How to Identify Fraud in Your Shopify Store

Alexander Hall

When scouring the web to decide which e-commerce platform to use for an online store, one name is plastered over all of the results… Shopify.

Whether you are jumping on the drop shipping train, expanding a brick and mortar store to an online presence, or starting from scratch and hoping to service customers all over the world, Shopify has you covered.

There is no question that fraud has had an impact on the global market. In 2019, one report showed that the Fraud Industry was worth more than $140b.

In this article, we will outline how a Shopify store owner can complete transaction analyses on orders in their system.

Filter Suspicious Orders

Whether you sell digital media or tangible items, it is important to identify what is considered “suspicious” in your traffic.

For retail merchants, an order with an AVS-Verified billing address in Topeka, Kansas, with an IP location in Texas and a shipping address in New York would certainly be a good candidate for filtering and investigation.

Analyze Transactions

Alanyze Transactions

In order to make a decision regarding the validity of the transaction, it is important to know what information is available and how the information gives insight to the order.

Now we will cover the “Data points” that are available in a standard Shopify store.

Customer Name

The customer name is considered a data point in itself. The name on the account will, of course be relevant to everything else that takes place throughout this customer’s history.

Email Address

Although email addresses are easy to create, leveraging your customer account on emails does have it’s value. For example, an email of A.Smith@Yahoo.com for a new customer whose billing and shipping information is for a Chris Johnston, might be enough to raise an eyebrow and look a little deeper.

Phone Number

Similar to an email address, but more effective, a phone number requires a bit more effort to replace, thus leveraging the information provided in the phone number is useful. In addition to validating the customer account through a phone number, the area code is useful in determining the location of the customer and cross-referencing this with the billing and shipping information.

AVS-Response Code

The Address Verification Service, or AVS, is provided by payment processors on e-commerce platforms. It works by sending the information provided at checkout to the issuer of the payment card.

The issuing bank then sends a response in the form of a response code. By checking multiple points of data in the field, this response code indicates the accuracy of the billing address provided.

The two codes that represent the highest accuracy are:

X – All of the data points line up with what the issuer has on file.

Y – Most of the data provided matches what the issuer has on file for the cardholder.

The worst, N, P and G, respectively.

N- Represents that none of the information is correct

P – No Information available to check against

G – International and equally unverifiable due to address formats in foreign regions.

Billing and Shipping Address

The analysis of the billing and shipping addresses relies on the AVS-Response code and an understanding of how they tie together. Most would assume that a matching billing and shipping (“B/S”) addresses would indicate that the transaction was verified. That would be true, IF the AVS-Response Code for the order was “Y” or “X”. This would imply that the billing address was successfully verified and that the order was being shipped to that same address.

That’s dandy. However, if the AVS Response code in N, P, or G, this get turned on it’s head. Matching B/S, with an AVS of P, states that the billing address has no information to verify. The customer could put any address in that field, for that payment method and receive the same result.

Fraudsters often attempt to capitalize on this misconception by using foreign cards and putting any address they wish in the field. It is a responsibility of the merchant to make sure these attempts are identified and handled appropriately.

Card Code Response

Most people are familiar with the 3-digit CVV code on the back of their credit / debit cards (4 digits on the front of AMEX cards). In Shopify, the CVV response code is represented here. “M” represents that the correct CVV code was entered during checkout. The best practice regarding this code is to decline anything other than an “M”.

Customer History

The customer’s history with your company is very important. In fact, it can completely change a determination derived from the 6 data points outlined above. What might appear to be a blatant fraud attempt can be viewed as a perfectly legitimate transaction given the customer’s transaction history.

Make a Determination

Considering the 7 data points here, you will have enough information to tell a story regarding any purchase in your system.

Examples of analysis:

Good

The customer, John, placed an order on 08/02/2020, with an IP address within 1 mile of the Y-Verified Billing Address. The B/S match. The CCV code was correct, and based on John’s history, he’s making an the same order that he has every month, for the last two years.

Bad

The customer, John, placed an order on 08/02/2020, with an IP address from New York, the billing information is Y-verified, but the order is intended to be shipped to Hong Kong. The CVV matched, but this is the 8th card used on this account and each order has been flagged.

Make a Move

4. Make a Move:

There are a wide spectrum of possibilities between “Legitimate” and “Fraudulent” purchases. It is up to the merchant to decide how to move forward. There are 3 reasonable actions that can be taken once a determination is made.

1. Decline the order:

After running through the full analysis, you decide that it looks too suspicious and would rather cancel the order. This move has it’s particular benefits. The sooner a fraudulent order is analyzed, cancelled and refunded, the less likely it is that a chargeback will be filed by the account holder.

2. Approve the order:

After running through the full analysis, you decide that it looks good. Pretty simple. Enjoy the sale!

3. Request Additional Documents:

After running through the full analysis, you are undecided and want to offer the opportunity to prove ownership of the payment method. We suggest that the merchant format a “Request for Additional Documents”, requesting a photo of the payment method (Only the last 4 of the account number must be visible), a photo of the “Customer” hold the ID matching the payment method, and then an up close photo of the ID, with sensitive data (such as the ID Number) redacted.

When the request for additional documents is sent, be sure to include clear instructions, and a deadline. 3 days works well.
At the end of 3 calendar days, evaluate the submitted documents, save to a folder for in use in the event of a chargeback, and move forward accordingly. An effective defense against the many forms of fraud is dynamic. Each new technology brings with it new aspects of operation that stand to be exploited by fraudsters.

Don’t wait to develop your defense against fraud.

Like this content? Like, share, etc.