14. Securing Your Transactions

If you’re in business, then sadly you know a thing or two about fraud. Criminal activity, whether shoplifting or counterfeit money, has been a problem since the very first store opened. The problem hasn’t gone away with the advent of online commerce. In fact, many would argue that the problem has worsened due to the increased anonymity inherent with the Internet.

Whatever your organization’s goals, profit or non-profit, it’s critical to protect yourself as much as possible from criminal and fraudulent activity. It’s even more important while working with social media. Luckily, PayPal offers a variety of anti-fraud programs and services that help to minimize the effects of online criminals.

Understanding Fraud

It’s a common misconception that a lot of online fraud out there is simply a “victimless” crime. Sure, a consumer may get stuck with a huge credit card bill of bad transactions, but they usually get fixed and the consumer isn’t usually liable, depending on the card used and the bank’s liability clause, people will argue.

But there are consequences, which can ripple back to the merchants either indirectly through credit card banks raising fees or higher insurance premiums, or directly through penalties and fees—sometimes as much as $30 per fraudulent transaction.

There is no such thing as a victimless crime. One way or the other, when something is stolen, somebody pays.

The Scope of Online Fraud

According to the Internet Crime Complaint Center (IC3), a joint FBI/Department of Justice Internet watchdog organization, 2010 had the second highest number of complaints since the IC3’s inception in 2001, although that’s fallen from the all-time high in 2009. So while people are getting wiser about online fraud, it’s also clear that the scammers are still clever, too.

The IC3’s 2010 annual report (www.ic3.gov/media/annualreport/2010_IC3Report.pdf) lays it all out: non-delivery of payment or merchandise was the number one type of Internet crime in 2010 (as evidenced by the fact that it comprised 21.5 percent of all complaints). Identity theft came in at number two with 16.6 percent, auction fraud was third at 10.1 percent, and credit card fraud was fourth at 9.3 percent.

Crime has indeed changed: once, online auction fraud was the top complaint at the IC3. But now, with social media providing so many avenues for scammers to contact people, criminals can be very creative in how they find new ways to part you or others from your money or goods.

Types of Online Fraud

So just how creative are these criminal types? Very much so, sadly. Here are a just a few of the possible situations that an online merchant might encounter:

• No item received. A scammer purchases an item from you, the merchant. You ship it to the customer. The customer then claims that he never received the item and asks for a refund. If you refund the money, you’re docked the cost of the item plus the item itself—and the scammer has a brand-new item obtained at no cost. If you send the customer a replacement item, he has two no-cost items, which he can sell or use at his convenience.

• Item is not as described. This is a similar scam to the “no item received” scam. The perpetrator purchases an item from you. You ship the item, and then the customer claims that the item isn’t what was described. It’s used instead of new, the wrong size, doesn’t have the features promised, or is otherwise not what he ordered. To satisfy the customer, you issue a full or partial refund, which docks you the cost of the original item plus the cost of the refund. The scammer, of course, has a nice new product at no cost or at a reduced price.

• Item was damaged in shipment. This is a variation of the “not as described” scam. You ship to the scammer the item purchased, and then the customer claims that the item was damaged in transit. Rather than dealing with the shipping service, you issue a full or partial refund. (Or maybe you issue a refund in advance, anticipating settlement from the shipping service.) The scammer gets an undamaged item at a substantial discount.

• Check or money order fraud. Also known as an overpayment scam, the fraud works something like this: a merchant sells an item, and the buyer pays for the item with a cashier’s check or money order. But there’s a problem; the buyer tells the merchant that he’s mistakenly sent too large a check. Could the merchant send the excess amount back with the item? Because it’s a cashier’s check or money order, banks will normally release the funds in just a day or so, giving the merchant the impression that the funds have cleared. In reality, the check or money order is fake, but it can take up to weeks for your bank to learn this, and you’ve already sent the “extra” funds back to the buyer days before, along with the merchandise he bought. Since PayPal doesn’t process checks or money orders, their services don’t apply in this case, but it’s a good idea for you to remain alert about such fraud.

• The buyer pays with a stolen credit card or a hijacked bank account. The previous scams are all pretty much single events, because they’re only going to work with you once. A much more damaging form of fraud comes from actual identity theft, where a criminal steals a customer’s credit card or debit card, or somehow hijacks the customer’s bank account. The criminal then uses the stolen data or information to make one or more purchases, typically large ones, from you (and other merchants). It looks like a standard transaction from your end, and you ship the merchandise—typically to a realistic address, where someone acts as a freight forwarder, receiving illegally obtained merchandise and then shipping it to locales where the criminals can then use or dispose of the merchandise as they see fit. When the original consumer—the one whose identity was stolen—notices the fraudulent account activity and makes a formal complaint, the consumer’s credit card company or bank initiates a chargeback against you, the merchant, to recover the consumer’s funds. This activity typically results in you being docked the cost of the fraudulently obtained merchandise and having the sales price for said items deducted from your merchant credit account.

