Beware of Internet Fraud
How to Detect Fraudulent Orders
If you've checked your email recently, you've probably been contacted by a scammer. Typically, you see scams in the form of phishing, "you've won the lottery", Nigerian scams asking for help with getting money out of the country, chain letters, work-at-home schemes and mystery shopper offers. Most fairly educated internet users know these as scams and just delete them. But what about when it's a potential sale of your own products?
Getting the sale, especially a big sale, is a good thing. However, any sale, especially a big sale, that ends up unpaid is disheartening and damaging to your business. Making sure that every sale is valid and not fraudulent is important to your bottom line and the survival of your business.
Signs of a Fraudulent Order
There are certain warning flags that indicate an actual or potential order is fraudulent. Keep watch for the following signs.
- Vague "feeler" email: Often a potential scammer will first send a vague email to feel you out. The email may come from a free email account (gmail, yahoo or hotmail). Typically it asks for pricing or if you accept certain credit cards but does not mention the products or quantities they are interested in. They often, but not always, ask if you ship to a foreign country.
- Rush delivery: Many fraudulent orders come with the proviso that the order be shipped overnight, by Global Express mail or air freight. Not surprising if they are using a stolen credit card — they have to get it shipped out before the card is reported!
- Large quantity of high priced items: Fraudulent orders placed through eCommerce shopping carts are often for an unusually high quantity of one item, particularly a higher priced item. For example, 10 identical gift baskets or 25 of one type of soap. If you get the order and think, "What in the world are they going to do with that?", then you should check into it further before shipping the order.
- Different shipping and billing name or address: There are plenty of valid reasons for there to be a different billing and shipping name or address, but it can also indicate a fraudulent order.
If the order is for a gift basket ordered and paid for by Bill Smith and going to Martha Smith with a "Happy Birthday, Mom" card, that's logical and probably not fraudulent. However, if the order is placed by one person, the credit card is in the name of a different person and it's being shipped to Saudi Arabia, then you'd better check it out further.
- Billing address and phone don't match: If the area code for the phone number is in one state and the billing address is in a different state, that can be a red flag.
- Phone number not provided or isn't good: If the customer doesn't provide a phone number, that's a bad sign. If you try to call the customer to verify any information and the phone number is bad, that's also a major warning flag.
- Credit card AVS doesn't match: When you process the credit card (if the order gets that far), the address and/or zip code doesn't match, that's a sign that there might be something wrong.
- Check hasn't been received or isn't cleared: Hearing "the check is in the mail" is sufficient warning to hold the shipment until the check is received AND clears through your bank.
- Payment by Bankwire: If a customer, particularly an international customer, wants to make payment by bankwire, it may be an attempt to get your banking information. On the other hand, a bankwire is the best way to receive funds if the order is questionable.
Never give out your regular checking or savings account number. Instead, open up a separate account with the minimum amount and receive the bank transfer to that account.
- Desperate attempt to get the tracking number: If customer pushes for the order to be shipped by a particular shipper and then seems way too desperate to get the tracking number, it could be a fraudulent order. Sometimes scammers use the actual billing and shipping address for a stolen credit card and then try to use the tracking number to get the package re-routed. I had my first case of this several months ago (luckily the order hadn't shipped when the request came in).
Basic Fraud Prevention
There are some good business practices that will prevent most fraudulent orders and make sure you get paid in a timely fashion.
Get full information from your customer: Make sure that when you take an order through your shopping cart or over the phone that you get full information from the customer, including billing and shipping address, email, phone, and payment information. If you are talking to the customer on the phone, note the caller ID if possible and see if the name/number match what the customer is telling you.
Don't ship until the check clears: As a general precaution, any orders paid by check should be held until the check clears and the funds are in your bank account. A valid customer with a valid order will understand if you won't ship until the payment clears.
