Fraud Detection

How to detect fraudulent transactions

As of right now I have five online ecommerce shops selling fitness supplements.  Pretty much anything you’d find in GNC is listed on my websites.  Since I work with another middleman company that stores most of the inventory and does the packaging and shipping for me, margins on my end are very slim.

After the first year in business my company received seven or eight chargebacks, which occur when anybody that owns a credit card goes to their bank and says “I didn’t purchase this” or “I’m not happy with the product or service I received.”  Chargebacks are a whole post in itself, so I won’t ramble too much about their pain right now.  Anyway, this past year we’ve received one chargeback and it wasn’t because of third party fraud; the guy ordered a product that was on backorder and wasn’t happy that he was too ADD to notice the website or read the email stating the product was on backorder.  Anyway, I’ve become much more acute at identifying fraudulent transactions as they arrive in an effort to minimize losses, but I’m not perfect by any means.  I’ve probably canceled a valid order or two in the past year because the risk of filling the order was too high.  Today for example, somebody ordered $15 worth of product and paid $55 for second day air shipping.  I stand to earn about a buck… no, actually, I’d lose about fifty cents if all goes well, and risk losing $70 plus bank fees, which can be up to $50 depending on how mean your bank is, on this order if it were fraudulent and the card owner performed a chargeback.

Methods I use to determine fraudulent transactions:

1. Require the customer to enter the CVV code on the back of their credit card. The idea is that the customer would have to have possession of the card in their hands at the time of the order.  This is not foolproof by any means because the card may have been used at an untrustworthy online merchant that stores all this data in plain text.   The CVV code may deter some fraud, but in reality, this information can be just as easy to obtain as the credit card number itself.

2. Use Address Verification Service (AVS)

3. Pay attention to the products ordered. With most fraudulent orders, the customer will order a high quantity of just one product.  They will not order a variety of products or be very selective or price conscious.

4. What speed of shipping did they choose and how much does it cost in relation to the product cost? Speed of delivery is important.  We offer 1-3 day UPS ground shipping on our sites, but still offer UPS 2nd day air and UPS 1 day air delivery options.  Typically, what would cost $10 to ship via UPS ground will cost $50 UPS 2nd day air and $100 UPS 1 day air.  The scammer in these cases cannot get the product in their hands fast enough; they will choose an upgraded shipping option as the cost means nothing to them.  Occasionally a valid customer will order $50 worth of product and pay $50 to have it shipped, but it’s about 1 in 250 orders.  I do have a regular customer that buys $30 worth of product and pays $22 for UPS 2nd day air instead of $7 for 1-3 day shipping.  The more reliable delivery date is worth it to some people.  However, be very wary of these transactions, especially if it’s the first time a customer has ordered from you and the shipping price is as much or more than the product total price.

5. Watch for a customer that tries multiple declined credit cards right after one another.  The most likely reason they’re being declined is because they’ve been reported stolen.  I’d be cautious of anybody that must use three or more credit cards to submit a valid transaction.

6. When is the last time the customer ordered from you? It’s common that you’ll have new customers and it’ll be the first time they’ve ordered from you, so don’t get too worried about that.  With my sites, I estimate 50% of our orders are first time customer orders.  The one to watch out for is if the customer placed multiple orders with you with a short time span between orders, say less than four days apart.  Back when I was a rookie at this, I had a guy place an order for over $300 worth of product, then placed another large order, which contained many of the same products as the first, only two days later. Then a third order was placed shortly thereafter.  I was very excited to get a few great orders, but really just had the blinders pulled over my eyes.  By the time I received the chargeback for the first order a month later, I’d sent him over $1200 worth of product and he was long gone.  That’s a $1200 out of pocket mistake I don’t want to make again.

7.  Attempt to communicate with the customer either by email or phone. More often than not, somebody who is out to scam you wants no communication with you whatsoever.  They might provide a very odd looking email address and phony phone number.  I have received email responses from some frauds and they’re usually very short emails; about half the time they respond with one word.  Calling the customer and verifying the billing address on the credit card is a pretty good way to catch them off guard, if they gave you their real phone number.  If they hesitate on the billing address, don’t send them anything!

8. Email address should not be that of the person on the shipping address. The person ordering the product will usually provide their email address in case of any billing issues. Be very cautious if the email address belongs to the delivery person as that indicates they’re in charge of the purchase while using somebody else’s credit card.

9. Phone number should not be that of the person on the shipping address. This is for the same reason as #8. Look up the area code on Google and find what state and cities the phone number could be from. Be cautious if it matches the delivery city/state and not the billing city/state.

10.  Validate the shipping address and phone number on This website will tell you who lives at the residence.  It’s a useful tool to help guide your decision, but it’s not foolproof by any means.  A lot of my customers live in apartments and hop around frequently, so the records are many times out of date.  You can do the same with a reverse phone number lookup, but it doesn’t work on cell phones.

11.  Require that customers enroll in Verified By VISA. This program allows customers to assign a password to their credit card so the password must be entered each time when making a purchase online.  If all merchants required this, it would be a great success.  The customer will complain because it’s a few extra clicks and pecks on the keyboard and takes an extra minute, so you will most likely see an increase in abandoned orders during the checkout process.  The bad news is, even as a customer, if you enroll in Verified By VISA, the scammer will simply purchase products from a site that does not have this program implemented in their checkout.

What is Address Verification Service (AVS) and does it work?

What is AVS?

AVS verifies whether the billing address the customer provides is the same as the billing address on file with the cardholder’s credit card company (Visa, MasterCard, etc.).  More specifically, the street number and the zip code are verified individually and the results are reported back.  Use AVS (address verification service) through your gateway such as  Firstly, require the customer to provide two addresses – the billing address their credit card company has on file and their shipping address.

Does AVS work?

Most thieves are dumb.  They’ll acquire stolen credit card(s) and start using them with little regard to the billing address because they don’t care about the billing address; they only care about the shipping address of the order.  I’d say in 85% of transactions the billing address the customer provides matches the billing address on the credit card completely.  Most mismatches occur with college-aged students who are off to college or anybody that has moved recently and the billing address at their credit card company hasn’t changed yet.  AVS is not foolproof.  There are a few ways the thief could have your billing address, such as by acquiring data from another online purchase you made, looking you up in the phone book, or being somebody you know personally that is aware of your address once they’ve obtained your credit card details.

What can I do?

As a merchant, you have the ability to automatically decline transactions that fail one or both of these tests during the authorization process.  This method is not foolproof by any means, but will help you deter some fraudulent transactions.
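
The checks from the list above that can be automated (items 3 to 6) and the two individual AVS results, combined into one order-review function. This is an added example, not the author's code; the field names, the quantity threshold of 5 and the decline policy are assumptions, and the sample orders are constructed.

```python
from datetime import datetime, timedelta

def review_order(order, prior_orders):
    """Return (decision, flags) for one order. Field names are hypothetical;
    avs_street / avs_zip are the two individual AVS results as booleans."""
    flags = []
    # AVS: street number and ZIP code are verified individually.
    avs_failed = [k for k in ("avs_street", "avs_zip") if not order[k]]
    if avs_failed:
        flags.append("avs_mismatch:" + ",".join(avs_failed))
    # Item 3: a high quantity of just one product (threshold 5 is an assumption).
    items = order["items"]  # list of (sku, quantity, unit price in cents)
    if len(items) == 1 and items[0][1] >= 5:
        flags.append("single_product_bulk")
    # Item 4: first order, shipping costs as much as or more than the products.
    product_total = sum(qty * price for _, qty, price in items)
    if not prior_orders and order["shipping_cost"] >= product_total:
        flags.append("shipping_ge_product_first_order")
    # Item 5: three or more cards needed to get one valid transaction.
    if order["cards_attempted"] >= 3:
        flags.append("multiple_cards")
    # Item 6: a previous order placed less than four days before this one.
    if any(timedelta(0) <= order["placed"] - p["placed"] < timedelta(days=4)
           for p in prior_orders):
        flags.append("rapid_repeat_order")
    # Assumed policy: auto-decline only when both AVS tests fail; any other
    # flag sends the order to manual review (phone call, address lookup).
    if len(avs_failed) == 2:
        return "decline", flags
    return ("review" if flags else "accept"), flags

# Constructed sample orders (amounts in cents); not real data.
NOW = datetime(2024, 1, 10, 12, 0)
ORDER_A = {"avs_street": True, "avs_zip": True, "items": [("SKU-1", 1, 1500)],
           "shipping_cost": 5500, "cards_attempted": 1, "placed": NOW}
ORDER_B = {"avs_street": False, "avs_zip": False, "items": [("SKU-2", 8, 4000)],
           "shipping_cost": 1000, "cards_attempted": 3, "placed": NOW}
ORDER_C = {"avs_street": True, "avs_zip": True,
           "items": [("SKU-1", 1, 3000), ("SKU-3", 2, 1500)],
           "shipping_cost": 700, "cards_attempted": 1, "placed": NOW}
PRIOR_C = [{"placed": NOW - timedelta(days=2)}]

if __name__ == "__main__":
    for name, order, prior in [("A", ORDER_A, []), ("B", ORDER_B, []),
                               ("C", ORDER_C, PRIOR_C)]:
        print(name, *review_order(order, prior))
```

Order A mirrors the $15 product with $55 shipping case from the introduction and goes to review rather than being declined, which leaves room for the phone or email check before canceling a possibly valid order.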

Is AVS worth it?

AVS will cost the merchant usually between 5-10 cents per authorization.  To me, I’d say yes, it’s worth it.  AVS is a tool I check on a daily basis when scanning for fraudulent transactions.  Below is an excerpt from the email I receive from my online merchant outlining details of the transactions.  The AVS results are included.