ID theft and credit card fraud are at an all-time high. To attract customers and provide service to as many clients as possible, businesses must be willing to accept payment over the web and mobile devices.
These methods of payment carry a risk greater than face to face payment transactions. Businesses need to be aware of these risks and prepared to protect against fraud.
ID theft and credit card fraud are major criminal businesses. The tactics continue to evolve as the number of payment options grows. If you see any of the fraudulent schemes below, stop the payment, contact the customer, and investigate the circumstances.
Many payment fraud schemes start with standard behavior. Be aware of the following red flags that might indicate fraudulent behavior:
- Credit card name doesn’t match the invoice name
- Zip code on the invoice doesn’t match billing address zip code
- Ship to address is a reshipper address
- Drop Shipping
- Paying for shipping up front
- Shipping instructions include reshipment
- Overpayment on an invoice
- Card owner ID unverified
- A large number of transactions in a short period of time
- Multiple credit cards with the same address
- Single name on credit card with multiple credit card numbers and addresses
You aren’t necessarily a fraud target if you see any of the above scenarios. But if you encounter any of these when processing payments, your business might be at risk of financial loss from fraudsters targeting you. If you see this behavior, take the following precautions to protect your business:
- Do not ship any product until you have validated your customer information
- Do not provide any service until you have validated your customer information
- Stop the payment (or stop further payment if the payment has already been processed)
- Contact the customer (and related parties)
- Investigate the behavior
Stop the Payment
Ideally, you can stop the payment if you see any of the above red flags. Unfortunately, you might not catch suspect behavior until the payment has been processed as most online payments are automated.
Put the customer on payment hold, and don’t ship the products, if you are unable to stop the first payment.
Keep the customer on payment hold until you can learn more from the customer.
Contact the Customer
Legitimate customers are usually happy to help you resolve any concern you have regarding fraudulent payments. Because customers want their products or services as soon as possible, you should get feedback from legitimate customers quickly.
On the other hand, fraudulent customers will generally avoid conversation, or avoid giving straightforward answers. "Generally" is the important word here, as more sophisticated fraudsters may attempt to provide fake documentation and pass themselves off as legitimate.
Try to reach your customer in person, or by phone. Fraudsters can more easily maintain fraudulent activity over email, or other online communication.
If you operate a business where you know your customers personally, verbal contact will ensure that you have received payment from your customer, and not a fraudster attempting to impersonate your customer.
After stopping payment, and contacting your customer, investigate the red flag circumstances.
Each red flag could have a legitimate explanation, but it might be the first step in fraud on your business.
Your investigation tactics will vary depending on the fraudulent scheme. Use the below techniques to investigate suspicious activity.
Credit Card Name Doesn’t Match the Invoice Name
The fraudulent setup
If fraud is the cause for the name mismatch, the fraudster likely has stolen credit card information.
Criminals gain access to credit card information through a number of schemes (e.g. online hacks, physically stolen cards, phishing schemes, etc.).
If the fraudster has complete credit card information (name on a card, expiration date, CVV number, and billing zip code), he or she generally won’t be stopped by online payment processors.
Instead, identifying the name mismatch is the first pushback the criminal will face when attempting to purchase with the stolen card.
Stop payments. Contact the customer. Start an investigation to verify the purchase.
When you contact your customer, ask about the discrepancy between the name on the invoice and the name on the credit card.
Allow the customer an opportunity to explain. There are acceptable explanations for a name mismatch.
If you sell to businesses, a business name might be on the invoice, but employees might have company credit cards with their personal names printed on the card.
If you sell to consumers, the customer may be paying for a spouse’s purchase order, or buying a present where the invoice carries the recipient’s details.
If the customer’s explanation sounds legitimate, request one of three next steps:
- Ask for a driver’s license matching the credit card name – ask for this to be emailed in color and in a timely manner, so that any attempt to manipulate the driver’s license details can be mitigated or easily identified; OR
- Ask the customer to pay with a card where the name matches the invoice; OR
- Request that you reissue the invoice with the name and address of the credit card
A legitimate customer should not push back on this next step. In fact, customers might actually thank you for taking the time to prevent fraudulent transactions.
If the customer resists the extra step, this further indicates that the payment is fraudulent.
Zip Code on Invoice Doesn’t Match the Zip Code on the Billing Address
The fraudulent setup
If fraud is the cause for the zip code mismatch, the customer probably has stolen credit card information.
Similar to the name mismatch, if the fraudster has complete credit card information, your payment processor will likely complete the transaction.
The burden lies with you to question why a customer would use a credit card with a zip code that differs from his or her address.
Ask the customer directly why the zip codes don’t match.
The customer may have a legitimate explanation (e.g. recent move, a remote employee for a business purchase, multiple residences, etc.). A legitimate customer should be able to easily explain the discrepancy.
If you feel comfortable with the customer’s answer, proceed with the payment. If you have any doubt, ask for further proof that the customer is the rightful card owner.
If the customer recently moved, ask for a copy of a new power bill or lease. If the customer is an out of state employee purchasing for an employer, ask for proof of employment.
The method of proof you require depends on the customer’s reasoning. If the customer refuses to give an explanation, or cooperate with your investigation, consider rejecting the order as fraudulent.
Shipping Address is a Reshipper Address
The fraudulent setup
Reshipping fraud occurs when a fraudulent customer buys goods with a fake or stolen credit card, and orders the goods sent to an unsuspecting company that is in the business of repacking and re-shipping goods.
Reshippers and repackers range from small businesses to large enterprises like Amazon and eBay. Reshipping is a legitimate business, and especially helpful to customers buying goods in a foreign country.
However, criminals take advantage of such companies, because reshippers don’t typically have much interest in the underlying goods they are reshipping.
A fraudulent customer uses a reshipper to hide his or her location and identity from your business, and government authorities. The fraudster uses a reshipper address in one of two ways:
- The reshipper doesn’t know the products are being delivered and the criminal intercepts the shipment before the reshipper takes possession, OR
- The reshipper has very limited instructions to forward the goods on to another address
In either scenario, unless the customer has a legitimate business purpose for using the reshipper, you should avoid shipping to them.
Search online for the reshipper address to start a reshipping fraud investigation.
Reshippers generally reside in nondescript buildings.
Their business description includes words like “repacking”, “reshipping”, “international shipping”, “freight forwarding”, or an alternative that indicates the company’s main business is to move goods, not use them.
If you suspect that the address is a reshipper address, contact the reshipper.
Ask the reshipper if it is expecting a shipment from your company for forwarding on to your customer. If the reshipment is legitimate, your customer should have already made arrangements with the reshipper.
If the reshipper is unaware of the order, you are likely dealing with fraud.
Other indicators for reshipping fraud include:
- The customer and the reshipper reside in the same country (generally, there is no need for domestic reshipping)
- Both the customer and the reshipper have limited online presences (indicates that the parties involved are hiding their identities)
If you suspect reshipping fraud, and the reshipper and customer cannot convince you otherwise, don’t ship the order.
Shipping Instructions Include a Shipping Redirect
The fraudulent setup
Although reshipping is a legitimate business, criminals will offer fraudulent reshipping work to individuals looking to make some extra money.
The scammer posts ads on job boards offering to pay money to individuals who will receive and reship packages to the scammer. The end goal of the scammer is to hide his or her identity and use the individual to ship the goods while remaining anonymous.
In most cases, the individual never gets paid, your business may not get paid, and the scammer’s identity is hidden from both parties.
Unlike the reshipper business address scheme, if you search for the reshipper address and find a personal residence, the person at the address may have fallen for the shipping redirect scam.
If you contact the reshipper, he or she may have limited or incorrect knowledge about the fraudulent customer. The instructions given were likely limited.
In this situation, investigate the customer directly.
Require the customer to provide a business reason, and meet certain business formalities to use a reshipper. Business formalities could include:
- Ask for a copy of the reshipper’s certifications
- Require the customer to use a reshipper with a DUNS number
- Require a copy of the customer’s purchase order or invoice with the reshipper
The more formal information you require regarding reshipment, the less likely it is that the scammer can keep up the fraudulent activity.
Many businesses refuse to ship to reshippers altogether because of the scams in the industry. Depending on the internationality of your business, this may or may not be feasible.
Make sure you have a standard process in place to investigate shipping redirect requests.
Overpayment on an Invoice
The fraudulent setup
Overpayment fraud starts with a customer, or someone posing as a customer, submitting payment for more than the invoiced amount.
The customer then requests a refund for the overpayment, but asks that the funds be directed to an account different from the one from which the payment originated.
The customer may give an excuse for the overpayment. Common excuses include third-party agent fees, special shipping instructions, or a mistake.
Regardless of the excuse, if you encounter an overpayment, stop the order and investigate.
Ideally, you catch the overpayment before accepting the payment. If you catch before processing, reject the payment and require your customer to resubmit the order and appropriate payment.
If the order is legitimate, your customer will have no problem reissuing a purchase order and payment, as these are not labor intensive steps.
If you don’t notice the overpayment until you have accepted the payment, refuse to refund the overpayment in a method other than the method by which the original payment was made.
If the payment was made from a particular credit card, refund the payment to the same card. Do not redirect the funds elsewhere.
A fraudster may act like you are causing frustration by not redirecting funds. But, a legitimate customer will understand that you are in the business of selling your goods and services, not brokering money to third parties on your customer’s behalf.
Card Owner ID Unverified
For brick and mortar purchases, an ID check seems like the simplest guard against credit card fraud. If your customer can’t produce a valid, matching ID, reject the payment.
Unfortunately, it’s not quite that simple. Many credit card companies (e.g. Visa and Mastercard) do not allow merchants to require ID if the card is signed.
IDs include personal information (name, address, birth date). Credit card companies don’t want their merchants requiring customers to share personal information simply to make a purchase at your business.
What to do?
When possible, use EMV (chip) card readers. With EMV systems, customers must input their PIN to use a credit card. This bypasses the ID requirement but still helps guard against credit card fraud.
If you don’t have EMV card readers, go ahead and ask for the ID. Most customers don’t know credit card merchant rules. Even those who do won’t hesitate to provide proof of their legitimate identity.
Finally, keep receipts for your business records. If a customer challenges the charge after leaving your business, your receipt is the only proof you have that the customer made the transaction. Without any evidence, you may lose the payment and the goods or services you sold.
A Large Number of Transactions in a Short Period of Time
A customer with a stolen credit card will often try to make as many purchases as possible before the card is reported stolen. If you see a single customer purchasing at a high volume in a short period of time, the customer may be using a stolen credit card.
Often, the individual purchases will be small, because the criminal doesn’t know what the credit limit is. If you see such behavior, stop accepting the charges and investigate.
No one knows your typical customer purchase rate better than you do.
Regardless of your customers’ typical purchase rate, the rapid purchases that indicate a stolen credit card should stick out. The transactions will be so close in time that they should have been put on a single purchase order.
If you see such purchases, contact the customer. If the customer claims the purchases are legitimate, ask the customer to place a single purchase order for all of the items needed. If the customer declines, this is an indication that the customer doesn’t know how much credit is left on the card, and the card is stolen.
Few business models include small, repeat orders rapidly placed in the same day. If you see such behavior, start with the assumption that the transactions are fraudulent and investigate.
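The rapid-purchase check described above can be automated over an order log. The following is an added example, not part of the original article: it flags any card that places more than a set number of orders inside a sliding time window and reports the combined total, which is the amount a single purchase order would have covered. The order data, the `card_token` field (a stand-in for a payment processor's token, so raw card numbers are never stored) and the 10-minute / 3-order thresholds are assumptions to tune against your own purchase rate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample orders: (ISO timestamp, card_token, amount).
# card_token is a hypothetical processor-issued token, never the card number.
ORDERS = [
    ("2024-03-01T10:00:00", "tok_A", 120.00),
    ("2024-03-01T10:01:10", "tok_B", 9.99),
    ("2024-03-01T10:02:05", "tok_B", 14.50),
    ("2024-03-01T10:03:40", "tok_B", 7.25),
    ("2024-03-01T10:04:30", "tok_B", 12.00),
    ("2024-03-01T11:00:00", "tok_A", 60.00),
    ("2024-03-01T13:00:00", "tok_A", 45.00),
    ("2024-03-01T15:30:00", "tok_A", 80.00),
]

def rapid_purchase_bursts(orders, window=timedelta(minutes=10), max_orders=3):
    """Return {card_token: summary} for the largest burst of more than
    max_orders purchases that fit inside one sliding window."""
    recent = defaultdict(deque)   # card -> (time, amount) pairs still in window
    bursts = {}
    for ts_raw, card, amount in sorted(orders):
        ts = datetime.fromisoformat(ts_raw)
        q = recent[card]
        q.append((ts, amount))
        while ts - q[0][0] > window:      # evict orders older than the window
            q.popleft()
        if len(q) > max_orders and len(q) > bursts.get(card, {}).get("count", 0):
            bursts[card] = {
                "count": len(q),
                "total": round(sum(a for _, a in q), 2),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
            }
    return bursts

if __name__ == "__main__":
    for card, summary in rapid_purchase_bursts(ORDERS).items():
        print("hold and contact customer:", card, summary)
```

Here `tok_A` also has four orders on the same day, but they are hours apart, so only the burst on `tok_B` is held for review.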
Multiple Credit Cards and Addresses From the Same IP Address
The fraudulent setup
Multiple transactions from the same IP address indicate that the purchases originate from the same computer. If a single IP address uses different credit cards, bill to addresses, or shipping addresses, this suggests fraud.
A criminal may be testing out stolen credit card information. The fraudster acts as different people. By varying his or her identity through different cards and addresses, the criminal attempts to avoid detection by the payment processor’s fraud prevention system.
But the repeated IP address shows that the transactions likely come from a single person.
If you see such behavior, block the IP address until you can investigate.
An IP address alone won’t easily lead you to the fraudster. Instead, start with the assumed customer name and address. Call each one individually, and ask what relation the customer has to the other customers.
If the orders originate with a single IP address, there is some relation between the customers. If the first customer you call understands that you suspect fraud, and that customer is the fraudster, you won’t get answers to your other calls.
However, if your industry commonly uses buying agents for various customers, you may learn that the single IP address is a buying agent making purchases. This would show a legitimate reason for the behavior.
In this case, you could continue releasing orders associated with the IP address after receiving proof that the agent is authorized to make purchases for the end customer.
Single name on credit card with multiple credit card numbers and addresses
The fraudulent setup
When a criminal has incomplete data for stolen credit card information, he or she may try different variations to complete online purchases.
Variations include different credit card numbers, billing addresses, and combinations of the two.
Some criminals use sophisticated software that automates this testing process. If you see a single name using different combinations, be aware that you may be the target of fraud.
The average consumer has three or fewer credit cards. Accordingly, if you see the same customer name with a growing number of credit card numbers, stop accepting payments and investigate.
You will likely have trouble getting this type of criminal to talk with you. Fraudsters attempting different combinations of credit card numbers and addresses primarily work online.
Typically, the fraudster is targeting you, and many other business owners with the scheme. By placing a massive number of orders with various combinations, the criminal hopes that one will slip through payment processor fraud prevention systems.
If you can’t get the customer on the phone, block all future payments from the customer. If a future legitimate customer with the same name can’t make a payment, the customer will reach out to you when payment is blocked, and you can resolve the issue.
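Both of the last two red flags (many cards behind one IP address, and one cardholder name with a growing number of cards) come down to counting distinct cards per group. The following is an added example, not part of the original article, that builds a review queue for each. The order rows, the `card_token` values, the limit of 2 cards per IP and the `verified_agent_ips` allowlist (for buying agents whose authorization you have already confirmed) are assumptions; the limit of 3 cards per name follows the figure given above for the average consumer.

```python
from collections import defaultdict

# Constructed sample orders: (order_id, ip, cardholder_name, card_token).
# card_token is a hypothetical processor token; IPs are documentation ranges.
ORDERS = [
    (1, "203.0.113.7", "Ann Lee", "tok_01"),
    (2, "203.0.113.7", "Bob Roy", "tok_02"),
    (3, "203.0.113.7", "Cy Diaz", "tok_03"),
    (4, "198.51.100.4", "Dee Fox", "tok_04"),
    (5, "198.51.100.4", "Gus Orr", "tok_05"),
    (6, "198.51.100.4", "Hal Ito", "tok_06"),
    (7, "192.0.2.15", "Eli Kim", "tok_07"),
    (8, "192.0.2.16", "eli  kim", "tok_08"),
    (9, "192.0.2.17", "ELI KIM", "tok_09"),
    (10, "192.0.2.18", "Eli Kim", "tok_10"),
    (11, "192.0.2.19", "Ivy Poe", "tok_11"),
    (12, "192.0.2.19", "Ivy Poe", "tok_11"),
]

def normalize(name):
    """Fold case and whitespace so trivial spelling variants group together."""
    return " ".join(name.lower().split())

def cards_per_group(orders, group_of, limit, exempt=frozenset()):
    """Map each group key that used more than `limit` distinct cards to the
    ids of its orders, skipping keys in `exempt`."""
    cards, order_ids = defaultdict(set), defaultdict(list)
    for order in orders:
        key = group_of(order)
        cards[key].add(order[3])
        order_ids[key].append(order[0])
    return {k: order_ids[k] for k in cards
            if len(cards[k]) > limit and k not in exempt}

def review_queue(orders, verified_agent_ips=frozenset()):
    """Orders to hold: shared IP (assumed limit of 2 cards) and shared
    cardholder name (limit of 3 cards)."""
    return {
        "same_ip": cards_per_group(orders, lambda o: o[1], 2, verified_agent_ips),
        "same_name": cards_per_group(orders, lambda o: normalize(o[2]), 3),
    }

if __name__ == "__main__":
    for rule, hits in review_queue(ORDERS, {"198.51.100.4"}).items():
        print(rule, hits)
```

A repeat purchase on the same card from the same IP (orders 11 and 12) is not flagged, because only distinct cards are counted.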