SMS fraud alerts (Beta)
Turn on SMS fraud alerts to:
- Minimize accidental blocks on transactions that appear fraudulent
- Conduct additional verification on authorizations Stripe deems high risk
- Conduct additional verification on authorizations you determine require it
SMS fraud alerts allow your cardholders to retry non-fraudulent transactions that would have otherwise been blocked. All cardholders with an associated phone number can use fraud alerts.
High-risk transactions
Stripe blocks transactions above a certain risk level. The risk level of a transaction is determined by the network you’re using. High-risk authorizations are identified by a value of suspected_fraud in the request_history.reason field, and won’t trigger issuing.authorization_request webhooks when declined.
SMS fraud alert flow
You can see fraud alert activity with the Authorizations API. Declined authorizations that were challenged with a fraud alert have a value in the fraud_challenges field. Subsequent authorizations that the cardholder verifies as genuine have a value of true in the verified_by_fraud_challenge field.
The following shows an example of a fraud-challenged and declined authorization:
{
  "id": "iauth_1CmMk2IyNTgGDVfzFKlCm0gU",
  "object": "issuing_authorization",
  "approved": false,
  ...
  "fraud_challenges": [{
    "channel": "sms",
    "status": "pending"
  }]
}
This example shows a subsequent authorization that has been verified by the cardholder:
{
  "id": "iauth_1CmMk28Jx923VfJJwMCejmX",
  "object": "issuing_authorization",
  "approved": true,
  ...
  "verified_by_fraud_challenge": true
}
Note
Verified, genuine authorizations trigger issuing.authorization_request webhooks. If you use real-time authorization, consider verified_by_fraud_challenge when deciding whether to approve an authorization.
To use SMS fraud alerts, make sure that:
- The phone number associated with your cardholder is valid and correct
- Existing transaction decline logic doesn’t conflict with SMS fraud alerts
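One way to keep existing decline logic from conflicting with a verified retry, as an added example that is not Stripe's code or part of the original page. The fields approved, fraud_challenges, verified_by_fraud_challenge and request_history.reason are the ones named above; treating request_history as a list, the merchant_data.country and merchant_data.category fields, the policy values and the sample objects are assumptions made for illustration.

```python
# Added example, not Stripe's code. Policy values below are hypothetical.
HOME_COUNTRY = "US"                                # assumed policy value
BLOCKED_CATEGORIES = {"example_blocked_category"}  # constructed placeholder

def challenge_state(auth):
    """Summarize where an authorization sits in the SMS fraud alert flow."""
    if auth.get("verified_by_fraud_challenge") is True:
        return "verified"
    challenges = auth.get("fraud_challenges") or []
    sms = [c for c in challenges if c.get("channel") == "sms"]
    if sms:
        return "challenged:" + sms[-1].get("status", "unknown")
    # Assumption: request_history is a list of entries, each with a reason.
    reasons = {h.get("reason") for h in auth.get("request_history") or []}
    if "suspected_fraud" in reasons:
        return "blocked_unchallenged"
    return "none"

def decide(auth):
    """Return (approve, reason) for a real-time authorization request."""
    merchant = auth.get("merchant_data") or {}
    # Hard rule: a cardholder's YES reply never overrides a policy block.
    if merchant.get("category") in BLOCKED_CATEGORIES:
        return False, "blocked_category"
    # Soft rule: a suspicion signal. Skip it once the cardholder has verified,
    # otherwise the retry is declined again and the alert achieved nothing.
    if merchant.get("country") != HOME_COUNTRY:
        if challenge_state(auth) == "verified":
            return True, "foreign_but_verified"
        return False, "foreign_unverified"
    return True, "ok"

# Constructed sample objects (IDs are placeholders, not real authorizations).
CHALLENGED = {"id": "iauth_example_1", "approved": False,
              "request_history": [{"reason": "suspected_fraud"}],
              "fraud_challenges": [{"channel": "sms", "status": "pending"}]}
RETRY = {"id": "iauth_example_2", "verified_by_fraud_challenge": True,
         "merchant_data": {"country": "FR", "category": "example_category"}}
RETRY_BLOCKED = {"id": "iauth_example_3", "verified_by_fraud_challenge": True,
                 "merchant_data": {"country": "FR",
                                   "category": "example_blocked_category"}}
UNVERIFIED = {"id": "iauth_example_4", "verified_by_fraud_challenge": False,
              "merchant_data": {"country": "FR", "category": "example_category"}}

if __name__ == "__main__":
    for a in (RETRY, RETRY_BLOCKED, UNVERIFIED):
        print(a["id"], challenge_state(a), decide(a))
```

Separating hard policy blocks from soft suspicion signals is the design choice here: only the soft rules yield to verified_by_fraud_challenge.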
We start sending SMS fraud alerts as soon as you enable the feature. Cardholders might receive an SMS fraud alert and contact your company’s customer service to learn more. Make sure your internal teams are prepared to answer questions that they might receive from your customers.
When a cardholder receives an SMS fraud alert, they can override the declined transaction by verifying that the suspicious transaction is legitimate and initiated by them. SMS fraud alerts are only available to cardholders in the US and UK with an associated phone number.
The cardholder verifies the override with a one-time SMS prompt with the following language:
Did you attempt a [Amount] transaction at [Card Acceptor]? Reply YES if you did, or NO if not. Reply STOP to opt out
If the cardholder replies “YES,” they receive the following:
Thanks, please wait a moment and try again.
To complete the purchase, the cardholder needs to initiate the transaction a second time, at which point they won’t receive the SMS prompt. If the cardholder replies “NO,” they receive the following:
This transaction was declined. We recommend you cancel your card and request a new one. Review your account for other suspicious transactions.
Define your own logic
Users who prefer to manage the rules that dictate when an SMS fraud alert is sent can do so using real-time authorization webhooks. Users may choose to trigger SMS alerts in scenarios where they detect spending that appears suspicious and want additional verification (for example, a cardholder using their card out of the country). Below is an example of how to trigger an SMS fraud alert in a webhook response:
SMS fraud alerts are currently limited to beta users. You must be an Issuing customer to join the beta. To request access to the beta, log in to your Stripe account and refresh the page. Contact Stripe for more information.