With COVID-19, many of us have seen an increase in our online traffic. Throughout this pandemic, we are doing what we can to stay afloat. As we keep our heads above water, so do the dishonest.
Our industry is subjected to ransomware attacks, hacking, theft of sensitive information and theft of physical product.
Online fraud protection is a layered approach for web merchants.
Our primary defense is observing the red flags. The majority of fraudulent transactions have some common elements. Depending upon the business and industry category, these will vary. Individually, the red flags do not always mean fraud, but taken together the prediction is fairly accurate.
The following is a list of red flags that need attention:
Order Time. The first item to look at is the time the order is placed. This does not mean any particular, absolute time, but refers to a timeframe outside of the normal order pattern. For example, an office supplies merchant may get most orders during business hours. An order placed at 3 a.m. might be the first indication to look further at the order. On the other hand, if the company sells surfboards, late-night orders might be normal. The 7 a.m. order might be the unusual pattern for this demographic.
IP Address. The order time might also lead to the next factor, which is IP location. At first, disregard the physical address on the order and look at the IP address. If it is outside of the U.S., especially in a high-risk location, this is worth more investigation.
Next, compare the IP location with the physical address provided. If the order was placed from California, and the billing and shipping address is in Texas, it is worth a closer look. It may be that the customer is on vacation, but it is worth noting to make sure it matches the circumstances.
Lastly, run a search of the IP to see which ISP it returns to. If it is an anonymous proxy or other high-risk entity, it might be worth immediate action; otherwise, note the provider for later comparison.
Physical Location. Is the physical location a valid address? You can check the address on the following sources to reduce risk:
- Public records — does the customer own the property?
- Google Earth — is the property an empty lot?
- Street view — is the property a warehouse or empty building?
- Realtor.com — is the house vacant or for sale?
Product Mix. Check the product mix on the order to see if it makes sense. For example, an apparel order with the same item in multiple sizes might need more examination. An order of 100 of the same pleasure product (and you are not a wholesaler) might need some additional explanation before putting them in a shipping box. Each individual industry and business has regular patterns that appear in most orders. Understanding these patterns, either anecdotally or by database analysis, is the first step to noticing deviations from them.
Unlimited Supply of Money. For those in the webcam/service industry, does the user have an ample amount of credit? Are they a new user? These red flags warrant a deeper look.
Chargebacks. A chargeback is not always fraud, but if you observe a pattern, it is worth investigating. A few buyers have discovered the ability to obtain merchandise, and then file a chargeback on their card claiming it was not received or they never ordered the items. This is sometimes hard to catch in advance, but there are methods to correct it after the fact. If you are selling an intangible product, you can partner with your provider for help.
If you are hit with a chargeback, start by presenting all of the documentation to the merchant account provider. Send a recital of when the order came in, along with background on the customer, and the IP address it came from. Remember, the response file you send to the card provider will normally be sent to the customer as well. A customer who receives a 15-page reply with the shipping receipt, the IP address linked to their house, a list of the customer's previous addresses, and other background information will know you mean business. Unless the order was a true identity theft via credit card fraud, it is likely they will withdraw the chargeback.
Best Practice:
Loss-Control Profit Center. Online fraud protection is a layered approach for web merchants. Unfortunately, there are no solid KPIs or metrics that can predict future threats. The individual factors that represent red flags are not each a smoking gun by themselves. However, taken in context and compared with the normal operation of your business, they can make one order stand out from the others. It may not mean canceling the order, but it may indicate a need for further investigation.
Keep a file of frauds and attempted frauds, to build a matrix of common elements. Over time this matrix of data can be mined to create a fraud score specific to your industry and even your particular business. Check the laws in your state to make sure that any of the methods you employ for online fraud protection are legal.
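The layered check described above can be sketched as a small scoring routine. This is an added example, not code from the author; the field names, weights, threshold, normal-hours window and sample orders are all constructed assumptions that a merchant would replace with values mined from their own order history.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed baseline for a hypothetical office-supplies merchant (all values are assumptions).
NORMAL_HOURS = range(8, 19)          # hours when most orders normally arrive
MAX_SAME_ITEM_QTY = 5                # above this, a retail order looks like bulk buying
HIGH_RISK_ISP = {"anonymous_proxy"}  # label returned by whatever IP lookup you use
WEIGHTS = {"odd_hour": 1, "foreign_ip": 2, "ip_address_mismatch": 1,
           "high_risk_isp": 3, "bulk_same_item": 2}
REVIEW_THRESHOLD = 3                 # at or above this score, hold for manual review

@dataclass
class Order:
    order_id: str
    hour: int            # local hour the order was placed (0-23)
    ip_country: str
    ip_state: str
    isp_type: str
    bill_state: str
    ship_state: str
    max_item_qty: int    # largest quantity of any single item

def red_flags(o: Order) -> list[str]:
    flags = []
    if o.hour not in NORMAL_HOURS:
        flags.append("odd_hour")
    if o.ip_country != "US":
        flags.append("foreign_ip")
    elif o.ip_state not in (o.bill_state, o.ship_state):
        flags.append("ip_address_mismatch")
    if o.isp_type in HIGH_RISK_ISP:
        flags.append("high_risk_isp")
    if o.max_item_qty > MAX_SAME_ITEM_QTY:
        flags.append("bulk_same_item")
    return flags

def fraud_score(o: Order) -> int:
    return sum(WEIGHTS[f] for f in red_flags(o))

def needs_review(orders: list[Order]) -> list[str]:
    return [o.order_id for o in orders if fraud_score(o) >= REVIEW_THRESHOLD]

def flag_matrix(fraud_file: list[Order]) -> Counter:
    """Tally which flags recur in confirmed frauds, to re-tune WEIGHTS over time."""
    return Counter(f for o in fraud_file for f in red_flags(o))

# Constructed sample orders.
ORDERS = [
    Order("A1", 14, "US", "TX", "residential", "TX", "TX", 1),
    Order("A2", 3, "US", "CA", "residential", "TX", "TX", 1),
    Order("A3", 3, "XX", "", "anonymous_proxy", "TX", "TX", 100),
]
```

Order A2 trips two flags (3 a.m., California IP with a Texas address) yet stays below the review threshold, while A3 stacks enough flags to be held; running `flag_matrix` over your file of confirmed frauds shows which flags deserve heavier weights.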
Be well and stay safe!
Jason Dayal is the owner of Sugar Cookie (SugarCookieOnline.com).