Information on Merchant Accounts,
Ecommerce and Credit Card Processing

March 17th, 2010 by Jamie Estep

30 Second Fraud Checklist for Ecommerce Merchants

Filed in: Ecommerce, Fraud, Merchant Accounts | 10 comments

Credit card fraud and online ordering fraud has hampered ecommerce merchants since the first credit card payment was taken over the internet. Because fraud is still successful, and because there is virtually no way to go after someone you suspect of fraud, it is still a plague to website owners trying to run a business on the internet. Online fraud is especially troublesome to online retailers, because they end up losing twice, first when the merchandise they shipped is not recoverable, and second when the real cardholder makes a chargeback. Now they lose the merchandise and the money they would have collected for it. There are numerous fraud screening applications designed to help ecommerce merchants prevent accepting and shipping fraudulent orders. However, many ecommerce sites aren’t even covering the most basic of fraud screening principals.

Here is 10 items that should be checked on every order before shipping. If you do nothing else for fraud screening at least cover these basic principals to help prevent some of the more obvious fraud.

If any of these are true, it’s a good idea to further review the order, or contact the person making the purchase before shipping.

  1. Billing and Shipping Addresses Don’t Match
  2. Requesting Overnight Shipping
  3. Order is for Multiple Quantities of the Same Item
  4. Items Being Ordered are Mainly of High Value
  5. Order is for Uncommonly Purchased Items
  6. Different but Related Products Being Ordered
  7. AVS and/or CVV Verification Failed
  8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved
  9. Customer’s phone number and/or email look unconventional
  10. Order is Being Shipped to Africa, Asia, or Eastern Europe

1. Billing and Shipping Addresses Don’t Match

This should be the first sign of potential trouble. While not impossible, it is rare for fraudulent orders to be shipped and billed to the same address. Someone making a purchase fraudulently will often have the item shipped to a forwarding address or other location that they are not personally associated with.

It is common for shoppers to ship to their home or business address which may be different from their billing address. Nevertheless, it’s a good idea to at least take a look at orders that do not have matching shipping or billing addresses. If an order is being billed to Omar Patel in Houston, and being shipped to John Smith in Seattle, you may want to ask why…

2. Requesting Overnight Shipping

While it’s completely reasonable for a customer to want their order ASAP, expedited shipping is a very common trait of fraudulent orders. The thief needs to get the merchandise as quickly as possible before a chargeback is made. With slower shipping methods, the merchant has the opportunity to halt the shipment if they receive a chargeback, or identify the order as fraud, which would make nullify the efforts of the thief.

3. Order is for Multiple Quantities of the Same Item

Many times, fraudulent orders are made with the intention of reselling the merchandise on eBay, Craigslist or locally. Multiple items make an easier sale and easier money especially if the items are in high demand.

Depending on your industry you may often get orders for multiple items, so this rule applies much less to some industries. For us, we often get orders for 10 or more credit card terminals as many businesses have multiple locations. Over time, you should be able to better identify common ordering trends.

4. Items Being Ordered are Mainly of High Value

As with above, since many fraudulent orders are placed with the intention of reselling the merchandise, the most expensive merchandise often yields the greatest rewards. The merchandise can be quickly sold and the thief can makes a decent profit even when discounting 50% or more. The higher the value of the merchandise to you, the higher the value to someone trying to steal it.

If your average order is $200, you should definitely take a closer look when someone places an order for $10,000. Also, keep in mind that the larger the order, the more damage to your business if a fraudulent order is successfully placed.

5. Order is for Uncommonly Purchased Items

I’m not entirely clear on the reasoning behind this, but it’s not uncommon for fraudulent orders to be for items that are rarely purchased. Most likely it is due to careless research on the thieves part. If you sell thousands of orders per year and have never sold some particular item, I would be suspicious when someone comes along wanting it. There’s usually a reason why some products sell a lot and why others never sell. It’s not common for only 1 customer ever to be interested in an item that you offer.

New ecommerce sites will have a hard time with this rule, but once you establish some sales history and if you really know your products, it’s easy to spot and flag orders with uncommon items in them.

6. Different but Related Products Being Ordered

Let’s assume you sell LCD TV’s online. It’s very common for someone to come along and purchase a single TV. Maybe you have a sale and someone purchases several TV’s on sale, still a completely reasonable scenario.

