Chargeback Fraud – Customer Caught Red Handed (Finally!)

Without a doubt the most popular post I’ve written was last years post about chargebacks. Like most retailers, we feel pretty helpless when it comes to chargebacks, and I think that resonates with people.  Since the system at it’s core is very broken, retailers don’t have a whole lot of options.  Any system you put in place to reduce chargeback fraud invariably creates issues for legit customers. Creating new problems for all customers when a very small few are causing the issues, without guaranteeing any higher success rate, is what makes us tread very carefully. Dave wrote a post about this recently and I commented on a system we’ve seriously considered implementing, and there are about ten other things we’ve considered, but have always decided to hold back for these reasons. The only thing we’ve done – which has made a big difference – is stop shipping internationally. Now that we’ve done that though, I don’t think we’re going to make any other sweeping changes.

Still, we always try to stop fraud in it’s tracks.  Since we don’t ever win a chargeback case after it happens*, we try to stall suspicious orders in hope of having it still in our possession (or in the possession of FedEx) when we get the chargeback .  Until yesterday though, we never actually stopped someone.  Once, Greg we missed calling off delivery by minutes. He then tried calling the customer at the phone number they registered with and actually got someone on the phone, but they denied knowing anything.

Anyway, flash forward to yesterday. We finally got someone. Here’s my best account of the time line:

  • Middle of last week a customer places an order for an abnormally large quantity of one product.  His billing address passed verification (meaning that his billing address matched the billing address on his credit card) but of course he was shipping it to another address in another state.  He was smart enough to give the person in the other state the same last name. He also paid an exorbitant amount for expedited shipping.
  • Greg flagged it for all of those reasons.  We did have the inventory to fill the order, but it would have left us with next to nothing for the product, so we likely would have wanted to hold the order for a week or two regardless.  He put the order in our “pending” system and shot me an email asking my opinion.
  • I replied “Hmm.  His AVS and CSC both matched for his billing address. We could require that he ship the order to the billing address, which would pretty much 100% eliminate the possibility of fraud. When you email him to let him know they’re on backorder you could inquire as to what he’s using them for and if he’ll be ordering regularly so we can stock inventory accordingly.  That might give us a little more insight. ”
  • Greg contacted him and he replied quickly (less than a day).  He said he ran a business and was reselling them (which might have been true), and that we could ship it to his billing address, but it would really suck that he would have to then ship it again.  He was trying to guilt us into shipping it out.
  • And it worked.  We decided to finally ship it out on Monday.
  • Later that afternoon, Greg received an email from someone with the same name as the buyer.  The “real” customer never ordered with us, has had several other fraudulent charges on his card recently, has just canceled his card, and told us not to ship the order because it’s fraud.
  • Greg called FedEx and had the package re-routed back to us.  Scammer stopped.

Although we lucked into it in this case, we now have a new policy: large first time orders from people we don’t know must be shipped to a verified billing address. I think requiring this on every order is overkill.  It might even be overkill to require it on every single first order.  But on a big first order that’s not from a legit business this is a more than acceptable policy.

*in that post last year I wrote “Despite being able to provide tracking information to prove delivery for every single chargeback filed against us, we have lost all but one case.” I think I misspoke – I’m fairly certain that I confirmed later on with George that said “win” was a case of “blackmail” where the buyer rescinded the chargeback himself, which does happen from time to time.

39 comments on Chargeback Fraud – Customer Caught Red Handed (Finally!)

  1. Dave says:

    Good thing you guys caught it in time! Hopefully he can be reported to some sort of authorities there. I would be in the same boat…any larger orders like that would require a matching billing/shipping address that pass AVS. Otherwise the customer needs to pay via bank wire. It sucks to think about a potential large order you may lose, but that’s all part of the game.

    Did you guys still end up losing money from the shipping costs? Especially since you mentioned they were pretty hefty…

    • Adam McFarland says:

      Good question Dave. I think we will end up losing some money on the shipping cost and there’s also a fee to have it re-routed back to us. Still worth it though. At least we get our inventory back and keep the products out of the hands of the scammer.

  2. nethy says:

    Adam,

    What do uber-retailers (Amazon, Dell..) do about chargebacks? Do they just work 5-10% into their costs?

  3. Rob says:

    Well done on catching him. Did you call him on it? As above, hope he’s been reported to the police etc.

    @Nethy – 5-10%? is that really what it is? Shit.

    Another way the system could be improved (not on your end) is for shipping companies to require that only the person named can sign for an item and they have to show ID. Sure they could produce fake IDs too, but it’d complicate things a bit more. Whether it would be worth it is a different question.

