Best Practices for Preventing Fraud

    Learn how to use best practices to protect against disputes and fraudulent payments.

    Creating an effective dispute and fraud prevention strategy that best suits your business can help prevent fraud from occurring. By employing some of these best practices as part of your overall strategy, you can avoid excessive chargebacks and reduce potential customer burden and losses.

    Contact customers to confirm their order

    Contacting customers by phone or email to confirm their details before fulfilling an order can give you time to verify if a payment is legitimate. Contact information that doesn’t belong to the customer or fails to work may indicate a fraudulent payment. A nonsensical or evasive answer is also typically a good indication of potentially fraudulent behavior. Keep in mind that even phone or email responses cannot guarantee that the person responding is the true cardholder.

    Verify your customer’s identity

    For some, verifying the identity of customers can be beneficial. Asking your customers to connect their Facebook or LinkedIn accounts, for example, can serve as further proof of their identity. Connecting a social networking account doesn’t prove who a person is, but it’s an extra step that a fraudster might not take. Of course, some legitimate customers may not want to go through this additional process, and your conversion rate may suffer as a result.

    Refund suspicious payments immediately

    Refund any payments you suspect are fraudulent as soon as possible. In the Dashboard, select the payment and click Refund as fraud. This refunds the payment and reports it to us so that we can further improve our fraud detection.

    Manually review payments

    Radar for Fraud Teams includes a review process that allows you to place certain payments into review—though keep in mind that these payments are still processed and the credit card charged. These payments are placed into the review queue for you to take a closer look at. If you suspect the payment is fraudulent, you can refund it.

    You should review payments that Stripe has placed into your review queue as soon as possible. Payments with an elevated risk of fraud are automatically marked for review. You can also create additional rules to customize the types of payments that should be placed in your review queue.

    Here are some considerations when reviewing a payment:

    • Does the billing address match the shipping address?
    • Has the billing address been verified by AVS? Does it also match the card’s country of origin?
    • Does the customer’s email address match the cardholder’s name?
    • Is this an order that the customer has asked to be expedited?
    • Have multiple orders from different credit cards originated from this same IP address?
    • Has this customer made many order attempts that have been declined?

    If you’re unsure about a payment when you’re reviewing it, you should always contact the customer by phone or email. If a payment’s billing and shipping address don’t match, look into the shipping address using Google Maps & Street View to find out more. A common tactic that fraudsters use is to have orders shipped to a freight or mail forwarding service or storage facility that forwards the goods to their actual location.

    Use auth and capture when creating payments

    Credit card charge attempts are processed in two parts. The charge is first authorized by requesting authorization for the amount to charge from the card issuer. After a charge is approved, it’s then captured immediately afterwards and the amount deducted from the card.

    Auth and capture is the process of performing these two steps at separate times. The authorization can be made first, which holds the amount on the card and appears on a customer’s statement as a pending transaction. The charge can then be captured up to seven days later. Capturing a charge completes the payment and the funds are deducted from the customer’s card. If a charge is not captured within the time limit, the authorization is released.

    Similar to delayed shipping, this method can allow enough time for potential fraud to come to light, giving you the option to carefully review the transaction.

    Set a custom statement descriptor for each payment

    The statement descriptor is the line that appears on customers’ card statements with information about the company that’s associated with a payment. One way to use a statement descriptor is to insert a short, random code that your customer then has to verify. When you suspect a transaction might be fraudulent, you can contact your customer and ask them to give you the code that is shown on their online statement.

    You can either edit your default statement descriptor within the Dashboard or set a dynamic statement descriptor whenever a payment is created through the API. While this method cannot help against a fraudster that may have access to a cardholder’s online card issuer or credit account, this is extremely rare. Using the statement descriptor in this manner can provide reassurance that the customer is likely to be genuine.
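    The verification-code approach described above, as an added example that is not Stripe's code: it generates a per-payment code, fits it into a descriptor, and checks the customer's answer. The 22-character limit, the forbidden characters, and the business name are assumptions or constructed values, and sending the descriptor to the API is left out.

```python
import hmac
import secrets

# Assumed limits (not stated on this page; confirm against current Stripe
# documentation): at most 22 characters, none of < > \ ' " *.
MAX_DESCRIPTOR_LEN = 22
FORBIDDEN = set("<>\\'\"*")
# No 0/O or 1/I, so the code survives being read aloud over the phone.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_code(length=5):
    """Generate a per-payment verification code from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_descriptor(business, code):
    """Return '<NAME> <CODE>', truncating the name so the code is never cut."""
    if not code or any(c not in ALPHABET for c in code):
        raise ValueError("code must come from the verification alphabet")
    name = "".join(c for c in business.upper()
                   if c.isascii() and c not in FORBIDDEN)
    room = MAX_DESCRIPTOR_LEN - len(code) - 1  # one space before the code
    name = name[:max(room, 0)].strip()
    if not name:
        raise ValueError("no room left for the business name")
    return f"{name} {code}"


def normalize(answer):
    """Uppercase and drop spaces or dashes the customer may add."""
    return "".join(c for c in answer.upper() if c.isalnum())


def code_matches(expected, answer):
    """Compare the stored code with the customer's answer in constant time."""
    return hmac.compare_digest(expected.encode(), normalize(answer).encode())


if __name__ == "__main__":
    code = new_code()
    # Constructed business name containing characters that must be stripped.
    print(build_descriptor("Acme Widgets <Online> Shop", code))
```

    Store the code with the order record on your side and compare against that stored value, not against anything the customer supplies about the payment.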

    Country and card type limiting

    If you’re experiencing increased fraud coming from certain countries, you can set up rules to block payments from any country you do not want to accept payments from, using the :ip_country: and :card_country: rule attributes. For example, you can create the following rule to block all payments and cards originating from Canada:

        Block if :ip_country: = 'ca' and :card_country: = 'ca'

    Similarly, if your business only supports the country it operates in, you can create a rule that blocks any payments from all other countries. For example, a rule to block payments that don’t originate from Australia is:

        Block if :ip_country: != 'au' and :card_country: != 'au'

    You can set limits on which type of cards to accept, either by brand (e.g., Mastercard) or by funding type (e.g., pre-paid). This can be particularly helpful if you see excessive fraud from certain card types. To block payments from all Visa-issued debit cards, an example rule would be:

        Block if :card_brand: = 'visa' and :card_funding: = 'debit'
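    Before enabling a country or card-type rule, it helps to dry-run its predicate against sample payments to see exactly what the "and" covers. The following is an added example, not Stripe's rule engine: a local evaluator for the rule shapes shown above, run over constructed payments. Case-insensitive matching and the "or" form are assumptions made for the comparison.

```python
import re

# One condition: :attribute: = 'value' or :attribute: != 'value' (quotes optional here).
COND = re.compile(r":(\w+):\s*(!=|=)\s*'?(\w+)'?")


def parse_rule(rule):
    """Parse '<Action> if <cond> [and|or <cond>]...' into OR-of-AND clauses."""
    action, sep, predicate = rule.partition(" if ")
    if not sep:
        raise ValueError("rule must look like '<Action> if <conditions>'")
    clauses = []
    for or_part in re.split(r"\s+or\s+", predicate.strip()):
        conds = []
        for and_part in re.split(r"\s+and\s+", or_part):
            m = COND.fullmatch(and_part.strip())
            if not m:
                raise ValueError(f"unsupported condition: {and_part!r}")
            conds.append((m.group(1), m.group(2), m.group(3).lower()))
        clauses.append(conds)
    return action.strip().lower(), clauses


def matches(clauses, payment):
    """True if any OR clause has all of its AND conditions satisfied."""
    def holds(attr, op, value):
        return (str(payment[attr]).lower() == value) == (op == "=")
    return any(all(holds(*c) for c in conds) for conds in clauses)


def dry_run(rule, payments):
    """Return ids of the sample payments the rule's predicate would match."""
    _, clauses = parse_rule(rule)
    return [p["id"] for p in payments if matches(clauses, p)]


# Constructed sample payments (not real data).
SAMPLES = [
    {"id": "p1", "ip_country": "au", "card_country": "au", "card_brand": "visa", "card_funding": "debit"},
    {"id": "p2", "ip_country": "au", "card_country": "ca", "card_brand": "mastercard", "card_funding": "credit"},
    {"id": "p3", "ip_country": "ca", "card_country": "au", "card_brand": "visa", "card_funding": "credit"},
    {"id": "p4", "ip_country": "ca", "card_country": "ca", "card_brand": "visa", "card_funding": "debit"},
]

if __name__ == "__main__":
    au_rule = "Block if :ip_country: != 'au' and :card_country: != 'au'"
    print("and:", dry_run(au_rule, SAMPLES))
    print("or: ", dry_run(au_rule.replace(" and ", " or "), SAMPLES))
```

    With "and", the Australia rule matches only the payment where both the IP and the card are foreign; payments where just one of the two is foreign pass, so choose the operator to match what you actually intend to block.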

    Delay shipping orders

    If you’re shipping physical goods, consider delaying the shipment of goods by 24-48 hours. This time gives cardholders a chance to spot any fraud on their accounts. However, not all cardholders check their statements on a daily basis, and their card issuer may not proactively contact them about the transaction.

    Customers that request overnight or expedited shipping should be considered higher risk, as the increased cost of such services is of no consequence to fraudsters. One tactic you can use to identify these types of payments is to offer same day or overnight shipping at a very high cost–many times more expensive than any other shipping option you provide.

    It’s far less likely that any legitimate customer would pay such a high cost, but a fraudster would want the goods to be shipped as soon as possible and have no regard for the additional cost. You can then manually screen any customers that opt for the expensive shipping option and scrutinize the order to determine if it looks genuine.

    Ship to a verified address

    Shipping to a verified billing address which has passed ZIP code and street address checks is always the safest option. When using an address that has not been verified, you cannot prove that the order was shipped to the legitimate cardholder if the payment is later disputed.

    This doesn’t prevent you shipping to a different address, though you should do all you can to mitigate the risks involved. For instance, you may only want to ship orders to a different address for returning customers you already know to be legitimate, or who provide a fully verifiable billing address. In addition, any of the following could indicate the payment is suspicious:

    • The order is much larger than normal, or is only for your most expensive products
    • The customer changed the shipping address after placing the order
    • The customer requested expedited shipping
    • The products ordered have a high street resale value
    • The shipping destination is vastly different from the billing address or the card’s country of origin (e.g., billing address is Spain, shipping address is France)

    Reviewing the order and the shipping address information can help you determine whether or not the order presents an unacceptable risk to you.

    Create rules to manage incoming payments

    Using Radar for Fraud Teams, you can create rules to manage how your business handles incoming payments, blocking any that you would consider suspicious or placing them in review. There are also additional methods you can implement that work alongside any features of Radar for Fraud Teams that you use. You should also be aware of common types of fraud and make sure your business is best able to identify fraudulent payments.

    Use rules to automatically block payments or place them in review

    Our fraud prevention toolset, Radar for Fraud Teams, is built directly into the payment flow and combines a customizable rules engine with powerful machine learning algorithms. It can detect patterns across payments from every business processing payments with Stripe, assessing the risk of each one. You can use Radar for Fraud Teams to create a highly effective fraud prevention strategy. Using rules, you can adopt methods that evaluate payments based upon your specific criteria and take the appropriate action automatically. You can also create rules that make use of multiple criteria, so you can allow or block payments that meet multiple conditions. The following recommendations for rules can help prevent many common attempts at fraud.

    Benchmarking your dispute rate

    Your account’s dispute rate is an important metric to use when reviewing the efficiency of your disputes and fraud prevention methods. You should also consider it a trade-off, estimating an acceptable percentage of disputes you’re willing to accept, compared to the revenue you might lose by blocking risky payments. A dispute rate of 0.3% may be acceptable if working to reduce it further would risk blocking a substantial amount of legitimate revenue. For example, you may create rules that block payments from a certain country, which prevents $100 of fraudulent payments but also results in $2,000 of genuine payments being blocked. In this case, the loss from disputes is much less significant than the revenue from legitimate customers that would be lost. Your disputes and fraud prevention strategy should work to maximize your revenue while keeping your dispute rate as low as is acceptable.

    Even with all these methods, it’s still possible for instances of fraud to occur. We provide detailed information about disputes and fraud so you can be as informed as possible, as users are ultimately responsible for them.

    It’s important that you regularly evaluate your strategies to make sure they’re effective and keep up with different ways fraudsters may try to commit fraud. Working together, Stripe’s tools and your vigilance can work best to avoid disputes and fraud.

    Next steps

    Now that you have learned some of the best practices for preventing fraud, you may want to learn about dispute measuring, or move on to related subjects:

    If you require assistance with a dispute, please contact Stripe support.
