6 steps to help prevent fraudulent payments.

Jul 21 2020 | PayPal editorial staff

You might think your ecommerce website is too small to be of much interest to online criminals. Sadly, you’d be dead wrong.
In 2018, small businesses in the U.S. reported losing an average of $28,313.33 to online fraud [1]. And the Federal Trade Commission reported that, from 2017 to 2018, credit card fraud increased by 24% and online shopping and payment account fraud increased by 18% [2].

An attack like that can be very damaging. At the very least, if you accept a fraudulent payment, you could be held financially responsible for the loss. But there are steps you can take to help minimize your risk, and we’ve outlined them below.

How fraudsters operate.
Before we talk about what you can do to minimize your risk, it’s helpful to understand common tactics fraudsters use. Generally, online fraudsters use two methods to steal money:
 
  • Account takeover: You probably provide customers with accounts that store personal information, financial information, and purchase history. Fraudsters often hack into these accounts through phishing schemes. In one of the most common, fraudsters send emails to trick customers into revealing usernames and passwords. The fraudsters then log in to your customers’ accounts, change the passwords, and make unauthorized purchases.
  • Identity theft: Although most businesses take many precautions to secure customer data, fraudsters still manage to hack into databases and steal usernames, passwords, credit card numbers, and personal information.

Hackers often sell credit card numbers to other fraudsters who open accounts with online retailers and use the stolen numbers to pay for purchases. This type of fraud is difficult to detect because many people don’t check their credit card statements thoroughly — and because victims typically have no idea someone opened an online account in their names.

Managing your risk.
Although the potential for fraud is high in online transactions, it doesn't mean you must accept it as part of doing business online. By putting the right tools and processes in place, you can help keep your business and your customers secure – and reduce your chances of drowning in chargeback fees and lost revenues. Below are six tips to help you get started. Once you've checked these off, make sure to review the 13 signs of unusual buyer activity.


1. Monitor transactions and reconcile your bank accounts daily.
Nobody knows your business as well as you do. You know your biggest spenders and their buying patterns. Monitor your accounts and transactions looking for any red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers — there are tools that trace customers’ IP addresses and alert you to those from countries known as a base for fraudsters.

Also, check to see if your customers are using free or anonymous email addresses (such as Gmail or Yahoo email addresses), as there’s a much higher incidence of fraud coming from free email service providers than from paid.

2. Consider setting limits.
Using your unique knowledge of your business, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. It can help keep your exposure to a minimum should fraud occur.

3. Use the address verification system (AVS).
AVS compares the numeric parts of the billing address stored within a credit card to the address on file at the credit card company. This is a fraud tool included in most payment processing solutions, but check with your payment processor to be sure it’s supported.

4. Require the card verification value (CVV).
You’re familiar with this three-digit or four-digit security code printed on credit cards. What you might not know is that PCI rules prevent you from storing the CVV along with the credit card number and card owner’s name. (That’s why it’s so effective – it’s virtually impossible for fraudsters to get it unless they’ve stolen the physical credit card.) Most processors include a tool to require CVV as part of their checkout templates. Use it.

5. Get tougher with password requirements.
Hackers employ sophisticated programs that can run through all the permutations of a password. It won’t take them long to crack a four-digit, alpha-numeric password (such as “abcd”). Best practices these days call for (at least) an eight-digit alpha-numeric password that requires at least one capitalization and one special character (for example, “P0r$che9!!”). Your customers might grumble, but it’s better safe than hacked.

6. Keep your platforms and software up to date.
Make sure you’re running the latest version of your operating system (OS), as OS providers continually update their software with security patches to protect you from newly discovered vulnerabilities, as well as the latest viruses and malware.

Likewise, install and regularly update business-grade anti-malware and anti-spyware software (free, limited-feature, and consumer-strength anti-virus software are not sufficient) to prevent attacks that exploit outdated software vulnerabilities.

Note: If your site is hosted on a managed solution, such as BigCommerce, automatic security patches help ensure that any vulnerabilities are quickly resolved.

Once you've taken these steps, learn the 13 signs of unusual buyer activity to be aware of.
Disclosure: The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

[1] 48% of Businesses Think They're Not Big Enough to be Targeted for Fraud, Small Business Trends, March 10, 2019.

[2] Consumer Sentinel Network Data Book 2018 – February 2019, Federal Trade Commission, 2019.

Frequently asked questions.

Fraud Protection provides the following filters:
 
  • Transaction Risk Score 
    • Based on PayPal's machine learning risk model, this filter detects risky transactions derived from historical fraud trends seen across all transactions processed by PayPal.
  • Street Address or Postal Code does not match
    • Postcode (5 or 9 digit) or street address did not match during the AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Street Address or Postal Code not verified
    • Could not verify the street address or postal code during AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Street Address or Postal Code not provided
    • Postal code or street address was not provided. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Postal Code does not match
    • Address matches but the postal code does not match during the AVS check. To use this filter, just turn it on and don't change the pre-set value/codes.
  • Issuing bank does not support AVS
    • AVS not supported by issuer. To use this filter, just turn it on and don't change the pre-set value/codes.
  • AVS system error
    • Transaction ineligible for address verification or edit error found in the message that prevents AVS from being performed. To use this filter, just turn it on and don't change the pre-set value/codes.
  • CVV or CSV does not match
    • The CVV provided does not match the information on file with the cardholder's bank. To use this filter, just turn it on and don't change the pre-set value/codes.
The filters below reject transactions with values higher than the value set on the filter. The default value is only directional; please use the test feature to assess the impact:
 
  • Number of transactions across PayPal from the buyer's phone number in the last 1 day
  • Number of issuer declines across PayPal for the buyer's phone number in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's phone number in the last 90 days
  • Number of transactions across PayPal from the buyer's email ID in the last 1 day
  • Number of issuer declines across PayPal for the buyer's email ID in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's email ID in the last 90 days
  • Number of transactions across PayPal from the buyer's email domain in the last 1 day
  • Number of issuer declines across PayPal for the buyer's email domain in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's email domain in the last 90 days
  • Number of transactions across PayPal from the buyer's IP in the last 1 day
  • Number of issuer declines across PayPal for the buyer's IP in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's IP in the last 90 days
  • Number of transactions across PayPal from the buyer's card in the last 1 day
  • Number of issuer declines across PayPal for the buyer's card in the last 7 days
  • Number of fraud chargebacks across PayPal from the buyer's card in the last 90 days
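
The count-over-a-window filters listed above, and the per-account daily limits from step 2, can be approximated over a merchant's own event log. This is an added example, not PayPal's code: the event fields, thresholds and sample data are assumptions, and it sees only your own store's history rather than activity across PayPal.

```python
from collections import Counter
from datetime import datetime, timedelta

# Look-back window per event kind, taken from the filter list above.
WINDOWS = {"transaction": timedelta(days=1),
           "issuer_decline": timedelta(days=7),
           "fraud_chargeback": timedelta(days=90)}

def attributes_of(event):
    """Buyer attributes of an event; the email domain is derived from the email."""
    attrs = {k: event[k] for k in ("phone", "email", "ip", "card") if event.get(k)}
    if "email" in attrs:
        attrs["email"] = attrs["email"].strip().lower()
        attrs["email_domain"] = attrs["email"].rpartition("@")[2]
    return attrs

def tripped_filters(history, candidate, now, thresholds):
    """Return (kind, attribute) filters whose count is higher than the set value."""
    wanted, counts = attributes_of(candidate), Counter()
    for event in history:
        window = WINDOWS.get(event["kind"])
        if window is None or not (now - window < event["time"] <= now):
            continue  # unknown kind, or outside that kind's window
        for name, value in attributes_of(event).items():
            if wanted.get(name) == value:
                counts[(event["kind"], name)] += 1
    return sorted(key for key, limit in thresholds.items() if counts[key] > limit)

def daily_limit_exceeded(history, candidate, now, max_orders, max_total_cents):
    """Step 2: per-account daily cap on order count and value, candidate included."""
    day = [e for e in history if e["kind"] == "transaction"
           and e.get("account") == candidate["account"]
           and now - WINDOWS["transaction"] < e["time"] <= now]
    total = sum(e["amount_cents"] for e in day) + candidate["amount_cents"]
    return len(day) + 1 > max_orders or total > max_total_cents

# Constructed sample data (not real traffic); cards are tokens, never card numbers.
NOW = datetime(2020, 7, 21, 12, 0)
def ev(kind, hours_ago, **attrs):
    return {"kind": kind, "time": NOW - timedelta(hours=hours_ago), **attrs}
BUYER = dict(account="a1", email="buyer@example.com", ip="203.0.113.7")
HISTORY = [ev("transaction", 2, amount_cents=4000, **BUYER),
           ev("transaction", 5, amount_cents=6000, **BUYER),
           ev("transaction", 30, amount_cents=9000, **BUYER),   # older than 1 day
           ev("issuer_decline", 100, email="other@example.com", ip="203.0.113.7"),
           ev("fraud_chargeback", 24 * 60, card="tok_sample_1")]
CANDIDATE = ev("transaction", 0, amount_cents=5000, card="tok_sample_1", **BUYER)
THRESHOLDS = {("transaction", "email"): 1, ("transaction", "email_domain"): 5,
              ("issuer_decline", "ip"): 0, ("fraud_chargeback", "card"): 0}
```

Call `tripped_filters(HISTORY, CANDIDATE, NOW, THRESHOLDS)` before authorising a payment, and replay past orders through it to see how a threshold would have behaved before enforcing it.
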
Here's more information about Fraud Protection:
What is Fraud Protection?

To ensure a safer transaction environment, we review all accounts and activities in our system regularly. On rare occasions, we may suspend some sellers’ eligibility for PayPal Seller Protection if there’s a higher than usual risk associated with their accounts, which may be attributed to their volume of buyer complaints, payment reversals and fraud rates.

Every 90 days, we’ll re-evaluate the accounts under suspension to determine if they can become eligible for protection again. Here are some tips that may help you restore your eligibility as early as possible:

Providing excellent customer service

  - Offer a refund and post your return policy where customers can see it.

  - Use a reputable shipping service.

  - Set up a customer service message within your PayPal account.

  - Be professional, helpful and courteous if a customer contacts you. Post customer service contact information, including working hours and response time.

Reducing the risk of fraud

  - Provide detailed and accurate descriptions of items for sale and include pictures from multiple angles.

  - Verify the customer’s order information before shipping, such as the address and phone number. If an order looks suspicious, contact the customer to verify information. Also, delay shipping any high-risk orders and avoid shipping them overnight unless you are confident the order is legitimate.

  - Use tools to detect fraud, such as IP geolocation, device identification, fraud filters, etc.

  - Keep your Credit Card Statement Name updated to make sure that your customers can recognise your transaction easily on their card statement.

  - Review orders for anything unusual, such as:

  • Shipping to a high risk country
  • Orders that are larger than normal
  • Requests for change of shipping address after the order has been paid for
  • Abnormally large numbers of international orders within a short period of time
  • Several orders from different customers shipping to the same address
  • Overpayments with additional requests
  • Rush or overnight shipping
  • Orders from a suspicious email address
  • Orders from a suspicious postal address (e.g. P.O. boxes, vacant buildings)
  • Multiple separate orders from the same PayPal account
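
Several of the signs in the list above, together with the billing/shipping mismatch from step 1, can be checked over a batch of orders. This is an added example, not PayPal's code: the order fields, the 3x-median definition of "larger than normal" and the sample orders are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

def normalize_address(addr):
    """Collapse case, punctuation and spacing so trivially varied addresses match.
    It does not expand abbreviations ("St" vs "Street"); a postal API would."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())

def review_orders(orders, size_factor=3.0):
    """Return {order_id: [reasons]} for orders showing signs from the list above."""
    flags = defaultdict(list)
    customers_at = defaultdict(set)          # normalized ship-to -> customer ids
    for o in orders:
        customers_at[normalize_address(o["ship_to"])].add(o["customer"])
    typical = median(o["total_cents"] for o in orders)
    for o in orders:
        ship = normalize_address(o["ship_to"])
        if len(customers_at[ship]) > 1:
            flags[o["id"]].append("different customers shipping to the same address")
        if ship != normalize_address(o["bill_to"]):
            flags[o["id"]].append("billing and shipping address differ")
        if o.get("ship_to_changed_after_payment"):
            flags[o["id"]].append("shipping address changed after payment")
        if o["total_cents"] > size_factor * typical:
            flags[o["id"]].append("order larger than normal")
        if o.get("shipping") == "overnight":
            flags[o["id"]].append("rush or overnight shipping")
    return dict(flags)

# Constructed sample orders (not real customer data).
ORDERS = [
    {"id": 1, "customer": "c1", "ship_to": "12 Elm St., Apt 4",
     "bill_to": "12 Elm St Apt 4", "total_cents": 2500, "shipping": "standard"},
    {"id": 2, "customer": "c2", "ship_to": "12 ELM ST APT 4",
     "bill_to": "9 Oak Ave", "total_cents": 3000, "shipping": "overnight"},
    {"id": 3, "customer": "c3", "ship_to": "77 Pine Rd",
     "bill_to": "77 Pine Rd", "total_cents": 2000, "shipping": "standard"},
    {"id": 4, "customer": "c4", "ship_to": "5 Lake Dr", "bill_to": "5 Lake Dr",
     "total_cents": 40000, "shipping": "standard",
     "ship_to_changed_after_payment": True},
]
```

Flagged orders are candidates for manual review and a delay in shipping, not automatic rejection; a single sign such as a differing shipping address is common on legitimate gift orders.
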

Please visit our Security page to learn more about PayPal Seller Protection and tips for selling safely in India.

If a buyer opens a dispute or claim regarding an item they didn’t receive, you may be required to provide the proof that you’ve already sent the item to the buyer. One way to show that proof is to use a carrier with online tracking. The recipient's name and address in the online tracking information must match those displayed in your Transaction Details page. For transactions involving items worth $750 USD (or its equivalent in other currencies) or more, please also keep an online receipt with the recipient’s signature as proof of delivery.

It's important to meet the postage requirement for you to be eligible for Seller Protection. If the buyer demands that you deliver to an address different from the one in the Transaction Details page, we suggest that you contact the buyer to arrange a refund and make a new payment with the correct delivery address. You can view the detailed postage requirements related to Seller Protection in our User Agreement.

Learn more about how to handle a PayPal dispute or claim.

It's extremely important to report any suspected instances of fraud. Not only will this protect you, it will also help make the web a safer place to do business.

Here are some types of fraudulent activity. Please follow the steps we've included further below to report them:

  • Unauthorised activity on your PayPal account.
  • Fake PayPal emails or spoof websites.
  • Items you didn't receive or a potential fraudulent seller.


Unauthorised activity on your PayPal account

An unauthorised payment could be any payment made from a credit or debit card without the owner’s permission.

If our system detects that a payment is abnormal, we’ll place a hold on it to determine if it’s authorised. The funds can't be withdrawn during our review. If the payment is determined to be unauthorised, the funds will be returned to the sender's account. Sellers who meet the eligibility guidelines under PayPal Seller Protection are also protected.

If you notice unauthorised account activity, report it to us immediately by following the steps below.

To report unauthorised activity:

  1. Go to Resolution Centre.
  2. Click Report a Problem.
  3. Select the transaction you want to dispute and click Continue.
  4. Select "unauthorised transaction" then click Continue.
  5. Follow the instructions on the page.


Fake PayPal emails or spoof websites

If you received what looks like a fake PayPal email, or you've come across a spoof PayPal website, please report it to us by forwarding the original email or URL to spoof@paypal.com.


Items not received or a potential fraudulent seller

If you sent a payment but haven't received what you paid for, or believe the seller to be fraudulent, you can file a dispute in the Resolution Centre and start communicating the issue with your seller. 
 

To file a dispute in the Resolution Centre:

  1. Go to Resolution Centre.
  2. Click Report a Problem.
  3. Select the transaction you want to dispute and click Continue.
  4. Select "Item dispute" then click Continue.
  5. Follow the instructions on the page.

If you can't reach an agreement with the seller, you can escalate the dispute to a claim any time within 20 days of the date the dispute was opened. We’ll step in to investigate the case and decide the outcome based on evidence supplied by you and the seller.

For more information about how to avoid fraud, and how we protect you with our Buyer and Seller Protection in India, please visit the Security page.

The contents of this site are provided for informational purposes only. The information in this article does not constitute legal, financial, IT, business or investment advice of any kind and is not a substitute for any professional advice. You should always obtain independent, professional accounting, financial, IT and legal advice before making any business decision.