    • Adam McFarland says:

      I’m not sure if Greg called him on it, but my guess is no. We will cooperate fully with the authorities should the true owner of the card decide to press charges. We have an email address, IP address, user agent string, etc, but unfortunately all of those things are easy to fake, as is the address. This guy seemed like a pro so my guess is he set up an email address specifically for this order, used a proxy for his IP address, and sent the package to a freight forwarder.

      In terms of the 5-10%, it’s not that high with us (less than 1% would be my quick estimate), but I think in electronics it must be significantly higher. Those numbers wouldn’t shock me. The only company that I know for sure what they do is Newegg. They don’t ship internationally and they require address verification. I wrote a little more about them in last yrs post. However, I’ve ordered from them and had issues because my phone number had changed and the card wouldn’t verify…and it was a total pain to then work it out with one of their reps. So even having that system has it’s flaws because you’re putting a ton of time/effort into stopping people, and you’re pissing legit customers off.

      I’ve actually tried to ask the chargeback question to a few large retailers (split the difference between us and Amazon and that’s the size I’m talking about). Some of which I know sort of well, like I’ve exchanged emails with them before. Unfortunately no one has ever really given me a straight answer. Not sure if it’s because they don’t know as the owner of a larger entity, or they don’t feel comfortable sharing. It’s a shame. If the “big boys” teamed up to stop it they could legitimately try to change how things are done. They could use their lobbyists to try to get laws passed. As it stands though, it’s not quite a large enough number for them to care…at least that’s the conclusion I’ve arrived at.

      • nethy says:

        One thing that I found incredible when I first found out about it is that police just won’t investigate this kind of stuff, even when it’s easy. You can go down to the station with a name, picture and a reasonable amount of evidence and the police won’t even call them. It usually goes to special electronic crime units and these guys are so swamped I doubt they investigate 1/50 complaints. It makes some of these fraudsters incredibly brazen, like signing for a product then claiming they didn’t receive it or just ordering goods to their house. But, I think if police did up the pressure, it would just make them a little more sophisticated and bring the balance back to nil.

        It’s not just laws and policies though. Credit card companies and banks (in Australia anyway, in the US the bank/CC company paradigm is different) have pretty much got a system where they can dictate terms. They effectively offer their customers incredibly lenient purchasing insurance. Since they get have a lot of power over retailers, they can push a lot of the expense onto them. I guess the logic behind it is that retailers have the means to prevent fraud. If you shipped every order, didn’t do address matching or similar, shipped internationally and sold resalable stuff (say laptops), you could easily be shipping 10%+ fraudulent orders.

        I really don’t know a lot about the issue but I kind of have the feeling that CCs as a system of payment is actually fundamentally broken and unpoliceable. It’s just not very competitive, hard to get into and very profitable for the main players who make their money on interest.

        • Adam McFarland says:

          Well said Nethy. I think if I had a physical location and someone walked in and stole $300 and I had video evidence, the police reaction would be quite different than if I walked in and had proof of signature, name, address, and an IP address that matches.

          In a way, I hope someone becomes too brazen and tries some big huge scheme against one of the big retailers and that becomes public and brings more attention to the broken system. Unless that happens it probably won’t change though.

    • nethy says:

      I just made up that figure. However, like Adam says it wouldn’t be shocking in some markets like electronics where goods are easy to resell.

      • Rob says:

        Gotta agree that the whole system seems broken – seems very biased towards the consumer winning and the business losing. If all reasonable checks have been carried out by the business but they still lose out, even with tons of proof, what can you do? It’s disgusting that the police don’t give a shit. Surely it’s just coming at the identity theft thing from a different angle, and identity theft seems to get a fair bit of press.

        It’s like getting caught receiving stolen goods (presuming you’re innocent..) – you, as the unknowing consumer, lose out, and the crook wins. Even when they do catch the criminals I bet the rarely, if ever, have them settle their debts.

    • James Baker says:

      Is it possible to ship via fedex with a “hold at fedex location” box checked? That way, they would in fact have to show ID

      • Adam McFarland says:

        Good idea James! I just did some quick Googling and it does look like you can do that http://www.fedex.com/us/services/hold_at_location_overview.html Like any security measure, you’d have to weigh the inconvenience for the 99% of good customers vs. catching the 1% fraudsters. It is enticing though. On orders that match a pattern of fraud I could see us making them ship to their verified billing address OR hold at a FedEx location (some people are on vacation, away at school, etc which are legit reasons to not be able to ship to their billing address).