Now, let’s say someone orders 5 TV’s, and every one is a different brand and size. This should immediately raise a red flag. Yes, it’s possible that someone wants 5 completely different TV’s, but purchasing products like this is not a common shopping or even human behavior and warrants further investigation.

7. AVS and/or CVV Verification Failed

While the majority of the largest ecommerce sites still do not require CVV, it’s a really good idea for you to. If your customers are US based, requiring a positive AVS zip code match is also a good idea. AVS verifies the address of the cardholder, and CVV verifies that the person placing the order has at least had the physical credit card in their possession. Even if  the card number was stolen, odds are the thief does not have the CVV number unless the entire card was stolen.  If the entire card was stolen, there’s a good chance that the owner would have canceled it already. CVV costs nothing, and I strongly recommend all merchants to at least require it to be submitted. Because the number can be worn off the card, I do not always recommend a positive match, but this is something you need to assess specifically for your business and your customers. When in doubt, require it!

8. Customer Made Several Unsuccessfully Attempts Before the Transaction was Approved

This works in conjunction with AVS and CVV verification. If someone is attempting to place orders using a stolen card, it’s common for several declines due to an incorrect address, expiration date, or CVV.  Keep a close eye on customers that submit multiple declined or AVS/CVV mismatch transactions. 1 or 2 errors may be common, but if you start seeing a group of attempts it may be a sure sign of fraud.

If you start seeing hundreds or even thousands of attempts it is almost certainly an entirely different type of fraud called carding. This type of fraud can be very costly to your business even if you never lose any merchandise, so it’s important that you promptly address and correct the situation that is allowing it.

9. Customer’s phone number, email and/or shipping information look unconventional

You wouldn’t believe how many times fraudulent orders use incorrect, fake, or just plain goofy email addresses, phone numbers, and ship-to information. If you get bounced receipt emails, see an email like fbi.gov, see phone numbers like 555-555-5555, or are shipping to Mickey Mouse, you should probably be concerned about the order being fraudulent. Additionally, if the phone number contains a country code, or incorrect area code, there’s a good chance that someone just typed the first digits they could into the phone number box.

Most business and personal land-line phone numbers can be researched just by entering them into a google search. At the very least you can figure out if the area code matches the billing or shipping address, and if the number is actually valid.

10. Order is Being Shipped to Africa, Asia, or Eastern Europe

I don’t want to discriminate against people in any particular country, but it’s a fact that a lot of fraud originates in a few select regions and countries of the world. Unless you have experience in international-commerce, it’s a good idea to only cater to your own country, or ones you know and trust very well. I wouldn’t even consider shipping a product to most African countries, East Asia, Eastern Europe and Russia. Also, some areas like Amsterdam are notorious for credit card fraud. Be very careful when accepting international orders.

Even if an order isn’t fraudulent, international orders can introduce a multitude of additional customs, credit card processing, and legal requirements, and can make processing returns very difficult. Something as simple as shipping from the US to Canada, can present a number of problems and costs that many website owners are not prepared to deal with. I strongly suggest doing a lot of research and finding someone who has real experience before venturing into international shipping.

Final words…

I can guarantee that every online merchant will face some form of credit card fraud. Credit card fraud is a minor inconvenience to some, and will end others’ online ventures. Not all merchants need to use some of the more advanced fraud screening methods out there, but everyone should cover the basics.

10 Responses to “30 Second Fraud Checklist for Ecommerce Merchants”

  1. Heru Kurniawan March 22, 2010 at 3:22 am

    I am really like to read some articles in your site. I got a lot of information from you. So, I have bookmarked your site.

    I like no 7..
    Granted, an enhanced AVS validation would not help much with account takeover or identity theft (in cases when a new account has been opened), but in other cases I could see it taking a serious bite out of fraud. Since most of the burden of such a program would rest on the shoulders of the major Visa/MC issuers, do you think they’ll consider it? Do you think the card associations will ever sponsor such a system?

    I don’t know about you, but I think it’s about time to retire AVS and use something a little beefier in its place.

