Web Hosting Talk : Web Hosting Main Forums : Running a Web Hosting Business : Fraud - What do you do about it?

[Mercurial]

I'm interested to here what processes/procedures other companies have in place that help them deal with fraudulent orders. Particularly those based in the UK.

I'm sure we all have different methods for detecting, and lets face it some of these criminals are fairly obvious about it. I'm not so interested to hear about how you detect (as that might clue them up a bit) but what you do once you have discovered its a fraudulent order.

At the moment we just cancel the order and as our payments are on an pre-authorise basis no money is taken.

We probably get a couple of fraudulent orders per month, which is quite low, but then we are only allowing sales to UK IP's/customers.

I'm fed up of these people "getting away with it", most of the time it seems to be for phishing sites. Is there any kind of central resource for reporting these? I can't imagine the local bobby would be very interested?

[larwilliams]

We use a variety of checks, notably MinFraud by Maxmind...

[WO-Jacob]

Quote:

Originally Posted by Mercurial

I'm interested to here what processes/procedures other companies have in place that help them deal with fraudulent orders. Particularly those based in the UK.

I'm sure we all have different methods for detecting, and lets face it some of these criminals are fairly obvious about it. I'm not so interested to hear about how you detect (as that might clue them up a bit) but what you do once you have discovered its a fraudulent order.

At the moment we just cancel the order and as our payments are on an pre-authorise basis no money is taken.

We probably get a couple of fraudulent orders per month, which is quite low, but then we are only allowing sales to UK IP's/customers.

I'm fed up of these people "getting away with it", most of the time it seems to be for phishing sites. Is there any kind of central resource for reporting these? I can't imagine the local bobby would be very interested?

If it's obvious fraud, we don't set up the order. If it's sneeky fraud, we close the account and refund the billing (if the billing being challenged wasn't what tipped us off.)

Anything further? Shrug and move on. Anything else isn't worth the time or energy. It'd be nice to hunt every one of them down and prosecute the sneeky ones for theft of services, but ... just not worth it. I'd rather spend my time on paying clients.

[Dan_EZPZ]

We used Maxmind but still had a few fraud orders make it through, we then added Telephone verification and havn't had a single fraud order go through since.

When we did get them, we just terminated the account, disabled the user and refunded the payment.

[TonyB]

Most fraudulent orders so obvious it's just a matter of refund then canceling the order. There have been some interesting ones where the information matches, ip matches, phone # ect. So obviously with a fraud score of 0 or very low the account goes up. 20 minutes later some IP china or something like that is uploading a phishing site. In these cases refund + termination of the account.

I am pretty surprised about these orders originating from the users PC and containing their email even. There is no way you're going to catch those unless every order goes through phone verification. It would not surprise me if phone verification becomes the norm eventually.

[JohnSH]

For Fraud, the best tools to use are a phone ordering verification system, something like fraud guardian, and have someone manually review your orders.

We get a lot of fraud trying to go through our system and 99.5% of those orders don't make it to activation.

[Mercurial]

It's fantastic that your all posting how you prevent, but really I was interested in hearing about what you do afterwards, i.e. the post process:

What do you do about it once you have binned the fraudulent order? Just leave it at that? Or submit the details to the authorities and take it further, etc.

The general consensus seems to be that nothing is done afterwards.

[Justin]

Quote:

Originally Posted by Mercurial

It's fantastic that your all posting how you prevent, but really I was interested in hearing about what you do afterwards, i.e. the post process:

What do you do about it once you have binned the fraudulent order? Just leave it at that? Or submit the details to the authorities and take it further, etc.

The general consensus seems to be that nothing is done afterwards.

As has been said it really isn't worth the while to persue it further. You have to remember alot of the frauds that come in wind up coming from other countries outside of any local jurisdiction. While I wish it was simple to prosecute and track down these fraudsters it's very unlikely in alot of cases.

9 times out of 10 they're employing any of the following to mask and hide themselves:
* Carded account information (ID theft)
* Proxied through some host in the nearby area to that of the address of they stole

The above are just some of the usual tactics I've seen thus far on fraudulent orders. Maxmind does catch and deny most of the obvious ones, once in awhile one gets by which voice verifying typically always catches.

If service was stolen to where it wound up costing alot of money we're talking thousands in damages/losses then it's worthwhile to get the authorities involved (if memory serves me the FBI and so forth don't usually bat an eyelash even at anything less than a few thousand dollars).

[InfiniteTech]

Just use call verification and MinFraud by MaxMind.

10 fraud orders per month - when NOT using MaxMind
1 fraud order per month - when using MaxMind

^^ these are real statistics. Not just comparative values.

[markhard]

in the case of one frauder slip the scanning and we actually process the order, then after several days you get complaint from your upstream. of course you'll suspend the account and refund the money, but do you inform the client that his/her account is suspended because of fraud activty?

[vetwebhosting]

1) Use some form of fraud watch software with your billing software, i.e. Maxmind.

2) Phone verification

3) Compare the IP of the user to the address they registered. If their address they give is New York and their IP says Venezuela, it is fraud.

4) If you suspect fraud, cancel the order and refund the money to avoid charge backs.

[WO-Jacob]

Quote:

Originally Posted by markhard

in the case of one frauder slip the scanning and we actually process the order, then after several days you get complaint from your upstream. of course you'll suspend the account and refund the money, but do you inform the client that his/her account is suspended because of fraud activty?

Depends.

I look at their website contents, the logs, and make a judgement call as to whether or not they were trying to use the account legitimately. If they were, sure. If not, no.

[abhai2k]

The best way IF you are using CC - maxmind/fraud gate - this checks the possibility of a fraudulent activity and also has an option of calling and verifying.
IMO its better to use maxmind to get a score. Then have an employee/call center to call up the ph no provided and verify manually. And before you ask yes this will turn out expensive.
Alternate use paypal or such services as they themselves have fraud checks. But also incorporate your own checks just in case.
Like they say - There is no fool proof security or fraud checks, If it has already been compromised somewhere, or it is too expensive to implement it.
Another problem with calling and verification is clients these days want everything to be done in seconds. They will not wait, they pay now they want the server/account up and running now.
Bottom line research your requirements, based on it implement the security.
Hope this helped

[Manageandsupport_com]

Quote:

Originally Posted by Mercurial

I'm interested to here what processes/procedures other companies have in place that help them deal with fraudulent orders. Particularly those based in the UK.

I'm sure we all have different methods for detecting, and lets face it some of these criminals are fairly obvious about it. I'm not so interested to hear about how you detect (as that might clue them up a bit) but what you do once you have discovered its a fraudulent order.

At the moment we just cancel the order and as our payments are on an pre-authorise basis no money is taken.

We probably get a couple of fraudulent orders per month, which is quite low, but then we are only allowing sales to UK IP's/customers.

I'm fed up of these people "getting away with it", most of the time it seems to be for phishing sites. Is there any kind of central resource for reporting these? I can't imagine the local bobby would be very interested?

Run an ip check to the country the order came from. You also might want to call the purchaser to confirm if the order was placed legitly.

[Mike - Limestone]

*Excellent* advice by everyone in this thread in terms of detecting fraud.

I would advise you to contact the customer and request verification documents. At some point, you may have to tell them that the order is too suspicious to accept, but word it carefully. You may be turning away a perfectly legitimate client, so be careful how you say it (and try to minimize such legitimate order turnaway instances!).

Besides turning the client away, there is typically not too much you can do in terms of warning others (both practically or legally; again, you're rarely sure that it's fraud, even if you highly suspect).

-mike