01 Aug Anti-fraud checklist for your online shop
As more and more people shop online, the number of criminals taking to the web has also grown. As a business owner starting an online business, what can you do to protect yourself against online fraud?
As sales in your online store grow, it’s important to protect your business against online fraud. While there’s no one way to 100% insulate yourself against the risks of online fraudsters, there are many things you can do. Here’s a checklist of things to consider for your online store.
If your payment gateway provider has an anti-fraud service, then take advantage of it if you can. Many payment gateway providers have an account area that you can log in to and configure anti-fraud rules that block certain countries or certain types of payments.
Screen orders before they’re sent
It’s worth your time to review orders before they are dispatched to see if you can recognise the signs of a potentially fraudulent transaction. This is particularly the case for those selling in online marketplaces like eBay and sending out items by standard post, as these marketplaces typically have policies whereby the seller is held responsible if an item isn’t delivered, even if the buyer did not choose tracked post. You might want to set yourself a threshold of orders to review each day and take a look at the accounts of those buyers or, where the order came through your own website, look up the area where the package is being sent to see if there are potentially any delivery issues. If you feel that the transaction is of particularly high value, or you are suspicious of the buyer, you might want to consider sending the item with tracked post as a form of insurance for yourself as a seller. If the package did go missing in that circumstance, you would be able to follow up the tracking number with Australia Post or your courier service and protect yourself from a forced refund from the marketplace, or a chargeback via PayPal for a transaction on your website.
Avoid high risk countries and don’t process transactions that you are suspicious of
You can configure your online store or payment gateway not to accept transactions from a high risk country like Nigeria and, in many cases, block transactions from everywhere except the countries you do want to post to. The easiest way to do this is to not define postage methods and prices for the countries you do not want to sell to. If you are ever suspicious of a transaction that does come in, don’t post the item. You are within your rights as a seller to refund the transaction through your payment gateway and terminate your selling obligations to that customer.
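The screening steps from the two sections above, written out as an added example (not code from any shop platform, marketplace or payment gateway). The order fields, the ship-to list, the value threshold and the daily review limit are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed settings for this sketch (not taken from any platform):
SHIP_TO = {"AU", "NZ"}     # countries you have defined postage for
HIGH_VALUE = 200.00        # constructed threshold for "particularly high value"
DAILY_REVIEW_LIMIT = 2     # orders you commit to reviewing by hand each day

@dataclass
class Order:
    order_id: str
    country: str           # delivery country code
    total: float
    tracked: bool          # True if the buyer chose tracked post

def screen(order: Order) -> str:
    """Decide what to do with one order before it is dispatched."""
    if order.country.upper() not in SHIP_TO:
        return "refund"                # don't post; refund via the gateway
    if order.total >= HIGH_VALUE and not order.tracked:
        return "send_tracked"          # upgrade postage as seller insurance
    return "dispatch"

def review_queue(orders, limit=DAILY_REVIEW_LIMIT):
    """Pick today's manual-review list: shippable orders, highest value first."""
    shippable = [o for o in orders if screen(o) != "refund"]
    ranked = sorted(shippable, key=lambda o: o.total, reverse=True)
    return [o.order_id for o in ranked[:limit]]

# Constructed sample orders ("XX" stands for any country outside SHIP_TO)
ORDERS = [
    Order("A100", "AU", 35.00, False),
    Order("A101", "AU", 480.00, False),
    Order("A102", "XX", 950.00, False),
    Order("A103", "nz", 220.00, True),
    Order("A104", "AU", 60.00, True),
]

def run(orders=ORDERS):
    """Map each order id to its screening decision."""
    return {o.order_id: screen(o) for o in orders}

if __name__ == "__main__":
    for oid, action in run().items():
        print(oid, action)
    print("review today:", review_queue(ORDERS))
```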
Change your passwords, regularly
Do you use your partner’s, pet’s or child’s name as your password? Or the name of your car or favourite sport? Or some other easy-to-guess password? Do you then use the same password for your store admin, all of your email accounts, financial website login and all accounts that you sign up to online? If so, you are putting your business at risk because if there is a data breach at any of the places where you have used your easy-to-guess password then someone who obtains that password can access all of your other logins as well. You should ensure that you use a password that includes a mix of letters and numbers and change it on a regular basis.
Accepting PayPal? Block anonymous purchases
Recent changes to PayPal’s terms and conditions will allow PayPal disputes to be placed for up to 180 days after a transaction, which is a longer period than even credit card chargebacks. You can go into your PayPal account and require customers to have signed up for a PayPal account before they can pay you. While this makes it a little bit less convenient for the average customer to pay you, many people using PayPal already have a PayPal account – especially those who sell things around the house on eBay or are business people themselves. PayPal have a number of safeguards in place for sellers, subject to their terms and conditions.
Keep your computer up to date
It’s important to ensure that the computer that you access your website and other important business software from is well protected from viruses and spyware programs. Anti-virus and firewall programs need to be kept up to date with information about how to identify new types of viruses that appear. There are also other types of protective software, like key scramblers, that you can install on your computer to protect you in the event that something gets past the defences of your anti-virus program. These programs make it harder for a third party program to watch what you type on your computer (like your Internet banking or store administration password).
Ensure your online shopping cart is PCI compliant
PCI standards compliance is a set of business rules (including security standards for the underlying technology in your website) agreed to by the major providers of credit cards like Visa and MasterCard. The technology standards that must be met for compliance are quite rigorous, and many shared hosting scenarios will not offer PCI compliance so that the hosting environment that they offer is as compatible as possible with a wide range of software applications. As the maintenance cost of compliance can be considerable, many hosting companies cannot justify the costs of providing a PCI compliant hosting environment for the prices that they charge.
Hosted ecommerce software like Ozcart can provide you with a PCI compliant hosting environment and a certificate that you can show your bank as proof should your bank require it. The shopping cart software provider takes care of the compliance and you just pay your monthly fee for your ongoing access to the site and support.
Scammers send out regular emails designed to trick business owners into clicking on a link and providing their login details, which they will then use for identity fraud or to steal money directly from you. They will send out emails that look like they came from your bank or from PayPal, asking you to verify your details or telling you that you have purchased something that you haven’t. Some fraudsters construct fake website login pages that look like the login screens of the company that they are pretending to be. They might tell you that they are the police and you have a speeding fine to pay, or a travel agent and that you have purchased a holiday that you know you did not buy. Sometimes they tell you that your payment accounts are blocked and you just need to verify your identity to free up your funds again. They will tell you anything to try and get you to “log in” and provide your details to them – so they can scam you.
Give your customers confidence
Make sure that the checkout of your shopping cart shows the padlock on it, which means that your website is protected by an encryption technology called SSL. On Ozcart websites, an SSL certificate is included free for the first year and then renews annually after that. If you’re not an Ozcart customer, check with your hosted ecommerce software provider about what applies for you. A “shared” SSL certificate will lead to a security warning on checkout so for the most confidence in your business a private SSL certificate for your website domain is what you should be looking for.
Your business has been defrauded?
Know where you can turn
If you do get scammed as a seller, there are a number of avenues that you can pursue. The first of these is to check the terms and conditions of the payment provider that you are using, as they may have a defined policy for protecting your rights as a seller. PayPal, for example, have a defined process for reporting a fraudulent buyer – see information on PayPal’s process here: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Help/general/TopQuestion4-outside
The Australian Federal Police take fraud seriously and have a website available where you can report the fraudster. If you visit the Australian Cybercrime Online Reporting Network (ACORN) website you can go to the Report a Cybercrime page. They also have information about currently circulating scams to be aware of.
When you report a crime, the information you’ll be able to provide will include:
- The country of the fraudster (it doesn’t have to be an Australian)
- Many types of online fraud and cybercrimes like: Spam or phishing, Online scam or fraud, Online identity theft, Issues buying and selling online, Attacks on a computer system or virus, Cyber bullying, sexting, online harassment or stalking, Illegal, prohibited or objectionable material online, Online child abuse or child sex abuse material. As a business reporting a fraud, you’d select “Issues buying and selling online”. You’ll be given the opportunity to mention if any dispute resolution process was completed through your bank, payment gateway or marketplace.
There are fraud reporting tools for citizens in other countries too. The Australian Government ACORN site is located here: www.acorn.gov.au