  2. Paul March 22, 2010 at 9:08 am

    While each of the 10 points you list indicate a slight increase in the risk of fraud, they do not indicate a probability of fraud, with the exception possibly of #6. This distinction is important, because if you treat everyone who wants to ship to a different address than their billing address as if they were a criminal, you’ll end up with a lousy shopping experience for the 99% of customers who are legitimate (especially at Christmas).

    Or, to take another example, purchase of uncommon items is actually very common on the internet, precisely because they are hard to find in traditional stores. Or, looking suspiciously at overnight shipping as a red flag — often I buy online because I’ve run out of time, and if I don’t have it shipped overnight, I’ll miss a birthday or an anniversary. Does that make me a suspected fraudster? If you don’t get it to me overnight, I guarantee you’ll never see me darken your virtual door again.

    The real problem that you face with CNP fraud is that many of these very things you want to flag as suspicious are the exact behaviors that your best and highest value customers exhibit. In fact, it frustrates me no end that I am caught up in bad fraud screening at least 4 or 5 times a year. I spend 10s of thousands online annually from travel to gifts to electronics to subscriptions to furniture, yet get rejected or pushed back, sometimes even called for additional information a surprisingly high percentage of the time.

    Simplistic rules of thumb, and even simplistic fraud screening tools are not the way to go for a merchant who is trying to build their business and earn enthusiastic customers. This list reminds me of the nightmare that is airport security — we pay billions for useless procedures and people and equipment that are mostly unnecessary, and all that happens is that the legitimate passengers end up annoyed, late for flights and running through airports with no belts or shoes and computers falling out of unzipped bags, after overzealous rent-a-cops frisk you in places that you tell your kids not to let strangers touch.

    The simple fact is that the terrorists have won — they have changed our lives irrevocably. Will merchants allow fraudsters to win in the same way? Will you make the online shopping experience so unpleasant that your best potential customers refuse to do business with you?

  3. Green News March 25, 2010 at 3:43 pm

    Thanks for the great post. Best wishes on the continued success of your blog. I’ll be back for updates often, you have a new reader.

  4. pegr April 12, 2010 at 2:45 pm

    Um, no, you don’t lose twice when you are scammed. You lose the product.

    If what you said was true, you’d lose the product every time you made a legitimate sale.

  5. jestep April 12, 2010 at 6:09 pm

    Let’s say you have a product that cost $100 and you sell it for $100.

    What I’m referring to is losing the money when the real cardholder makes the chargeback (-$100). If you also shipped a product, you’re out the product as well, which you now need to replace (-$100).

    This fraud cost you $200 to refund the card holder and replace the product.

  6. Goose April 13, 2010 at 2:49 pm

    Thanks for posting this up. It’s always really important to know what to look out for when you suspect a fraud. Your article had a lot of valuable information.

  7. Merchant Data Systems April 21, 2010 at 11:45 am

    Agreed, excellent post! Fraud is definitely a big problem within this industry but it’s important that you find a merchant company that can protect you and your interests.

  8. Merchant Data April 26, 2010 at 9:20 am

    Great information! Thank you for your hard work on this blog… I’ve referenced a number of our customers to your web site.

  9. wiserNow May 11, 2010 at 1:58 pm

    Double check orders from customers that use pseudo domain email addresses such as auctiva and ecrater. They’ll put the name from the stolen credit card in the email address to make it look legit but really they get email to anything@pseudodomain.com. Here’s the scam. They have an auctiva or ecrater website but no real inventory. When a customer orders, they order from legit merchants using stolen credit cards for which they have ALL the billing address information and CVV. They use a pseudo domain email address so they get the shipping tracking number and can forward it to the customer. The customer ends up with stolen merchandise and you can’t shut down the fraudulent site because the police departments in the various states want you to report in person. VISA does nothing because they make more money on stolen credit cards because of the additional chargeback fees. We now check IP address against billing and phone the questionable ones because the number usually not real but close to the credit card victim. Here’s one site that defrauded us out of hundreds of dollars: http://meranski2519.ecrater.com/

  10. keith June 21, 2011 at 1:31 pm

    These are the things in my new agent welcome package that are listed to watch out for

    blank Schedule of fees

    Contracts Cancellation fees

    Annual fees

    Partial Application with no schdule of fees

    Small Companies with no track record

    No phone systems home answering machine

    Companies that do not list wquipment prices on their sites

    Companies that outsources customer support and deployment