
Wednesday, August 8, 2012

3 Strategies to Outsmart Fraudsters

Last week I shared some tips on spotting card testing cases.  This week, I am sharing some basic strategies to combat this type of fraud.

Card testing is often more an annoyance than a headache, as quick eyeballing can easily spot these fraudulent attempts (see the sample fraud order from the last post).
However, switching from an automated or semi-automated order processing system to one heavily reliant on manual review (not to mention the additional administration of canceling orders and factoring these orders out of sales statistics and analysis) can escalate this minor annoyance to a major pain.

Here are 3 strategies we've seen that hopefully can help you tackle this problem and minimize administrative issues.

1. IP Black List 


The easiest solution would be to block the recurring IP addresses where the card testing orders are coming from. However, this can be a tedious cat and mouse game since the fraudsters will just switch IPs.

You can also try blocking a range of IPs or IPs from specific high-risk countries. There are free services you can use to obtain the ranges. Certain platforms also have features that allow you to customize the IP block list. For example, Yahoo Stores has the "IP Blocking" feature.

At this point, if you are lucky, the fraudsters will probably cease the attack and go somewhere else. They might become more sophisticated and use proxies or other methods to bypass your IP country block, but this roadblock will deter many unsophisticated fraudsters.

2. Automate Cancellation


Another strategy is to let the orders come in, automatically flag them for cancellation, and then cancel them. This way, the fraudsters' strategy is unlikely to change, so they become very predictable and thus more manageable. This strategy is sometimes preferred over #1 because it's like fighting in stealth mode! You can use this strategy to collect data to potentially flag future orders that come in with similar credentials, such as email or phone number, but this time with normal-looking order information. Any data you can get to build your own "fraud cases" would be extremely helpful.
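One way to implement strategy #2, as an added example that is not code from the original post: orders whose name, street and email look like keyboard mash are marked for automatic cancellation, and their email and phone are remembered so that a later normal-looking order reusing them goes to manual review. The order field names, the gibberish thresholds and the phone numbers are assumptions constructed for illustration; the first two orders reuse the gibberish samples quoted on this page.

```python
import re

VOWELS = set("aeiouy")

def token_is_gibberish(tok):
    """Crude keyboard-mash test (assumed thresholds, tune on your own orders)."""
    if len(tok) >= 5 and not VOWELS & set(tok):
        return True                      # e.g. "dfgsdfgs": no vowels at all
    # e.g. "rtretertr": long token built from very few distinct letters
    return len(tok) >= 8 and len(set(tok)) / len(tok) < 0.5

def field_is_gibberish(text):
    return any(token_is_gibberish(t) for t in re.findall(r"[a-z]+", text.lower()))

class CardTestFilter:
    def __init__(self):
        self.seen_emails, self.seen_phones = set(), set()

    def classify(self, order):
        email = order["email"].strip().lower()
        phone = re.sub(r"\D", "", order["phone"])        # digits only
        fields = (order["name"], order["street"], email.split("@")[0])
        # Require two gibberish fields so one unusual surname is not enough.
        if sum(field_is_gibberish(f) for f in fields) >= 2:
            # Let the order in, cancel it quietly, and keep its credentials.
            self.seen_emails.add(email)
            self.seen_phones.add(phone)
            return "auto_cancel"
        if email in self.seen_emails or (phone and phone in self.seen_phones):
            return "manual_review"       # normal-looking order, known credentials
        return "accept"

# Constructed sample orders; phone numbers and orders 3-4 are invented.
ORDERS = [
    {"name": "weratawreta fsgsdfg", "street": "dfgsdfgs",
     "email": "dfdsfsdf@yahoo.com", "phone": "305-555-0142"},
    {"name": "rtretertr trtrtrt", "street": "456 4ffdefs",
     "email": "hgfdfgff@gmail.com", "phone": "213-555-0177"},
    {"name": "Maria Lopez", "street": "1200 Brickell Ave",
     "email": "m.lopez@example.com", "phone": "(305) 555-0142"},
    {"name": "John Smith", "street": "88 Market Street",
     "email": "jsmith@example.com", "phone": "415-555-0199"},
]

def run(orders):
    f = CardTestFilter()
    return [f.classify(o) for o in orders]

if __name__ == "__main__":
    print(run(ORDERS))
```

The third order looks legitimate on its own and is only caught because its phone number matches one collected from a cancelled card-testing order.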

3. Minimize Manual Review  


Some merchants have dealt with this nuisance the old-fashioned way: by throwing more hands at looking at orders. Some merchants spent up to 1/4 of their time reviewing orders! Although not as cost effective, manual review, at the end of the day, is still a must.

The goal of setting up any effective and successful manual review protocol should be to minimize the number of orders to be reviewed as well as the time spent reviewing each order. This means implementing a filtering system to first weed out transactions that are obviously fake/fraudulent/bad, and then using the right tools to aid and expedite your review. For example, you can implement both #1 and #2 to automatically filter out fraudulent orders right away and reduce the total number of orders in the queue. You can then lay out a systematic process to check for the remaining factors.

Wednesday, August 1, 2012

5 Signs Your Store Is Suffering from Card Testing Fraud

In the last few months, we have seen a noticeable increase in an unsophisticated form of credit card testing, especially with our Yahoo Store merchants. "Card testing" happens when fraudsters use online stores as testing grounds for the credit card information they have. Usually, they don't care about the actual goods or services being purchased during the transaction. Their only goal is to "test" the cards to make sure they have not been blocked/canceled and the credit limits have not been reached.

For example, we came across different variations of the following:

Name:     weratawreta fsgsdfg
Address:  dfgsdfgs
          Miami, FL 33166
Email:    dfdsfsdf@yahoo.com

Name:     rtretertr trtrtrt
Address:  456 4ffdefs
          544
          los angeles, ca 90021
Email:    hgfdfgff@gmail.com

These two cases are SO obviously fraudulent, because of the gibberish information they contain, that they are easy to spot. However, sometimes card testing can be a little more sophisticated and not so outright fake. Here are 5 other things that should help you determine whether you are under a card testing attack!