• Corporate identity theft. Identity theft isn’t just for individuals. Many businesses find that criminals somehow obtain usernames, passwords, and other information that lets them either hack into others’ accounts or systems or make purchases while pretending to be someone authorized by your business. In the best-case scenario (and it’s not so good), the thieves order various items and you pay for them. In the worst-case scenario, the criminals hack into your internal systems and wreak havoc, up to and including stealing your customers’ personal data and shutting down your systems and servers.

Identity Theft 101

As you can see, the most damaging forms of online fraud involve some form of ID theft—either of your ID or your customers’ IDs. How, exactly, do criminals obtain this information?

Identity theft is not exclusively an online activity. You can be as careful online as you want, only to learn that someone pulled your credit card statements from the trash bins behind your shop.

In fact, getting IDs is often a rather mundane activity, as thieves may attempt the following:

• Stealing a person’s wallet or purse.

• Stealing a company’s or individual’s mail, in particular bank and credit card statements. Or stealing those pre-approved credit card offers that arrive in the post, unsolicited.

• Completing a change of address form with the U.S. Postal Service to divert a person’s mail to another location.

• Rummaging through a business’s or an individual’s trash for key financial records.

• Stealing an individual’s or a company’s credit report by posing as a landlord or employer.

• Conning a company’s human resources department into providing a person’s personnel records.

• Buying personal or company information from inside sources, typically store or company employees.

Of course, there’s going to be some online theft, so don’t let your guard down. Online criminals can also do the following:

• Use malware on your computers, such as “packet sniffer” software, to obtain passwords and numbers while you are online.

• Purchase or otherwise obtain illegally gathered information from an underground website or Internet Relay Chat (IRC) channel, usually run by large criminal syndicates.

• Use social engineering and phishing techniques to con people into providing confidential information via phone, email, instant messaging, and, yes, social networking sites. Many people can publish information on social media sites, such as their full birth date, that can help fraudsters.

In short, there are a lot of different ways that identity-based information can be stolen. And once stolen, that information can be used to commit fraud against your business.

Reducing Online Fraud

Most merchants can’t afford the financial losses caused by fraudulent transactions. And, honestly, even if you could, why would you want to? You need to take aggressive steps to minimize fraud. Here are some ways you can help your business:

• Ship only to confirmed addresses. Criminals who hijack consumers’ accounts typically ship the illicit merchandise to some other address—not to the original consumer. To make the address look legit, they will use freight forwarders—sometimes duped staffers who will forward those goods on to addresses with less savory track records. Even so, be on the lookout for address inconsistencies, especially orders that have you sending the merchandise to an address other than the one that originally was recorded for a customer. Especially suspicious are orders that have a billing address in one country and a shipping address in another.

• Track all packages. This is a great way to help protect against scammers who claim not to have received a package. Get shipping or delivery confirmation, and you have a good defense against this type of scam.

• Insure all packages. Help protect yourself against claims of shipping damage by purchasing insurance for all the items you ship. This way you’re protected if an item actually does get damaged in shipment—or if a recipient claims that the package arrived damaged.

• Beware of unusual customer requests. Beware of any suspicious requests on an order, such as customers willing to pay any price for rush delivery, split payments made from different PayPal accounts or credit cards, payments sent piecemeal from the same PayPal account, orders that are not paid for in a single, full payment, or payments that are too big and the buyer asks you to send something back. You should also be suspicious of orders—especially from new customers—that are substantially larger than your typical order, or are for multiple items of the same style, color, or size. All of these are red flags that something foul may be afoot.

• Know your buyers. You also need to know to whom you’re selling. Make sure that new customers have a verified PayPal account and a confirmed address before you ship.

What do you do if you receive a suspicious order online? A good first step is to call the customer to confirm. You can also take advantage of PayPal’s various anti-fraud services, which we’ll discuss next.

Using PayPal’s Anti-Fraud Services

PayPal offers a variety of services and technologies designed to identify and help prevent fraudulent transactions, including a team of more than 2,000 specialists working 24/7 on your behalf, as well as highly effective anti-fraud risk models and detection techniques that help stop fraud in its tracks.

Fighting Fraud Online with PayPal

What measures does PayPal take to help reduce fraud? There are many, including the following:

• Address confirmation to protect against packages being shipped to places other than the legitimate customer’s residence or place of business.

