Avoiding fraud and disputes
Fraud can occur with many different payment methods. Using the example of card payments, a charge is fraudulent when the cardholder has not authorized the charge. Most fraudulent charges are made using stolen credit cards or card numbers. Often, a fraudulent charge will be disputed by the real owner of the credit card (after being notified that the charge was made or reviewing a credit card statement). Cardholders typically call their bank and the bank will issue a dispute (sometimes called a chargeback).
Radar is a proprietary suite of tools, based on our machine learning algorithms, to help you maximize revenue by catching fraudulent charges and minimizing declined payments. Radar is available to all users who have implemented client-side tokenization via Stripe.js, Checkout, or our supported mobile SDK integrations (iOS and Android). Radar is currently available for card payments only.
- Machine learning: Radar employs advanced, adaptive algorithms that learn from a large global network of businesses. Radar scans every payment against the most relevant signals and automatically blocks or flags fraudulent transactions.
- Risk Evaluation: Radar provides real-time insights about fraud for your business and provides granular info about why payments were blocked or flagged.
- Rules: Reflect your unique business logic by using custom rules to block or flag payments for review by your teams.
- Review: Simple workflows in the Dashboard to give unusual payments a second look.
If your business needs highly specific fraud controls, you can create rules to manage how it handles incoming payments. For example, you may want to allow all charges under $5, or flag charges with certain characteristics for review. You can see our documentation for more on setting rules.
That said, even with all these checks, fraud can still slip through the cracks. We very much want our users to be as informed as possible, both so that they can accept or refund any charges they believe are fraudulent and so they are equipped to accept the financial responsibility of any suspect charges that enter their Stripe account. Working together, Stripe’s tools and your vigilance make a strong team to combat fraud.
Fraud is an unfortunate part of accepting payments online, but disputes tend to be pretty rare—well under 1% of the total charges on an account. Should we ever see a higher dispute rate, or a significant increase in potentially fraudulent activity, we’ll reach out proactively to see how we can help.
Keep in mind that fraudulent charges are the account owner’s responsibility. (Excessive chargebacks will not only affect a user’s ability to process with Stripe, but can also affect a user’s ability to access credit cards as a form of payment with any processor.)
One of the best ways to prevent chargebacks is to spot potential fraud before it can have an adverse effect on your Stripe account.
Since Stripe users are responsible for fulfilling orders for customers—and possess the most information about their customer at the time of purchase—they are best equipped to determine whether or not a transaction is potentially fraudulent. Many indications of fraudulent activity may seem fine on their own but, taken together, can clearly indicate fraud.
For card payments, Stripe automatically surfaces payments that are of elevated risk for review. However, you may want to further customize your reviews in order to catch anything out of the ordinary. You can customize review through review rules, which can be written in your Dashboard. Though some indicators of fraud vary by the payment methods you accept, some things to look out for are:
- Unusually large orders (either number of items ordered, multiples of the same item, only your most expensive merchandise, or an expensive item/dollar amount that just seems out of line with a normal customer)
- Rush orders/overnight delivery (which would allow fraudsters to take advantage of timing)
- Use of international cards or orders with international shipping addresses
- High-risk shipping destinations
- Many smaller transactions made with similar or the same card numbers, especially over a short duration; this is especially true for crowdfunding/fundraising sites
- Many transactions made with the same card but different shipping addresses, or many cards with the same shipping address
- Many transactions from the same IP address with different cards - this includes failed transactions (fraudsters will often attempt to use many cards, and keep trying until one succeeds)
- Use of obviously or likely-fake information in the transaction (such as fake phone numbers or gibberish email addresses like email@example.com)
- Shipping to a freight forwarder. (There’s a list of known freight forwarders here.)
- Inconsistencies in customer details across multiple purchases, e.g. seeing the same e-mail address but a different name provided for another payment.
- Many failed attempts by the same customer name/email address - your declined charges can provide very valuable information and should be regularly reviewed! The same customer might have many failed charge attempts, and if each failure is associated with a different credit card, any successful charge carries much greater risk for fraud.
- Communication that doesn’t sound quite right. Fraudsters often use a “script” and will send this to multiple sellers using common/generic phrases. If you see a phrase that appears scripted, try an Internet search by putting the short phrase in quotes. Here is an example of such a search.
- Requests to split a large order into multiple payments across different cards that do not share the same verified billing address information
- Any request that you run a charge through manually, either through your Stripe dashboard or your store - fraudsters may make this request in order to have the charge run with your local IP address instead of their own.
- Any request to “overcharge” a card and pay out a third party (driver, shipper/freight company, etc.) via a different payment method (check, wire transfer, cash, money order, etc.)
- Any request to charge a card and then provide a refund outside the card network (refunding via check or money transfer, for example.)
Consider reaching out to customers making potentially suspicious charges by phone or e-mail to confirm customer and charge details. A phone number that doesn’t belong to the customer or an e-mail that bounces may indicate a fraudulent charge; a nonsensical or evasive answer is, similarly, typically a good indication of potentially fraudulent behavior.
(Remember that even phone or email responses do not guarantee that the person responding is the true cardholder.)
Providing Stripe with more information (name of customer, address, the credit card’s security code, zip code, shipping address, etc.) when creating a charge may help to prevent fraud. For certain high-risk charges, we may block the charge or send you an e-mail advising that you examine it more carefully.
To fully utilize our fraud detection tools, Stripe users should:
- When creating charges, send customers' names and e-mail addresses. These can be captured directly from a form with Stripe.js or included in Customer-creation API calls. If you don’t use Stripe.js or Customer objects, you can include e-mails in the description field on charges.
- Use Checkout or Stripe.js, which help with PCI compliance and also give Stripe more information about a charge
- Review transactions through the Radar tab in your Dashboard
- Use Stripe’s fully-integrated fraud tool Radar to write rules that can customize fraud prevention on top of Stripe’s machine learning models
- Regularly monitor and adjust your account’s fraud protection rules.
- Make sure the donation makes sense for your campaign; if you’re running a small, personal campaign, and you receive a very large donation from an unknown individual that doesn’t seem to make sense, scrutinize the charge carefully and consider refunding if you cannot verify the individual making the donation.
- Watch your declines: many declines to different cards in rapid succession indicate a fraudster is testing stolen card numbers.
- If it does look like someone is testing cards on your website, consider implementing a CAPTCHA during checkout to slow them down - this usually encourages a card tester to move on.
- If you receive a large donation, and the donor reaches out to you to say they made a mistake and only meant to donate part of the amount, be wary - fraudsters will sometimes make a large donation (such as $5,500) and later tell you they only meant to donate a smaller amount (like $550) and ask you to refund the rest. This is done to test a stolen card’s credit limit. If this scenario appears, it may be prudent to refund the entire donation.
- Customers misusing digital goods or services are more likely to be using stolen credit cards (e.g. a customer sending spam using a product for messaging, or making many purchases in a short period of time for downloadable content or “in-game” items).
- Watch for multiple accounts using similar email addresses or the same credit card. You can surface this in your review queue through a review rule.
- Watch for multiple charges to the same email address in rapid succession. You can surface this in your review queue through a review rule.
- Watch for unexpected or significant changes in account activity. If the purchase frequency or dollar amount of payments for an account increases significantly, it may be an indication of fraudulent activity.
- Even though digital goods are not shipped, it is very important to collect and verify as many card details as possible, including CVC, street address, and zip/postal code. Consider rejecting charges that fail the CVC and zip/postal checks.
- View evidence about the transactions, including IP address, email logs, usage logs (i.e. did they log in and actually use the service?), and so on. Pass us this information, so that you can view it as you review a charge.
- Check whether the shipping and billing addresses match. Although a difference in address by itself doesn’t indicate fraud (the customer may have purchased a gift, etc.), it indicates that the charge should be looked at more carefully. If the addresses do match and the customer is using a credit card from the US, Canada or UK, check to see if the zip/postal code and street address verifications passed.
- Watch for customers who ask to change the shipping address after the order is placed. Fraudsters may use a legitimate address to obtain a successful charge but later ask that products be shipped elsewhere.
- Review the credit card’s country of origin (the country in which it was issued) in a charge’s payment detail in the Stripe dashboard. The billing address provided should match this country. Where the shipping country does not match the card’s origin or is a country typically not shipped to, it is important to take extra steps to verify the legitimacy of the charge.
- Ensure that shipping methods are appropriate, especially for overnight shipping at a high cost. People using stolen credit cards don’t usually worry about how expensive the shipping is and want goods right away, before the card number is reported as stolen or compromised. Never agree to use a customer’s “preferred shipper” or agree to pay a third party shipping company on your customer’s behalf; these are usually a second front for fraud.
- Consider instituting a 24-48 hour shipping delay for high-value orders or shipments to non-verified addresses or first-time customers.
- If you have a verified billing zip code, make sure the shipping label generated by your shipper displays this zip/postal code after you enter the address. Some fraudsters will provide a valid billing zip code, but the rest of the address (street, city, and state) is fraudulent, and automated systems such as USPS self-service will often autocorrect the zip code you enter - effectively changing it from the verified billing zip code to the fraudster’s.
If you’d like to familiarize yourself with the zip code prefixes in the US by region (you’ll be surprised how quickly you’ll learn to spot irregularities!) a great reference map can be found here.
Generally, Stripe cannot see the shipping address customers provide and shipping information is not necessary to successfully accept a payment. However, you can improve Stripe’s fraud detection by sending the shipping address when creating a charge.
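The decline patterns listed above (many cards tried from one IP address, many failed attempts under one email address, declines in rapid succession) can be checked mechanically against your own record of charge attempts. The following is an added example, not Stripe's code or part of the original article; the record layout, the `flag_card_testing` name, and the thresholds (three distinct cards within ten minutes) are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample attempts (not real data). "card" stands in for a stable
# per-card identifier such as a fingerprint; never log raw card numbers.
ATTEMPTS = [
    ("2024-01-05T10:00:05", "203.0.113.7", "a1@example.com", "card_A", "declined"),
    ("2024-01-05T10:00:40", "203.0.113.7", "a2@example.com", "card_B", "declined"),
    ("2024-01-05T10:01:10", "203.0.113.7", "a3@example.com", "card_C", "declined"),
    ("2024-01-05T10:02:00", "203.0.113.7", "a4@example.com", "card_D", "succeeded"),
    ("2024-01-05T09:00:00", "198.51.100.20", "pat@example.com", "card_E", "declined"),
    ("2024-01-05T09:03:00", "198.51.100.20", "pat@example.com", "card_E", "succeeded"),
    ("2024-01-05T08:00:00", "198.51.100.99", "lee@example.com", "card_F", "declined"),
    ("2024-01-05T13:00:00", "198.51.100.99", "lee@example.com", "card_G", "declined"),
    ("2024-01-05T18:00:00", "198.51.100.99", "lee@example.com", "card_H", "succeeded"),
]
FIELDS = ("ts", "ip", "email", "card", "status")


def flag_card_testing(attempts, key="ip", window=timedelta(minutes=10), min_cards=3):
    """Flag each `key` value (IP or email) that tried at least `min_cards`
    distinct cards, with at least one decline, inside one sliding `window`."""
    groups = defaultdict(list)
    for row in attempts:
        rec = dict(zip(FIELDS, row))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        groups[rec[key]].append(rec)

    flagged = {}
    for value, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            cards = {r["card"] for r in in_window}
            declines = sum(r["status"] == "declined" for r in in_window)
            if len(cards) >= min_cards and declines:
                flagged[value] = {
                    "cards": sorted(cards),
                    "declines": declines,
                    # A success that follows declines is the charge to review first.
                    "succeeded": sorted(r["card"] for r in in_window if r["status"] == "succeeded"),
                }
                break
    return flagged


if __name__ == "__main__":
    for who, hit in flag_card_testing(ATTEMPTS).items():
        print(who, hit)
```

Grouping by `key="email"` with a longer window catches the slower variant, where one customer email cycles through several cards over hours rather than minutes.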
We recommend that you issue a full refund as soon as possible for any charge made with a credit card that your review leads you to believe may have been stolen or used without the true cardholder’s authorization.
The best way to issue a refund for potentially fraudulent charges is through the ‘Refund and report fraud’ link on the charge’s detail page. This will refund the charge and report it to us so that we can improve our fraud detection systems in the future.
If you do not issue a refund, or if you aren’t able to identify a charge as fraudulent, the cardholder may dispute the charge with their bank, resulting in a chargeback. In some cases, the bank may automatically file chargebacks on a cardholder’s behalf in cases where a card is stolen or otherwise compromised. These bank-initiated disputes are generally aimed at a range of charges within a compromised period, and are designed to protect the cardholder while the bank investigates each charge to determine its legitimacy.
When you receive a chargeback, the cardholder’s bank immediately refunds the transaction and charges a fee. Stripe, in turn, will withdraw the full amount of the charge plus a chargeback fee from your bank account. See How Does Stripe Handle Chargebacks for more information.
For a more in-depth guide to understanding and preventing online fraud, check out our detailed documentation here.
As always, Stripe is happy to help answer questions about potentially fraudulent activity on an account. Please contact us with concerns about specific charges or to discuss preventing fraud when using Stripe.