  4. Jonathan says:

    Why would a legitimate reseller buy from a middleman instead of the supplier? This alone should’ve raised a red flag unless I’m missing something…

  5. Rob says:

    Plenty of reasons – perhaps they’re just testing the water with a new product, perhaps DI is the exclusive distributor, perhaps it’s a product that a high minimum order, perhaps it’s a foreign supplier and importing isn’t worth the effort, perhaps they thought DI were the only distributor, perhaps they thought DI could get it to them faster etc. etc.

    Or perhaps they were just trying to find someone to scam.

    • Adam McFarland says:

      Great answer Rob. I was about to type the exact same thing. I can see how at first glance that might not be logical, but in reality middlemen are everywhere in every business and they make sense in many circumstances. We fill both roles – we buy some stuff from them for the reasons you listed, and we also supply detailers and detail shops for those same reasons.

  6. It is true that many available services and products designed to prevent the occurrences of chargebacks do deter legitimate customers, however, phone verification products are generally well received. They do plenty to prevent chargebacks and other forms of fraud and are quick and painless to encounter as a user.

    • Adam McFarland says:

      Matt. I took a look at your product and it looks pretty interesting. I’ve added it to the potential services we may consider in the future. I personally have had some issues with telephone verification (the card has my home or business # when I think they have my cell, or vice versa), but in general I do think it’s a good option for certain orders (first time, large orders, etc)

      • Rob says:

        Looks like a tidy system. I’ve used this kind of thing before when changing the password or other particulars on my cable account. Adam, you’re a good programmer – why not do split testing with a few different mechanisms as a part of the checkout process and see how it affects sales/abandonments and fraud.

        • Adam McFarland says:

          Definitely. I think we’ll get to it, just probably not for a little while. As much as I love to bitch about chargebacks, there are still a lot higher programming priorities that will make a much bigger difference.

          • Rob says:

            There always are. Of course it makes business sense, but it’s for a similar reason this problem will continue – there are more “high profile” and clear cut cases for the cops to spend their time on. Until it becomes more of a problem, it won’t be more of a priority.

          • Adam McFarland says:

            Yup. I was thinking the same thing as I was typing it. It would be nice if Amazon or someone with $$$ devoted themselves to solving the problem. I’d love to devote my entire efforts towards stopping it, but it just doesn’t make business sense right now. I do think that if you gave me unlimited money tomorrow, it would be the first business I would start. Some sort of anti-chargeback initiative working on it from the programming side and the legal side. It’s such a large problem. I don’t think I’d get bored trying to solve it 🙂

          • Rob says:

            Ah, a true entrepreneur. Even with unlimited money you’d still be working!

  7. Adam,
    Glad to see you are interested. Your number one priority should be to evaluate what types of customers and behaviors are risky, and then act accordingly. As you mentioned, using a service such as telephone verification is often a great idea when presented with orders over a certain amount or first time customers. The free eBook “50 Ways to Spot a Fraudster”, by TeleSign should be of help to you. At the very least, it will enable you to recognize risks that you may have not been aware of in the past. Here is the link: http://forms.aweber.com/form/57/157670457.htm

    Thanks,
    TeleSign Matt
    http://www.TeleSign.com

  8. TeleSign Matt says:

    All,

    Curious to know if the tips contained in the eBook provoked any additional thoughts on the direction and evolution of telephone verification and perceived benefits to other industries?

    Thanks,

    TeleSign Matt

  9. merchant says:

    has anyone ever used services like badcustomer.com? Do they work?

    • Adam McFarland says:

      We haven’t installed it on our site, and I’m not sure if we’re going to, but we’ve definitely searched their database before when a suspect order comes through. That’s available for free without registering https://www.badcustomer.com/blacklist.htm In terms of whether or not displaying it on your site actually turns away fraudulent buyers, I cannot say for sure. I would caution that if you decide to implement it that you pay very close attention to the customer feedback and any changes in your conversion rates – you don’t want to scare away legit customers and make them think twice at the moment they’re excited to make a purchase.

  10. Rob says:

    Has anyone here got experience with 3D Secure from a merchant standpoint? I’ve used it as a consumer and it seems ok (even though I ALWAYS forget my verified by visa password…) Anyway, apparently it can be tricky to set up, but it completely absolves the merchant of risk of chargebacks.

  11. r-merchant says:

    >> 3D Secure … it completely absolves the merchant of risk of chargebacks

    I would be *extremely* interested if this is actually true. Can anyone confirm this?

