Protect Your Shop: eCommerce Fraud Prevention Tips 

One of the biggest fears new eCommerce website owners have is the worry of losing money to fraud attempts. This is a legitimate concern but not one that should stop you from participating in the online marketplace. 

In my nearly 30 years of internet experience, including 16 direct years leading three different companies and four online operations, I have encountered thousands of attempted fraudulent orders. I’ve participated in law enforcement efforts to stop them, including a sting operation with a large city in the southwest United States, as well as working with the Canadian Mounted Police on fraud attempts. Two of the sites I led were awarded Inc. Magazine’s Fastest Growing Privately Held Companies distinction twice each (four times total). 

While many of the tips I will list are simple and seem obvious, it is crucial to teach your staff to be as diligent as if it were their own money they’d be losing. The basics need to be drilled into those who are approving orders. Never simply pass over an order due to carelessness or distraction. Every order is a potential risk, even when it appears fine. 

Fraudsters, the nice name we give to criminals who want to steal both products and money from you, are everywhere. They aren’t all from fraud centers in Nigeria. Sometimes they’re “mules” working from a house just down the road (something that literally happened to me). They live in houses or apartments, using their addresses to receive packages and then forward them up the chain of command, where they end up on eBay or other places. 

Every order is a potential fraud. However, every order is also a potential long-term customer. Being diligent about fraud must also mean not going overboard and being overly fearful. Teach your staff to always be vigilant and not to jump to conclusions. It’s a balance that comes with experience. 

New sites are always big targets for these criminals. They believe that you are naive and don’t know much about stopping them. A new eCommerce site will face a barrage of fraud attempts, which you really must watch for. Do not be discouraged. By using these tips and being diligent, you can turn them away. Once they find out you’re no pushover, they tend to move on to the next target. This doesn’t mean you won’t get occasional attempts, but once you get past the initial set of fraud attempts, it does get better. I’ve seen it happen several times, and you can trust me when I tell you it does get better. 

Let’s discuss some of the basics of preventing losses in eCommerce fraud attempts. 

Address Matching 

Every eCommerce order has a “Bill To” (or “Sold To”) address and a “Ship To” address. For most residential orders, they are the same address. Often, and this happens most of the time with a business order, those addresses are different. A customer ordering for a business might be using a credit card with a home billing address, sending it to their business, or the business credit card bills to a PO Box. There are many valid reasons these addresses might be different, so a “mismatch” is not necessarily a fraud order. 

However, this mismatch is often the first sign of potential fraud. On a fraudulent order, the “Bill To” address is the credit card fraud victim’s real name and address. It’s also where your eCommerce system checks for security information such as the zip code and CVV. Virtually all credit card processing systems use this address to verify if the card is valid.

When the addresses don’t match, there can be a legitimate reason for it, but it’s also the first indication you need to dig deeper. 

One of the first signs of potential fraud is an incomplete “Bill To” address or one that only matches the name and zip code (which is often how some credit card monitoring is set up). 

My first tool is WhitePages.com. I encourage you to set up a basic account with them (currently $4.99/mo). There you can do reverse address and phone lookups. Their information is broad but not very deep and is often outdated, but it is a good reference tool to tie the order information to the legitimate people placing the order. 

Using WhitePages.com, you can check both the Bill To and Ship To addresses to verify the order information. 

ALL CAPS used in placing the order is also a strong indicator that the order was placed by those not from the United States. Such use of caps suggests the order was placed by those unfamiliar with normal American internet usage. 

Orders shipping to Miami locations require special scrutiny. Miami is home to several freight forwarders. It should be a policy to not ship orders through freight forwarders unless you are completely familiar with the customer. There are valid reasons for using them (such as GSA contractors shipping to their customers in Puerto Rico). Almost all of those, however, require special coding in the addresses and you will know about them in advance. Fraudsters sending to Miami addresses will have you shipping to a freight forwarder so they can bundle many fraud orders and ship them overseas. Be extremely careful about Miami orders. 

Phone Numbers 

In my experience, never trust a phone number entered with an order. Criminals always enter a cell phone number that can’t be tracked. With the Bill To address, they will often enter a fake number or one digit off from the credit card victim’s legitimate number. For instance, for a legitimate number like “763-555-4534,” they might enter “763-555-4354.” If you use WhitePages.com for a reverse phone lookup, your brain often misses that minor difference. If you see this, it could be a typo, but in my experience, it means you need to dig deeper. 

Mapping 

If there’s any doubt about an order, I copy the Ship To address, right-click, and do a Google search of the address. Does a Google Map view look like the Ship To address? If it’s a business address, is that business located there? Can you see it in the photos or satellite views? Using street view, zoom in and out, and look for signs that it’s legitimate. 

Also, check a basic Google search. If it’s a business, does that business’s address appear? Do they have a website? Does the phone number listed on Google or their website match what’s in the order (even the area code)? 

IP Address 

Order notes should include the IP address of the person who placed the order. There are several websites to check an IP address; I personally use WhatIsMyIPAddress.com. Check the IP address to see if its location is close to the Bill To address. 

This is not foolproof, as a cell phone’s IP address might be in a completely different area. Larger ISPs might place you far from your home. My ISP shows me 30-35 miles from my home. Nevertheless, it is a useful tool as part of the puzzle to determine if the order is legitimate. 

Certain Products 

Certain products are big draws for criminals. In the office products business, it’s HP brand ink and toners. In golf cart parts, it’s battery chargers. These and other products are easily sold online and can bring in big dollars. Watch for these fraudsters to place a test order and, if it gets through, start buying the same product repeatedly. Watch for patterns in the products they order. Even if the orders seem clean, patterns like this indicate fraud. 

Credit Card Testing

A common tactic of fraudsters is to place a very small order to verify that the credit card is working. For instance, a Logicblock customer this past weekend had five small orders placed for a single pen or similar: a $1.75 item and a $9.99 shipping charge. Obviously, this makes no sense on its own. The reality, though, is that the fraudster was testing the card using an amount that the card owner might miss as they review their bank account. Once the fraudster knows the card is good, they’ll hit you with a much larger order in the hope that they receive the product before the card owner knows what has happened. Watch for trends like this, a bunch of small orders that make no financial sense, and consider that they might be fraud.

Repeated Declined Transactions 

In the order notes, you’ll see automatically generated entries telling you that a card has been declined and the reason. Often, it’s just user error, or the billing address is different from what the customer remembers (a PO Box vs. a street address, for example). Sometimes, though, you’ll see multiple declines in a row. That’s not usually a genuine client. These deserve very in-depth scrutiny. It’s my experience that these are often fraud, and I decline the order. If the customer is indeed genuine, they will call you for help.
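The card-testing and repeated-decline patterns described above can be checked automatically over an order export. The following is an added example, not code from Logicblock or any eCommerce platform; the field names, the sample orders, and the thresholds (three or more tiny orders, a $500 "large" order, three declines in a row) are assumptions to tune for your own shop.

```python
from collections import defaultdict

# Constructed sample orders, oldest first; field names are hypothetical.
FIELDS = ("id", "email", "card", "items", "shipping", "status")
ORDERS = [dict(zip(FIELDS, row)) for row in [
    (1, "a@example.com", "card-A", 1.75, 9.99, "approved"),
    (2, "a@example.com", "card-A", 1.75, 9.99, "approved"),
    (3, "a@example.com", "card-A", 1.75, 9.99, "approved"),
    (4, "a@example.com", "card-A", 1.75, 9.99, "approved"),
    (5, "a@example.com", "card-A", 1.75, 9.99, "approved"),
    (6, "a@example.com", "card-A", 1480.00, 35.00, "approved"),
    (7, "b@example.com", "card-B", 64.50, 9.99, "declined"),
    (8, "b@example.com", "card-C", 64.50, 9.99, "declined"),
    (9, "b@example.com", "card-D", 64.50, 9.99, "declined"),
    (10, "c@example.com", "card-E", 42.00, 9.99, "declined"),
    (11, "c@example.com", "card-E", 42.00, 9.99, "approved"),
]]

def card_tests(orders, min_orders=3, max_items=5.00):
    """Map card -> ids of approved tiny orders whose shipping exceeds the goods."""
    hits = defaultdict(list)
    for o in orders:
        tiny = o["items"] <= max_items and o["shipping"] > o["items"]
        if o["status"] == "approved" and tiny:
            hits[o["card"]].append(o["id"])
    return {card: ids for card, ids in hits.items() if len(ids) >= min_orders}

def hold_for_review(orders, large=500.00):
    """Ids of large orders placed on a card that showed the test pattern."""
    tested = card_tests(orders)
    return [o["id"] for o in orders
            if o["card"] in tested and o["items"] >= large]

def decline_streaks(orders, min_streak=3):
    """Map email -> longest run of consecutive declines, if >= min_streak."""
    current, longest = defaultdict(int), defaultdict(int)
    for o in orders:
        email = o["email"]
        current[email] = current[email] + 1 if o["status"] == "declined" else 0
        longest[email] = max(longest[email], current[email])
    return {e: n for e, n in longest.items() if n >= min_streak}
```

A single decline followed by an approval (the last customer in the sample) is not flagged, which matches the user-error case described above.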

Quotes 

Criminals with fraudulent intent often send emails asking for quotes. They’ll claim to be the “Procurement Manager” (or similar title) for a big-name company. Their return email address will have a domain name extremely close to the real company (e.g., instead of logicblock.com, it will be “logixblock.com”). Often, they’re supposedly from a college or university. 

Good eCommerce companies with salespeople call their leads. These fraudsters are very good and will take your call. They’ll sound legit, have great answers, and excellent phone skills. They’ll work with your sales staff down to the end, convincing them they’re real. Then, as they are ready to place their order, they want to change the shipping address.

We encountered an order like this. It was from a real university in South Carolina. Our salesperson got the lead, it looked real, he talked to them at length, and was convinced it was real. It was for $15,000 in HP toner. We received an excellent “purchase order” from them. Without my knowledge, the salesperson received a change of address at the last minute and shipped the order. That same day we discovered it was fraud, but it was already out the door. We tracked it from Ohio to New York to a freight forwarder in London. It was gone, unrecoverable. Fortunately, our insurance company covered it, but it was a huge lesson learned. As the company director, I took on the role of reviewing every potential email lead before they were acted upon. As a business owner, you need to take on this role as well. Be extremely suspicious of email leads (especially those in “Times Roman” or using terms such as “Procurement Manager”). 

Look up the websites of those who ask for quotes. Don’t be afraid to call the main number from a legitimate website and ask for this person. Confirm everything. Valid people requesting a quote aren’t insulted that you are working to prevent fraud, especially if their name is being used. 

Where’s My Tracking and Other Issues 

Fraudsters are desperate for tracking numbers. If they don’t get that number, sometimes by the end of the same day, they will either call, use live chat (their favorite), or email. On the phone, they are very insistent, almost desperate. They want to know if you’ve been fooled so they can start telling others in their group to start placing orders with you. Don’t be rushed or intimidated. You control the situation, not them. Tell your staff to stay calm but take note that such contact could indicate fraud. 

They also don’t care about shipping costs, especially on larger orders. 

Another tactic is demanding to pick up their orders immediately. While pickup orders can be legitimate, confirm all the information before accepting the order. By placing the order internally (often these pickup orders are called in), you lose the element of IP address confirmation. 

Phone Relay Services 

This used to be a bigger issue, but we determined it would be our policy to not accept such orders. Not to be insensitive, but these services are easily used for fraud. 

How to Respond 

It might sound daunting to spend all this time scrutinizing every order through the lens of these warnings. However, over time you get better at spotting fraud attempts. 

Remember that most of your orders are from regular people wanting to buy from you. They are potential long-term customers, and you need to treat them with respect. This means not being overly cautious in your responses. 

Some years ago, a well-meaning customer service person wanted to prevent fraud orders from getting through. In her diligence, she was flagging orders that were not fraud. She would send emails saying, “Your order didn’t pass our fraud system,” which sounded very harsh and led to negative reviews. Working with her, we toned down that language to say our system (or credit card company) had security measures and flagged this order with potential issues. We offered the customer the option to pay via PayPal since they offer Seller Protection. If PayPal accepted the order, we would too. This gave us fraud protection. This wasn’t perfect, but it was a balance between avoiding big losses and offending a few customers. 

For larger orders, valid customers are never offended if you contact them. You can call to thank them, verify shipping information, or let them know you’re working to prevent credit card fraud. No one is offended by these actions. 

Conclusion 

Fraud is real. One fraudulent order can wipe out all your other gains for a single day and be demoralizing. But if you follow these guidelines diligently and teach your staff to treat every order as if it’s their own money, you will navigate these challenges successfully. 

My first website was one of those targeted. We launched it in November of 2007. By January, we were gaining traction and suddenly faced fraudulent orders. We knew nothing about how to prevent fraud and were hit by a barrage of fraudulent orders. Over time and thousands of orders, I learned these lessons the hard way. In the end, we got so good at spotting fraud that we rarely got caught off guard. In 2023, I don’t believe we had more than two or three orders that slipped through. Diligence pays off. 
 
John Jordan 
Director of Customer Growth and Experience 