Online store fraud protection
Looking to protect your online store from fraudulent orders? Daniel Williams explains how you can succeed, using his own personal lessons.
If you’re thinking about setting up an online store there are two things you need: a heightened sense of paranoia; and nerves of steel. I know this from personal experience because a decade ago I ran an online store that fell victim to significant fraud and ended with the store’s closure.
At the time I was excited to receive and fulfill orders, naively believing that online fraud wasn’t a risk in New Zealand, and that shipping to New Zealand addresses was all the protection I needed. I’ve always considered myself pretty streetwise but on this occasion what they did was actually quite clever, and it was my complacency that played right into their scam. Let me explain…
I ran a dropshipping business selling computers and accessories. For those unfamiliar with dropshipping it’s when you find a wholesale supplier and have them ship products directly to your customers when they order through you. It’s a massively popular business in the modern era with the likes of Alibaba rampant with dropshippers. It means you never need to hold any stock yourself, nor deal with any shipping – you simply add your margin and provide customer service.
The business was doing well for the first three months, but when I started receiving daily chargeback queries from overseas card holders I knew something had gone terribly wrong. But what? I had orders going to New Zealand addresses, so whose credit cards were these? Surely people weren’t using stolen credit cards to then have products shipped to their houses?
This mystery took some unraveling, and once solved I felt quite foolish to have allowed it to happen. With TradeMe’s help I discovered someone overseas was listing my products on the auction site and purchasing from me with stolen credit cards. They had the buyer pay money into a mule bank account and I would ship the product to the unwitting buyer. Quite clever.
It was a hard lesson to swallow and in hindsight there were a number of steps I could have taken to prevent the fraud. Here are some of the checks and processes you can use yourself:
- Run your site on a secure server (the URL shows as https) and use a PCI-compliant, secure, and trusted shopping platform.
- Capture customers’ IP addresses and use a free geo-location service to check what country the purchase came from.
- Check that the buyer’s name matches the name on their credit card.
- Only deliver to physical addresses and avoid PO Box or post office addresses, which can make receivers of goods untraceable.
- Check for a change of delivery address for trusted customers as accounts can be hacked or stolen.
- Be extra wary of customers with disposable contact details, e.g. Gmail accounts and prepaid mobile numbers.
- Require the customer’s credit card CVV – merchants are not allowed to store these 3-digit codes, so only the physical holder of the card should know them.
- Require your customers to use strong passwords for their account by adding rules for the types of characters and length required.
- Be wary of low-value transactions that build your trust, followed by high-value transactions.
In my current business we use a flagging system that checks a number of these criteria and if flagged will automatically email the customer requesting a photo of their credit card (with the first 12 digits covered) and a copy of their ID. Once satisfied with these we process the order. It can cause some annoyance for customers but we’re yet to suffer a fraudulent transaction in three years of trading.
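One way to implement a flagging check like the one described above, as an added example (not the author's or Domains Direct's code). The field names, reason labels, free-mail list and 5x value-jump threshold are assumptions, and the IP country is assumed to come from a geo-location lookup done beforehand.

```python
import re
from dataclasses import dataclass, field

# Assumption: domains treated as "disposable contact details"; the article names Gmail.
FREE_MAIL = {"gmail.com"}
PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|private\s+bag|post\s+office)\b", re.I)

@dataclass
class Order:
    buyer_name: str
    card_name: str
    email: str
    ship_address: str
    ship_country: str   # country code of the delivery address
    ip_country: str     # country code from the geo-location lookup
    amount: float
    past_addresses: list = field(default_factory=list)  # earlier delivery addresses
    past_amounts: list = field(default_factory=list)    # earlier order totals

def _norm(s):
    # Case- and whitespace-insensitive comparison of names and addresses.
    return " ".join(s.lower().split())

def flag_order(o, jump_factor=5.0):
    """Return the reasons this order should be held until the customer is verified."""
    reasons = []
    if o.ip_country != o.ship_country:
        reasons.append("ip_country_mismatch")
    if _norm(o.buyer_name) != _norm(o.card_name):
        reasons.append("name_mismatch")
    if PO_BOX.search(o.ship_address):
        reasons.append("po_box_address")
    if o.past_addresses and _norm(o.ship_address) not in map(_norm, o.past_addresses):
        reasons.append("new_delivery_address")
    if o.email.rsplit("@", 1)[-1].lower() in FREE_MAIL:
        reasons.append("disposable_contact")
    # Small trust-building orders followed by a much larger one.
    if o.past_amounts and o.amount > jump_factor * max(o.past_amounts):
        reasons.append("value_jump")
    return reasons

# Constructed sample order: local delivery address, card and IP from elsewhere ("ZZ").
SAMPLE = Order("Sam Buyer", "J. Cardholder", "seller123@gmail.com",
               "PO Box 42, Auckland", "NZ", "ZZ", 2400.0,
               past_addresses=["1 Example St, Auckland"], past_amounts=[20.0, 35.0])

if __name__ == "__main__":
    print(flag_order(SAMPLE))
```

An empty list means the order can be processed; any reasons returned would trigger the verification email before the order is fulfilled.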
Daniel Williams is managing director at Domains Direct www.domainsdirect.nz