Since the moment online payments came into being, bad actors have been trying to commit fraud with them. We offer a variety of fraud prevention measures you can utilize as a member. This article will explain how ecommerce fraud works, what you can do to prevent it, and what to do if it happens to you.
Ultimately, your payment gateway (Stripe, Heartland, Authorize.net, etc.) is responsible for ensuring your payment security online (that's a big part of why you pay them fees).
If you suspect you've been a victim of fraud, follow these 3 steps immediately!
eCommerce Fraud 101
In the video below, we walk you through everything you need to know about online fraud in 2023.
Fraud Prevention & Best Practices
As an ecommerce platform, we're highly sensitive to the security needs of our member stores and we've designed the architecture of our shopping experience to minimize the potential for fraud by:
Requiring user identification for every purchase
Logging user session, location, and ISP details
Never storing any payment information
Fraud Reduction Best Practices
We've collected feedback from stores to establish fraud reduction best practices you should follow when reviewing online orders. They are:
If it's an order to be shipped
Check to see if shipping and billing addresses match
Check the phone number
Google the email address and/or phone number to see if results are tied to same identity as buyer
Call the customer directly and validate their information over the phone (no text)
If the above do not suffice, do not ship, and be sure to flag as potential fraud with the payment processor you use (Stripe, Heartland, Authorize.net, etc.)
If it's an order to be picked up in-store
Indicate online that you require matching ID for in-store pickup (using the checkout message feature and order fulfillment notes)
Require ID for pickups, no exceptions
Scan a copy of their ID in-store
If the above do not suffice, reject the pickup and refund the purchase, then be sure to flag as potential fraud with the payment processor you use (Heartland, RICS>Pay, Lightspeed, OpenEdge, Shift4, etc.)
Anti-Fraud Platform Features
Please note, your payment gateway (Stripe, Heartland, Authorize.net, etc.) likely offers additional anti-fraud features (ex: Stripe Radar). Most will cost you extra to use, so refer to their websites for more details if you're interested.
Each of the following Run Free Project anti-fraud features are all optional and included with your platform subscription at no additional charge. They are:
Scamalytics
We've partnered with Scamalytics to offer automated, reputation score-based transaction filtering (i.e. blocking) for high risk purchase attempts. By default, Scamalytics is turned off. To turn it on, simply navigate to your Run Free admin dashboard, tap the settings icon in the upper right corner of the blue menu bar, then choose integrations as shown below:
On the integrations page, select fraud risk as shown below:
In the main window, the Risk Assessment toggle will be off. Turning it on will prompt you with risk score and failed message text boxes as shown below:
The risk score is a 0-100 grade assigned by Scamalytics to a particular user session based on their IP address. The lower the number, the lower the likelihood of fraud. The higher the number, the higher the likelihood of fraud.
Thus, the risk score field on the Fraud Risk Analysis page indicates the maximum Scamalytics score you're willing to accept payments from. The lower the number, the lower your tolerance for risk. For example, if you entered 30 into the risk score field, you would automatically block any IP address with a score of 30 or higher from making a purchase from your online store. When that happens, the message you type into the Failed Message text box to the right will display in the lower right corner of the user's screen. You can customize it to say anything you'd like.
We generally advise stores to start with 50 or 60 and adjust up or down from there depending on the circumstances. The lower the number, the higher the likelihood you might inadvertently block a legitimate purchase attempt.
Fraud Blocking Rules
Everyone's security posture is different, so we give you the ability to create custom Fraud Blocking Rules based on your unique circumstances. Simply navigate to your Run Free admin dashboard, tap the settings icon in the upper right corner of the blue menu bar, then choose fraud blocking rules as shown below:
You will be presented with a list of fraud blocking rules you've created for your store as shown below:
If this list is empty, you haven't created any blocking rules yet. Please note the warning in yellow. Some global rules are applied to the platform for user accounts that have been caught attempting fraud across sites that are not shown on this page. In other words, when member stores notify us of fraudulent activity, we can apply platform-wide blocks against those accounts to reduce your potential of being victimized by the same offender.
To create a fraud blocking rule, simply tap the Add Rule button in the upper right. It will pop a modal similar to the one shown below:
You can create blocking rules based upon the following variables:
Email address
Billing address
Shipping address
State
First name
Last name
Phone number
IP address
You can also add matching logic to your rule by selecting contains, starts with, or is in the Match By dropdown for any of the variables listed above. For example:
If you chose the variable Email Address and Contains as your Match By logic, then entered bigdaddy into the value text box:
bigdaddy@runfreeproject.com would be blocked
bigdaddy42069@yahoo.com would be blocked
1234bigdaddy@aol.com would be blocked
big1234daddy@comcast.com would be allowed
If you chose the variable Email Address and Starts With as your Match By logic, then entered bigdaddy into the value text box:
bigdaddy@runfreeproject.com would be blocked
bigdaddy42069@yahoo.com would be blocked
1234bigdaddy@aol.com would be allowed
big1234daddy@comcast.com would be allowed
If you chose the variable Email Address and Is as your Match By logic, then entered bigdaddy into the value text box:
bigdaddy@runfreeproject.com would be blocked
bigdaddy42069@yahoo.com would be allowed
1234bigdaddy@aol.com would be allowed
big1234daddy@comcast.com would be allowed
Block Customer Accounts
Although relatively easy to circumvent for the determined fraudster (anyone can create a new account), blocking a customer's account is an option on the Run Free Project platform. Simply navigate to your Run Free admin dashboard, tap the customers header on the blue bar at the top of the page as shown below:
Then, locate the customer account (the email address is usually the best way to do that). On the far right of row the customer's account info appears on, there is a blue button with a down arrow. Tap that button, then select Toggle Block as shown below:
The customer's name will go from blue to red, indicating their account is blocked as shown below:
To unblock a customer, simply follow the same process described above again, and their name will go from red to blue, indicating they've been unblocked.
reCAPTCHA
We can also turn on reCAPTCHA for you, although we tend to reserve this as an option of last resort since it requires additional steps for your legitimate users too. To enable reCAPTCHA, please send us a chat message by tapping the blue and white chat icon in the bottom right corner of this page, your Run Free admin dashboard, or our website.
If You Suspect You Have Been a Victim of Fraud
We suggest a 3 step process to stores who suspect they've been a victim of fraud. Each is described below and we cover it in depth in this video as well.
Step 1
Before doing anything else, flag the payment as potentially fraudulent with your payment gateway (Stripe in this example). Tap the 3 dots, then choose Add to block list as shown below:
Ultimately, your payment gateway (Stripe, Heartland, Authorize.net, etc.) is responsible for ensuring your payment security online (that's a big part of why you pay them fees). And although we do lots of stuff to try to minimize fraud, in the end, it falls on them. So report it to them first.
Step 2
Block the shipping address using our Fraud Blocking Rules, then block the user on the customers page. Many fraudsters use the same shipping address with different payment cards as they test which will go through, blocking the shipping address will ensure the same folks can't steal from you again.
Step 3
Notify Run Free support by using the chat function by tapping the blue and white chat icon in the bottom right corner of this page, your Run Free admin dashboard, or our website. The more we know, the better we can be at reducing the potential for fraud from a platform perspective.