Criminals are constantly improving their strategies and tactics for stealing and then using credit card information for fraudulent purchases. It is a high-stakes arms race between the e-commerce merchants and service providers on one side and the hackers and fraudsters on the other. It is a struggle that can be seen very much in evolutionary terms: you either learn to constantly evolve or you will perish.
Compliance with the requirements of the Payment Card Industry (PCI) Data Security Standards goes a long way towards ensuring that sensitive account data is well protected against hackers. We will review the PCI DSS requirements again in the near future, as there have been some recent changes that need to be examined.
In this post, however, I will focus solely on how to recognize a potentially fraudulent transaction, so that you can flag it for a more detailed examination, before processing it.
9 Telltale E-Commerce Fraud Indicators
Following are 9 of the most typical fraud indicators for e-commerce transactions. Keep in mind that the presence of any single one of them does not necessarily mean that fraud is under way. It simply heightens the probability of the transaction being fraudulent. So if you have identified two of these indicators, the fraud probability rises further and so on. You should develop a policy for investigating such transactions, based on their fraud risk and verify that both the card and the cardholder are genuine before processing the payment. So here are the signs:
- New customers. Needles to say, you need to be careful here. You need as many new customers as you can get and the last thing you want to do is antagonize them. At the same time, criminals are likely to only use stolen card information once in any given store.
- Unusually large orders. As the card account whose information is stolen is typically quickly shut down, criminals will try to use up as much of its credit line as possible in this limited time frame. Placing large orders is a way to do that.
- Ordering multiple identical or similar items. This is another tactic for maximizing profit in a stolen credit card account’s limited life span.
- Expensive items. Expensive merchandise has correspondingly high resale value, which is what makes it attractive to criminals. Incidentally, this is also a major reason merchants with high average ticket amount are categorized as high risk by payment processors.
- Overnight delivery or other expensive shipping option. As criminals do not spend their own money and are solely interested in getting their hands on the merchandise as quickly as possible, shipping charges are of no concern to them.
- International orders. A disproportionately large number of fraudulent e-commerce orders are placed from outside the U.S. Some countries are higher risk than others and you will have to decide whether or not to accept orders from their residents in the first place.
- Similar card numbers. Fraudulently generated card numbers are often very similar, only different by a digit or two. Your system should be designed to identify such numbers.
- Multiple orders with the same shipping address. This is a very strong indication that a stolen batch of account information is fraudulently used.
- Multiple orders with different cards, but from the same IP address. This may be an indication that the orders are placed from the same computer, even if multiple shipping addresses are used.
Your fraud detection system should be able to identify each of the above items. For evaluation purposes you may want to assign different weight to each one of these indicators and adjust it as you collect more data. So if, for example, you discover that orders with overnight shipping result in fraud more often than orders for expensive items, your transaction review process should be adjusted to account for the difference. But don’t stop there, as what holds true this month may well change the next and so should your fraud review process.
Image credit: Procuria.net.