• Strong data encryption, to keep hackers from stealing transmitted data—and to keep merchant transactions and financial information private.

• Integrated shipping and package tracking capabilities, so you know that your packages get where they’re supposed to go.

• Transaction screening to alert merchants of suspicious account activity, using sophisticated fraud models to identify potentially fraudulent transactions before they’re completed.

• Industry-standard Address Verification Service (AVS) and Credit Card Verification Value (CVV2) checks as additional layers of protection against identity theft.

• Dispute-resolution assistance for all sellers, through the PayPal Resolution Center. The Resolution Center offers fair and speedy resolution for any dispute that should occur between buyers and sellers. This helps to ward off unwarranted refunds and chargebacks—often before they reach the need for a chargeback.

• A full-time chargeback-fighting team, focused on denying fraudulent chargebacks from unscrupulous buyers.

PayPal’s Anti-Fraud Team

In addition to various anti-fraud tools and technologies, PayPal offers highly trained security teams that help keep your sensitive data private and your transactions more secure. These professionals work behind the scenes, monitoring activity and possible fraud indicators to ensure a safer transaction network.

PayPal’s fraud experts also work closely with the FBI and other law enforcement agencies to identify and combat fraud wherever it occurs. PayPal’s team is charged with making every PayPal transaction as secure and as seamless as possible—for all parties.

Should PayPal’s fraud experts identify suspicious activity regarding one of your transactions, the transaction is placed on hold for 24 hours while the risk team determines its validity. PayPal will also alert you by email or have a representative call you, so you can then take whatever action is appropriate.

Using Fraud Management Filters

If you use one of PayPal’s payment processing products, you’re protected by multiple Fraud Management filters. These filters are tools to identify payment characteristics that may indicate fraudulent activity.

If a transaction is flagged by one of these filters, you then have the option of denying incoming payments that are likely to result in fraudulent transactions, or of accepting payments that are not typically a problem. If you are using the Website Payments Pro feature, you can even decide to further investigate flagged transactions, by comparing prior orders, for example, or by contacting the customer for more information.

This is good, because time is the one thing that scammers don’t have on their side. The slower and more patient you are with an odd transaction, the more likely that someone who is up to some fraudulent behavior will get caught.

Benefiting from Fraud Management Filters

PayPal provides free filters for all business accounts. These basic filters screen against the country of origin, the value of transactions, and other key indicators that will protect you from really obvious fraudulent activity.

When you subscribe to Website Payments Pro, you will have access to more advanced filters (available at an additional charge). These filters screen against credit card and address information, lists of high-risk indicators, and additional fraudulent transaction characteristics, such as nations known to have increased criminal activity.

How Fraud Management Filters Work

Figure 14.1 shows how Fraud Management filters typically work. In essence, there are three steps involved:

1. You, the merchant, configure your specific Fraud Management filters to either flag or hold for review suspicious transactions, or to deny riskier payments outright.

2. Based on the settings you specify, your filters will review all incoming payments.

3. Your filters automatically flag, hold for review, or deny payments, as specified.

Figure 14.1 The three steps involved with a Fraud Management filter.

As an example, consider the Country Monitor filter. Let’s say you specify that no orders should come from countries known to have a high rate of fraudulent activity; any orders coming from such a nation are flagged for review. When a criminal using a stolen ID tries to ship an order to one of those countries, the order is flagged, and the merchant will get an email notifying him of the problem. The merchant can take the step of calling the customer to confirm where the item should be shipped. When the legitimate individual answers the phone, the merchant and the customer will discover the attempted criminal activity.

You can then deny the fraudulent transaction, and the victim of identity theft takes action to stop further purchases on the stolen credit card.

Usually, most payments are accepted by the filters because they don’t show the characteristics you designated and thus do not indicate fraud. Those payments that are potentially fraudulent, however, are stopped and dealt with in the method you specify.

Evaluating Fraud Management Filters

What Fraud Management filters are offered? It depends on which PayPal product you use.

All PayPal business users have access to the following three basic filters at no additional cost:

• Country Monitor filter. Identifies transactions based on the country of origin.

• Maximum Transaction Amount filter. Identifies transactions that exceed a value specified by the merchant.

• Unconfirmed Address filter. Screens for payments above a specified amount when the shipping address entered by the customer has not yet been confirmed by PayPal.

Website Payments Pro subscribers have access to the following advanced filters, at an additional cost per month:

• Address Verification Partial Match filter. Screens for transactions where the billing address entered by the customer doesn’t completely match the information maintained by the card issuer.

• Address Verification Service No Match filter. Screens for transactions where the billing address entered by the customer doesn’t match the information provided by the card issuer.

