High-risk transactions and fraud prevention


NYCTrackbook
Excursionist

I had a high-risk transaction for digital goods go through this morning, where the currency used was Nepalese Rupees but the registered address of the card was a rural town in the US state of Georgia (I'm in NJ and I sell a book that is rarely purchased by customers outside of the northeastern U.S.). A few minutes before this one went through, an attempt to purchase a $25 digital gift card was made, but I cancelled it as soon as I saw it.

What recourse do I have as a seller against this? My margins are incredibly tight (about 12%), and as an extremely small business, I cannot afford to lose even a little bit to fraud. 



dylanpierce
Shopify Partner

Hi @NYCTrackbook 

 

If you haven't yet I highly recommend enabling manual payment capture. Here's a short guide on how to do that.

You're still at risk for a chargeback even if you immediately cancel and refund orders; this is because your checkout has automatically processed the payment through the gateway.

I assume you're using the Digital Downloads app for handling digital orders? Or are you using another app to deliver your items digitally after purchase?

Just want to know that detail so I can advise on a way to hold the order's fulfillment until you've captured payment.

Founder of Real ID - Verify your customer's real IDs easily & securely with modern A.I.

Want to see it in action? Check out our demo store.

NYCTrackbook
Excursionist

I have just enabled Manual Capture. In 3 years of selling on digital platforms (here and on Wix before that) I have never had a single bad transaction, but now two in one day (from the same person). I am using the Fileflare Digital Downloads app for digital file fulfillment. 

dylanpierce
Shopify Partner

They might just be testing credit cards, not actually caring about the product itself. Credit card testing is when a bad actor either has a sample of stolen credit cards or wrote a bot that generates fake credit card numbers in an attempt to randomly find one.

Since it's a low volume, it might just be manual stolen credit card testing, where they want to sample some stolen credit card numbers before attempting a larger purchase somewhere else.

If it's an e-book purchase, then I suspect that's most likely the case.

 

You could review that app's documentation to find a way to disable the fulfillment until payment is captured, but I suspect that won't help much.

You'll most likely just need to manually capture good actors' payments and ignore this bad actor's purchases until they move on to the next store that doesn't have manual capture enabled so they can test cards there.


NYCTrackbook
Excursionist

That's almost certainly what they've done. The digital asset was never downloaded.

What I'm looking for is a way to hold up only high-risk transactions, and let low-risk, which is pretty much everybody else, through.
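
The signals raised so far in this thread (a charge currency that does not match the card's billing country, repeated attempts minutes apart from the same buyer, and a digital item that is never downloaded) can be combined into a simple review rule. This is an added example, not code from the thread or from Shopify; the order fields, the sample orders, the currency map and the threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample orders for illustration only. The field names are
# assumptions and do not follow Shopify's order schema.
ORDERS = [
    {"id": "A1", "email": "buyer1@example.test", "at": "2024-08-21T08:01:00",
     "currency": "NPR", "billing_country": "US", "digital": True, "downloaded": False},
    {"id": "A2", "email": "buyer1@example.test", "at": "2024-08-21T08:06:00",
     "currency": "NPR", "billing_country": "US", "digital": True, "downloaded": False},
    {"id": "B1", "email": "reader@example.test", "at": "2024-08-21T09:30:00",
     "currency": "USD", "billing_country": "US", "digital": True, "downloaded": True},
    {"id": "C1", "email": "newbie@example.test", "at": "2024-08-21T10:00:00",
     "currency": "USD", "billing_country": "US", "digital": True, "downloaded": False},
]

# Small constructed map of billing country -> currency a cardholder there
# would normally pay in.
HOME_CURRENCY = {"US": "USD", "CA": "CAD", "NP": "NPR"}


def signals(order, history, window=timedelta(minutes=15)):
    """Return the card-testing signals that fire for a single order."""
    found = []
    expected = HOME_CURRENCY.get(order["billing_country"])
    if expected and order["currency"] != expected:
        found.append("currency_mismatch")
    placed = datetime.fromisoformat(order["at"])
    for other in history:
        same_buyer = other["id"] != order["id"] and other["email"] == order["email"]
        if same_buyer and abs(datetime.fromisoformat(other["at"]) - placed) <= window:
            found.append("rapid_repeat")
            break
    # Weak on its own: an honest buyer may simply not have downloaded yet.
    if order["digital"] and not order["downloaded"]:
        found.append("digital_not_downloaded")
    return found


def review_queue(orders, threshold=2):
    """Map order id -> signals for orders that should be held for manual review."""
    queue = {}
    for order in orders:
        fired = signals(order, orders)
        if len(fired) >= threshold:
            queue[order["id"]] = fired
    return queue
```

Requiring two signals keeps a single weak indicator, such as a file not yet downloaded, from holding a legitimate order.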

dylanpierce
Shopify Partner

Ah good, at least that simplifies the problem. If you were selling gift cards or something that was closer to liquid cash then it would be a bigger problem.

What you can do is download Shopify Flow which is a free app that builds workflows.

Then you can build a workflow that will manually capture payments on all low risk orders; that will automate that process of ignoring these bad actors with high risk orders.


NYCTrackbook
Excursionist

Until this morning I did have the option of a gift card for my store. I've never sold one so I just deleted the product after this. It was nothing redeemable for cash, as far as I know. I think I had it set up to give a copy of my book (physical book or digital) to someone.

I have the Shopify Flow app already, and I did manage to get a few workflows set up last year; they've been working great so far. Any idea where I can find out how to test this new workflow? 

dylanpierce
Shopify Partner

Shopify Flow is a fantastic app; there's a great team behind it too. One of the most underrated parts of Shopify in my opinion.

I've attached a basic Flow that will capture payment automatically on low risk orders.

 

You can download it, and import into Shopify Flow using the Import button at the very top of the Shopify Flow app home page:

 

CleanShot 2024-08-21 at 09.35.33.png

 

The best way to test is to create a draft order in Shopify, which will trigger your workflows just the same.

However, testing for high risk orders is a bit tricky; the only way I've found to manually create a test order with high fraud risk is by using the Shopify GraphQL API to manually update the order as high risk.

But if you only need to test low risk orders, which are most orders, then creating a draft order should work just fine.

 

Hope this helps,


NYCTrackbook
Excursionist

I didn't see anything to download; however, I went ahead and created one myself that I hope works. It did work on a low-risk transaction early this morning, but obviously I had no way to try a high-risk transaction. This is what I created. Do you see any issues with it? I do get a number of "medium" risk hits every year from customers who use a VPN so the transaction's IP address or location doesn't match the billing address, and in those cases a phone call or an email to the customer invariably results in a good order going out.

Should I be using the Cancel Order action off the bat for high-risk, or something else?

NYCTrackbook_0-1724248494158.png

 

dylanpierce
Shopify Partner

Sorry, I didn't realize Shopify Community wouldn't allow me to attach the Flow files to responses.


You can download the sample flow to capture payments on non-risky orders here.

 

I've also added instructions on how to import it and activate it.

But your flow is attempting to handle all 3 different types of risk levels; my sample one is only for addressing low risk. Your high risk flow branch has two steps that seem a bit out of order. The flow will cancel the order and then attempt to hold it, which will result in errors.

 

I suggest simplifying the workflow so that all non-low risk orders are simply held for fulfillment. The other suggestion I have is to add a small delay (1 or 2 minutes) before applying the hold.

There are some issues with trying to hold fulfillments immediately, since Shopify itself is changing order fulfillments under the hood so they might overwrite your hold if it's too quick.

 

> I do get a number of "medium" risk hits every year from customers who use a VPN so the transaction's IP address or location doesn't match the billing address, and in those cases a phone call or an email to the customer invariably results in a good order going out.

 

Very smart, that's exactly how you can save these sales that might be incorrectly flagged.

 

We offer a Shopify Flow action to create ID checks to automate that KYC (know your customer) step. It probably is overkill for your use case, but for others that need to verify large ticket orders it's a much better option.



NYCTrackbook
Excursionist

So how about this modified version? If low then capture; if medium or high wait 2 minutes then hold fulfillment. I assume that just puts the order in limbo and gives me the opportunity to contact the purchaser. Is there any way to have seller protection against chargebacks if he tells me the order is legitimate, but then cancels, or it turns out to have been fraudulent after all?

NYCTrackbook_0-1724266691857.png

 

dylanpierce
Shopify Partner

This is an accepted solution.

Looks good! Thanks for the screenshot. Yes, the flow shows that all medium/high risk orders will be held.

 

> Is there any way to have seller protection against chargebacks if he tells me the order is legitimate, but then cancels, or it turns out to have been fraudulent after all?

 

I'm not sure which payment gateway you're using, but Shopify Payments offers Shopify Protect which is essentially chargeback insurance on qualified orders. However, Shopify Protect won't cover all orders, only ones where Shopify determines they can cover the loss if a chargeback is filed.

 

Additionally, they won't cover if the customer reports the package as "never received"; Shopify Protect will only cover "unauthorized charge" chargebacks. Additionally, they will only insure physical goods shipped within the U.S.

 

There are other chargeback insurance options, but from what I understand they'll charge you a percentage of _all_ revenue, which ends up being very expensive. They may not cover digital goods either.

It really depends on how risky your industry is. If your chargeback % is low, then insurance is most likely overkill and your bottom line is better off verifying customer email/phone numbers and intent to purchase.


NYCTrackbook
Excursionist

I use Shopify Payments and PayPal only. My business is very small (under $50,000 in gross sales annually) and is something I do in semi-retirement. I publish a reference book in both physical and digital format that I update every year, and which has a somewhat limited audience. I make very little per copy at the end of the day, just enough for a few boxes of cigars and a bottle of Scotch or two. I do it for the enjoyment and the appreciation of the community more than the money, so any fraud really kicks me square in the sensitive bits, for sure. I agree with you that insurance in my situation would be overkill.

dylanpierce
Shopify Partner

Yes, I looked up your site, very cool. It would be a much smaller book but if you end up making a Cleveland street car/subway map, count me as interested.

Got it, then if you have the extra time it's worth it to just manually review these high risk orders. If you suspect they're just mis-flagged, then a quick email or phone call to the customer will probably clear that up.

It might even be possible to automatically send the customer an email for medium risk orders on Shopify Flow, so at least you can save some time with the outreach part.

Then you can save that extra cash for an extra peaty bottle of scotch. 


NYCTrackbook
Excursionist

As an Ardbeg man, I appreciate the peat 😁. Corryvreckan for the win.

Not sure about Cleveland, but I am considering Chicago. Alas that would entail actually going to Chicago. NJ is bad enough <g>. Last time I rode the Cleveland system was about 30 years ago.

 

As for contacting customers, I am usually at my desk all day so I have no issue calling or emailing customers with queries. I do it when my shipping software says the address is incomplete or wrong, etc, or they request an inscription that needs clarification. I think they appreciate that the author is reaching out to them personally. It's just the bad actors that I'm worried about.

 

 

dylanpierce
Shopify Partner

Yea, the L is much more interesting and larger. But there are some neat old street car lines that are still around here, including an abandoned train station underneath my office here.

Right, the good acting customers will respond whereas bad actors are usually juggling many disposable email accounts. If it becomes that tedious, it might be a good idea to require a phone number at checkout, so that way you can easily tell if a bad actor is checking out because they tend to use VOIP numbers.

 

Just another signal that's helpful since gmail/hotmail email addresses are disposable yet common.
