Selling goods and services online can be an excellent way to build a business, says BRENDON WILLIAMSON of PayGate — but online retailers must get the security basics right to avoid being taken for a ride by fraudsters.
“There’s a thriving global market in stolen credit card numbers, and fraudsters know exactly how to use them to make a quick, low-risk profit,” says Williamson, who is PayGate’s general manager for business development. “Fortunately, there are some relatively simple precautions that online retailers can take to protect themselves. One of the most important is to know what the red flags are that indicate possible suspect transactions.”
These are the top ten red flags Williamson recommends online retailers watch out for:
1. Understand your business norm
Fraud often shows up first in unusual patterns — but you won’t spot them if you don’t know what the normal patterns are. Only you as the retailer know if it’s normal for your customers to buy three TV screens at once, or fly three times in one day, or order ten bottles of perfume.
2. Unusual delivery locations
If most of your sales are to a particular country, city, or type of location, look for orders which break that pattern. If you usually sell only in South Africa, a delivery in Moldova or Brazil is worth a second look; if most deliveries are to homes, a delivery to an industrial park should raise your eyebrows. You can use net tools such as Google Maps to look up the actual delivery locations.
3. Credit card from an unusual location
As above, if you normally sell to customers in a handful of countries, look out for credit cards from countries you have never sold to before — especially if they don’t share a language with your website.
4. Clusters of orders from a single location
Google Maps is your friend. If you’ve never sold a single item to Bloemfontein before and you suddenly get ten orders from the same Bloemfontein suburb, you either have one very evangelical customer, or a potential fraudster using stolen cards.
5. Unexpected spikes in sales
If you normally sell five or 500 items a day, and that number suddenly increases to 20 or 2000, don’t celebrate too soon. If you haven’t been running a special campaign to drive traffic to your site, it could be a sign of fraud.
6. Sales at unusual times
If your sales are normally during, for example, business hours, look out for spikes late at night or on weekends.
7. Obviously bogus names
Take a look through your spam folder and pay attention to the names: you’ll spot some combinations that seem very strange indeed, like “Ulysses Smith”, “Salvatore Carpenter” or “Porfirio Levine”. If names like that show up among your customers, think twice.
8. IP address, billing and delivery address don’t match up
When someone with an IP address in one country is buying something to be delivered to an entirely different country, with a billing address in yet a third country – it might be a person buying a gift for a distant friend or relative while travelling abroad, or it might be a fraud.
9. Multiple customers from a single machine ID
A Machine ID uniquely identifies a computer on a network — so if you get multiple customers all sharing one Machine ID, that should be a red flag. You can have positive Machine ID flags when multiple users are interacting with your website from an internet cafe, but this should still be monitored closely.
10. A spike in very small transactions
In the market for stolen credit card numbers, there are people who specialise in testing numbers to make sure they will work – they can then sell these verified numbers on at a profit. One way to do this verification is to find a site where they can make small transactions, and then run a large batch of numbers through the process to check them. This process is commonly referred to as washing cards or card testing. So if you notice a sudden spike in transactions for your low-priced items, this should be monitored closely.
None of these indicators on their own is enough to confirm that there’s fraud going on, says Williamson – but if you get three or more red flags going up in one day, it’s probably time to drop everything and take steps to protect yourself. This could include calling the customer “just to check the delivery address,” delaying shipping until you’re sure the sale is legitimate, or in the worst case refunding the transaction and not shipping at all.
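As an added illustration (not PayGate's code or checklist), the sketch below applies red flags 4, 8, 9 and 10 to one day's orders and then the three-or-more rule of thumb. The field names, thresholds and sample orders are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Thresholds are assumptions for illustration; tune them to your own business norm.
CLUSTER_MIN = 5        # orders to one suburb the shop has never sold to before
SMALL_AMOUNT = 20.00   # what counts as a "very small" transaction
SMALL_MIN = 5          # small transactions in a day before it counts as a spike
MACHINE_MIN = 3        # distinct customers sharing one machine ID

def red_flags(orders, known_suburbs):
    """Return the set of red flags raised by one day's orders."""
    flags = set()
    # Flag 4: cluster of orders from a location with no sales history.
    by_suburb = Counter(o["suburb"] for o in orders)
    if any(n >= CLUSTER_MIN and s not in known_suburbs for s, n in by_suburb.items()):
        flags.add("cluster_new_location")
    # Flag 8: IP, billing and delivery countries all differ.
    if any(len({o["ip_country"], o["bill_country"], o["ship_country"]}) == 3 for o in orders):
        flags.add("country_mismatch")
    # Flag 9: several customers behind one machine ID.
    customers = defaultdict(set)
    for o in orders:
        customers[o["machine_id"]].add(o["customer"])
    if any(len(c) >= MACHINE_MIN for c in customers.values()):
        flags.add("shared_machine_id")
    # Flag 10: spike in very small transactions (possible card testing).
    if sum(1 for o in orders if o["amount"] <= SMALL_AMOUNT) >= SMALL_MIN:
        flags.add("small_txn_spike")
    return flags

def needs_review(flags):
    """The article's rule of thumb: three or more red flags in one day."""
    return len(flags) >= 3

def order(customer, amount, suburb, machine_id, ip="ZA", bill="ZA", ship="ZA"):
    return {"customer": customer, "amount": amount, "suburb": suburb,
            "machine_id": machine_id, "ip_country": ip,
            "bill_country": bill, "ship_country": ship}

# Constructed sample data, not real orders.
KNOWN = {"Sandton", "Rondebosch"}
QUIET_DAY = [order("c1", 450.0, "Sandton", "m1"), order("c2", 899.0, "Rondebosch", "m2")]
BAD_DAY = QUIET_DAY + [order(f"x{i}", 9.99, "Universitas", "m9") for i in range(6)]

if __name__ == "__main__":
    for name, day in (("quiet", QUIET_DAY), ("bad", BAD_DAY)):
        f = red_flags(day, KNOWN)
        print(name, sorted(f), "REVIEW" if needs_review(f) else "ok")
```

A day that trips the rule is a prompt for the manual steps described above, such as calling the customer or delaying shipping, not proof of fraud.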
This is all a lot of work. Fortunately, says Williamson, there is an alternative: “Make sure you’re using a payment services provider who can run all these checks automatically on your behalf, as PayGate does with our PayProtector programme.”
To access PayGate’s risk assessment checklist, visit the link here. Should the final score equal -20 or more, a second level of risk assessment is required.