Now that we have taken a look at some broad strokes in fraud prevention, it’s time to get down to some specifics. What we suggest is a scorecard that can be applied to any purchase to evaluate the response needed.
The fifteen fraud attributes we suggest for the scorecard are these:
1. Bill To / Ship To (B2/S2) Mismatch
2. B2/S2 Mismatch, Both Names the Same
3. B2/S2 Mismatch, Both Phones the Same
4. IP Address Mismatch (Outside Area Code or State)
5. Billing Phone is a Cell Phone
6. Billing Phone Reports "Landline"
7. Billing Address Doesn't Verify
8. Billing Address / Name at Address Mismatch
9. Shipping Address Doesn't Verify
10. Shipping Address / Name at Address Mismatch
11. Free Email Account Used (Hotmail, Gmail, Yahoo, AOL etc.)
12. Fast Shipping
13. New Customer
14. Order Value over Threshold
15. All Caps Only In Some Information Fields of the Transaction
Not all attributes carry the same weight. For example, ‘IP Address Mismatch’ isn’t as concerning as a ‘Bill to / Ship to Mismatch’, so we need to weight the impact of each attribute in order to arrive at a good and usable score. Our example uses a scale of 1 to 5 for the weighting, where a 5 is the most serious attribute.
Informatics has an example spreadsheet that can be used as a basis for building your own scorecard.
Free Tools, Plus One
For the most part, the information required to settle the questions raised by the fraud attributes above can be found using a handful of free tools and one fairly cheap one. Two of the most useful tools are the website’s own Admin Panel and the Online Interface of the credit card processor. Using these two tools we can confirm items 1, 2, 3, 12, and 15 above. We need to inspect the ‘raw data’ of the order to make sure of our information before committing resources to verify the purchase.
When it comes to phone number verification we have found the website www.whitepages.com to be very useful. Using this site we can determine if the phone number supplied is a cell phone or an IP phone. We can compare the address associated with the phone number to further pin down supplied information.
As a tool for cross-checking address information, we like www.melissadata.com/lookups. This is a site used by direct mail businesses to verify addresses in their mailing lists. We use the site to compare the address given with the purchase to the name of the person listed at that address.
Most e-commerce shopping carts record the IP address of the person placing the order. IP addresses are generally useful but aren’t terribly accurate fraud indicators. Here is what we mean. Most of the time a user’s IP address is going to locate them on a map fairly close to where they actually sit at their computer, but there are many exceptions. For example, almost all AOL email accounts show a New York IP address because that’s where the AOL servers are located.
An IP address is best used to verify that the purchase was actually made by someone in this country. A lot of fraud comes from overseas, and by looking up the purchaser’s IP address we can quickly rule out a country of origin as a concern. To do this we like to use www.geobytes.com/IpLocator. We plug in the IP address and the tool tells us where the purchaser’s computer connects to the Internet.
Finally, we inspect information about the purchaser’s email address. The tool we use for email discovery is the only suggestion we have that costs money. www.emailfinder.com costs about $2.00 per month which isn’t too bad considering the information it returns. Primarily, this tool is used to find out if the purchaser is using a free email account.
If, and this is a BIG if, the email owner has provided personal information on a directory site or a social network, the tool might provide a phone number and address too. Ideally we should be able to find out if the email address has been around for a while or if it is so new that it has zero Internet footprint.
There are of course attributes found on sales that can immediately cause a decline:
- Three or more attempts to authorize a purchase using more than one name or credit card
- An IP address that is out of the country (if international shipping isn’t permitted)
- Obviously fake information, such as l;firstname.lastname@example.org, or (999)234-5678
- Known fraudulent credentials, from your own sales records and history.
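A minimal version of the scorecard and two of the immediate-decline checks above, as an added example (it is not the Informatics spreadsheet or code from this article). The weights, order threshold, home country, field names and sample order are assumptions; only the attribute list and the 1 to 5 scale come from the text.

```python
FREE_MAIL = {"hotmail.com", "gmail.com", "yahoo.com", "aol.com"}
FAST_METHODS = {"overnight", "2-day"}  # assumed shipping codes
ORDER_VALUE_THRESHOLD, HOME_COUNTRY, INTERNATIONAL_SHIPPING = 500.00, "US", False  # assumed
WEIGHTS = {  # assumed weights: 1 = minor, 5 = most serious
    "b2s2_mismatch": 5, "b2s2_same_name": 2, "b2s2_same_phone": 2, "ip_mismatch": 2,
    "billing_cell": 2, "billing_landline": 1, "billing_addr_unverified": 4,
    "billing_name_mismatch": 4, "shipping_addr_unverified": 4,
    "shipping_name_mismatch": 3, "free_email": 2, "fast_shipping": 3,
    "new_customer": 2, "over_threshold": 3, "partial_all_caps": 2,
}
SAMPLE_ORDER = {  # constructed order, not real data
    "bill_to": {"name": "Pat Doe", "address": "12 Oak St, Omaha NE", "phone": "(402) 555-0100"},
    "ship_to": {"name": "PAT DOE", "address": "98 ELM AVE, RENO NV", "phone": "402-555-0100"},
    "email": "pat.doe@gmail.com", "shipping": "overnight", "prior_orders": 0,
    "total": 740.00, "auth_attempts": 1, "distinct_names_or_cards": 1, "ip_country": "US",
}

def _key(s):
    return "".join(c for c in s.lower() if c.isalnum())  # ignore case, spacing, punctuation

def derive_flags(order):
    """Attributes 1-3 and 11-15, computed from the raw order record."""
    b, s = order["bill_to"], order["ship_to"]
    mismatch = _key(b["address"]) != _key(s["address"])
    caps = [v.isupper() for p in (b, s) for v in p.values() if any(c.isalpha() for c in v)]
    return {
        "b2s2_mismatch": mismatch,
        "b2s2_same_name": mismatch and _key(b["name"]) == _key(s["name"]),
        "b2s2_same_phone": mismatch and _key(b["phone"]) == _key(s["phone"]),
        "free_email": order["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL,
        "fast_shipping": order["shipping"] in FAST_METHODS,
        "new_customer": order["prior_orders"] == 0,
        "over_threshold": order["total"] > ORDER_VALUE_THRESHOLD,
        "partial_all_caps": any(caps) and not all(caps),
    }

def hard_decline(order):
    """Immediate-decline checks: repeated authorization attempts and out-of-country IP."""
    reasons = []
    if order["auth_attempts"] >= 3 and order["distinct_names_or_cards"] > 1:
        reasons.append("repeated authorization attempts")
    if order["ip_country"] != HOME_COUNTRY and not INTERNATIONAL_SHIPPING:
        reasons.append("foreign IP")
    return reasons

def score_order(order, verified=None):
    """verified: results of manual lookups (attributes 4-10), e.g. {"billing_cell": True}."""
    flags = {**derive_flags(order), **(verified or {})}
    hits = sorted(k for k, v in flags.items() if v)
    return sum(WEIGHTS[k] for k in hits), hits
```

Run `hard_decline` first; only orders that pass it need a score, and the `verified` argument is where the results of the phone, address and IP lookups get recorded.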
In this section we discussed creating a scorecard to rate purchases for fraud potential. We next offered several free online tools (plus one low cost tool) that can help locate verifiable information on our purchasers. Next up we take a look at the last free step in fraud prevention - tightening up acceptance criteria on our credit card processor interface.