Any "bank checks" (a check written by the bank on behalf of a customer) should be held until cleared as well. Sophisticated scammers have counterfeited bank checks, which can sometimes even get paid by the supposedly issuing bank. It may not be until later, when an audit is performed that the counterfeit check is found — at which time they would probably come to you to get the funds back.
If you are concerned that a bank check (or other check) might be counterfeit or fraudulent, you can call the bank on which it is drawn to verify that the account exists. Although the bank is unlikely to tell you if there is enough money in the account to cover it, you can always ask.
With some diligent searching on the internet, you can find the phone number even for international banks. Remember the time zone differences when calling, and call during regular business hours.
Get the Card Verification Number: The card verification number is a 3 or 4 digit number on the back of the card that is not imprinted on the magnetic strip. Since most fraudulent orders are from stolen credit card numbers (not the actual card) requesting the card verification number can reduce fraud. Most online shopping carts can be set to require the verification number and most credit card processing systems use it to verify the order.
Remember, however, that you are not allowed to store the verification number. If you do take the verification number as part of the order, be sure to remove the information from your online database in order to comply with credit card security protocols.
Check the credit card AVS: Credit card processors check the street number and zip code to see if they match what is on file for the credit card ("AVS" = Address Verification System). If payment is by credit card, check the AVS to make sure it matches. If you receive payments through an on-line gateway, make sure the AVS is checked when the credit card is processed and that you can access the information.
Generally, if it looks otherwise okay, then it's a judgment call; if there are other red flags, don't ship the order until the validity of the payment is verified.
Some online merchants won't ship any order if the address doesn't match; others will ship anyway. If you use an on-line credit card processing gateway, you may have the option to automatically reject any payment where the AVS doesn't match. Whether or not you automatically decline credit card payment when the AVS doesn't match is a judgement call—it could possibly reject a few valid orders.
Check for declined credit card payments: If the order is through your shopping cart and was declined several times before finally going through, it could indicate that the person tried multiple credit cards. In this economy, that could just mean that their cards are maxed out, but it could be a scammer trying multiple stolen credit cards until one finally goes through.
Require large international orders be paid in advance by bank wire: If you do get a large international order that you think is valid, still make sure that the payment comes in. International checks take a long time to clear; using a wire (to a safe account, not your main account!) is faster and more secure. A valid international customer will understand and be willing to work with you.
Only ship to the billing address on international orders: For international orders, if you decide to ship them, only ship to the billing address unless you have a good reason to do otherwise.
Advanced Fraud Protection
There are also some more advanced ways to check out an order. If an order has one or more of the above warning signs, then it's a good idea to dig as deeply as possible until you are comfortable with shipping the order out. There are quite a few tools available to you to research the validity of the customer and order.
Reverse phone and address check: Reverse lookups (such as whitepages.com or 411.com) check an address or phone number and tell who is connected to it. If the information matches, that's a good sign. If it's not listed, it gives you additional information, but don't rely on a reverse lookup alone. The information in the databases can be 1 to 18 months old and some data is just not included at all. (The author's address, for example, was not listed in several of the databases, although she's lived there for 10 years.)
Call the credit card issuer: Call the credit card issuer to see if the information from the order matches the information they have on account. They typically say "yes" or "no" (but won't give out any other information). Occasionally a credit card payment will be approved, but if you call you'll find out it's a stolen credit card that hasn't entered the system yet. To get the name and phone number for the issuing bank, call your credit card merchant service and ask them (they can look it up based on the first 6 digits of the credit card number) or call the credit card issuer directly.
Google everything! You can Google the person's name, address, phone number, business name and email address. You'd be surprised and what you might get! If the person is a known scammer, others may have reported it. You also might find something that makes you feel the order IS valid.
If you discover the person is a Real Estate Agent, then it might make sense that they are ordering 10 gift baskets.
Use Google Maps
Google Maps is the next best thing to being there. Look up the billing and shipping address to see if it's reasonable for a person to travel that distance to receive their order. Use the satellite image or street views to see if the addresses look like what they should be. If the shipping address is a place of business, does the building look like it's a business? If the shipping address is in a port town, does the location look like it may be a shipping company?
