4 Steps to Identify Fraud in Shopify
Alexander Hall
Trust and Safety Architect - Sift | Fraud Strategy Expert | Consultant | Fraud Team Trainer | Public Speaker
When scouring the web to decide which e-commerce platform to use for an online store, one name is plastered over all of the results... Shopify.
Whether you are jumping on the dropshipping train, expanding a brick and mortar store to an online presence, or starting from scratch and hoping to service customers all over the world, many merchants feel that Shopify is the best platform for them.
When stepping into the e-commerce environment, it is important for first-time merchants to understand that they are also stepping into a new set of rules, with new risks, processing requirements, etc. The risk that we are addressing today is fraud, by offering some insight into the process of "Transaction Analysis" without the assistance of automated fraud prevention platforms. These platforms are very valuable and effective in the right scenarios, but that article will come later. For now, we are focusing on what small businesses can do with the tools available in a bare-bones Shopify platform to prevent and mitigate losses incurred by fraudulent transactions.
There is no question that fraud has had an impact on the global market. Several 2019 reports indicate that the fraud industry was worth more than $140 billion. That figure was based on the reported and confirmed cases of transaction fraud by merchants and consumers. The actual value of the fraud industry is unquestionably significantly higher.
Step 1. Filter Suspicious Orders:
Whether you sell digital media or tangible items, it is important to identify what is considered "suspicious" in your traffic.
For retail merchants, an order with an AVS-Verified billing address in Topeka, Kansas, with an IP Location in Texas and a shipping address in New York would certainly be a good candidate for filtering and investigation.
Step 2. Analyze the Transaction:
In order to make a decision regarding the validity of the transaction, it is important to know what information is available and how that information gives insight into the order. Now we will cover the "data points" that are available in a standard Shopify store.
Customer Name:
The customer name is considered a data point in itself. The name on the account will, of course, be relevant to everything else that takes place throughout this customer's history.
Email Address:
Although email addresses are easy to create, leveraging your customer account on emails does have its value. For example, an email of [email protected] for a new customer whose billing and shipping information is for a Chris Johnston might be enough to raise an eyebrow and look a little deeper.
Phone Number
Similar to an email address, but more effective, a phone number requires a bit more effort to replace, thus leveraging the information provided in the phone number is useful. In addition to validating the customer account through a phone number, the area code is useful in determining the location of the customer and cross-referencing this with the billing and shipping information.
AVS-Response Code
The Address Verification Service, or AVS, is provided by payment processors on e-commerce platforms. It works by sending the information provided at checkout to the issuer of the payment card. The issuing bank then sends a response in the form of a response code. By checking multiple points of data in the field, this response code indicates the accuracy of the billing address provided.
The two codes that represent the highest accuracy are:
X - All of the data points line up with what the issuer has on file.
Y - Most of the data provided matches what the issuer has on file for the cardholder.
The worst are N, P and G, respectively:
N - Represents that none of the information is correct.
P - No Information available to check against
G - International and equally unverifiable due to address formats in foreign regions.
Billing and Shipping Address
The analysis of the billing and shipping addresses relies on the AVS-Response code and an understanding of how they tie together. Most would assume that matching billing and shipping ("B/S") addresses would indicate that the transaction was verified. That would be true, IF the AVS-Response Code for the order was "Y" or "X". This would imply that the billing address was successfully verified and that the order was being shipped to that same address. That's dandy.
However, if the AVS-Response Code is N, P, or G, this gets turned on its head. Matching B/S, with an AVS of P, states that the billing address has no information to verify. The customer could put any address in that field, for that payment method, and receive the same result. Fraudsters often attempt to capitalize on this misconception by using foreign cards and putting any address they wish in the field. It is a responsibility of the merchant to make sure these attempts are identified and handled appropriately.
Card Code Response:
Most people are familiar with the 3-digit CVV code on the back of their credit / debit cards (4 digits on the front of AMEX cards). In Shopify, the CVV response code is represented here. "M" represents that the correct CVV code was entered during checkout. The best practice regarding this code is to decline anything other than an "M".
Customer History
The customer’s history with your company is very important. After using the 6 data points outlined above, a customer’s history can completely overturn what would appear to be a blatant fraud attempt or a perfectly reasonable transaction.
Step 3. Make a Determination
Considering the 7 data points here, you will have enough information to tell a story regarding any purchase in your system. For example:
Good:
The customer, John, placed an order on 08/02/2020, with an IP address within 1 mile of the Y-Verified Billing Address. The B/S match. The CVV code was correct, and based on John’s history, he’s making the same order that he has every month for the last two years.
Bad:
The customer, John, placed an order on 08/02/2020, with an IP address from New York, the billing information is Y-verified, but the order is intended to be shipped to Hong Kong. The CVV matched, but this is the 8th card used on this account and each order has been flagged.
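The determinations described in Steps 2 and 3, written out as a small rule set (an added example, not code from the article or from Shopify). The field names, region strings and history thresholds are assumptions, and comparing regions stands in for a full address comparison.

```python
from typing import NamedTuple

AVS_VERIFIED = {"X", "Y"}         # issuer confirmed the billing address
AVS_UNVERIFIED = {"N", "P", "G"}  # no match / nothing on file / international

class Order(NamedTuple):
    # Hypothetical field names for illustration, not Shopify's order schema.
    avs: str
    cvv: str
    billing_region: str
    shipping_region: str
    ip_region: str
    prior_good_orders: int = 0
    prior_flagged_orders: int = 0
    cards_on_account: int = 1

def triage(o: Order):
    """Return (action, reasons): approve, request_documents or decline."""
    if o.cvv != "M":
        return "decline", ["CVV response is not M"]
    reasons = []
    bs_match = o.billing_region == o.shipping_region
    if o.avs in AVS_UNVERIFIED:
        reasons.append(f"AVS {o.avs}: billing address is unverified")
        if bs_match:
            reasons.append("B/S match proves nothing without AVS X or Y")
    elif o.avs not in AVS_VERIFIED:
        reasons.append(f"AVS {o.avs}: not covered in the article, check by hand")
    if not bs_match:
        reasons.append("shipping region differs from billing region")
    if o.ip_region != o.billing_region:
        reasons.append("IP location differs from billing region")
    # History can overturn the picture in either direction.
    # The thresholds (3 cards, 6 good orders) are assumed; tune per store.
    if o.prior_flagged_orders > 0 and o.cards_on_account > 3:
        return "decline", reasons + ["many cards and flagged orders on account"]
    if not reasons or (o.avs in AVS_VERIFIED and o.prior_good_orders >= 6
                       and o.prior_flagged_orders == 0):
        return "approve", reasons
    return "request_documents", reasons

# Constructed orders mirroring the article's scenarios.
GOOD = Order("Y", "M", "US-KS", "US-KS", "US-KS", prior_good_orders=24)
BAD = Order("Y", "M", "US-NY", "HK", "US-NY", prior_flagged_orders=7,
            cards_on_account=8)
STEP1 = Order("Y", "M", "US-KS", "US-NY", "US-TX")   # Kansas / New York / Texas
NO_AVS = Order("P", "M", "US-CA", "US-CA", "US-CA")  # matching B/S, AVS of P
```

The NO_AVS order is the case the Billing and Shipping Address section warns about: every address field agrees, yet the order is still held for documents because the issuer verified nothing.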
Step 4. Make a Move:
There is a wide spectrum of possibilities between “Legitimate” and “Fraudulent” purchases. It is up to the merchant to decide how to move forward. There are 3 reasonable actions that can be taken once a determination is made.
Decline the order:
After running through the full analysis, you decide that it looks too suspicious and would rather cancel the order. This move has its particular benefits. The sooner a fraudulent order is analyzed, cancelled and refunded, the less likely it is that a chargeback will be filed by the account holder.
Approve the order:
After running through the full analysis, you decide that it looks good. Pretty simple. Enjoy the sale!
Request Additional Documents
After running through the full analysis, you are undecided and want to offer the customer the opportunity to prove ownership of the payment method. We suggest that the merchant format a “Request for Additional Documents”, requesting a photo of the payment method (only the last 4 of the account number must be visible), a photo of the “Customer” holding the ID matching the payment method, and then an up-close photo of the ID, with sensitive data (such as the ID Number) redacted.
When the request for additional documents is sent, be sure to include clear instructions, and a deadline. 3 days works well.
At the end of 3 calendar days, evaluate the submitted documents, save them to a folder for use in the event of a chargeback, and move forward accordingly.
An effective defense against the many forms of fraud is dynamic. Each new technology brings with it new aspects of operation that stand to be exploited by fraudsters.
Don't wait to develop your defense against fraud.
Contact us today for a free strategy call!
I think Alexander Hall is on point with his suggestions, though it calls out that most of these skills are not core to a company's primary line of business. Working with a solution that removes liability for fraud as part of its solution puts the burden to manage fraud on the appropriate party - the vendor that created the tools to detect fraud. Good read!