Fraud prevention

MOSC (Posts: 5, Member)
While I see Lightspeed has an extremely basic set of bullet points about preventing fraud here (https://ecom-support.lightspeedhq.com/hc/en-us/articles/115001881054-Minimizing-chargebacks-by-detecting-fraudulent-orders-NB-), it really only barely skims the surface.

In case anyone else needs a little more help, here are some additional points I've found along the way:

Authorize.net used to have a nice article about preventing fraud but they've taken it down.  Here are a couple of useful tips that were in it:

1) Bank BIN lookup https://binlist.net/ (first 4 digits of the card)
  • You can ask your card processor for the first 4 digits of the card used in a fraud; they identify the issuing bank.  When you call the card-issuing bank, have your merchant number, your phone number, the customer's full name, address, and phone number ready. You can ask the card-issuing bank to make a courtesy call to your customer to verify the charge. (CIBC refused to do this during our Cayan fiasco; they didn't seem to care the cards were being used for fraud.)
2) If you're based in the US you can file a complaint, here:
3) Establish a "holdover policy" for large orders. 
  • The dollar amount of the large order can vary depending on whether the order is domestic or international. Most credit card thefts are reported within 24 hours. Even after a phony card number is discovered by a retailer, it can take up to 24 hours for that number to be included in the databases that card processors use. (This did not help in a case where we had fake customers using real, stolen credit cards.  When I tracked down the customers via their name and address they looked at their accounts and told me there were numerous fraudulent charges, some of which were 14 days previous.)
Finally, the best (but not foolproof) method I've found for verifying a suspicious, large-value purchase is to use Google and try to track down the customers by name and address (In one case I found them by a family car dealership, another one by an obituary).  In both of those cases the credit cards used were stolen.  In another case I was able to verify a high-ticket purchase as genuine.

There is a user-curated list of fraudulent customers, here, that you can search: http://badbuyerlist.org/

And we've started passing the shipper's insurance surcharge through to the customers and requiring a signature on high-value purchases.  So far this seems to be helping.

6 comments

  • MOSC (Posts: 5, Member)
    Some more tips for small webstores which have few enough suspicious high-ticket orders to vet them manually:
    1. Google the IP address of the transaction you're questioning in quotes such as, "XX.XXX.X.XXX" - In one case I found an address in a page cached in Portuguese from a third-party fraud-prevention site (https://webcache.googleusercontent.com/search?q=cache:My3K7i88w3YJ:https://www.maxmind.com/pt/high-risk-ip-sample/69.116.9.247+&cd=2&hl=en&ct=clnk&gl=us) - this kind of search will also sometimes uncover the address in an open list of high-risk IP addresses (https://github.com/firehol/blocklist-ipsets/blob/master/firehol_webclient.netset)
    2. You can do phone lookups here: https://nuwber.com/search/phone and https://www.intelius.com/search/reversephone
    3. You can do person lookups here: https://nuwber.com/
    Unfortunately the problem is not going away (https://blog.maxmind.com/2018/03/22/rising-e-commerce-fraud-trends-and-how-to-combat-them/#more-384).  But hopefully getting the word out about vetting these things can slow down the crooks and save some other small merchants unnecessary chargebacks.  Eventually we may have to add an additional automated third party vetting service to our processing pipeline (beyond what Authorize.net already provides).
  • MOSC (Posts: 5, Member)
    One other note.  You can try confirming an order using phone numbers listed on this site: https://www.fastpeoplesearch.com (A fraudulent order will never provide the correct billing phone number or email address)
  • Joey (Posts: 93, Moderator, Lightspeed Staff)
    Just wanted to say thank you for writing up all this useful information! We in support will make sure to point merchants to this post when they have questions about dealing with fraudulent transactions.
    Hopefully, other merchants will also post their experiences and workflows for all to learn and improve. :)
    eCom Support Team
    Lightspeed HQ
  • gregarican (Posts: 137, Member ✭)
    Our companies use a middleman for e-com transactions called Riskified (https://www.riskified.com/). They run through a series of automated and manual fraud detection processes to vet these transactions.

    Any declined transactions aren't subject to a fee. Any approved ones incur a 0.7% transaction fee, but are insured by Riskified for a 100% chargeback guarantee. For us it saved us manpower going through all of these very valid and helpful suggestions the original poster above submitted. After several years with Riskified we've never had an approved transaction kickback!
  • MOSC (Posts: 5, Member)
    Thanks for the heads-up, Gregarican.  Riskified appears only to work with Magento, Shopify, CommerceCloud, and Stripe, at the moment.  I would love to find a service like Riskified that works with Authorize.net (unfortunately the built-in fraud prevention there still requires manual vetting).  This manual vetting is working for us now, but simply will not scale.
  • Joey (Posts: 93, Moderator, Lightspeed Staff)

    Starting today, the following fraud protection has been implemented into the Cayan payment integration:

    CVV Mismatch: Card Verification Value, is the three-digit number (usually) printed on the back of the card.

    AVS Mismatch: Address Verification System, the billing zip code used during checkout needs to match the zip code associated with the credit card.

    If there is a mismatch the customer will be notified that the payment has failed and asked to try again.

    As usual, the order will show as awaiting payment in the back office and automated payment notifications will be sent (if enabled) to encourage the customer to complete the order.

    This is a great step towards better fraud protection!


    eCom Support Team
    Lightspeed HQ
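
An added example, not part of any post in this thread: a small pre-screen that automates three of the manual checks discussed above (order IP against an open high-risk list in the `.netset` format, the CVV/AVS mismatch flags, and the holdover for large orders). The order field names and dollar thresholds are hypothetical, and the list and orders are constructed samples using documentation address ranges.

```python
import ipaddress

# Constructed sample in the .netset layout used by open blocklists:
# '#' comment lines, then one IPv4 address or CIDR range per line.
SAMPLE_NETSET = """\
# constructed sample, documentation ranges only
192.0.2.0/24
198.51.100.17
"""

# Constructed orders; the field names are hypothetical, not a Lightspeed schema.
SAMPLE_ORDERS = [
    {"ip": "192.0.2.44", "cvv_match": True, "avs_zip_match": False, "domestic": False, "total": 300.0},
    {"ip": "203.0.113.9", "cvv_match": True, "avs_zip_match": True, "domestic": True, "total": 80.0},
]

def load_netset(text):
    """Parse netset text into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and padding
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def review_reasons(order, nets, hold_domestic=500, hold_international=250):
    """Return the reasons an order should be held for manual vetting."""
    reasons = []
    try:
        ip = ipaddress.ip_address(order["ip"])
    except ValueError:
        reasons.append("unparseable IP address")
    else:
        if any(ip in net for net in nets):
            reasons.append("IP on high-risk list")
    if not order["cvv_match"]:
        reasons.append("CVV mismatch")
    if not order["avs_zip_match"]:
        reasons.append("AVS zip mismatch")
    # Hypothetical thresholds: a lower limit for international orders.
    limit = hold_domestic if order["domestic"] else hold_international
    if order["total"] >= limit:
        reasons.append("large order: hold 24h and require signature")
    return reasons

if __name__ == "__main__":
    nets = load_netset(SAMPLE_NETSET)
    for order in SAMPLE_ORDERS:
        print(order["ip"], review_reasons(order, nets) or "no flags")
```

An empty result only means none of these checks fired; orders placed with real, stolen cards can pass all of them, which is why the name and address lookups described in the thread still apply.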