WHMCS Anti-Fraud • Fraud Detection and Prevention
You've started your business using WHMCS and gone through the difficulties of launching a hosting company. Payments keep flowing until one day you start receiving fraudulent orders. What do you do now? How can you handle them?
Distinguishing between fake orders and real ones is sometimes difficult. Things get complicated when real people, rather than bots, place fraudulent orders. Whatever the case, at the end of the day such orders hurt your business because they cost money and time.
The main issue is that you, the merchant, have to accept the financial responsibility. When the payment card account holder did not authorize the charge, you must issue a refund at your expense, transaction fees included. As if that weren't enough, most of the time the order has already been activated.
The extent of the damage depends on the items in the order. Hosting packages can be terminated and cost you nothing apart from your time. Domains are a different story. Once a domain is registered, there's no way to undo the operation. You have registered a domain for nothing, losing both money and time.
Adopting several different fraud tools is the only way to protect yourself effectively. It's not enough to rely on one tool, since each of them addresses only part of the problem.
Deciding which tools you need isn't easy. Fraud detection in fact falls into different classes, and there are always new threats. We don't want to bore you with details, so let's go straight to the point and focus on what you can do in WHMCS.
In the table below we divided suspicious activities into three categories. For each of them there's a tool to use.
Captcha can keep out the vast majority of bots. It effectively stops fake orders, registrations and spam in support tickets. That said, not all Captchas were born equal.
WHMCS integrates reCAPTCHA v2 in 7.0 and later and Invisible reCAPTCHA in 7.7 and later. Of the two you should prefer the latter, since it doesn't require customers to do anything. As for the Default option (a 5-character verification code), it has proved to be useless: any bot can bypass it.
Google reCAPTCHA represents your first line of defense against fraudulent orders. This tool alone can save you from hours of pointless struggle. The good news is that it's free and easy to implement.
Captcha can't do anything for orders placed by real fraudsters. To stop them we have to use different tactics and tools. The second line of defense is based on a fraud protection service.
WHMCS can automatically run checks on orders to block potential fraud. This is possible thanks to third-party services like FraudLabs Pro and MaxMind. They serve the same purpose, so you can use only one fraud protection service at a time.
They work much like an anti-spam service. Each email passes through filters and is classified with a spam score. Similarly, FraudLabs Pro and MaxMind classify orders by assigning a risk score.
Both solutions are inexpensive but score-based protection has a few shortcomings:
- Some fraudsters know how to bypass these controls
- Legitimate orders could be wrongly marked as fraud and vice versa
- Customers who travel a lot will have trouble passing checks
You can adjust the risk threshold score to prevent false positives. Most importantly, open Setup > General Settings > Ordering and check the following option. This way existing customers who have already been verified won't be checked again. This option is a life saver for customers who travel a lot.
As a third line of defense, you can implement SMS / telephone verification. FraudLabs Pro supports SMS verification, and there are alternatives in the WHMCS Marketplace. Years ago this kind of protection was very effective. It is still useful, but nowadays there are many ways to bypass it: fraudsters buy identities, SIM cards and temporary mobile numbers for a few dollars.
With Captcha, a fraud protection service and SMS verification you can prevent most fraud. So far so good, but keep in mind that you are the last line of defense. Learn to detect suspicious orders using the schema provided earlier (Behaviours category).
There are a few more things you can do to increase protection. You could disable auto provisioning for new customers. Open Setup > General Settings > Ordering and look for this option. This way WHMCS doesn't register domains or set up hosting accounts without manual intervention.
Alternatively you can restrict auto provisioning to specific products/services. Open Setup > Products/Services > Products/Services, locate your product and click the Module Settings tab. Keep in mind that this option applies to all customers, new and existing ones. It is recommended to use this approach for VPS, which attract scammers as honey attracts flies.
This is the part of the guide that contains bad news. Captcha and fraud protection services don't prevent fraudsters from sending payments. As a consequence, WHMCS still issues invoices for fraudulent orders. We have two problems here.
First. Transactions involved in fraudulent orders are refunded by credit card issuers within a couple of days. In the meantime it is very likely that the order has already been activated. Long story short, you lose money, and if the items involved are non-refundable (e.g. domains), you can't even recover your expenses.
Second. The resulting invoice must be registered and cancelled by issuing a credit note (aka reverse invoice), which WHMCS doesn't natively support. In some jurisdictions the excessive issuing of credit notes is considered suspicious. You would likely attract attention you don't want.
The core of the problem is that WHMCS stops fraud after the sale. That means you still risk losing money and time due to chargebacks. The good news is that there is a solution. SMS verification can stop fraud before the sale. Alternatively you can use the anti-fraud feature integrated in Billing Extension, a WHMCS module.
This anti-fraud feature is based on the principle of invoice suppression. Billing Extension uses it to support monthly invoicing, but it can be extended to fraud prevention. In short, the module lets you postpone the issuing of invoices for new customers. Such invoices can be issued manually at any time from this interface.
Here is the thing. It usually takes a few hours to a couple of days for credit card issuers, banks and gateways (e.g. PayPal, Stripe) to detect payment fraud and initiate a chargeback.
We can base our anti-fraud strategy on that. Just wait a full week before issuing invoices for payments received from new customers. Once the invoice has been issued, the customer is marked as legitimate and is no longer subject to anti-fraud checks.
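As an added example (not part of the original guide and not Billing Extension's own code), here is the combined policy in Python: the score-based check that skips already verified customers, and the one-week invoice hold for new customers so that a chargeback arrives before any invoice exists. HOLD_DAYS, RISK_THRESHOLD and all class and function names are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values assumed for this example: the guide's "wait a full week" hold
# and a hypothetical risk-score threshold on a 0-100 scale.
HOLD_DAYS = 7
RISK_THRESHOLD = 60

@dataclass
class Customer:
    customer_id: int
    verified: bool = False   # already passed a fraud check on an earlier order

@dataclass
class Payment:
    customer: Customer
    received: date
    invoice_issued: bool = False
    charged_back: bool = False   # chargeback arrived during the hold window

def assess_order(customer: Customer, risk_score: int) -> str:
    """Score-based check with the 'skip already verified customers' option.
    Returns 'skip', 'pass' or 'fail'."""
    if customer.verified:
        return "skip"
    return "fail" if risk_score >= RISK_THRESHOLD else "pass"

def invoice_release_date(payment: Payment) -> date:
    """New customers wait HOLD_DAYS so a chargeback surfaces before an invoice
    exists; verified customers are invoiced immediately."""
    if payment.customer.verified:
        return payment.received
    return payment.received + timedelta(days=HOLD_DAYS)

def record_chargeback(payment: Payment) -> str:
    """A chargeback inside the hold window means no invoice was ever issued,
    so no credit note is needed: the order is simply cancelled."""
    payment.charged_back = True
    return "credit-note" if payment.invoice_issued else "cancel-order"

def process_payment(payment: Payment, today: date) -> str:
    """Daily decision for a payment: hold, issue the invoice, or nothing."""
    if payment.charged_back:
        return "cancelled"
    if today < invoice_release_date(payment):
        return "hold"
    payment.invoice_issued = True
    payment.customer.verified = True   # legitimate: no longer subject to anti-fraud
    return "issue-invoice"
```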