I’m very happy – MaxMind’s minFraud service immediately stopped all fraudulent orders to my webhosting service (integrated via WHMCS billing software).
I’ve hosted a successful webhosting service for years without any issues regarding fraudulent orders. But starting some weeks ago, I was getting hit with as many as 100+ fraudulent registrations per day.
It was driving me crazy. So much time spent filtering out fraudulent vs legitimate orders. Then having to refund and cancel fraudulent orders. These clowns even clogged up my ticket support channels complaining why their account wasn’t activated yet. (Like duhhhh–cuz you ordered with a stolen credit card!!!)
Long story short, MaxMind quickly (and easily) fixed all my problems!!
- Do you want some storytelling? Read on…
Getting hundreds of fraudulent orders on WHMCS daily!!!
Like I was saying…
I’ve hosted a successful webhosting service for years without any issues regarding fraudulent orders. But starting some weeks ago, I was getting hit with as many as 100+ fraudulent registrations per day.
I remember waking up late, like 11am, and saying wow…“100 new customer sign-ups?!”
That was definitely not normal and I highly doubt that my little boutique hosting service would go viral suddenly. So anyway, I logged into my billing software to take a look and sure enough…they were ALL fraudulent orders.
See for yourself…
All the obvious telltale signs were there:
- fake-looking names (John John)
- fake-looking scammer emails ([email protected])
- fake-looking information in the “Company” field
When you click into each order info for more detail, you realize how much more fake it looks. The addresses don’t match up to the city and post code.
Why do fraudulent sign-ups exist?
Hackers make fraudulent webhosting orders for spam purposes.
It’s usually hackers using stolen credit cards to sign-up for webhosting, with the intent of using the webhosting for further hacking purposes. They might upload scripts which use your servers to hack other servers, or host spoof sites to phish information from less tech-savvy users, or to send spam emails.
What other ramifications do you have with fraudulent orders?
The ultimate problem with fraudulent orders is that they eat up so much time and resources. You’ll be pulling your hair out stressing and blowing tons of time trying to put out multiple fires:
- Filtering fraud orders vs legitimate orders – you might have 2 to 3 legitimate orders buried within every 100 fraudulent orders. It’s so important to filter carefully so you don’t accidentally cancel legitimate orders.
- Filtering out legitimate customers – many of these fraudulent users will write to your ticket support when blocked, which steals time away from supporting real customers.
- Refund fraudulent transactions – you must refund fraudulent transactions immediately. Otherwise, the original credit card users will file credit card disputes, which cost you extra in dispute fees (up to 60% of transaction amount) and also hurt your vendor reputation…you may even lose access to your credit card processor.
- Stopping future fraudulent orders – this is the big one; I’ll go more in depth on it next.
Preventing fraudulent orders
Methods to prevent fraudulent orders:
- Waiting it out – this is the worst idea. I thought the fraudulent orders would stop after the first day since they stopped after about 2-3 hours. But nope, the pattern kept continuing every day…putting in 100+ fraud orders every day!
- Google Captcha – I didn’t even bother with this. I assume it would work well. But I also suspected many of the placed orders were manually placed.
- Third-party verification service – there are several 3rd-party verification providers you can choose from, depending on your registration system. I’ll go over the ones I considered below.
WHMCS fraud verification providers
These providers are basically like an API service that integrates with your billing system. When an order comes in, the information is checked against the provider’s database and algorithm to decide its likelihood of being a fraudulent order. It’s similar to how a spam-blocking algorithm works.
If the order seems very likely to be fraudulent, then the order is blocked…no transaction made, and new account is not activated. (The order information might still be registered for archival purpose, but the user profile is not activated.)
The pricing for these services is per order look-up. Something like $0.004 per order verification. So pretty cheap, but not dirt cheap. Still very worth it for the time-savings and peace of mind.
In WHMCS security options, I saw options for 3 different verification providers:
- Validation.com – they’re out of business.
- Fraudlabs – aka “IPQS” or “IPQualityScore”. I didn’t choose them because their website looked old school and ugly.
- MaxMind – I chose this one because the site looked the most professional, had a higher range of services, reasonable pricing, and also free demo. It turned out to be the right choice…read on for more details.
My review of MaxMind’s minFraud verification service
MaxMind has several web database services.
- minFraud – their fraud prevention service.
- GeoIP – geo location database service to give you more information on users.
- Proxy Detection – detects users coming from VPNs and proxies, to prevent fraudulent activity.
They have a large database of information, and machine-learning to provide useful information in real-time that doesn’t yet exist in their database.
My minFraud service review:
It was a great experience. I was afraid it would be some overly technical process and learning curve to overcome, but nope–it was simple!
- You can sign-up for the free demo and they respond within 1 business day with $5 credit in a starter account.
- Or if you need to stop the fraud NOW, you can just sign up for an account immediately and put some money in it.
- Go to your WHMCS security settings, activate MaxMind, and enter your MaxMind User ID and MaxMind License Key.
- I think the default settings were fine but I did tweak some things to the following:
  - Fraud Risk Score – set to 20
  - Reject Country Mismatch – checked
  - Reject Anonymous Networks – checked
And that’s it! Immediately all fraudulent orders were blocked. And my 4-day nightmare was officially over! I couldn’t be any happier.
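To make those three settings concrete, here is an added sketch (not WHMCS or MaxMind code) of the accept/reject decision they imply, run over constructed responses. It assumes field names modeled on the minFraud Insights response layout, that an order is rejected when its score is above the threshold, and that a missing score is held for review; `evaluate_order` and `triage` are hypothetical names.

```python
# Added illustration; not WHMCS or MaxMind code. Field names follow the
# minFraud Insights response layout (assumption); all sample data is constructed.

SETTINGS = {
    "max_risk_score": 20,               # "Fraud Risk Score" from the post
    "reject_country_mismatch": True,    # "Reject Country Mismatch"
    "reject_anonymous_networks": True,  # "Reject Anonymous Networks"
}

def evaluate_order(order, response, settings=SETTINGS):
    """Return (allowed, reasons) for one order given a fraud-score response."""
    score = response.get("risk_score")
    if score is None:
        # Assumed policy: fail closed instead of auto-activating the account.
        return False, ["no risk score returned; hold for manual review"]
    reasons = []
    if score > settings["max_risk_score"]:
        reasons.append(f"risk score {score} exceeds {settings['max_risk_score']}")
    ip = response.get("ip_address", {})
    ip_country = ip.get("country", {}).get("iso_code")
    if settings["reject_country_mismatch"] and ip_country:
        if ip_country.upper() != order["billing_country"].upper():
            reasons.append(
                f"billing country {order['billing_country']} != IP country {ip_country}")
    if settings["reject_anonymous_networks"] and ip.get("traits", {}).get("is_anonymous"):
        reasons.append("order placed from an anonymous network")
    return (not reasons), reasons

SAMPLES = [  # constructed orders and responses
    ({"id": 1001, "billing_country": "US"},
     {"risk_score": 2.5, "ip_address": {"country": {"iso_code": "US"}, "traits": {}}}),
    ({"id": 1002, "billing_country": "US"},
     {"risk_score": 64.0, "ip_address": {"country": {"iso_code": "NL"},
                                         "traits": {"is_anonymous": True}}}),
    ({"id": 1003, "billing_country": "GB"},
     {"risk_score": 12.0, "ip_address": {"country": {"iso_code": "GB"},
                                         "traits": {"is_anonymous": True}}}),
    ({"id": 1004, "billing_country": "DE"}, {}),  # lookup returned nothing usable
]

def triage(samples=SAMPLES):
    """Map each order id to its (allowed, reasons) decision."""
    return {order["id"]: evaluate_order(order, resp) for order, resp in samples}

if __name__ == "__main__":
    for oid, (ok, why) in triage().items():
        print(oid, "ACCEPT" if ok else "REJECT", "; ".join(why))
```

Order 1003 shows why the two checkboxes matter alongside the score: it sits under the threshold of 20 and still gets rejected for coming from an anonymous network.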
Thank you, MaxMind!
- I’ll put an affiliate link at some point if they approve me...
- …but you can check out MaxMind today!
Pedro
Stripe radar ¢5 per transaction.
Johnny
That’s kind of expensive compared to MaxMind price, which is like 100x cheaper. But thank you for sharing. I’m sure some people don’t mind the convenience.
Anmar
I also got a wave of spam orders starting 4 days ago. I used Fraudlabs and it’s stopped the spam orders.
But, is there a way to stop signups also? Like putting the spam-looking account into pending status before being created?
Because, this would increase the database size, plus, I started receiving emails saying “please remove my email from your hosting as I haven’t signed up”.
Johnny
I imagine WHMCS might have an option somewhere to cancel the newly created account if payment doesn’t go through? If not, I don’t think it’s too hard of a custom module to create.
Richard
+1 for MaxMind. I’ve been using their mini fraud suite on my WordPress site for over a year and it’s done a great job at removing a majority if not all fraud.
The only hard part is finding a good WordPress fraud plugin that integrates with MaxMind natively. Unlike the default Woo Anti-Fraud plugins which cost hundreds of dollars and don’t even work.
Glad to see someone mention MaxMind instead of Stripe radar. My business isn’t suitable for Stripe, so it’s hard to find quality workarounds.