We are getting hit with tons of fraud scammers testing credit cards on a single item in our store. Started using BLOCKY app which definitely works and blocked some countries and persistent IPs and ranges of IP addresses as well as high-risk proxy, etc.
Still getting hit. While only the occasional one makes it through as a legit order (which we cancel), there are a few things in common:
So they likely have a bot or a well-oiled boiler room testing credit cards.
BLOCKY has been pretty helpful. However, we have more than 50 abandoned carts in just 6 hours or less. Abandoned carts don't show IP address (shopify's privacy) so I'm SOL for blocking them. All I have is BLOCKY analytics, where you can see the last 100 IP addresses of visitors and who's blocked, etc., but sometimes it's impossible to tell who the offender is as they likely fill the cart, leave it for a while, then hit the BUY button.
I'm concerned our credit card processor will shut us down at some point for all the fraud attempts.
Can we add a checkmark or something to the shopping cart if this is a bot? Since shopify's cart is the same for most stores it means we are all at risk for this scamming.
So far shopify hasn't been very helpful.
Sorry to hear that. This is a problem that plagues any B2C business online.
For context, I build Blockade which was a similar app to what you're describing. However I shut it down because of the reasons you're listing.
1. Shopify doesn't allow apps to server side redirect, before the page is loaded.
Therefore any Shopify app that claims to block requests isn't technically true, these apps can't work until the page starts to load. This means that any mildly sophisticated bot can ignore the JavaScript redirect that these Shopify apps try to perform when the visitor matches one or more of your rules by IP address, proxy detection, etc.
You can't beat the bots unless you can block the website from loading before the page is rendered.
2. IP addresses are easily proxied, and proxies constantly change.
The bad guys pay for cheap proxy services to hide their true IP address, or deploy their bots to different hosting platforms to prevent detection. Trying to identify bots on IP addresses alone is not possible from your perspective only.
This is why Shopify partnered with Cloudflare, which in my opinion is the best bot deterrent on the market. However, Shopify has paywalled this Cloudflare solution for only Plus stores.
So my recommended solutions are:
1. Upgrade your Shopify plan to qualify for this Shopify Bot Protection (which is just Cloudflare under the hood)
2. Find a way to transfer your store's domain to Cloudflare and find a way to enable bot protection on Cloudflare natively while pointing the domain to Shopify (might be tricky, or not even possible because Shopify wants you to pay for a higher tier subscription)
3. Use the new Shopify Cart Validation Functions to maintain a list of IP addresses/rules for denying access to checkout. However, this will require a developer and it's not generally available to app store apps yet. And you'll still have the job of keeping up with the cat & mouse game of testers changing their automations slightly to beat your rules.
Hope this helps,
Want to see it in action? Check out our demo store.
Thanks for the info. I'll look into your suggestions.
It's unfortunate that shopify isn't looking at this type of security breach. Doesn't inspire confidence going forward.
Of course, happy to help.
I agree, they may have decided to paywall Bot Protection before card testing was so pervasive.
I think the original value proposition for Bot Protection was for high end stores to protect against bots automating drop purchases purely for scalping. Here's a really good NYTimes article about it if you're interested: https://www.nytimes.com/interactive/2021/10/15/style/sneaker-bots.html
But card testing affects all Shopify merchants, and botters get the same value of testing against a Free Shopify site versus a Plus. So they can just write their automations for low plan Shopify shops and there's not much recourse at the moment.
Thanks for that so here's the suggestion we are trying for the moment. It's not great for the customer as they need to enter their email address for a one-time verification code to be sent. If the email is not legit, they can't complete checkout. We'll see if it's working in an hour or two.
From helpful support @ Blocky:
I would also like to propose a great solution that is working great for other users of ours that are experiencing the same issue - using the new Shopify user accounts for checkouts. This will require all customers to register an account with your lovely store before placing an order, and thanks to Shopify's new account management options, the registration process occurs on Shopify and is being verified by them, so no fake emails can be used, and it should prevent all of the fake abandoned carts and customer accounts. You can also try that for a few days and see its effect in your store.
Here's how to turn it on -
1. Go to the checkout settings page (go into your store settings).
2. Tick the "Require the customer to log in to their account before checkout" option.
3. Click Save.
4. Then, go to: (customer_accounts experience link)
5. Make sure that the "Show login link in the header of online store and at checkout" option is ticked, and under it, select the "New customer accounts Customers will log in with a one-time code sent to their email." option.
6. Click Save.
More info here: https://community.shopify.com/c/shopify-discussions/change-send-email-id-for-quot-customer-accounts-... but website seems down 503 error at the moment?
Thanks for sharing that, I didn't realize that you could require a Shopify account before checkout. That is an interesting idea.
Then you require email verification, which isn't hard to pass with enough technical know-how, but it does add a barrier for the bad actors to jump over.
Just to reiterate, this won't be an end all solution, you can bypass this by programmatically interfacing with Gmail to pass the code. Or use a custom domain, it's definitely possible. But it will definitely weed out some bad actors.
I would encourage anyone that is considering this to keep in mind that extra steps of verification like this might harm your conversion rates. Make sure you monitor your conversion rate before and after implementing a change like this and make sure it's not doing more harm than good.
In some cases extra verification is actually a good thing and sends a good signal, if it's a high end purchase for example. But if your store is on the lower end of AOV, then this might cause more harm than help.
Conversion rate is the worry. Was sweating bullets until the first new order came thru.
So far sales numbers are ok.
Agreed. Seems like something Shopify should have built in so bots can't steal cc info.
Oh damn, I am new to shopify, but I have a site on Magento where I have card attacks that would literally run tens of thousands of card attempts within an hour, hundreds per second. But in magento I used Braintree as a processor and I... (1) I used AVS and declined any transaction where the address did not match the credit card billing address. (2) I set a few fraud rules: "Reject when 5 or more transactions have the same customer ID within 30 minutes" and "Reject when 5 or more transactions have the same credit card number within 30 minutes".
That prevented any successful transactions, but that card attack still shut my site down while it was going on because it was just too many transactions, and the processor wrote me. I then put up a google recaptcha on the checkout page. We will see how that goes.
But I just launched a site here on Shopify. It seems crazy that there is no way to prevent that. I'm adding to this post in hopes that if there is ever some tool to prevent card attacks, I will be notified also.
Hey thanks for sharing. There should be A LOT MORE coming directly from Shopify to help deter these kinds of fraud attempts.
So far with adding either customer needs to login or enter valid email address to continue to payment has curbed the bs cc scams. Fingers crossed. But these jerks (who should get a real job) scamming cards are always coming up with new ways to screw the system. The biggest issue is that most shopify shopping carts use the same generic format so creating a bot to thwart security stuff is almost too easy for the scammers.
Unfortunately we aren't using shopify payments (they kicked us off), since shopify's cc processing contracts with Stripe/Wells Fargo/etc make even Canadian stores beholden to lazy USA credit card classification rules. Essentially they lump health canada licensed products with "quasi pharmaceuticals" like the blue pills - simply because Stripe is lazy to add a legit class for our products. This is the disadvantage with any corporation that goes south to USA. Anyway, don't get me going on that garbage.... lol I'm sure if we used shopify payments there might be more protection for cc scammers but who knows? 😕
What about approving the transaction manually?
Then you check the fraud analysis; it will tell you if the address matches the registered billing address, and the cvv, etc. If not, then void the order.
You can also block these customers from coming back with Cozy antitheft. I had some idiots who tried and tried again, and when I would void their order, they would contact us and be angry ?? fake names, addresses, we told them we can call the credit card company to help them understand it has to match or they can do so on their own. But we block them afterwards.
I have a bot that runs credit cards every day. The only way to stop it is to activate log in before check out, which is really bad for conversions. I've messaged with Shopify support 7 times and they aren't doing anything about it. I've tried Blockify and it didn't work. So frustrating, might just need to leave the platform.
Why don't you accept manually? This way, if they do not seem legit, since you have 5 days to approve, they will cancel themselves.
You go to Settings, Payments and at the bottom, Payment capture method, and choose Manually.
We do this to check every transaction and we void when we want to let the customer know, otherwise, it voids by itself. But we never accepted the money.
The ones we suspect, but not sure, we accept, but take our sweet time to ship, almost a month, enough to give time to the one who got their card stolen to report it, or to give us more time to search into the buyer. Anyway, Manually is better, and as for that bot, they will bot by themselves doing so
Exactly, setting up manual payments isn't that difficult.
Also, now that Shopify Flow is available for free on all plans, you can easily automate capturing payment on non-risky orders.
That way you save a ton of clicks by "automatically" capturing payments on regular orders, while these fake orders can be manually captured without risk of a chargeback.
Na, bad idea because shopify does not help with chargebacks. And their fraud app says no risk to approve orders when in fact when you look into the report, the customer uses a fake billing address.
Sorry I could have been more clear, I'm not referring to the Shopify Fraud Filter app
I'm referring to the Shopify Fraud Analysis that's provided for each order (no app required).
But, to your point, say you don't want to automatically approve payments if the shipping address doesn't match the billing address even if the Shopify Fraud Analysis claims the order is low risk.
Then you can still use Shopify Flow to not automatically capture orders with mismatching billing and shipping addresses _in addition_ to the Shopify Fraud Analysis.
Here's an example workflow that considers both the Shopify Fraud Risk analysis and if the order's shipping address matches the billing address:
Only orders with matching billing and shipping addresses will have automatic payment capture, otherwise you can add a tag to show these orders need verification, etc.
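As an added illustration (not code from this thread, from Shopify, or from any of the apps mentioned), here is how the velocity rules from the Magento/Braintree post above ("5 or more transactions with the same card within 30 minutes") and the billing/shipping match gate from the Flow suggestion could be expressed over a constructed batch of orders, producing a capture-or-hold decision per order. The order fields, thresholds and the `risk` label standing in for Shopify's fraud analysis are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data). card_fp stands in for the
# processor's card token/fingerprint; the merchant never sees the PAN.
def order(oid, minute, email, card_fp, bill, ship, risk="low"):
    return {"id": oid, "ts": datetime(2024, 5, 1, 10, minute), "email": email,
            "card_fp": card_fp, "bill": bill, "ship": ship, "risk": risk}

HOME = "12 Example St, Testville"
ORDERS = [
    order(1, 0, "alice@example.com", "fp-a", HOME, HOME),        # ordinary order
    order(2, 5, "bob@example.com", "fp-b", HOME, "9 Other Rd"),  # bill/ship mismatch
    # card-testing burst: different emails and cards, one shared address
    # (the pattern described further down the thread)
    *[order(10 + i, 7 + i, f"u{i}@mail.test", f"fp-{i}", "1 Drop Ln", "1 Drop Ln")
      for i in range(5)],
    # one card hammered repeatedly inside the 30-minute window
    *[order(20 + i, 20 + i, f"t{i}@mail.test", "fp-same", "2 Loop Ave", "2 Loop Ave")
      for i in range(5)],
    order(30, 59, "carol@example.com", "fp-c", HOME, HOME, risk="medium"),
]

def velocity_flags(orders, key, threshold=5, window=timedelta(minutes=30)):
    """Ids of orders sharing the same `key` value with at least `threshold`
    orders inside a sliding `window` (the Braintree-style rule from the thread).
    Every member of the cluster is flagged, not only the one crossing the line."""
    recent = defaultdict(list)   # key value -> [(timestamp, id)] still in window
    flagged = set()
    for o in sorted(orders, key=lambda o: o["ts"]):
        bucket = recent[o[key]]
        bucket.append((o["ts"], o["id"]))
        bucket[:] = [(t, i) for t, i in bucket if o["ts"] - t <= window]
        if len(bucket) >= threshold:
            flagged.update(i for _, i in bucket)
    return flagged

def normalize(addr):
    """Loose address comparison: case, commas and whitespace do not count."""
    return " ".join(addr.lower().replace(",", " ").split())

def capture_decisions(orders):
    """'capture' only when no rule fires, otherwise 'hold' with the reasons;
    this mirrors manual capture plus a Flow rule that tags doubtful orders."""
    card_hits = velocity_flags(orders, "card_fp")
    addr_hits = velocity_flags(orders, "ship")
    decisions = {}
    for o in orders:
        reasons = []
        if o["id"] in card_hits:
            reasons.append("card_velocity")
        if o["id"] in addr_hits:
            reasons.append("address_velocity")
        if normalize(o["bill"]) != normalize(o["ship"]):
            reasons.append("address_mismatch")
        if o["risk"] != "low":
            reasons.append("risk_" + o["risk"])
        decisions[o["id"]] = ("capture" if not reasons else "hold", reasons)
    return decisions

if __name__ == "__main__":
    for oid, (action, why) in capture_decisions(ORDERS).items():
        print(oid, action, ",".join(why))
```

Only order 1 is captured automatically; the two bursts are held as clusters even though each individual order would pass a billing/shipping match on its own.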
What is the point ??
We have to verify anyway and will not rely on shopify for those if they do not already. See how they handle chargebacks ?? Even if you're in the right, shopify put their heads in the sand. How can you suggest them as a secure way when they do not care already
Seriously, best way is to rely on our own judgment.
Even if you're in the right, shopify put their heads (not heafs) in the sand. Sorry, typing mistake. But I learned to stay away from apps in their store as much as I can. A couple I contacted from 2 new emails for info and we started getting the same scam offers. Told shopify about this but of course they did not check.
We have to spend time checking each order and it is what it is. Because we will certainly not start asking for their IDs, right? I almost had a fraud done to me and equifax told me to never give my birthdate to anyone or I would be responsible. And also, never give out your driver's permit to anyone unless being stopped by a cop. Not to get a phone line, etc. I was told to remove ID info everywhere the other day because there was a lot of fraud since covid. So you understand that I would not give my ID to buy 3 pairs of socks 😀
There's a spectrum of customer verification, and ID verification is on the high end. It's an industry standard for rental marketplaces like AirBnB, Turo, etc. It's also required for high end purchases like jewelry or where chargebacks are extremely costly like auto parts.
I would never recommend ID verification for cheap orders, but there are other ways of verifying orders to prevent fraud even with low order values:
* Email verification
* SMS verification
* Phone verification
You can send a unique code over any of those three channels to help prove the customer's phone number and email address. Criminals are often using disposable emails and phone numbers and can't keep track of the messages across all of their inboxes. Or even more likely they're too lazy to even use real emails and phone numbers.
OTP (one time passcode) verification is a cheap and even more frictionless way of verification.
But ID verification has its place in the anti-fraud toolbelt, it's just not for all.
Well, I do not care who asks for it, they would not get it from me. They will get a library card, but no way will they get a driver's permit with address, age and all kinds of info a scammer can use. What you are not thinking about is the other end, the person who takes the orders from the website, the secretary that could be asking for it, or the shipper. I have to trust them with my ID ??? Seriously ?
When Equifax tells me we should never give our birthdate, I think I will follow their advice. EVEN if you had the ID, for example, the 2 chargebacks we got were people who were out there, quite known, and played games with us, so getting their IDs was pointless because I could find out online who they were. One was even a neighbour of someone we knew. The problem was Shopify, who did not send our answer to the credit card company when we gave the proof all was shipped and even the customer asking details about the stuff she had received then denying having them ? We had the proof, but Shopify did not do their job. Not much the little ID could do about this right ?? We called Visa and they said they had never gotten our answer.
If anyone asked for my ID, i would tell them to get lost and cancel the order.
At the end, we have to double check every order because Shopify's chargeback system is worth minus 1000.
I understand ID documentation is not a viable solution for you, but that doesn't mean it's not essential for different merchants and industries. We help online pharmacies as well as implement age verification beyond self-reporting your own birthday.
I totally agree, private details shouldn't be viewable by just anyone. That's why we provide controls to limit who can view this data - including at the per-staff level. I respectfully disagree with your claim regarding entering personal information online. Parts of the internet are more dangerous because identity is disposable.
We have also helped overturn fraudulent chargebacks based on ID evidence provided at checkout. But what we hear most often are the dramatic drop in chargebacks, just because friendly fraud (also known as first party fraud) is mostly a crime of opportunity.
> At the end, we have to double check every order because Shopify's chargeback system is worth minus 1000.
Genuinely curious, what do you mean by double check? What is your process for judging if a customer's order is legitimate, like you said they can file a chargeback based on non-fulfillment. In theory those orders won't trigger Shopify Fraud Analysis because the billing and shipping details line up.
Honestly, do not get what you are trying to say at all. And you must be selling apps to be pushing for something without reading people's situations
One chargeback
This lady ordered 2 items. All was going through, billing address matched, cvv, etc. AND she was known and a neighbour of a friend of the company (though she did not know that) SO, SHE EXISTS You got me until now ??
And she has money. The order was only 500$
Are you still following me ?? Then, she asks if we have a different colors, we say yes. Then, she said I am returning rush UPS and here is the tracking but please reship asap. Since we knew someone who knew her and she said the package was gone, we reshipped two more items but we never got back the other two AND SHE ASKED FOR A CHARGEBACK !!!!!!!! No reason at all, lying she had shipped and UPS confirmed not picking up anything from her
So, we lost the chargeback because even with the proofs that she had not reshipped and she did not even wait one day after asking for return, she asked a chargeback, but we lost
The whole story was crazy
But a few months later, the lady comes back and says I have 4 items but would like a 3rd version. SO, SHE ADMITTED. We called the credit card company, they were going to open the file for us and said that Shopify never gave them our answer ..
We contacted the lady and said, we will report you to the credit card company and she refunded us.
But she was legit
Unless there is an app that can spot legit people and has a crystal ball that they might try to steal, not interested
We've implemented an email verification or login to shop. So basically the CC fraudsters don't have legit email addresses. If they want to actually get to checkout they need to either enter their legit email address to which shopify sends them a one time code, or they can login before checkout. This prevents scammers testing cc's. It makes it slightly more difficult for us because we can't use shopify payments, we use moneris 3rd party.
Just bumping this thread to note I'm having the same issue - bots from Russia and the US (I think it's the same one disguising its IP) trying to buy a $1.25 item (always the same one) every 6 or so hours.
The bot is trying to pay via credit card unsuccessfully, but I'm nervous in case of a successful attempt. I'm worried it would download all my digital inventory and steal my store basically (I sell only digital templates).
My feeling is that help/support against these bot attacks should be part of the foundational offerings of Shopify. We shouldn't need fancy development or buying extra modules for this, as the bots are becoming very prevalent, messing up automations and statistics, and are dangerous if they succeed.
So adding my vote here for a future (soon hopefully) fix.
Just pick the option to accept payments manually, not automatically. They have this set-up in shopify. You have one week to accept the charge and if you do not, it does not go through and cancels automatically.
It will give you time to review
Thanks, Pripri - looking into it!
You go to Settings, Payments and at the bottom, Payment capture method, and choose Manually.
Ps, wonder if your set-up of downloading as soon as paid will work with this. We have to ship items so it works for us. But test it or set it up with a delivery date as well ?
Yes - you nailed exactly the issue I'm thinking about: the auto delivery email. So still considering the options open to me, but I appreciate adding this one to the mix.
Legit email does nothing for us because we were exchanging e mails with the chargeback people before they did and after. Even phone calls.
The problem for the 1000th time is that if we are in our rights and provide the proof to shopify to pass on to the credit card company, it is apparently not sent to the credit card company. But we called the credit card as well and that will mess up their future try-outs.
Just wanted to say this is still a major problem, I run a store selling digital items and I've had to turn on users must be logged in to order. I was getting hit with hundreds of fraudulent orders a day, different names, card numbers and email addresses but literally all using the same postal address. I set up manual payment capture so at least it wasn't costing me but it still completely messes up your store with things like reports and user accounts not to mention the ridiculous number of alerts. Amazingly some orders using this address weren't even flagged as high risk (or medium risk). The AVS stuff did nothing the orders still go through, which seems odd but shopify support didn't care.
However by turning on must be logged in the conversion rates lower, so by doing nothing else to help prevent this shopify are losing out on money as well.