    • Adam McFarland says:

      Interesting. I had not actually heard of it before. Here’s the Wikipedia page http://en.wikipedia.org/wiki/3-D_Secure I’d potentially be interested in trying it out down the road provided the implementation wasn’t too difficult

      • Dave says:

        It has much more adoption in Europe I believe…less so in the US, although I’d be all for it if it was widely adopted.

        • Rob says:

          Ah, didn’t realise that. What with Mastercard and Visa being the driving force and them being American companies I’d expect that it is there/is coming there. We’ve had it about 2 years.

          From a customer standpoint, the first time you use it you have to set up an account with visa/mastercard. It asks you for your DOB, various account numbers etc. and gets you to set up a challenge code and response. When you come to use it, you begin the checkout process as normal from a merchant, then in the last stage you’re redirected to a verified by visa site (either a redirect or an iframe) and you see your own challenge code (to prove it’s legit) and give it your password. Then it sends you back to the merchant and confirms the sale.

          From what I can find out from reading, the merchant doesn’t face any risk of chargeback, presumably because the customer entered their password. The customer is also absolved of fraud risk through phishing.

          As for the actual implementation, I think paypal payments pro/payflow can integrate 3D-secure. The set up is a bit messy from the customer perspective (having to enter your DOB the first time, having to enter your WHOLE password when asked… it’s completely against all the security advice we’re given as consumers), however, it’s become a trusted and known brand and people on the whole seem to get on with it. Only problem for me is that I’m always forgetting my password, getting it wrong 3 times, then having to reset it… it won’t let you use the same password as before either, so it’s a continuing problem (for me at least!). Doesn’t put me or anyone I know off purchasing though – I feel better using it than not, because of the feeling of added security.

          Dunno if I mentioned before, but lots of banks here are now giving away security software and anti-phishing software free. HSBC’s “rapport” software seems quite good. Reading the smallprint of my account, if I’m a victim of fraud and I’ve made purchases online without anti-spyware etc. and without mastercard securecode/verified by visa, I may be liable for the loss.

          • Adam McFarland says:

            Thanks for all of the info Dave & Rob. I find it interesting that banks are now trying to alleviate themselves of the liability. I think part of the reason we have a chargeback problem is that banks have made it so easy to do so (and advertised as much)…if they make it harder, as they should, I *think* it will have a positive impact on merchants.

  12. Rob says:

    A little more on this – http://www.bbc.co.uk/news/uk-11571766

    Shows it can be worrying for the user as the security is on in a new frame/page, and of course there’s always opportunities for scam artists to replicate pages. However, about 2 minutes in you’ll notice them saying that Visa flat out would not process a refund for her. For legitimate merchants this is great.

    • Adam McFarland says:

      Great video Rob. Thanks for sharing. It’s very interesting how the bank refused to refund a purchase that was “verified by Visa”. Like you said, for legit merchants this seems like a great thing. I wonder if this will ever be adopted more commonly in the US? Seems like it could cut down on fraudulent claims by quite a bit. Customers would be less likely to threaten “chargeback blackmail” if they knew the transaction was “verified” and they had almost no chance of getting the charge reversed…as compared to now when it seems you can basically have any charge reversed with a quick phone call.

      • Rob says:

        Yeah fingers crossed! I see no reason it shouldn’t be adopted there. I was pretty surprised when you hadn’t heard of it, given that both backers are American companies! Maybe they’re testing it on us Guinea pigs first?

        Tis stupid that its on a different domain/frame and asks for your full password rather than just a few characters though. That’s totally against everything we’re taught as web consumers.

  13. r-merchant says:

    This is very promising. If one already has the merchant account, what is the quickest way to get setup with this program?

    • Rob says:

      No idea. Suppose you’d call your merchant account provider and ask them about 3D-Secure (umbrella term) or Mastercard securecode / Verified by Visa (brand names).

      Please do let us know how you get on!

  14. Rich Ghost Wolf says:

    And, perhaps unsurprisingly…badcustomer.com itself turns out to be…a giant credit card scam.
    http://www.creditcards.com/credit-card-news/bad-customer-i-works-scam-enforcer-busted-ftc-1282.php

    Makes me really wonder if I can trust anyone these days (sigh).

    • Adam McFarland says:

      Rich – thanks for posting that. I agree: sigh. I’d like to believe that something like BadCustomer could be done legitimately, maybe by the government or as an open source project, but who knows.

Leave a Reply

Your email address will not be published. Required fields are marked *

Commenting Rules

I'm honored that you found this post interesting enough to leave a comment. Before posting, I have a few ground rules:

  • Please keep your comments as relevant to the post as possible.
  • No personal attacks or any other nastiness.
  • Your first comment is subject to my approval.

Thanks!