Sunday, September 18, 2011

Top 8 Signs of ECommerce Fraud - How to Detect Fraudulent Credit Card Transactions

When you have an online component of your business, experiencing ecommerce fraud is becoming the rule rather than the exception. No longer is it a matter of "if" this will happen to you but "when" it will happen to you. I did some quick research and was astounded at the extent of fraudulent transactions, especially given the poor state of the current U.S. economy.

My first major case of ecommerce fraud happened this past week. I was running a special promotion with my affiliates to see how this marketing strategy for additional sales might work out for me. Unfortunately, I got results I never expected in the way of too many sales happening in a short period of time, which made me suspicious.

After getting additional sales over the weekend, I decided to begin to call the people who were listed as purchasing a membership to my site. Just as I suspected, none of them had heard of me or my site. In fact, my phone call to some of them was the first indication they had of their credit card information being stolen. This guy (I'm assuming it was a guy, based on how he registered his affiliate account with me) was very thorough in that he had the COMPLETE credit card record for the victims of this fraud, including name, complete address, phone number, credit card number, card expiration date, and credit card security code (verification number).

Even though I had address verification turned on as well as the credit card security code verification turned on in the settings for my online payment gateway, this did me no good. My merchant account provider informed me that when the thief has complete information, there's essentially nothing a merchant can do to prevent fraud. Setting your address verification at maximum may block legitimate sales, especially when the sales are outside the U.S. This leaves many online merchants stuck between a rock and a hard place.

One upside to this situation is that I didn't ship out physical products but was selling virtual items like ebooks and site memberships. I've heard horror stories of merchants losing tens of thousands of dollars in goods shipped to a fraudulent account. My thief's goal in this scam was in collecting affiliate commissions. He was hoping I'd pay out affiliate commissions on his "sales" prior to discovering that all of his sales were fraudulent. Fortunately, I didn't fall prey to that, as I would have been out an even greater amount of money than I already am.

The second upside in this situation is that my thief wasn't bright enough to enter fake telephone numbers. Because he generously provided me with the correct phone numbers of the other victims in this scam, I was able to contact them and let them know what was going on. Otherwise, I would have had to resort to direct mail to reach them if I wasn't able to find a phone number through directory assistance.

So, what were the indicators that these transactions might not be valid? Here are the 8 clues that tipped me off to the possibility of ecommerce fraud:

1. Emails don't resemble the name of the purchaser. I require an email address for a purchase. In the vast majority of cases, the purchaser's email address resembles some portion of her name or business. In my case, none of the emails from the recent purchases mirrored the given name of the purchaser. One or two I could count as an oddity -- 5 or 6 in a row made me very suspicious. In this case, all of the emails were valid, as the thief opted into my email marketing system with each email address. However, they weren't the valid email addresses of the people whose names were on the accounts.

2. Sales are exclusive to one affiliate. In this campaign, all of my sales were linked to one affiliate. I suppose he thought I would have other sales, as well, and his would blend in unnoticed with the others. However, he didn't realize that this was my first affiliate campaign, so his sales stuck out like a sore thumb.

3. Sales are all to one gender. By and large, I have more female members than male. All of the sales that I was making last week were from men. Again, one or two is expected, but not multiple ones consecutively. I'm assuming my thief stole card information from some company whose customers are exclusively male.

4. Too many sales of a particular product in too short of a time period. I know the sales pattern for my site. Sales typically trickle in unless I do a special promotional campaign to encourage buying. Granted, I was doing a special promotion at the time, but to sell the number of yearly memberships that I did in a short period of time wasn't usual, as most people choose to purchase the monthly membership option when they join.

5. Transactions occur from the same IP address. Fortunately, my merchant account provider and online payment gateway provider capture the IP (web) addresses from which the purchases are made. When I logged into my merchant account, I quickly realized that all of the day's transactions were coming from the same IP address. The IP address changed the next day, however, so this won't be a very valuable tool to track the thief. However, I still had my web host block access to my site from these IP addresses as an additional precaution.

6. Too many declined transactions in too short of a period of time. Normally, if someone tries to join my site and their transaction is declined, I don't receive any notification of this. I'm not sure I can change that fact, but I'm certainly more motivated now to regularly log into my merchant account to check my number of declined transactions. Had I been doing this regularly, I would have realized the fraud that was taking place on my site much sooner.

7. Affiliate is in another country. Some countries have a reputation for being a hothouse for online fraud. As I checked the info my affiliate provided in his affiliate account, his address listing didn't seem quite right, and he listed himself as a resident of a country nearby to those known for online fraud. This fact added to my ever-growing list of suspicions.

8. Big ticket items. The sales that were made were consistently my highest-priced item. As mentioned earlier, that sales pattern is unusual for me, so it tipped me off, as well. My thief apparently wanted to rack up the greatest amount of sales in the shortest period of time by repeatedly "buying" my highest-priced item.
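An added example, not code from the original post: a small batch check that scores a day's orders against signs 1, 2, 5, 6 and 8 above, so a merchant can triage which batches deserve a phone call. The field names, thresholds (80% concentration, 25% declines) and sample orders are assumptions made for illustration.

```python
import re
from collections import Counter

FIELDS = ("name", "email", "affiliate", "ip", "price", "status")
# Constructed sample batches (not real customer data); IPs are documentation ranges.
SUSPECT = [dict(zip(FIELDS, r)) for r in [
    ("John Carter", "zx81qq@example.com", "aff-17", "203.0.113.9", 297, "approved"),
    ("Mike Doyle", "bluesky44@example.com", "aff-17", "203.0.113.9", 297, "approved"),
    ("Alan Reeves", "qwerty900@example.com", "aff-17", "203.0.113.9", 297, "declined"),
    ("Paul Hansen", "tt.runner@example.com", "aff-17", "203.0.113.9", 297, "approved"),
    ("Greg Moss", "k9k9k9@example.com", "aff-17", "203.0.113.9", 297, "declined"),
    ("Dan Whitby", "sunset_07@example.com", "aff-17", "203.0.113.9", 297, "approved"),
]]
NORMAL = [dict(zip(FIELDS, r)) for r in [
    ("Sara Lindqvist", "sara.lindqvist@example.com", None, "198.51.100.4", 29, "approved"),
    ("Maria Gomez", "mgomez.design@example.com", "aff-03", "198.51.100.77", 29, "approved"),
    ("Helen Park", "helenp@example.org", None, "192.0.2.15", 297, "approved"),
    ("Tom Avery", "avery.books@example.net", None, "192.0.2.200", 29, "approved"),
]]

def email_matches_name(name, email):
    """Sign 1: does any name token (3+ letters) appear in the email local part?"""
    local = email.split("@")[0].lower()
    return any(t in local for t in re.findall(r"[a-z]{3,}", name.lower()))

def top_share(values):
    """Fraction of all records carrying the most common non-empty value."""
    values = list(values)
    counts = Counter(v for v in values if v is not None)
    return max(counts.values(), default=0) / len(values)

def fraud_signals(orders, top_price, share=0.8, max_declines=0.25):
    """Return the warning signs a batch trips; thresholds are assumed defaults."""
    if not orders:
        return []
    n = len(orders)
    mismatches = sum(not email_matches_name(o["name"], o["email"]) for o in orders)
    ratios = {
        "email_name_mismatch": mismatches / n,                           # sign 1
        "single_affiliate": top_share(o["affiliate"] for o in orders),   # sign 2
        "single_ip": top_share(o["ip"] for o in orders),                 # sign 5
        "top_priced_item": sum(o["price"] == top_price for o in orders) / n,  # sign 8
    }
    hits = [name for name, ratio in ratios.items() if ratio >= share]
    if sum(o["status"] == "declined" for o in orders) / n >= max_declines:
        hits.append("decline_burst")                                     # sign 6
    return hits
```

Any single signal can have an innocent cause, which is why the function returns the list of tripped signs for a human to review rather than blocking orders on its own.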

I'm still sorting out this mess. Because the card holders have all canceled their cards, I'm unable to refund the money from the fraudulent sales. I'm working with them and their credit card companies to try and rectify the situation from my end and prevent nasty chargebacks from being issued to my account (too many of these put your merchant account in jeopardy, as you then appear to be an unreliable business). My merchant account provider also encouraged me to provide all the info I have about this scam to the Internet Crime Complaint Center.

If your Spidey sense is triggered by unusual sales activity on your web site, don't delay in checking it out. At best, if your suspicions are groundless, you'll make a personal connection to your customers and they'll know you're diligent and you care. At worst, you'll nip this scam in the bud before it gets out of control.

Copyright (c) 2009 OnlineBizU.com
