What to Do If You Suspect Credit Card Fraud by a Customer

Suspect credit card fraud

Credit card fraud is a challenging predicament for merchants. You want to reduce your level of exposure to chargebacks and losses, but you also want to create a smooth and simple experience for your customers. Sometimes these goals are at odds, so it’s hard to know what to do when you suspect credit card fraud by a customer.

A recent study from Javelin Strategy and Research found that credit card fraud reached an all-time high of 15.4 million people in 2016. Card-not-present fraud (like online payments where you can’t guarantee the customer actually has the card) increased by 40%. Account takeover fraud (where a fraudster gains control of a bank account or card) increased by 31%.

As the trend of making more online purchases continues, traditional identity theft and friendly fraud will undoubtedly get worse. Click To Tweet

While it’s true that organized criminals seek out credit cards to abuse, a percentage of credit card fraud occurs when seemingly “good” customers make authorized purchases, but later claim they were unauthorized. This is called friendly fraud. It occurs when a customer dishonestly claims an order never arrived, it was damaged, service was never rendered, or that the transaction was unauthorized.

As the trend of making more online purchases continues, traditional identity theft and friendly fraud will undoubtedly get worse (barring changes to our financial system). Since customers can go right to the payment processor to report fraud via a chargeback, merchants have to deal with a labor-intensive process of fighting fraud claims and potential fees.

The burden of proof lies with you – the merchant. It’s your job to verify the customer’s identity. But what should you do if you suspect credit card fraud by a customer?

Free download: 12 Indicators of a Potentially Fraudulent Transaction

Reach Out to the Customer

If your customer makes a purchase on your website without your involvement and you aren’t sure if the transaction is legitimate, it often helps to reach out to them with an email to ask for more verification.

You could ask for their bank’s name, their name as it appears on the credit card, or pretty much any other piece of information that would help you verify their identity. End your email with, “I will fulfill your order once you provide this information.”

If the customer is trying to make a fraudulent transaction, there’s a good chance they won’t respond. Fraudsters don’t want any attention, especially if it seems like you’re trying to confirm their identity. Reaching out could scare them off.

Consult Your Payment Processor’s Guidelines

Your payment processor most likely has a resource on how to behave if you suspect a customer is trying to pay fraudulently. You’ll want to review this information carefully. It’s not just good advice. It also probably spells out steps you should take to keep your account in good standing with your payment processor.

For instance, in Stripe’s guide on disputes and preventing fraud, they explain what fraud looks like (in the context of Stripe’s app), how to avoid it, and what to do if you think a customer is trying to make a fraudulent purchase.

Use Your Payment Processor’s Fraud Tools

If your payment processor offers any special tools to deal with fraud, you’ll want to take advantage of them right away. The processor probably has software tools better at detecting fraud than you can by eye, anyway.

One of the reasons we like using Stripe so much (and make it a staple of our WordPress plugin, WP Simple Pay) is because of their fraud detection tool called Radar. Radar is a machine learning algorithm that identities fraudulent activity on payments that come through Stripe’s platform. Radar has blocked billions of dollars in fraud since 2016.

Radar is unique because it doesn’t block fraudulent payments. It also informs you why it happened so you can take steps to protect yourself in the future. You can also choose to reach out to the customer for more information and protect yourself from liability.

If you don’t use Stripe, your payment processor probably has a similar tool you can utilize to protect yourself from fraud. If you haven’t yet, explore your payment processor’s website for tools to help you in the event you suspect credit card fraud by a customer.

Delay Shipping Goods or Performing Services

As a business, it’s good policy to fulfill your customer’s order (whether they order products or need you to perform a service) as quickly as possible. Customers who get what they pay for quickly are more likely to become repeat customers, after all.

But if you suspect a customer has made a fraudulent transaction, it’s smart to delay fulfilling their order for about 48 hours. This gives the customer some time to notice the fraudulent transaction and contact you or their bank for remedy.

If you ship the customer’s order, start work on their project, or spend their money, there’s a strong possibility you’ll be out those costs if the cardholder initiates a chargeback.

Confirm the Transaction via the Billing Address

If the billing address on the card doesn’t match the customer’s shipping address, it’s worth your time to confirm with the cardholder at their address. Send a letter to the billing address with a confirmation code consisting of random numbers and letters. Ask the customer to call, text, or email you once they receive the letter to read you the confirmation code.

If the customer seems upset over this (which may happen because sometimes people genuinely want products shipped to alternate addresses), tell them it’s your policy any time someone uses a shipping address that’s different from their billing address.

If the customer doesn’t live at the billing address (meaning they’re trying to commit fraud), they won’t be able to verify the transaction. Once you explain your system, they’ll most likely stop replying to your emails.

When in Doubt, Decline the Sale

If you feel like something is off about a transaction, trust your instincts and decline the sale.

We know it’s hard to turn away business, especially if you’re a young company that needs immediate sales to fuel growth. But in the long run it’s easier on you if you turn away anything that’s suspicious. Otherwise you could end up with a chargeback. You’ll be out the money and you’ll damage your reputation with your payment process.

An incredible sale that seems too good to be true probably is. A customer who can’t remember their own address isn’t just forgetful. Listen to your gut when it tells you something is wrong. If the customer can’t make you feel at ease, apologize and decline the sale.

Update Your Policies and Procedures

After dealing with credit card fraud (or even just potential fraud), it’s important to update your business’ procedures to ensure you correct it again in the future.

For instance, let’s say a customer calls to place an order, but can’t recall their billing zip code and wants to call back. Odd, right? Who doesn’t remember their own zip code? So you track down the customer’s phone number and ask them to confirm the purchase. Lo-and-behold, someone was trying to use their card fraudulently.

In this example, your next step would be to instruct everyone on your team to evaluate how customers submit information. If they can’t supply basic information without struggling, you should flag the order as potentially fraudulent and investigate further.

Next you’ll want to update any settings in your payment processor to reflect your new policy. In Stripe, for example, you can set up different kinds of rules for your transactions.

Suspect credit card fraud

Download this free guide of indicators that a customer may be trying to commit credit card fraud through your business.

Act Quickly If You Suspect Credit Card Fraud

The key to combating customer credit card fraud is to respond quickly whenever you suspect it. Often it only takes a little scrutiny to deter a fraudster. If you follow the steps we’ve outlined above, you’ll minimize your exposure to risk and maintain a healthy relationship with your payment processor.