An order had just come in through your Web site. The credit card number had cleared. The address was verified. Your fraud detection software isn't returning any warnings, so there's no reason to think this isn't on the up and up. But, wait: Everything on the online order form - from the name through the address - is typed in lowercase. Believe it or not, this a red flag. "All lowercase typing is a trademark of fraudsters," says Julie Fergerson, co-chairperson of the Merchant Risk Council (MRC), a non-profit organization of online vendors. "That alone should be setting bells off."
If you want a share of the growing online market, you had better be prepared to spot a wide variety of signs like this one, because unlike with in-store transactions, credit card fraud liability rests with the merchant, not the card issuer. Getting a credit card number has never been a problem for thieves, so what are you doing to ensure the person using one is who they say they are?
As consumers get more comfortable shopping online, it's an exciting time for small business owners, who can now expand their market far beyond their own backyard. But with this great opportunity comes great risk. Fraudsters constantly roll out new schemes in efforts to grab a piece of the $144 billion in online retail sales Forrester Research projects will be generated in 2004. Roughly $2 billion was lost to online fraud in 2003, according to Avivah Litan, research director for Gartner Research.
While the scourges of online commerce most often look to blend in with the masses and attack the large vendors, small business owners should know they're showing up on the radar, too.
"Small businesses are generally behind the large ones in terms of protecting themselves," says Litan, "which is why the problem is beginning to move downstream, where the small are being targeted more and more."
Some businesses are so eager to open up new markets that they lose sight of the dangers. Fergerson says nearly a quarter of small businesses (those with online revenues under $100,000) surveyed by the Merchant Risk Council spend no money on online fraud protection. Those numbers improve as you move up the food chain, but even there the MRC found some are lax with security. Of those polled, a startling 10 percent of companies with $1 million to $25 million in online revenue spend nothing.
If you expect your online business to grow, chances are you're going to encounter someone trying to rip you off. But you can institute basic procedures to protect yourself. Some of these are grounded in science and others, just as importantly, in common sense. Here are some pieces of advice and telltale signs to lookout for:
- Get ALL the information -- The government's Internet Fraud Complaint Center (IFCC) says you should not accept orders without complete information. That means full addresses and phone numbers.
- Hotmail and Yahoo! are great for sharing pictures, but... -- Watch out for orders coming from free e-mail services. There is a much higher incidence of fraud from accounts anyone can establish, according to the IFCC. Ask for an alternate e-mail address.
- If it's too good to be true, it probably is - Large orders containing a number of the same product should be viewed with caution. The IFCC defines "large" orders as those in excess of your typical order amount. Fraudsters go after easily resold, high-value items, according to Fergerson at the MRC. They may only get to make one purchase with a card and they want to make the most of it. The most popular items are electronics and ink jet cartridges for printers.
- What's the hurry? -- Next-day delivery is often a sign of potential fraud, warns the IFCC and MRC.
- Don't usually do much business in Moscow? -- International orders are risky. Half of all fraud cases originate in West Africa, Russia, Indonesia and Malaysia, according to Daniele Micci-Barreca, director of fraud solutions for ClearCommerce Corp., which creates e-commerce order-processing software.
- How many people live there? -- The MRC says to watch out for several orders on different credit cards going to the same address.
- The address is in Miami, but the computer is in Sweden -- Make sure you capture the Internet Protocol (IP) address with each order. It can tell you if the order is coming from the same area it's shipping to. Also, you can see if several orders on different cards are coming from the same IP address. Fraudsters often use freight-forwarding services, most commonly located in New York and Miami, says Micci-Barreca.
- Get it in writing -- The IFCC recommends that you require anyone using a different shipping address than their billing address to send a fax with their signature and credit card number authorizing the transaction. This might seem like an inconvenience, but it's in the interest of the consumer and yourself.
- This customer can't get enough -- Multiple orders coming in rapid succession on one credit card over a short period of time might be a fraudster attempting to find the limit on a card, according to the MRC.
- Tell them you mean business -- The MRC recommends that you make it clear on your Web site that you have every intention of prosecuting fraud to the fullest extent of the law. Even this simple act might stave off some attacks.
Hopefully, business is booming and you won't have the time to personally review each order, so it might be necessary to lean on technology as the gatekeeper. There's no saying exactly how much you should be spending on software and services to protect your business. However, the more traffic and visibility your site garners, the more likely you are to be victimized.
Third party vendors such as ClearCommerce allow you to forward your orders to them for a "fraud scrubbing" before fulfilling the order. These services often charge on a per-transaction basis. If you have a big enough budget, high order volume, and would prefer a fixed cost, you can have software specifically configured to your type of business. This software performs tasks such as fraud risk analysis and can access a directory of known "bad" addresses.
Beyond anti-fraud software, there are several other tools at your disposal. Fergerson recommends that you arrange the following services with credit card companies:
- Address Verification Service -- This is part of the authorization process. You can submit a request to the card issuer to verify the billing address. While this is a good measure, the card issuer rejects correct billing addresses 10 to 25 percent of the time, notes Micci-Barreca. Additionally, the service can only verify addresses in the U.S. and Canada.
- Card Verification Code -- This is a code that can only be found on the credit card itself. MasterCard and Visa cards have a three-digit number after the end of the account number on the back of the card. American Express cards have a similar four-digit number on the front.
- Real-Time Credit Card Authorization -- This will ensure that the credit card hasn't been reported as stolen.
If you've applied all of these layers of protection and something still doesn't feel right, call the customer to verify the order. Ask for the name of the bank that issued the card and verify the address again. Your customer will appreciate the extra attention. If this doesn't assuage your fears, contact the Internet Fraud Complaint Center immediately.