There’s been a lot of talk about ‘Phishing’ lately. It’s a method for stealing personal information that’s getting more and more common, and you’ve probably seen examples in your inbox. ‘Phishing’ is where a crook sends an email that appears to be from a trusted source (such as a bank or credit card company). It asks you to click a link in the email and then type in some sort of personal information. The links in these Phishing emails, of course, aren’t what they appear to be and go somewhere else. Denise O’Berry posted a great blog entry, complete with a screenshot, about one she received recently. Give it a read if you want to see how realistic these Phishing emails look.
The other side of phishing is that some people are actually falling victim to this and are getting their personal information stolen. One way this thievery can manifest itself is in the shopping cart of your product-based web store.
Lately, we’ve noticed a significant influx of orders where the billing party is completely different than the shipping party (different name, different city, not even in the same state). Usually, the items being ordered are of a high dollar value. These are huge red flags to watch for. There are legitimate reasons why an order might ship to someone in a different place, but you should make sure in instances like that.
Attempt to contact the billing party using the billing phone number shown on the order. Of course, you cannot really tell who you’re talking to, so if that phone number appears ‘phoney’ or if you’re just not comfortable with the situation, cancel the entire order and void the credit card charge. Otherwise, if the transaction was not legitimate, you’ll probably end up with a chargeback later that you’ll have to pay, and your business will be left holding the bag.
I talked about AVS a bit in this blog post, but AVS only checks the validity of the billing address itself. If the billing address information has been stolen along with the credit card information, AVS will not catch it.
If your volume is low enough that you (or someone taking your orders) can monitor this, then a documented procedure should be in place for dealing with non-matching shipping addresses. If your volume is too high to monitor such things, try using the automated tool set from your merchant gateway provider. Authorize.Net, for example, offers a great Fraud Detection Suite with various security settings that will allow you to automatically stop orders where the billing party does not match the shipping party.
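One way to write the red flags above down as a documented screening rule is sketched here. It is an added example, not code from this post or from Authorize.Net; the `Order` fields, the decision names and the 500.00 threshold are assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass

HIGH_VALUE_THRESHOLD = 500.00  # assumed cutoff; the post gives no figure
FIELDS = ("name", "city", "state")

@dataclass
class Order:
    order_id: str
    total: float
    billing: tuple   # (name, city, state)
    shipping: tuple  # (name, city, state)
    avs_match: bool  # gateway AVS result; covers the billing address only

def _norm(text):
    # Ignore case and spacing so "Ann Lee" and "ann  lee" compare equal.
    return " ".join(text.lower().split())

def red_flags(order):
    """List the red flags from the post that apply to one order."""
    flags = [f"{field}_mismatch"
             for field, bill, ship in zip(FIELDS, order.billing, order.shipping)
             if _norm(bill) != _norm(ship)]
    if order.total >= HIGH_VALUE_THRESHOLD:
        flags.append("high_value")
    if not order.avs_match:
        flags.append("avs_fail")
    return flags

def screen(order):
    """Return (decision, flags). An AVS match never clears a mismatch,
    because a stolen billing address still passes AVS."""
    flags = red_flags(order)
    mismatches = [f for f in flags if f.endswith("_mismatch")]
    if len(mismatches) == 3 and "high_value" in flags:
        return "hold", flags    # phone the billing party before shipping
    if mismatches or "avs_fail" in flags:
        return "review", flags  # may be legitimate, e.g. a gift
    return "release", flags

# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A-1001", 42.50, ("Ann Lee", "Austin", "TX"), ("ann lee", "Austin", "TX"), True),
    Order("A-1002", 60.00, ("Ann Lee", "Austin", "TX"), ("Bob Lee", "Austin", "TX"), True),
    Order("A-1003", 1899.00, ("Ann Lee", "Austin", "TX"), ("J. Doe", "Newark", "NJ"), True),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        print(o.order_id, *screen(o))
```

The third sample order passes AVS and is still held, which is the gap in AVS described above.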
All web businesses, home-based businesses or otherwise, should pay closer attention to the shipping addresses on orders in light of Phishing trends. Thieves who are operating from stolen information are definitely customers you won’t want to do business with.