September 10th, 2015 by Jamie Estep
Fraud Prevention Tips
Part 2 of our series on fraud covers some tips to help identify fraud and prevent the damage it causes. Many forms of fraud can be prevented by proactive policies, and often with common sense. While some schemes are so well planned that even seasoned professionals have a hard time identifying them, many types of fraud follow recognizable trends and can often be prevented. Here are some tips to help identify, prevent, and mitigate fraud.
General (applies to all business types)
- Create a payment acceptance guide / poster for all employees and keep it readily available. This should be a short, easy-to-read list of how payments should be accepted. Anything outside of these guidelines should be considered against company policy without approval from a knowledgeable supervisor. Keep this as short and concise as possible; it should be something an employee can review in 20 seconds or less. Most fraud will require an employee to deviate from the normal method of accepting a transaction, and this is meant to immediately prevent the lowest-hanging types of fraud.
- Talk to your employees about fraud and encourage them to notify you or a supervisor of anything suspicious or simply out of the ordinary with regard to accepting payments. This will keep everyone on the same page, and can help you and your employees develop better practices and a higher understanding of potential threats.
- Do not ever accept an authorization number from a customer or their bank. Only accept authorization numbers generated when you process a transaction or if you manually call into your credit card processor’s authorization line.
- Don’t allow issuing cash refunds on any credit or debit transaction that was processed as a credit card, and do not allow issuing a refund to any card other than the one used to make a payment. Basically, unless the customer entered a PIN number on a PINpad, only credit back to the original card used to make a purchase.
- Be especially vigilant of customers requesting refunds, credits, or abnormal transactions involving prepaid gift cards. Prepaid gift cards work differently from normal credit and debit cards and some issuers have been known to have large security and functional holes in their authorization and funding systems.
- If available at your processor, use a terminal that supports EMV (chip) cards. EMV eliminates fraud occurring from cards that have been electronically stolen and copied to another card. Businesses with unattended card readers, such as gas stations, will see the greatest benefit from EMV.
- Make sure a supervisor is required for any returns or credits to a credit or debit card. A very large portion of fraud is committed by employees and customers in the form of issuing credits. The money issued during a credit can be difficult to impossible to account for without vigilant bookkeeping practices. Credits should always be strictly controlled.
- When the card is present, always check the back of the credit card for a signature before asking for ID. If no signature is present, ask the card holder to sign the back of the card, then ask for their ID and see if the name and signatures match.
- Although card brands do not permit requiring an ID as a condition of accepting a payment, you can still always ask for one to verify that the purchaser is the person standing in front of you and whose name is on the card.
- Be especially vigilant of cards that appear to be damaged, potentially altered, or cards where the beginning numbers don’t match the type of card being offered (Generally beginning with 4 for Visa, 5 for MasterCard, 3 for American Express, and 6 for Discover). After printing a receipt, you can also verify the printed card numbers on the receipt match the numbers on the actual card. When thieves make copies of stolen cards, they often encode them onto cards with a completely different number or an entirely different type of card than the one the numbers were stolen from.
- Be critical of situations where a customer’s payment isn’t typical, such as trying to pay with a series of cards that keep declining, refusing to show an ID, refusing to sign their card, etc.
Card Not Present
- Requesting the CVV code helps ensure that the buyer physically has the card in hand, or at least had it in their hand at one point. Electronically copied cards will not have the CVV number. While not a guaranteed method, it’s a good step to help protect your business.
- Always use the Address Verification System (AVS). AVS verifies that the billing information matches what the card issuer has on file by matching both the street number and the zip code. However, AVS does not work with most international cards, so this may not be as useful to merchants who have a large percentage of customers paying with non-US issued cards.
- Any shipments to the customer should be shipped to the billing address when possible, and shipments with a high dollar value should require a human signature with the carrier. While this can sometimes cause convenience problems, it is the best way to protect your business and guarantee that at least a human was there to receive your shipment.
- Only use shipping services, such as UPS or FedEx, that allow you to cancel or reroute an item after it has been picked up. The only thing worse than taking a loss on fraud is identifying a transaction as fraudulent and not being able to prevent the package from being delivered after it has been shipped.
- Orders requesting expedited or overnight delivery should be scrutinized more than orders requesting ground or other economy shipping. It is common for customers to want their items quickly, but thieves also want to get products in their hands as quickly as possible, and will almost always pay for the fastest possible shipping method no matter the cost. Anecdotally, in more than 15 years of operating ecommerce sites, we’ve never seen a confirmed fraudulent order shipped by anything less than 2nd day air; the vast majority are shipped by the fastest and most costly method possible, which is typically Next Day AM or equivalent.
- Searching the shipping address of an order in a search engine can often reveal if the order is being shipped to a forwarding address, an empty or for-sale property, or sometimes even just a vacant lot. All of these situations are a major red flag for potential fraud, and should require further review before fulfilling an order.
- Be especially cautious of orders where the buyer changes the shipping address after ordering. This is a common method used to circumvent AVS and other address based screening methods of identifying fraud.
- Online or phone orders where the buyer is indifferent to the cost of shipping or the cost of the products being ordered should be considered a high fraud risk.
- Additionally, any customer asking for a catalog and price list when you have everything on a website should be considered suspect as well. Unsolicited requests for prices, product lists, and what payment methods a business accepts, are often nothing more than electronically generated emails from scammers scraping emails off ecommerce sites.
Additionally, take a look at our 30 second fraud checklist for ecommerce merchants.
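The card-not-present checks above, combined into one pre-fulfillment screen as an added example (not part of the original post or any processor's API). The field names, shipping labels and the 500.00 high-value cutoff are assumptions, and AVS is modelled as two match results that are `None` when the issuer returns nothing, as with most international cards.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed labels and cutoff for this example; set them per business.
FAST_SHIPPING = {"next_day_am", "next_day", "second_day"}
HIGH_VALUE = 500.00


@dataclass
class Order:
    total: float
    cvv_supplied: bool
    avs_street_match: Optional[bool]  # None: issuer returned no AVS result
    avs_zip_match: Optional[bool]     # (typical for non-US issued cards)
    billing_address: str
    shipping_address: str
    address_changed_after_order: bool
    shipping_method: str
    carrier_signature: bool


def norm_address(address: str) -> str:
    """Case- and punctuation-insensitive form used to compare addresses."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())


def screen_order(o: Order) -> List[str]:
    """Return the reasons an order needs manual review before it ships."""
    flags = []
    if not o.cvv_supplied:
        flags.append("no_cvv")
    if o.avs_street_match is None or o.avs_zip_match is None:
        flags.append("avs_unavailable")  # unverified, not the same as a mismatch
    elif not (o.avs_street_match and o.avs_zip_match):
        flags.append("avs_mismatch")
    if norm_address(o.billing_address) != norm_address(o.shipping_address):
        flags.append("ship_to_not_billing")
    if o.address_changed_after_order:
        flags.append("address_changed_after_order")
    if o.shipping_method in FAST_SHIPPING:
        flags.append("expedited_shipping")
    if o.total >= HIGH_VALUE and not o.carrier_signature:
        flags.append("high_value_without_signature")
    return flags
```

An empty list means none of the listed red flags fired; any entry routes the order to a person before the carrier picks it up.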
The information above is meant to give you a better idea of what you can do to help protect your business from fraud. Training yourself and your staff can go a long way toward protecting your business, especially if you keep that training up to date as your business moves forward. New technologies may help businesses limit their risk in some ways while opening the door to other possible threats, so it is important that you keep up with, and understand, the relevant practices of fraudsters. Make sure you implement standard operating procedures within your organization so that you have a baseline to judge potential threats against. Fraudsters are not in the business of getting caught, so if they see a business operating in a manner that is not conducive to their success, they will often move to another target.