From the March 2001 issue of Entrepreneur

You thought a hearty "Congratulations!" would be in order. Your online business was still in its first week and had already received a whopping $5,000 order. There was just one catch-it had been placed with a stolen credit card number. The tip-off came when you saw that the order, ostensibly placed by a credit card holder with a U.S. billing address, was to be shipped to faraway Indonesia. A quick phone call to the real card holder, who told you she didn't have the foggiest idea about the order, confirmed your suspicion.

Sometimes, sniffing out fraudulent transactions can be a matter of common sense. While online fraud tactics are be-coming increasingly sophisticated, preventing credit card fraud doesn't have to require expensive monitoring tools. Much of fraud prevention lies in knowing how fraud works.

Take, for example, this loophole in shipping companies' customer service policies: Any allegedly legitimate buyer can ask his merchant for the tracking number of his shipped order; the customer can then call the shipping company with the number and change the shipping address. This allows a person with a fraudulent credit card to clear a merchant's antifraud Address Verification System (AVS), which ensures that the customer's credit card billing and shipping information match bank records and each other. After having his or her order approved, any poseur can obtain his or her package's tracking number and change the original delivery address to his or her own.

Developing a policy of withholding the tracking numbers of overnight packages until delivery time has passed can serve as a simple but effective part of your strategy against electronic credit card fraud.


Mie-Yun Lee is the founder and editorial director of BuyerZone.com, an Internet purchasing hub for small businesses. Kaukab Jhumra contributed to this article.

Risky Business

Online merchants take on much higher risk than their brick-and-mortar counterparts: Nearly 10 percent of all Internet transactions are fraudulent, compared to less than 1 percent of credit card transactions in the physical world, according to a 1999 report by Meridien Research. (The company does, however, expect Internet fraud to drop to below 5 percent in its 2000 report.)

Internet merchants also assume higher penalties for credit card purchases than do physical stores, paying as much as 2.69 percent and 30 cents (compared to 1.5 percent and 20 cents) on every Net-based transaction. Why are online fraud rates so high? Unlike face-to-face transactions, where a signed receipt serves as a contract protecting the merchant against identity fraud, transactions made over the phone or online do not guarantee the card user's identity. This means anyone with access to old credit card receipts or illegal software that generates authentic credit card numbers can attempt to use those numbers to buy online. Even worse, the merchant must assume all the risk in such non-face-to-face transactions.

Julie Ferguson, co-founder and vice president of emerging technologies for e-commerce software company ClearCommerce in Austin, Texas, and founding member and board member for the newly launched nonprofit Worldwide E-commerce Fraud Prevention Network, says the total costs of e-fraud add up to far more than just the cost of goods sold. In fact, merchants are fined for chargebacks, or reversals, against disputed credit card sales. E-fraud costs thus include the cost of the order, bank and card processor fees (including higher discount rates, chargeback fees, fines and even termination of processor service for excessive chargebacks), the expense of manually resolving bad trans-actions and the decline in customer loyalty.

Anti-Fraud Measures

You can fight back against online credit card fraud by investing in fraud-detection software, either separately or as part of your credit card processing service. So-called store-in-a-box solutions can provide a generally easy and inexpensive system for processing credit cards, including pre-authorization with Visa and Mastercard. (For more on stores-in-a-box, see "Bizstartups.com".)

If the anti-fraud tools that come bundled with your e-commerce so-lution provider or your credit card pro-cessing service aren't as robust as you want, however, you can invest in separate anti-fraud software and integrate it with your payment-processing service. These tools typically include real-time authorization capabilities to ensure the card number and expiration date are valid and customer funds are sufficient. Within the United States, tools also include AVSes. More advanced anti-fraud tools incorporate rules systems that are able to flag certain types of transactions based on customizable if/then statements (such as "IF the order is above $1,000 AND the shipping is express THEN review the order") and statistical models that learn by example and correlate trans-action attributes with known fraudulent activity.

Businesses serious about their fraud prevention often develop in-house historical databases that capture past orders, customer names, and valid and invalid shipping information. They may also use systems to rate each transaction for the likelihood of fraud through a series of checks.

Helping Hands

Over the past two years, two nonprofit industry groups have formed to help merchants shield themselves from the slings and arrows of online credit card fraud. One is the Internet Fraud Prevention Advisory Council, supported by the Internet di-vision of HNC Software, a San Diego provider of Internet fraud risk management solutions. The other, the Worldwide E-Commerce Fraud Prevention Network, with free membership for all merchants, is being spearheaded and funded for the first year by American Express. Both groups aim to educate online merchants about anti-fraud practices as well as research and identify developing trends in Internet fraud and promote new fraud detection technology. The Fraud Prevention Network also offers helpful tools such as the "Fraud Test"-a quick, self-diagnostic questionnaire on its Web site that helps you pinpoint where your e-business may be most vulnerable to credit card fraud.

If you can't afford anti-fraud software, Ferguson offers tips on how you can gather what she calls the low-hanging fruit of fraud prevention. The best anti-fraud defense you can have, she says, is awareness of typical fraudulent behavior. Require all order-form fields to be filled in, and make sure credit card numbers match the card type (Visa, MasterCard or American Express). E-mail a receipt of the order to the address provided or call the consumer-you'll soon find out whether the contact information is fake. And be careful when you receive an order form with a free Internet-based e-mail account, as such accounts can be registered quite easily. Know your average order amounts and be suspicious of extraordinary orders as well as large-dollar orders of many low-priced items. Flag large orders that ask for express or P.O. Box shipping.

While one element alone may not be a telltale sign of fraud, a combination of a few could spell trouble. If several card numbers are attempted from the same IP address (a computer's location on the Internet) before one is finally accepted by your system, be very suspicious, Ferguson says-they could be mathematically generated from illegal, easily downloadable software. Encrypt data maintained on da-tabases or files accessible from the Internet, and immediately investigate and report to your credit card merchant any suspected loss of account or transaction information.

Online credit card fraud cost U.S. merchants $400 million by the end of 2000, according to Meridien Research. Developing an anti-fraud strategy now could help lessen your share of the burden.


Contact Sources