst others offer desirable or readily disposable goods that attract far more attention from fraudsters. The amount of attention you give fraud will often depend on your goods and the default options you choose throughout your ecommerce payment process.