I have been working with merchants for several years helping them to prevent fraud. The number one question I’ve encountered has been (and continues to be): “What am I supposed to do when fraud occurs?”
I have talked to big and small, dot-com and brick-and-mortar merchants all over the country. My research shows that no one person has all the answers, but there are several common paths that merchants can follow to combat online fraud.
My first message to merchants is: When fraud occurs, do something about it. Don’t just write it off and consider it a cost of doing business. You must review the fraudulent order internally and determine your plan of action. Only by doing that do you stand a chance of preventing fraud.
Exploiting and opportunity
Once a fraudster figures out he can commit fraud on your web site, he will continue to commit fraud until you stop him. Additionally, he will educate all his friends on how to commit fraud against you. I’ve watched enough murder mysteries to know you are never supposed to go back to the scene of the crime. So when I first learned that a successful criminal hacks a site over and over, I wondered why. It seemed that repeat frauds would just increase the chance of getting caught.
But what actually happens in this situation? The fraudster learns you have limited resources to fight fraud. If one person commits fraud against you, you might be tempted to try to catch him. But when he and 100 Internet buddies commit fraud against you, you are spread so thin that you will not be able to keep up with the volume of fraud. When groups of fraudsters target a merchant, the options become grim. Large-scale fraud may even result in the merchant choosing to shut down the business.
What to do
Here are three of the most crucial steps you should take when fraud occurs:
1. Document the fraudulent order
It is imperative to document every fraudulent order. Documentation will allow you to build a criminal case, track fraud within your business, and find the root cause of how fraud is happening. The critical elements in documenting the fraudulent order are shipping address, shipping telephone number and IP address. For one other strong piece of evidence, collect a signature at the time of delivery.
2. Create a negative file
The most effective tool a merchant can create is a history of fraudsters, often called a negative file. It should contain credit card information, fraudsters’ names, shipping addresses and IP addresses. Compare each order against the negative file, and if there is a match or close match, mark the order for internal review. Never automatically reject an order based on your criteria, as you may inadvertently reject a valid consumer; these are known as “insult orders.” Additionally, do not share negative files with other merchants. Someone else’s negative file may contain valid consumers who had bad experiences and simply charged back the order.
3. Report the crime
“Who should I call and what steps should I take to report the fraud, and when should I report fraud?” This extremely tough and complicated question needs to be answered within your organization. Before you do anything, you must establish guidelines about fraud and how to handle fraud cases. Perhaps if the fraud is less than $1,000, you would simply document the case internally, add the information to your negative file and do business as usual. But if your fraud is greater than $1,000, you would invest two hours of research time in trying to build a case.
What to report
To build a case to report to the authorities, summarize all the information you can, make it easy to read and submit all details to the law enforcement agency. Make sure the most important details are right on top in an easy-to-read format. The two most crucial details in catching a criminal are IP address and shipping address.
How to report a crime. Go to a yellow pages search engine (I prefer Yahoo-yp.yahoo.com) and click on “change location.” Enter the ZIP code of where the fraud occurred - the shipping address ZIP code. Then, in the search box, type in “police.” Call the police and ask to speak with a detective. Explain your case and send the summary information. Keep in mind that detectives are measured by successful cases solved, so the more detail you can provide in an easy-to-read and understandable format, the more successful you will be. Now, here is where your common sense comes in. Do not expect to be able to call the New York City police department, speak with a detective and have them go after a case of fraud for $100 on a few DVDs. But you can expect smaller towns to be more aggressive against smaller crimes. The key to success is to provide enough detail so all the detective has to do is capture the criminal. You do as much of the research as you can.
What happens to your case when you report it? First the detective builds the case, then either captures the fraudster or decides to involve the Secret Service or other appropriate federal agencies. After the fraudster is caught, the case is presented to the district attorney. It is up to the law enforcement folks to “sell” the case and get the DA to actually bring the case to court.
Here are some other best practices that e-retailers would be well-advised to follow:
Have someone in-house become the expert on fraud. Do not have customer service representatives automatically contact customers about fraudulent or suspicious activities. It is best to have a single person or group handle these types of activities. The patterns, questions and responses will be typical, and gut instinct will help fight a lot of fraud.