July 17th, 2019
Preventing Credit Card Fraud on Ecommerce Stores
Laura Lynch
Head Content Writer & Brand Strategist

How we shut down a fraud attempt on one of our ecommerce clients.

One of the sad realities of doing business online is that sometimes people try to use your store to perpetrate credit card fraud. Online stores provide an easy and accessible means for some unscrupulous characters to test out credit card numbers before going on a shopping spree.

While your business isn’t liable for this criminal conduct (provided you’ve been following PCI compliance standards), it never feels good to have your store used for such a purpose. Furthermore, it can cause disruption to your business, skew your sales metrics, and lead to other complications down the road.

We had to deal with this issue recently when one of our ecommerce clients noticed a series of suspicious transactions taking place on their website. Specifically, there had been approximately three hundred separate transactions of ten-dollar gift cards, each with a different credit card number but with the same (presumably fake) billing address.

While each of these transactions had been declined by our payment gateway (for reasons we’ll get to in a moment), they had managed to complete the checkout process on the store. This was a mixed bag, both for us and the fraudster. The fraudulent purchases hadn’t completed (a success), but they had gone far enough to disrupt our sales data (a failure).

As for the perpetrator, they weren’t able to complete the purchase, but they also weren’t able to tell if the failure was due to our systems stopping the activity, or to the card numbers themselves being no good.
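The pattern described above (many different cards, one billing address, small order amounts) can be checked for in an order export. The following is an added example, not code from the original post or from any plugin it mentions. The field names, the thresholds and the `card_fingerprint` value (a gateway token or hash standing in for the card number, which the store should never hold) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def normalize_address(addr):
    """Lower-case and drop punctuation so trivial variations still match."""
    cleaned = "".join(c.lower() if c.isalnum() else " " for c in addr)
    return " ".join(cleaned.split())

# Thresholds are assumptions for this example; tune them per store.
def find_card_testing(orders, window=timedelta(hours=24), min_cards=5, max_amount=20.0):
    """Return {billing address: most distinct cards seen in any one window}."""
    by_addr = defaultdict(list)
    for o in orders:  # declined attempts must be in the input too
        if o["amount"] <= max_amount:
            by_addr[normalize_address(o["billing_address"])].append(
                (datetime.fromisoformat(o["time"]), o["card_fingerprint"]))
    flagged = {}
    for addr, events in by_addr.items():
        events.sort()
        in_window = defaultdict(int)  # card fingerprint -> attempts inside window
        start = best = 0
        for when, card in events:
            in_window[card] += 1
            while when - events[start][0] > window:  # expire old attempts
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_cards:
            flagged[addr] = best
    return flagged

def sample_orders():
    """Constructed sample data, not real orders."""
    t0 = datetime(2019, 7, 1, 9, 0)
    def order(minutes, addr, card, amount):
        return {"time": (t0 + timedelta(minutes=minutes)).isoformat(),
                "billing_address": addr, "card_fingerprint": card, "amount": amount}
    burst = [order(2 * i, "12 Example St., Springfield" if i % 2
                   else "12 example st springfield", f"fp_{i}", 10.00)
             for i in range(6)]
    repeat = [order(60 * i, "48 Sample Ave", "fp_same", 12.00) for i in range(3)]
    slow = [order(4320 * i, "7 Placeholder Rd", f"fp_s{i}", 10.00) for i in range(5)]
    return burst + repeat + slow

if __name__ == "__main__":
    print(find_card_testing(sample_orders()))
```

A returning customer reusing one card, or an address that sees a handful of cards spread over weeks, stays below the threshold; only the burst of distinct cards is reported.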

We saw that we had a clear opportunity to improve our fraud prevention practices. This is what we did.

1. Ensure that Authorize.net has AVS enabled.

AVS (Address Verification Service) is what prevented the credit card transaction from completing. Every business should make sure their payment gateway has it enabled, as it is the first and easiest step to take in fraud prevention. All AVS does is check the billing address from the online order against the billing address on file for the credit card. If the two don’t match, the transaction is declined.

This is the feature that prevented the recent fraud attempt on our client from being completed. It would still be possible for someone to get around this, but to do so they would need to have the card holder’s billing address as well as their credit card number and security code. Most people trying to commit credit card fraud on a large scale don’t have access to that much information, so this will usually stop them in their tracks.

Even better, it requires no inconvenience on the part of the customer. (Note: the only address that needs to match is the billing address—not the shipping address.)

2. Instating a minimum purchase threshold.

Online purchases are rarely below a certain threshold because no one wants to pay more in shipping than for the product itself. In our case, the purchaser was attempting to buy $10 gift cards—again, a suspicious purchase for the store. To resolve the issue, we simply raised the minimum order to above ten dollars. We’re pretty certain that no legitimate customer has ever ordered less.

3. Installing the WooCommerce Anti-Fraud Plugin.

Another step we took was to install WooCommerce’s Anti-Fraud plugin. This plugin checks each purchase for a number of possible red flags and blocks the purchase if it exceeds a certain fraud score. The factors it looks at include:

  • The order’s country of origin
  • IP address and number of orders made in the past 24 hours
  • Whether the account uses a free email address
  • Whether the order is a first order
  • Whether the order is an international order

The plugin allows businesses to customize risk factors and set up automations based on what score the order achieves. If an order is by a first-time user with a free email address, that isn’t much of a risk. But if that user also has a Russian IP address that has made several dozen purchase attempts in the past hour, then the business can determine how to respond—such as blocking or suspending the order, or notifying an administrator.

4. Enabling reCAPTCHA on the checkout form.

So far, all our preventative steps have been behind-the-scenes measures that we wouldn’t expect a customer to notice. But there are two that do add some friction between the user and the checkout process, one which we added, and one which our client declined.

The first was to add a simple reCAPTCHA to the checkout form. While these can slow down the process and add some friction to the user experience, they will stop bots from being able to complete a checkout. Since bots are frequently used in fraudulent activity, this is an effective approach in many cases. And if a human is carrying out the fraudulent activity, it will still add another step to their process, which can also slow them down.

That said, we did our best to choose a reCAPTCHA that would be as user-friendly to legitimate customers as possible. In this case, we picked one that would require the user to select certain images only on their first purchase, but recognize them on subsequent purchases and only require them to click a check box.

5. Requiring user accounts for purchases.

Finally, requiring ecommerce customers to create a user account before completing a purchase can prevent credit card fraud by making it prohibitively difficult for the perpetrator to create new user accounts for every credit card they are testing.

Of course, some customers prefer to complete a purchase as a guest, and this would prevent them from being able to do so. Our clients in this instance decided that the measures we had put in place would be enough, and that in this case they could keep a popular customer feature without unduly exposing themselves to another fraud attack. But if it’s not enough, we still have this step in our back pocket.

Security and convenience are a tradeoff.

In many situations, businesses and customers alike must choose between security and convenience. A simple password is more convenient, but less secure. Multifactor authentication is less convenient, but more secure. The list goes on.

However, there are many ways in which security measures can be made more usable, and therefore more convenient, or where the inconvenience can be mostly borne by the business instead of the customer. That’s why we work hard behind the scenes to make our websites as safe as possible: so that your customers can have the smoothest possible experience without compromising their security.