
What can retailers do to minimise their exposure to online transaction fraud?

It’s not uncommon in the bike business to come across chancers and opportunists from time to time, but what about when they come prepared with the know-how to cause some serious problems for your business? Here Si Watts of iBikeShop.com outlines some of the basic counter-measures your business can take to spot red flags in a digital age…

Ensure you are using proper automated payment processing and enable 3DSecure
3DSecure can scare off fraudsters who subsequently move on and seek out softer targets. Beware, however, that once 3DSecure is enabled, you will not know what level of fraud you are presenting to your acquirer and may be hit with very significant penalties via your processing rates if your account is judged “high risk” by the banks.

Retain control of when payments are presented for settlement by using “pre-auth”
Transactions which are run as “pre-auth” are not immediately charged to the cardholder, instead you dictate when payment is taken (normally when you are ready to ship goods). This in turn means that you have opportunity to inspect transaction/order details and act to weed out fraud before it hits your bank. Again, beware that with 3DSecure, you have a more restricted window for taking settlement than without it.

Be immediately suspicious of orders which return only an AVS match or only a Security Code match, and do not match both.
Many gateways will not reject a transaction even if one of the two standard tests fails. Most common is the address match failure. Whilst it is possible for cardholders to enter their details in an odd manner which would cause the failure, it should be deemed as a “red flag”.

Inspect all details presented against the order looking for common fraudster traits

Email Address 
The most common trait is that of email addresses which have been created solely for these fraudulent orders. Most commonly, the fraudster will set up an email account with a free email service such as Yahoo, Hotmail, Gmail etc. and, as they are in a rush, they generally accept the first address offered, leading to addresses like “[email protected]” which they would have registered for a cloned card in the name of Mr David Smith. Addresses from Yahoo, Hotmail, Gmail and other free email service providers should be considered a “red flag”.

Telephone Numbers
Has the buyer only given you a mobile phone number? If so, I’d treat this as a red flag.

What happens when you google the telephone numbers? Take the dialling code (which gives the primary exchange) and the first 2 or 3 numbers of the main number and google it. What comes up? Ideally, you’ll get a list of businesses returned who all have phone numbers which start with the same sequence of digits. If those businesses are geographically nowhere near the claimed delivery address, you should treat it as a red flag.

For example, my STD code is 01709 (Rotherham) and all the houses near me have either 54, 51 or 36 as the first two digits of their number. If a 53 were to crop up, that’s the wrong side of town for our local exchange and it would be impossible to have a 53 number ported to this side of town… so the number doesn’t belong to the area.

Now google the whole number. Somewhere on the net (I can’t remember where I found it) there’s a list of known public phone boxes.

Post Codes
Google the postcode via maps. Does the post code belong to the quoted address? Street View it. Does the building look right for the value of item being ordered? If not, it could be a red flag.

Refer back to the phone number. Does it sit appropriately with the postcode? Remember, look at the businesses returned when you search those first 7/8 digits. Are they in similar post codes? If not, red flag it.

Other address details
Do you keep track of past frauds and compare new orders against that data?

IP Address
Check the IP address with online tools like this: http://www.all-nettools.com/toolbox/smart-whois.php

Does the IP address give you an indication of where the user is? Indeed, compare it to previous orders and see whether the same IP address crops up.

Alternative Delivery address requested
Is your customer requesting delivery to an alternative address and if so, have they explained why? If you DO offer delivery to an alternate address, be extra cautious.

Check proximity
Are the cardholder and delivery addresses within a reasonable distance of each other, in the same town or neighbouring town? The majority of people work within 30-40 miles of their home address.
Is the delivery address a company address? If so, call the company and ask to speak to the buyer.

Be particularly aware that NO bank accepts liability shift for 3DSecure transactions where delivery is not made to the registered cardholder’s address.

Other factors
There are any number of gut feelings which should never be ignored… Always investigate.

Like…
Cheaper elsewhere
You’ve got to wonder why an online buyer is ordering from you when the same item is available cheaper elsewhere online, particularly if the item is in stock with the cheaper competitor. Red flag.

No pre-sale communication
With reference to the above, the cheaper elsewhere may be mitigated if you have had contact with the buyer, but high value items (£200+) where you’ve had no contact should raise a red flag. Even more so where you are not particularly cheap.

Just want to buy anything
Is there little concern for the product being bought, only its value; e.g. “I need a bike for about £750”. This is most common with telephone orders.

Call 07xxx xxxxxx about an hour before delivery
This is a common tactic. Fraudsters then sit outside a target property and appear to come from round the back when the delivery turns up.

Several orders in a short space of time
Fraudsters work on the basis that it can take a retailer anything up to 6 weeks to find out that they’ve been had. This often means that smaller “probe” orders are placed to see whether you will be vulnerable. As these orders come in, you may become complacent, often thinking “oh yeah, he’s been a good customer lately”. They’re just testing you ready to score the big one when your guard is down. By the time you find out, it’s too late.

This is another good reason for cross referencing order details over a 4-6 week period looking for all or some of the same details being used.

Multiple red flags
If an order raises more than one red flag, the probability of that order being fraudulent is dramatically increased. An order with only one red flag should not be seen as 100% safe; it is still worth exhausting all the investigations you can carry out. Better to be safe and lose a sale than sorry and out of pocket for a much larger amount.
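
The checks above can be run automatically over each order while it sits in pre-auth. The following Python is an added example, not code from the article or from iBikeShop.com; the field names, the triage thresholds and all sample orders are constructed assumptions.

```python
from datetime import date, timedelta

FREE_EMAIL = {"yahoo.com", "hotmail.com", "gmail.com"}   # providers the article names
WINDOW = timedelta(weeks=6)                               # article: 4-6 week cross-reference
LINK_FIELDS = ("email", "mobile", "ip", "delivery_postcode")

def red_flags(order, history):
    """List the article's red flags that one order raises."""
    flags = []
    if order["avs_match"] != order["cvv_match"]:
        flags.append("only one of AVS / security code matched")
    if order["email"].rsplit("@", 1)[-1].lower() in FREE_EMAIL:
        flags.append("free email provider")
    if order["mobile"] and not order["landline"]:
        flags.append("mobile number only")
    if order["delivery_postcode"] != order["billing_postcode"]:
        flags.append("alternative delivery address")
    if order["value"] >= 200 and not order["pre_sale_contact"]:
        flags.append("high value, no pre-sale contact")
    for past in history:  # cross-reference recent orders for reused details
        age = order["date"] - past["date"]
        shared = [f for f in LINK_FIELDS if past[f] == order[f]]
        if timedelta(0) <= age <= WINDOW and shared:
            flags.append(f"order {past['id']} ({age.days}d ago) shares {'/'.join(shared)}")
    return flags

def triage(flags):
    """Assumed policy: any flag means investigate; two or more means do not settle yet."""
    return "settle" if not flags else "investigate" if len(flags) == 1 else "hold pre-auth"

def make_order(**kw):
    """Constructed baseline order: every check passes until a field is overridden."""
    base = dict(id="A0", date=date(2024, 3, 1), name="Buyer One", value=45,
                email="buyer.one@shop-customer.example", mobile="07000 000001",
                landline="01000 000001", ip="203.0.113.10", avs_match=True,
                cvv_match=True, billing_postcode="ZZ1 1AA",
                delivery_postcode="ZZ1 1AA", pre_sale_contact=True)
    return {**base, **kw}

# Constructed sample: two small "probe" orders, then a large one reusing the same IP.
HISTORY = [make_order(id="A1", date=date(2024, 3, 1), ip="203.0.113.77"),
           make_order(id="A2", date=date(2024, 3, 9), ip="203.0.113.77")]
BIG = make_order(id="A3", date=date(2024, 3, 20), value=750, ip="203.0.113.77",
                 email="constructed.buyer@gmail.com", landline="", avs_match=False,
                 delivery_postcode="ZZ9 9ZZ", pre_sale_contact=False)

if __name__ == "__main__":
    flags = red_flags(BIG, HISTORY)
    print(triage(flags), *flags, sep="\n  ")
```

The cross-reference step also fires for genuine repeat customers, so a shared-detail flag is a prompt to look at the earlier orders, not a verdict.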

Beware of intercept fraud
Typically, this occurs at the delivery depot, the “customer” having received details of the parcel tracking info the day you dispatch, then calling their local office to explain why they’ll not be available to receive the goods the following(?) day and can the consignment be held for collection from depot. In some cases, a different delivery address is given to the courier.

Beware of “soft” or “friendly” fraud
This is becoming more commonplace. In this scenario, the goods are signed for at the correct address, however the transaction is later charged back, the cardholder disputing the charge with their bank who will invariably take their side.

The scam works because the addressee is not the one to sign for the goods. It will be a family member, or someone else at the address. The buyer then claims not to have received the goods and requests a chargeback. You have no recourse against the courier since they got a signature, and you will get no help from the bank because the addressee didn’t sign for the parcel.

You can mitigate some of the above two risks by:
Ensuring all consignments are clearly marked:
NO DEPOT COLLECTION. ADDRESSEE SIGNATURE ONLY
With the above, if your courier fails to comply with your instructions, you should be able to claim the loss on the insurance.

All told, most fraud can be prevented by the use of a little common sense and belief in your own gut feelings. Indeed, my largest client sees fraud levels of just 0.02%, which when we were recently talking to a third-party fraud screening service (RED) left them a little non-plussed as their solution was aimed at reducing fraud levels to about 0.5%!

www.siwis.co.uk
