Well, we've been extremely lucky not to experience a proper chargeback so far (in fact....in my whole time as hosting manager I have never had to deal with such a case), but now its come along I am really not sure what to do with it. Let me explain the situation:

We had a user signup for an account. They paid via PayPal, everything was normal. We then saw their site. It was quite blatantlya phishing site. It was made to look exactly like an eBay product page and processed bids telling the user they had won it and offering them a payment page.

Obviously our immediate action was to suspend the account and contact the user with a request for more information. We also threatened to terminate the account if they did not respond within 7 days.

This morning I woke up to find that our PayPal account has been issued with a chargeback from this user. The chargeback says that "the buyer's card was used to make a purchase without the buyer's knowledge." This is a blatant lie. Their payment was processed by WHMCS. We have the user's name, address, phone number, IP Address etc.

What do you advise we do? I have a lot of common sense, but its difficult to decide what is relevant evidence. I have an idea of our next step, but it wouldbe nice to get some feedback.

Ive been in a very similar situation. Respond to PayPal and choose to dispute it

Include all the WHMCS details and a link to your TOS and AUP

I won mine and was quite a large sum of money

Include all the WHMCS details.....

How would you advise we do this? Screenshot or just copy and paste each part of detail?

Fortunately our Privacy Policy covered for this, we can share details if there are legal reasons to do so.

Copy and paste is what I did. Took 3 months but we got £XXX back

You may have the clients name IP address and such, but do you know if the paypal account was used by a third party who stole or phished the paypal username and password to gain access?

Not too long ago, I experienced a fraudulent order which was paid for via pay pal. The account was used by a third party who had stolen the login info, most likely from a phishing scam. Does the name on the order match that of the PayPal account used?

The one i had matched PP details

1. Learn your lesson -- if the user slaps up fraudulent stuff, terminate and refund the account immediately.

In almost every case it is very unlikely that it's a legitimate paypal account. It's either stolen or the funds are stolen from another paypal account.

Live and learn, let it go.

Just seconding David J. here. The account was probably hijacked, which means that the money that you received was not sent by the account's owner. Really, the best course of action is to refund and move on. And, if you already suspended the account (and did so almost immediately), you shouldn't be out much money.

Sorry for the loss, but this seems to be a part of the industry.

Just to chime in further regarding my experience.
I've noticed that the lower the prices -- the increase in fraud goes up exponentially.

At 3.95 a month a few providers I was employed by would average 2-3 (if not more some days) fraud orders a day. With phone verification in place we'd reduce the fraud damage down to about 0% (it's almost flawless, although becoming problematic with VoIP).

When we increased our pricing 3x fraud stopped. Instantaneously.
The market that the lower pricing attracts is definitely a different breed :)

Consider increasing your prices if it continues to persist ;)