Online retailers have a significant probability of being the intended target of order fraud. An online buyer has the perception of anonymity, which makes it psychologically easier for a person to commit fraud against the merchant. Essentially, the fraudster is looking to obtain merchandise from the merchant without paying for it. Online fraud schemes cost the merchant a loss of the product or service provided, and in most cases will incur the expense and exposure of a credit card chargeback.
A disciplined system of online fraud protection and prevention can eliminate almost all fraudulent orders and subsequent losses. If you are a loss prevention professional for a company that transacts sales online, the methods are different from in-person purchase fraud prevention.
Primary Defense: Observing Red Flags
The majority of fraudulent transactions have some common elements. Depending upon the business and industry category, these will vary. Individually, the red flags do not always mean a fraud, but taken together the prediction is fairly accurate. Following is a list of red flags that need attention:
- Order time
- IP address
- Physical location
- Email address
- Telephone number
- Customer name
- Product mix
Order Time. The first item to look at is the time the order is placed. This does not mean any particular, absolute time, but refers to a time frame outside of the normal order pattern. For example, an office supplies merchant may get most orders during business hours. An order placed at 3:00 a.m. might be the first indication to look further at the order. On the other hand, if the company sells surfboards, late-night orders might be normal. The 7:00 a.m. order might be the unusual pattern for this demographic
IP Address. The order time might also lead to the next factor, which is IP location. At first, disregard the physical address on the order and look at the IP address. If it is outside the U.S., especially in a high-risk location, this is worth more investigation.
Next, compare the IP location with the physical address provided. If the order was placed from California, and the billing and shipping address is in Texas, it is worth a closer look. It may be that the customer is on vacation, but it is worth noting to make sure it matches the circumstances.
Lastly, run a search of the IP to see which ISP it returns to. If it is an anonymous proxy or other high-risk entity, it might be worth immediate action; otherwise, note the provider for later comparison.
Physical Location. Is the physical location a valid address? You can check the address on the following sources to reduce risk:
- Public records—does the customer own the property?
- Google Earth—is the property an empty lot?
- Street view—is the property a warehouse or empty building?
- Realtor.com—is the house a vacant or for sale home?
Email Address. Next, look at the email address. If it is from a mass account provider such as Yahoo or AOL, it makes the order more risky since it is more difficult to track. If the ISP matches the email address, the risk goes down, since most fraudsters would be uncomfortable with making that connection. You can run the email address in several places to find out more:
- Google search—listing on web sites can point towards a location or affiliation
- Craigslist or eBay—does the person have anything for sale, such as new products like what you are selling?
- Spokeo—what name does the email come back to, or other accounts it is used for?
Run variations of the name, as some fraudsters think ahead enough to not use the same name twice. For example, if the email address provided is bigtimejoe123@gmail.com, then check out bigtimejoe120, 121, 124, etc. Also try other suffixes, such as bigtimejoe123@yahoo.com,@live.com, etc.
A database of common free email providers can be used to append the user name to each provider to determine if the user can be located in other online locations. Look for a pattern to use as a root variable. You can automate the process of creating the variation by using the “concatenate” function in a spreadsheet such as Excel. Be especially wary if the name is completely different from the customer name. A customer Jack Jones with an email address of maryharris123@yahoo.com might be a red flag.
Telephone Number. Take a look at the phone number to see if it resolves to an address directly. A land-line phone adds security to the order. A cell phone line by itself is not fraud, but added with other factors might make a merchant require more verification before shipping a large order. Check to see if the phone number provided matches the physical location of the IP address and the shipping address. If you have a few red flags already, you might want to call the number to make sure it resolves somewhere. Many times, a fraud order will have a bad phone number that could have been discovered by a simple phone call.
Customer Name. The customer name is an obvious field to observe. Is the customer name legitimate? Too common of a name can be a factor to pursue. A simple cross-reference of the name using investigative databases, such as IRB or Accurint, can verify an identity for a low cost. Alternately, Internet “white pages” sources can filter the majority of names for free.
Product Mix. Last, check the product mix on the order to see if it makes sense. For example, a clothing order with the same item in multiple sizes might need more examination. A large auto parts order for items that go to many different types of vehicles might need some additional explanation before putting them in a shipping box. Each individual industry and business has regular patterns that appear in most orders. Understanding these patterns, either anecdotally or by database analysis, is the first step to noticing deviations from them
Retailers can automate online fraud protection systems by creating an algorithm that measures these indicators and then flags an order when certain combinations are presented.
Secondary Defense: Researching the Information
The next step in online fraud protection and discovery is research. Now that you have noted the primary information from the order, you can do more advanced searching. The simplest way is to run the names, addresses, and emails on Google. You can find connections to the identifications that either confirm or dispute the rest of the order information.
Look at online forums for the industry you serve. If a company sells scuba equipment, running the names or emails in a text search of a scuba diving discussion board could confirm that person as a diving enthusiast, or return warnings from those in that community to beware. You may find “for sale” postings of items similar to what you are selling, and notice similar identification information about the seller
We have seen fraudsters actually using product images from an online retailer to post “for sale” ads, and take pre-orders for goods they intend to scam from a merchant.
See if the person exists on Facebook, LinkedIn, or other social networking sites. If they do appear as an actual person, the risk level goes down. If all of the prior items do not connect anywhere, and there is no record of the person anywhere, it might indicate the need for more verification.
Advanced Online Fraud Protection
Look into installing a customer-contact system onto your web pages. In addition to providing a venue for online customers to chat with your sales department in real time, you can monitor the navigation of customers from one page to another, even with the chat function turned off and not visible on your site. The pages they visit can indicate possible intentions. A fast navigation to a certain product page with no other surfing might be a red flag. On the other hand, lingering on the shipping page might indicate the surfer is looking for loopholes in the merchant’s fulfillment security.