I once got a questionable order and checked it on Google maps. The order was for a large quantity of identical items (who needs 25 foot creams?). Google maps showed the address to be a suite in an office building in a "bad" section of a large city, and the name of the company indicated it was an export company. A subsequent phone call and email were not returned, and when the order was not shipped the customer didn't seem to care.
Look up the email address: Email addresses can be useful to help determine if an order is legitimate. A scammer tends to avoid email addresses that can be easily linked to them (so they can remain untraceable). Most fraudulent orders come from free email address providers like hotmail, yahoo, gmail, or aol, but those are also used by millions of people who place valid orders online.
An email address from an ISP (internet service provider) like optonline, Comcast, Road Runner, or Verizon usually is attached to an actual account, making it more difficult to create an untraceable account. If the email address is a government (.gov) or military (.mil) one, they are much more difficult to fake. Business emails are usually as legitimate as the business is.
For unfamiliar email address types, you can copy the end of the email address and paste it in your browser to see what shows up. For example, if the email address is Joe@ElectronicCommerce101.com, copying and pasting "ElectronicCommerce101.com" into your browser will show you the website attached to the email. If it appears to be a valid website, you know that the email is coming from someone associated with this website. If nothing else, in the event there is any problem you could contact the company that owns the website to track down who placed the order.
IP Address Check: The IP address is the address of the server that the customer is using to connect to your website. If your shopping cart collects IP addresses, check them!
If the IP address is in Nigeria, and they want the order delivered to an address in Miami, the order should be checked out more carefully.
Keep in mind that sophisticated thieves can spoof IP addresses to make them appear local and that the IP addresses for some internet service providers show the location of their primary server (which may be in a different location than the person connecting through that service provider). For example, the author's IP address tracked back to a different (but nearby) city to the actual billing address.
In any business, customer services is a major factor in your success. It's important to find the right balance between servicing your potential customers and still not getting sucked into time-wasting exchanges concerning potentially fraudulent orders.
When you get a "feeler email" you have to decide if and how you are going to respond. With some experience (and seeing the commonality between certain requests) you'll probably be able to identify the scam requests and will feel comfortable deleting them. However, if you are unsure, replying with your international shipment policies and making payment options very clear will usually deter a scammer from continuing, while still providing a real customer with the information he needs. They are looking for the easy mark, and if you obviously don't fill the criteria, they'll move on.
If you get a questionable order, you can always call the person and talk to them in person. Inability to reach the customer on the phone or a disconnected phone number tells you the order shouldn't be processed. However, if it IS a valid order, the customer may be impressed with the high level of customer service, giving you a more dedicated customer who is likely to reorder in the future.
Protect your business
Small fraudulent orders, if they get past all your fraud checks, can be upsetting and annoying, but aren't likely to collapse your business in the long run. On the other hand, a large fraudulent order can be potentially devastating to a small business.
Getting the proverbial "big order" is exciting and will boost your business into a whole new level. On the flip side, a big order that isn't paid for could potentially put you OUT of business.
If you are contacted about a large order, particularly an international one, get all the customer information and while you are working out the details of the order, check it every which way from Sunday using every advanced fraud detection tool you have. Get a written contract spelling out exactly what is expected of each party. If you have reservations about it, consider getting a deposit up front. Not only does that commit the customer, it gives you funds to work with.
Even if you require payment in full before the product is shipped, carefully consider whether you should make a lot of product or invest money for personnel, ingredients or equipment just to fulfill one order. Be realistic about your orders and capability.
Even if an order is big and valid, if it doesn't fall within your vision of your business, think carefully about changing your vision to fit the order. Remember, this is YOUR business. You have the right to decide not to take an order if you want. Always protect your vision and your business!
(Originally published in March of 2010 in Soap Guild Journal.)