• Address Verification Service Unavailable or Not Supported filter. Filters for instances where the Address Verification Service (AVS) is unable to verify the billing address.

• Bank Identification Number filter. Scans for payments from credit cards with Bank Identification Numbers (BINs) that have historically been associated with a high rate of fraudulent transactions. BINs, which identify the bank issuing the card, are checked against a “Risk List” maintained by PayPal.

• Billing/Shipping Address Mismatch filter. Looks for payments with different billing and shipping addresses.

• Card Security Code Mismatch filter. Identifies transactions with differences in the credit card security code.

• Email Address Domain filter. Screens for email addresses with historically high rates of fraud, using a “Risk List” of email domains maintained by PayPal.

• IP Address Range filter. Targets payments from Internet Protocol (IP) addresses that have historically high instances of fraud, using a “Risk List” maintained by PayPal.

• IP Address Velocity filter. Screens for multiple payments made in a short amount of time from the same IP address.

• Large Order Number filter. Locates transactions based on the number of items purchased, seeking larger-than-normal quantities.

• PayPal Fraud Model filter. Screens for payments that would have been declined by PayPal’s fraud model.

• Suspected Freight Forwarder filter. Searches for payments where the shipping address is a known freight forwarder, using a “Risk List” of U.S. shipping addresses maintained by PayPal.

• Total Purchase Price Minimum filter. Identifies transactions that are less than a specified amount.

• Zip Code filter. Sorts for billing addresses that have historically high rates of fraud using a “Risk List” of U.S. shipping addresses maintained by PayPal.

Understanding Filter Settings

You can configure each individual Fraud Management filter to one of four action settings: automatically accept or deny a transaction, or review or flag a transaction. Table 14.1 details each of these settings.

Table 14.1 Fraud Management Filter Settings

Activating Fraud Management Filters

To use the filters listed in the previous section, you need to set them up. If you have a basic business account, there will only be three filters to configure.

To set up filters in a basic account, follow these steps:

1. In the Profile section of the My Account page, click the My Selling Tools link in the left sidebar. The Selling Tools options will appear.

2. In the Getting Paid and Managing My Risk section, click the Update link next to the Block Payments option. The Payment Receiving Preferences page will appear, as seen in Figure 14.2.

Figure 14.2 Activating Fraud Management filters in a basic account.

3. Select Yes for the payment receipt options that you want to activate.

4. Click Save. Your payment filter options will be configured.

Since a more advanced business account will have more Fraud Management filters, you will need to follow these steps:

1. In the Profile section of the My Account page, click the My Selling Tools link in the left sidebar. The selling tools options will appear.

2. In the Getting Paid and Managing My Risk section, click the Update link next to the Managing Risk and Fraud option. The Edit My Filter Settings page will appear, similar to the one shown in Figure 14.3.

Figure 14.3 Activating Fraud Management filters in a Website Payments Pro account.

3. Check the filters you want to use. (The first time you do this, you will be asked to agree to the Terms of Service for Fraud Management filters.)

4. For each filter chosen, click the drop-down options list and select an action for that filter.

5. When a filter should be triggered by an associated value, enter that amount into the Value field.

6. Click Save. Your payment filter options will be configured.

Reporting Fraud

So...do you think someone just tried to pull a fast one on you? It’s important for businesses to report any suspected instances of fraud to PayPal, no matter how small. Not only does this protect you, but it also helps to protect other PayPal customers who might fall victim to possible fraud.

Reporting Unauthorized Activity on Your PayPal Account

If you notice unauthorized account activity, this could mean that someone has hacked into your PayPal account. You should report this immediately to the Resolution Center.

1. From the My Account tab, click the Resolution Center link. The Resolution Center page will open.

2. Click the Dispute a Transaction button. The Report a Problem page will open.

3. Select the Unauthorized Transaction option and click the Continue button. Follow the onscreen instructions to report the issue.

Reporting Unauthorized Activity on Your PayPal Debit Card

If you have a PayPal debit card and notice unauthorized transactions, you should immediately call the number listed on the back of the card. Alternatively, you can email PayPal at the address listed on the back of the card. In either case, be prepared to provide details about the transactions in question.

The Last Word

Social media can bring a lot of opportunities to your business, but it can also invite people in who are trying to separate you from your hard-earned gains. But if you stay alert, use the tools you have available, and above all else, take your time if the alarm bells are going off in your head, you should be able to minimize your chances of being on the wrong end of a fraud scheme.

In Chapter 15, “Using PayPal Tools for Non-Profits,” we’ll look at the various tools your organization can use to fundraise and keep revenue flowing.