If you are a small business owner who sells online, chances are you have dealt with the frustration that follows an order placed with a fraudulent credit card. Unfortunately, online merchants usually find out too late, after the order has already been shipped out and delivered. Most people don’t know that it is the small business merchants who bear the burden of credit card fraud. Not only do they lose the merchandise, the shipping cost, and the money, but they also usually end up paying a chargeback fee to the merchant bank when the actual card holder disputes the transaction. On top of that, the merchant banks and the banks that issue the credit cards do not offer much in the way of support to help merchants determine whether an order they received is legitimate. The two main fraud detection tools on offer, AVS (Address Verification System) and CVV codes (security numbers printed on credit cards), are both severely flawed in terms of helping merchants detect fraud. Therefore, when a small business receives an online order, it is up to the owner, manager, and employees of the e-commerce business to detect, evaluate, and determine whether a suspicious looking order is legitimate. This article focuses on some tips and tools online merchants can use to avoid shipping an order that was placed with a fraudulent or stolen credit card.

Why are AVS and CVV Codes Flawed Methods of Fraud Detection?

Both the Address Verification System and the CVV (also called CID or CVV2) codes have serious gaps when it comes to helping merchants determine whether an order was actually placed and authorized by the card holder. They do not take into consideration the buying habits of online shoppers, nor do they account for the cunning of thieves.

First we will explore the AVS (Address Verification System). When a merchant receives an order, there is a tool with codes that lets merchants know if the numbers of the street address and the zip code match what the issuing bank has on file for that card holder. Many legitimate consumers order online and have packages shipped to alternate addresses whether it is their work address or the address of a gift recipient. So, if an order comes in and the AVS codes match but the shipping address is different, there is no way to know whether the card holder is shipping their order to themselves at work or to someone as a gift. Conversely, if a thief has stolen a credit card from the card holder’s mail box, they have the billing address as well as the CVV or CID security code, but we will get to that in a minute. The issuing banks for credit cards could help alleviate the issue by letting card holders register alternate shipping addresses. Another problem with the AVS system is that many banks do not have this system configured for countries other than the United States. So if the card holder is outside the U.S., chances are the address verification system is not supported and is a moot point.

The security codes are the 3 digits printed on the back of Visa, Mastercard, and Discover credit cards or the 4 digits printed on the front of American Express cards. If the security code does not match, merchants are alerted to the problem. However, if the fraudster has the credit card in their possession, they can plainly see the number and enter it, and the merchant has no recourse because the number matched.

Technology has advanced enough that in many countries digital chips or PIN numbers already protect some credit cards. Unfortunately, only a small percentage of credit cards in use have this advanced encryption and protection. Until new security measures are implemented worldwide, merchants will continue to absorb the costs inflicted when fraudulent orders are placed on their websites.

What Makes an Online Order Suspicious?

There are a few signs that can tell a merchant that an order might be a problem and needs further investigation. Of course, no one particular item on this list definitively means an order is fraudulent; sometimes it is a combination of factors that makes it evident or proves it to be legitimate. An important tip is that people who are committing fraud rarely return emails or answer phone calls. Here is a list of scenarios that can throw up that red flag and warrant a closer look:

  • If the CVV or CID security code does not match, do not ship the order until receiving more information and legitimate proof that the order is not fraudulent.
  • If the address verification does not match, do not ship the order until receiving the correct billing address that returns an AVS match.
  • If the AVS code matches, but is being shipped to an alternate address, look for the presence of other suspicious factors to warrant more investigation or lack of suspicious factors to clear the order for shipping.
  • If a free email address is used such as a Hotmail or Yahoo email account, it adds to the suspicion factor. People who are utilising stolen cards usually do not want to be traced, so they would not use a paid email service, Google Gmail, or a domain email address.
  • If next day, express, or the fastest shipping method possible is chosen, this can be cause for alarm. If the order is delivered before the merchant realises that there is a problem, there is no way for the merchant to re-route or cancel the shipment.
  • If an order looks larger than your normal order or has an odd mix of products, this can mean that it is fraud and they are just ordering a collection of things to sell at a flea market.
  • International orders are not always bad, but certain countries (Singapore, Malaysia, Nigeria, and Vietnam) have a much higher probability of fraud and you might consider not even shipping to the countries in this list.
  • Check out the shipping address. If it is a mail box store or a freight forwarding company, this is often cause for concern that the order is fraudulent because it cannot be traced back to a place of residence.
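
The list above can be turned into a simple order screen. The sketch below is an added example, not something the article or any payment provider supplies: the `Order` fields, the "3x a typical order" size rule, and the two-flag review threshold are all assumptions to adjust for your own shop. CVV and AVS mismatches hold the order outright, while the remaining factors are only counted in combination, as the article advises.

```python
from dataclasses import dataclass

# Lists taken from the article's bullets; extend them for your own shop.
FREE_EMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}
HIGH_RISK_COUNTRIES = {"SG", "MY", "NG", "VN"}  # Singapore, Malaysia, Nigeria, Vietnam

@dataclass
class Order:  # hypothetical order record; field names are assumptions
    cvv_match: bool
    avs_match: bool
    ships_to_billing: bool
    email: str
    shipping_method: str
    total: float
    ship_country: str
    ship_to_mail_drop: bool  # mail box store or freight forwarder

def evaluate(order, typical_total, review_at=2):
    """Return (decision, reasons); decision is 'hold', 'review' or 'clear'."""
    # Hard stops: do not ship until these are resolved.
    hard = []
    if not order.cvv_match:
        hard.append("CVV/CID mismatch")
    if not order.avs_match:
        hard.append("AVS mismatch")
    if hard:
        return "hold", hard
    # Soft flags: none is conclusive alone, so they are counted together.
    soft = []
    if not order.ships_to_billing:
        soft.append("alternate shipping address")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
        soft.append("free email address")
    if order.shipping_method in {"next_day", "express"}:
        soft.append("fastest shipping chosen")
    if order.total > 3 * typical_total:  # assumed meaning of "larger than normal"
        soft.append("unusually large order")
    if order.ship_country in HIGH_RISK_COUNTRIES:
        soft.append("high-risk destination")
    if order.ship_to_mail_drop:
        soft.append("mail drop or freight forwarder")
    return ("review" if len(soft) >= review_at else "clear"), soft

# Constructed sample orders (not real data)
gift = Order(True, True, False, "pat@example.com", "ground", 80.0, "US", False)
risky = Order(True, True, False, "x@hotmail.com", "next_day", 900.0, "US", True)
bad_cvv = Order(False, True, True, "pat@example.com", "ground", 80.0, "US", False)
if __name__ == "__main__":
    for o in (gift, risky, bad_cvv):
        print(evaluate(o, typical_total=100.0))
```

A "review" result means the order goes through the manual investigation steps in the next section, not that it is automatically cancelled.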

How to Investigate Suspicious Orders

Once you have determined that an order is suspicious and warrants further investigation, there are a series of steps you can take to rather quickly clarify whether you want to fill the order or cancel it. Even though this may seem like a great deal of work, it really takes about 10 minutes or less.

  • Google is your friend! The almighty Google knows so much and so many. Search for the address, name, phone number, and email address in Google. The results can immediately tell you a great deal of information. If you search the customer’s name and see results including their Facebook page or LinkedIn profile and the details on their social profiles match the shipping details on the order, it should be good. If you can see the street view of the house on Google Maps, the order is probably going to be alright; but if Google Maps shows you an abandoned building or empty lot, that should be proof enough it is no good.
  • Search for information on the address. Zillow.com is a website for U.S. addresses that will actually tell you how much a house is worth, in addition to facts like whether it is for sale or even in foreclosure. In addition to looking on Google Maps, searching the address can help you determine more about the order and make a decision.
  • Check the Phone Number Area Code. Is the billing information actually attached to the card holder? Check the location of the area code of the phone number and Google will tell you what city that is in. Additional resources are the Yellow Pages online and other sources that come up during a Google search of the phone number. In some cases, if the phone number is attached to a business, you will see that in Google results. If you can determine that the phone number is connected to the city or location of the billing address but an order is shipping elsewhere, you can be certain that by calling the phone number you should reach the card holder and can speak to them to determine validity. For the most part, credit card thieves will not answer emails or phone calls. If the phone number is disconnected or the email bounces back, that is another reason to cancel the order.
  • Calling the Issuing Bank. The reason why this is last on the list is because issuing banks are usually not very helpful to merchants. Most phone representatives do not understand why a merchant is calling them or what the merchant wants. If you get lucky, you might get someone that is understanding and helpful, but it is rare. The banks are usually so focused on card holder security, they cannot answer whether or not the address or phone number you have matches what they have on file. However, you can ask the phone representative to call the card holder and verify the charge. This can be a last resort if you are truly unsure about an order. In addition if you have determined an order to be fraudulent, you can also call them to alert them that a credit card has been compromised.

Summary

Once you perform this series of searches and investigate a few orders, you will get a better understanding of what to look for. As time goes on, it also becomes easier to spot potential problem orders. Developing a routine and a policy for which types of orders to evaluate and investigate will help you find fraud before shipping and also save staff from wasting time. If you are a merchant who is frustrated with the system, the best thing you can do is to voice your opinion to merchant banks and credit card companies in the hope that industry-wide changes come soon.


If you require further information or have any specific questions, don’t hesitate to give a member of the GoPromotional team a call on 0800 0148 970 or simply email us today.