As an online retailer, you may want to set up a page that has information about how you bill and ship, with links written to indicate that there is information about your security on those pages. Those “honey trap” pages can set a cookie to flag the order.
Take a look at your declined orders to watch for repeating IP addresses or product mixes. Cross-reference those with new orders to see if the visitor places a successful order with a new name and email address.
Chargeback Fraud
A few buyers have discovered the ability to obtain merchandise, and then file a chargeback on their card claiming it was not received or they never ordered the items. This is sometimes hard to catch in advance, but there are methods to correct it after the fact.
If you are selling an intangible product, such as software or data, you can install a tag to the delivered file to indicate that it was accessed, along with the time and IP address. You can track that IP to a provider using a service such as SamSpade. If you receive a chargeback, you can send a letter to the customer that you are investigating potential fraud, and inform them of your findings so far. In many cases the customer will suddenly “remember” placing and receiving their order when they learn that the merchant is serious about investigating the chargeback, and not blowing it off.
Once a customer has placed a chargeback, they are sometimes reluctant to be contacted by you. You can use third-party information to locate other addresses and relatives. By sending letters to these locations with notice that you are investigating their recent credit card fraud, you can increase the odds of a response. Sometimes, the receipt of a letter by a relative will induce the customer to withdraw the chargeback.
If there is difficulty connecting a customer’s phone number to an actual address or tracking a customer to a specific phone, the use of a phone trap can be helpful. Blocked phones, unlisted numbers, and private phones all show up on trapping services, such as trapcall.com. You can forward your regular number to a trap line, and even have it forwarded back to you. The subject with a blocked phone will not know you are able to determine their actual calling line.
Order-form warnings and statements on the website can dissuade those who plan a chargeback in advance from even placing the order. Carefully written warnings will not have a negative effect on honest customers.
If you are hit with a chargeback, start by presenting all of the documentation to the merchant account provider. Send a recital of when the order came in, along with background on the customer, and the IP address it came from. Remember, the response file you send to the card provider will normally be sent to the customer as well. A customer who receives a 15-page reply with the shipping receipt, IP address to their house, list of previous addresses of the customer, and other background information will know you mean business. Unless the order was a true identity theft via credit card fraud, it is likely they will withdraw the chargeback.
If the chargeback defense fails, and you believe that the customer has actually received the product, do not overlook the value of filing a lawsuit. Even if your customer is out of state, you can normally file a small-claims lawsuit by mail for a nominal fee. You may not actually have to travel to the state to prosecute the suit. A summons to court for a lawsuit for a significant dollar amount might be sufficient motivation for payment. Be sure to make the amount for damages to include the product and shipping losses, chargeback fees, investigation costs, and the projected amount of damage from increased processing fees from the chargeback.
It is a low threshold of perceived risk to scam an online merchant for a few hundred dollars of merchandise. However, most individuals would not like to face the court system if they can avoid it, and have a different level of courage when the court system is involved. If you are able to file a police report with local law enforcement, attaching this to the copy of the civil court summons magnifies the effect. If you succeed in receiving payment, you may be able to provide the documentation to the merchant bank to have the chargeback reversed from your percentage.
Investigating a Successful Theft
If a product or service is stolen from a merchant using a chargeback scheme or stolen credit card, there is still opportunity for reimbursement. Keep in mind that as the merchant, you still have some contact information for the individual. Often, a subject will lower their guard after some time has passed since the chargeback. Depending upon what the subject will do with the product they obtained, there are several methods to pursue the individual.
Watch for attempts to sell the item—Check Craigslist postings in the area where the customer is located, or use eBay for a nationwide search. Look for a series of items listed by the same seller that matches the exact product mix you sold; it will certainly have some kind of contact information for the seller.
Observe direct use of the item—For high-ticket items direct surveillance may be warranted. Even for small purchases, you can use virtual surveillance via social media accounts, as these are portals into the lives of their users. The first thing many people do when they get something new is to take photos of themselves using the item and brag about it to the world.
Request warranty registration from the manufacturer—If the item is a serialized product, the manufacturer may be able to release any warranty registration of it to you as a dealer.
Investigate purchases of parts or accessories—For products that are prone to breaking or customization, a new buyer may purchase accessories. While they may not go back to you as a source, you may be able to work with competitors to exchange information on chargebacks. Alternately, you can send a postal mailer with a “special offer” on parts or accessories using a different company name and contact address. It is possible to set up a UPS Store address in another state for $20 per month that you can use for this and other purposes. This and a Skype number with a corresponding area code might catch a buyer looking for another score.
Place a follow-up call posing as a third party for survey purposes—You can either do this yourself or hire an outside firm to call the subject to do a survey on how they like the product. Whether they like it or not, it does confirm they have it, which can lead to more investigation.
Loss-Control Profit Center
Online fraud protection is a layered approach for web merchants. The individual factors that represent red flags are not each a smoking gun by themselves. However, taken in context and compared with the normal operation of your business, they can make one order stand out from the others. It may not mean canceling the order, but indicate a further need for investigation.
Keep a file of frauds and attempted frauds, to build a matrix of common elements. Over time this matrix of data can be mined to create a fraud score specific to your industry and even your particular business. Check the laws in your state to make sure that any of the methods you employ for online fraud protection are legal.
Loss prevention in online businesses should be looked at as a profit center, not as an expense. A properly managed online fraud protection and security department will have a higher return for every dollar spent on time and resources than almost any other department, even sales.
The trend towards more online transactions is accelerating both for web-only retailers as well as omni-channel retail sellers. As online transactions increase, businesses can create a competitive advantage by developing an online fraud protection plan for this type of loss-control profit center.
This article was originally published in 2010 and was updated November 10, 2016.