6 steps to help prevent fraudulent payments.

Jun 09 2020 | PayPal editorial staff

You might think your ecommerce website is too small to be of much interest to online criminals. Sadly, you’d be dead wrong.
In 2018, small businesses in the U.S. reported losing an average of $28,313.33 to online fraud.[1] And the Federal Trade Commission reported that, from 2017 to 2018, credit card fraud increased by 24% and online shopping and payment account fraud increased by 18%.[2]

An attack like that can be very damaging. At the very least, if you accept a fraudulent payment, you could be held financially responsible for the loss. But there are steps you can take to help minimize your risk, and we’ve outlined them below.

How fraudsters operate.

Before we talk about what you can do to minimize your risk, it’s helpful to understand common tactics fraudsters use. Online fraudsters usually use two methods to steal money:
  • Account takeover: You probably provide customers with accounts that store personal information, financial information, and purchase history. Fraudsters often hack into these accounts through phishing schemes. In one of the most common, fraudsters send emails to trick customers into revealing usernames and passwords. The fraudsters then log in to your customers’ accounts, change the passwords, and make unauthorized purchases.
  • Identity theft: Although most businesses take many precautions to secure customer data, fraudsters still manage to hack into databases and steal usernames, passwords, credit card numbers, and personal information.
Hackers often sell credit card numbers to other fraudsters who open accounts with online retailers and use the stolen numbers to pay for purchases. This type of fraud is difficult to detect because many people don’t check their credit card statements thoroughly — and because victims typically have no idea someone opened an online account in their names.

Managing your risk.
Although the potential for fraud is high in online transactions, it doesn’t mean you must accept it as part of doing business online. By putting the right tools and processes in place, you can help keep your business and your customers secure – and reduce your chances of drowning in chargeback fees and lost revenues. Below are six tips to help you get started. Once you’ve checked these off, make sure to review the 13 signs of unusual buyer activity.

1. Monitor transactions and reconcile your bank accounts daily.
Nobody knows your business as well as you do. You know your biggest spenders and their buying patterns. Monitor your accounts and transactions looking for any red flags, such as inconsistent billing and shipping information, as well as the physical location of your customers — there are tools that trace customers’ IP addresses and alert you to those from countries known as a base for fraudsters.


Also, check to see if your customers are using free or anonymous email addresses (such as Gmail or Yahoo email addresses), as there’s a much higher incidence of fraud coming from free email service providers than from paid.

2. Consider setting limits.
Using your unique knowledge of your business, set limits for the number of purchases and total dollar value you’ll accept from one account in a single day. It can help keep your exposure to a minimum should fraud occur.
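
Steps 1 and 2 combined into a small rule-based screen, as an added example (not PayPal's code and not part of the original article). The limit values, the `XX` country placeholder and every field name are assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Assumed policy values for illustration; set them from your own sales history.
MAX_ORDERS_PER_DAY = 3
MAX_AMOUNT_PER_DAY = Decimal("500.00")
FREE_EMAIL_DOMAINS = {"gmail.com", "yahoo.com"}  # providers named in step 1
WATCHED_IP_COUNTRIES = {"XX"}                    # placeholder country code


@dataclass(frozen=True)
class Order:
    account_id: str
    email: str
    amount: Decimal
    day: date
    billing_postcode: str
    shipping_postcode: str
    ip_country: str


def _norm(postcode):
    """Ignore spacing and case so '94105' and ' 94105' compare equal."""
    return postcode.replace(" ", "").upper()


class DailyScreen:
    """Per-account daily limits (step 2) plus the red flags from step 1."""

    def __init__(self):
        self._count = defaultdict(int)      # (account, day) -> accepted orders
        self._total = defaultdict(Decimal)  # (account, day) -> accepted dollars

    def review(self, order):
        key = (order.account_id, order.day)
        flags = []
        if self._count[key] + 1 > MAX_ORDERS_PER_DAY:
            flags.append("daily_order_limit")
        if self._total[key] + order.amount > MAX_AMOUNT_PER_DAY:
            flags.append("daily_amount_limit")
        over_limit = bool(flags)
        if _norm(order.billing_postcode) != _norm(order.shipping_postcode):
            flags.append("billing_shipping_mismatch")
        if order.email.rsplit("@", 1)[-1].lower() in FREE_EMAIL_DOMAINS:
            flags.append("free_email")
        if order.ip_country.upper() in WATCHED_IP_COUNTRIES:
            flags.append("watched_ip_country")
        if over_limit:
            return "reject", flags  # rejected orders do not consume the limit
        self._count[key] += 1
        self._total[key] += order.amount
        return ("review" if flags else "accept"), flags


def run_sample():
    """Screen five constructed orders and return (decision, flags) for each."""
    d1, d2 = date(2020, 6, 9), date(2020, 6, 10)
    orders = [
        Order("A", "alice@example.com", Decimal("120.00"), d1, "94105", "94105", "US"),
        Order("A", "alice@example.com", Decimal("300.00"), d1, "94105", "94105", "US"),
        Order("A", "alice@example.com", Decimal("100.00"), d1, "94105", "94105", "US"),
        Order("B", "bob@gmail.com", Decimal("40.00"), d1, "10001", "73301", "XX"),
        Order("A", "alice@example.com", Decimal("100.00"), d2, "94105", "94105", "US"),
    ]
    screen = DailyScreen()
    return [screen.review(o) for o in orders]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

An order that only raises step 1 flags is routed to manual review rather than rejected, since the article treats those signals as red flags to look into, not proof of fraud.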

3. Use the address verification system (AVS).
AVS compares the numeric parts of the billing address stored within a credit card to the address on file at the credit card company. This is a fraud tool included in most payment processing solutions, but check with your payment processor to be sure it’s supported.

4. Require the card verification value (CVV).
You’re familiar with this three-digit or four-digit security code printed on credit cards. What you might not know is that PCI rules prevent you from storing the CVV along with the credit card number and card owner’s name. (That’s why it’s so effective – it’s virtually impossible for fraudsters to get it unless they’ve stolen the physical credit card.) Most processors include a tool to require CVV as part of their checkout templates. Use it.


5. Get tougher with password requirements.
Hackers employ sophisticated programs that can run through all the permutations of a password. It won’t take them long to crack a four-character, alphanumeric password (such as “abcd”). Best practices these days call for (at least) an eight-character alphanumeric password that requires at least one capital letter and one special character (for example, “P0r$che9!!”). Your customers might grumble, but it’s better safe than hacked.

6. Keep your platforms and software up to date.
Make sure you’re running the latest version of your operating system (OS), as OS providers continually update their software with security patches to protect you from newly discovered vulnerabilities, as well as the latest viruses and malware.

Likewise, install and regularly update business-grade anti-malware and anti-spyware software (free, limited-feature, and consumer-strength anti-virus software are not sufficient) to prevent attacks that exploit outdated software vulnerabilities.

Note: If your site is hosted on a managed solution, such as BigCommerce, automatic security patches help ensure that any vulnerabilities are quickly resolved.

Once you’ve taken these steps, learn the 13 signs of unusual buyer activity to be aware of.
 
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

[1] “48% of Businesses Think They’re Not Big Enough to be Targeted for Fraud,” Small Business Trends, March 10, 2019.

[2] “Consumer Sentinel Network Data Book 2018 – February 2019,” Federal Trade Commission, 2019.


Frequently asked questions.

PayPal Payments Standard is the easiest way to securely accept debit and credit cards, PayPal and PayPal Credit. It takes the hassle out of accepting payments online. You handle the sales. We handle everything from the checkout process to security and mobile compatibility. Plus:
  • No advanced programming is needed.
  • Your customers don’t need a PayPal account to pay you.
  • It’s optimized for customers on smartphones or tablets.
And unlike many full payment-processing solutions, PayPal Payments Standard has no application, setup or monthly fees, or long-term commitments. You start paying when you start selling.

What can I do with PayPal Payments Standard?

PayPal Payments Standard lets you accept credit and debit cards on your website or through an online marketplace such as eBay or Etsy. Buying is straightforward: We handle the checkout process and then send customers back to your site. Fees are a flat amount per transaction, so selling is just as simple. To see all discounts and fees, take a look at our fees page.

You can use PayPal Payments Standard to send invoices online too, so you can get paid sooner. For offline payments, you can add PayPal Here, a mobile payments solution, to your account to let you take payments on the go using your smartphone or tablet (alternate rates apply).

With PayPal Payments Standard, you’re also eligible to apply for the free PayPal Business Debit MasterCard®.

As with all of our payment solutions, PayPal Payments Standard helps protect your business with our Automatic Fraud Screening, industry-leading data security and reliable customer service.

Get Started Now.
PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right in your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has a $99 setup fee and a monthly fee of $25.

There are optional features such as additional fraud protection, recurring billing and buyer authentication. Click here to see pricing.
Offers that sound too good to be true probably are
Most of us are careful if a stranger approaches on the street and offers a deal that's just too good to be true. But we're much less cautious online, putting us at risk.

Advance fee fraud
If you get an offer for free money, there's probably a catch. Typically, fraudsters will ask you to send some smaller amount (for taxes, for legal documents, etc.) before they can send you the millions you’re promised, but which they never intend to send you.

How to avoid this scam: Don't wire money to someone you don't know.

Overpayment scam
  • A customer sends a PayPal payment that is more than the purchase price of the order and then asks you to wire them the difference.
    • They may tell you that they accidentally overpaid you, the extra money is for the shipping costs, they're giving you a bonus for your great service or the money is for the stress they've caused you.
    • They may even ask you to wire the shipping fees to their shipper.
  • This scammer may have paid with a stolen credit card, bank account number, or checking account.
    • Just because a payment has been deposited into your account, doesn't mean the money is yours to keep. If the legitimate account holder reports unauthorized activity, the money can be withdrawn from your account.
    • If that happens, you'll lose the money you wired to the fraudster, the product you shipped, shipping costs, and your payment.
How to avoid this scam:
  • Don't wire money to someone you don't know. A legitimate buyer won't overpay you for an order.
  • If a customer overpays you and asks you to wire them the difference, consider canceling the order—it's very likely to be fraudulent.
  • Don't wire money to the bogus shipping company—it's part of their scam to get your money.

Prize winnings
Messages asking you to pay a small handling fee to collect some fabulous prizes are usually a scam. You send the handling fee and get nothing in return.

How to avoid this scam: Don't send money to someone you don't know. A legitimate prize won’t require you to pay in order to receive it.

High profit – no-risk investments
These types of investments are usually scams and include messages insisting that you “Act Now!” for a great deal.

How to avoid this scam: Discontinue communication with this person/company.

Fake charities
Scammers use disasters to trick kind-hearted people into donating to fake charities. This usually happens when there is a refugee crisis, a terrorist attack, or a natural disaster (like an earthquake, flooding, or famine).

How to avoid this scam:
Thoroughly check the background of any charity to make sure your donation goes to real victims. Use resources to check out charities, like the ones below:

http://www.charitynavigator.org
http://www.bbb.org/us/charity
http://www.charitywatch.org

If a charity does not have a website, be cautious.

To learn more about common scams and how to avoid them, search online for advance fee fraud. You can also read the FBI's material on common types of scams. Most importantly: be as cautious online as you would be in the real world.

Shipping Scams
There are several ways fraudsters incorporate shipping into their schemes. Be sure you’re familiar with the following:
  • My shipping service scam
    • The buyer asks you to use their shipping account because they can get a discount, they have a preferred vendor they’ve worked with for years, or their shipping service is cheaper or more reliable. In another variation of the scam, the buyer may also ask you to wire the shipping fees to their preferred shipper.
    • If you use the buyer's shipping account, they can easily contact the shipping company and reroute the order to another address.
      • The buyer can then open up a complaint asking for a refund because they didn't receive their order.
      • You aren't able to prove that the buyer received their order and you are out your product, the shipping costs, and your money.
    • If they ask you to wire the money to a bogus shipping company, they can steal your money.
      • After you have wired the money you’ll find out that the order was made with a stolen card or bank account. You may be held liable for returning the funds to the legitimate customer whose account was stolen.
How to avoid this scam:
  • Only use your shipping account.
  • Never wire money to someone you don't know – you can't get it back easily.
  • If a customer asks you to use their shipping service, review their order for fraud carefully. They may have used a stolen card or bank account to fund the purchase.
  • Ship to the address on the Transaction Details page.
Pre-paid shipping label scam
  • You receive an order from a customer who asks you to use their pre-paid label to cover the shipping charges. (They may tell you that they can get their labels at a discounted price.)
  • By providing the label, the customer controls the destination of the package. They may send it to another country, a PO box, or some other untraceable location.
    • To be covered under PayPal's Seller Protection policy, you are required to ship to the address on the Transaction Details page.
    • The shipping label may also have been purchased with a stolen credit card.
How to avoid this scam:
  • If the customer asks you to use their pre-paid label, review their order for fraud carefully. They may have used a stolen card to make the purchase.
  • Do not accept shipping labels from your customers.
  • Ship to the address on the Transaction Details page.
Package rerouting scam
The buyer reroutes the package so they can file a complaint that they never received it.
  • A buyer places an order and provides an incorrect or fake shipping address.
  • The shipping company tries to deliver the package but isn't able to.
  • The buyer monitors the online tracking information and notices that the shipper couldn't deliver the package.
  • The buyer contacts your shipping company and asks them to send the package to their correct address. The shipping company delivers the package to the new location.
  • The buyer then files a complaint about not receiving the item.
    • Because the shipment was rerouted, you can't prove the item was delivered to the address on the Transaction Details page.
    • The buyer gets to keep the item and money.
    • Because the package wasn't delivered to the address on the Transaction Details page, you aren't covered by Seller Protection.
    • Unfortunately, you lost the product, shipping fees, and the money.
    • To make it worse, you might also have to pay your shipper an additional rerouting fee.
How to avoid this scam:
  • Contact your shipping company and block buyers from rerouting packages.
  • Validate the buyer's address before shipping.
  • Only ship to the address on the Transaction Details page.

Business/job opportunities
Fraudsters will post fake job opportunities on job-posting sites, dating sites, and via spam email.

Reshipping packages scam
  • One of the more popular work-from-home scams is reshipping electronics, clothing, and other items out of the United States.
  • You receive items (electronics, jewelry, clothing, etc.) in the mail and are asked to ship them out of the country.
    • Packages may be addressed to someone else's name (the stolen credit card victim).
    • Your "employer" provides you with a shipping label (also paid for with a stolen credit card).
    • Your "employer" asks you for personal information, such as your Social Security Number and bank account details, so they can "direct deposit" your check.
    • Generally, you’ll never get paid and have just exposed yourself to fraud.
  • Most merchants will not ship items out of the country.
    • Fraudsters need you to act as an intermediary to help get the goods out of the country. It also helps them avoid getting caught.
    • They use your personal information to steal your identity or take over your account.
How to avoid this scam:
  • If it's too good to be true, it probably is. Know who you are dealing with and don't reship packages.
  • If you didn't realize you were involved in a scam until the packages started arriving, refuse delivery or return to sender. Report scams to the Internet Crime Complaint Center or contact your Postmaster.
  • Never give your private personal or financial information to anyone you don't know.
Employment scam
  • Someone contacts you about a great new business opportunity. They need an employee or partner to sell cameras (or some other expensive product) for them.
  • Scammers trick innocent and trustworthy people into sending them money and merchandise.
    • The scammer may even say they found you through eBay's Trading Assistant program. They will ask you to:
  • List some products for sale on eBay or on your website.
  • Use the money from the orders to pay their supplier. They’ll contact the supplier in advance to let them know you’ll be sending them money.
  • Update your PayPal account address to their address. They’ll usually give you an address that looks like a regular address but it's a P.O. box.
  • After you pay the supplier, you’ll start receiving complaints from your buyers stating that they didn't receive their merchandise. Instead, they received an empty box (from the scammer).
  • You contact the supplier. They inform you that your partner said you would be sending money for gold bullion, so they shipped the gold bullion (not cameras) to your PayPal account address. You remember that your partner asked you to change your PayPal account address to their address, so they could pick up the gold.
    • You paid the supplier for the cameras, so you file a complaint against the supplier. Unfortunately, you learn that you may be liable for the money since the supplier delivered the merchandise to your PayPal account address.
How to avoid this scam:
  • If it's too good to be true, it probably is. Know who you are dealing with.
  • Don't list someone else's address on your PayPal account.
  • Verify your suppliers and don't send money to someone you don't know.
  • Only ship items to the address on the Transaction Details page.
  • Be on alert if you’re asked to ship a lot of packages overseas or to the same post office box.
If you think you’ve received a suspicious email or have been directed to a fake website, forward it to spoof@paypal.com and we’ll investigate it for you. After you send us the email, delete it from your inbox. If you clicked on any links or downloaded any attachments within the suspicious email or website, log into your account and view your transactions. It’s also a good idea to change your password.
 
To report SPAM SMS messages, forward them to ‘7726’ (which is the key for SPAM on most phones). Check with your service provider to find if this service is supported or read more here: http://www.gsma.com/aboutus/.  
 
To view all transactions and activity, log in to your PayPal account and check your recent activity. If you see any unauthorized transactions, go to the Resolution Center to report them.
 
 
Here's how you can help prevent fraud when shipping an order:

Verify shipping address
Go online and verify the shipping address. Look for red flags such as shipment to a freight forwarder, shipping company, P.O. Box, hotel or a vacant property. Fraudsters often ship orders to addresses that can't be traced back to them.
  • Freight forwarder: Third-party shipping service that reships merchandise to another location (typically abroad) for a fee. To see where your package is being sent, simply enter the shipping address into a search engine. If the search results show the name of a shipping company, be more cautious.
  • Shipping companies or P.O. boxes: Fraudsters like the anonymity that shipping companies and P.O. boxes provide. However, there are also a lot of legitimate reasons for using a shipping company or a P.O. box. You just need to be more cautious, since shipping to P.O. boxes and shipping companies is typically riskier than shipping to residential addresses.
  • Money mule: Fraudsters pay people (known as money mules) to have orders shipped to their address. The money mule receives the package, then reships it to the fraudster’s address. Be careful if you have a lot of orders from different customers that are shipped to the same address.
  • Vacant property: To identify vacant properties, enter the shipping address into a search engine. If the property is currently listed as for rent or for sale, it could be vacant.
Ship with online tracking
Use a shipping service that provides online tracking to help confirm the item was delivered. Standard shipping receipts only show that an item was shipped. Online tracking services prove the item was delivered.
  • If the total sale is for $750 or more, obtain signature confirmation to confirm your customer received their order – the nominal expense is well worth it.
  • Use your discretion when shipping internationally using First Class Mail International since this shipping service is not accepted under PayPal's Seller Protection Policy.
Order shipping insurance
Too many things can go wrong in transit. That's why it's important to purchase shipping insurance for items that are fragile or expensive. Shipping insurance serves two purposes:
  • Insures the item in the event it is lost or damaged.
  • Includes tracking and delivery information so the customer can see that the order is en route, and you will know when the package was delivered.
In case of a shipping problem, file an insurance claim with the shipping company.
  • You, your customer or the shipping company can report claims. Contact your shipping company for detailed instructions on how you should proceed with a claim.
  • Be aware of insurance exceptions.
    • Liability for loss or damage may be limited depending on the type of package, the declared value, and/or the shipping company. Talk to the shipping company to ensure proper coverage.
Delay shipping high-risk orders
  • Delay shipment for new orders that are expensive and in demand for 24 to 48 hours, especially when shipping internationally.
  • Use caution when shipping overnight. Fraudsters will often ask for overnight shipping so that they can resell expensive merchandise as quickly as possible.
Use your own shipping service
  • Do not use your customer's shipping company when mailing orders. Packages can be rerouted by the customer to other addresses after shipment, and won't be covered by Seller Protection.
Use care when choosing or acting as a drop shipper
  • Since you're responsible for delivering what the customer orders, it's critical to choose a reputable drop shipper to help avoid losses.
  • Be wary of drop-shipping companies located in high-risk countries.
  • If you're a drop shipper, have a vetting process in place for all suppliers. This should include inventory management and product guarantees (to ensure that items are in stock and you're delivering high-quality merchandise).
Issue returns quickly and let customers know when you are out of stock/inventory
If an item is out of stock, remove the listing or update it to reflect the out-of-stock status. Provide an estimated in-stock date or clearly indicate that customers who choose an out-of-stock product are placing an advance order.

Example: A new customer orders a $10,000 chandelier. Here is what you can do:
  • Search an online map to see to whom and where the order is being shipped. Is the order being shipped to an expensive home, a motel or a freight forwarder?
  • Use a search engine or social networking site to verify the name and shipping address. Do the name, shipping address and billing address match?
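
The shipping checks above expressed as code, as an added example rather than PayPal's own tooling. The $750 signature threshold and the 24 to 48 hour hold come from the text; the $1,000 "expensive" cut-off, the three-customer shared-address rule and all names are assumptions, and the shipments are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

SIGNATURE_THRESHOLD = Decimal("750")  # from the page: signature at $750 or more
HIGH_VALUE = Decimal("1000")          # assumed meaning of "expensive"
SHARED_ADDRESS_CUSTOMERS = 3          # assumed: distinct customers per address

PO_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|post\s+office\s+box)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Shipment:
    customer_id: str
    new_customer: bool
    total: Decimal
    address: str
    overnight: bool = False


def address_key(address):
    """Fold P.O. box spellings, case and punctuation so variants compare equal."""
    folded = PO_BOX.sub("pobox", address)
    return re.sub(r"[^a-z0-9]+", " ", folded.lower()).strip()


class ShippingReview:
    """Remembers which customers shipped to each address and lists follow-ups."""

    def __init__(self):
        self._customers_at = defaultdict(set)

    def actions(self, s):
        out = []
        seen = self._customers_at[address_key(s.address)]
        seen.add(s.customer_id)
        if s.total >= SIGNATURE_THRESHOLD:
            out.append("signature_confirmation")
        if PO_BOX.search(s.address):
            out.append("review:po_box")
        if len(seen) >= SHARED_ADDRESS_CUSTOMERS:
            out.append("review:shared_address")  # possible reshipping address
        if s.total >= HIGH_VALUE and s.new_customer:
            out.append("hold_24_to_48h")
        if s.total >= HIGH_VALUE and s.overnight:
            out.append("review:overnight")
        return out


def run_sample():
    """Constructed shipments, including the $10,000 chandelier case."""
    shipments = [
        Shipment("c-100", True, Decimal("10000"), "12 Elm Street, Springfield"),
        Shipment("c-1", False, Decimal("60"), "P.O. Box 4410, Reno NV"),
        Shipment("c-2", False, Decimal("60"), "PO Box 4410, Reno, NV"),
        Shipment("c-3", False, Decimal("60"), "post office box 4410 reno nv"),
        Shipment("c-7", False, Decimal("1200"), "9 Oak Ave, Dayton OH", overnight=True),
    ]
    review = ShippingReview()
    return [review.actions(s) for s in shipments]


if __name__ == "__main__":
    for actions in run_sample():
        print(actions)
```

The address checks that need a map or search engine (vacant property, freight forwarder) stay manual; the code only queues the orders that deserve that lookup.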
