Tag Archives: payments

shopping business money pay

5 Lesser Known Risk Factors in Payment Fraud

When you’re analyzing payments to determine if they are fraudulent, what should you look for? Stripe Radar is great at blocking the more obvious fraudulent payments, and allowing the payments that are clearly not fraud, but what about the payments that are in between? There are a number of less obvious factors you can look at to determine whether a payment is fraud.

How to Decide if a Payment Under Review is Fraudulent

Here are 5 lesser known factors we’ve identified when working with clients of Streamhacker Technologies. We’ll describe each of these in more detail below

  1. History of adding & removing cards
  2. Specific fraud insights
  3. Fast plan upgrades
  4. Lack of product usage
  5. Multiple IPs and payment attempts

While this article uses examples from Stripe, these factors can apply to almost any payment platform.

History of adding & removing cards

When a customer uses multiples cards to make payments over a relatively short period of time, that’s a big warning sign of card testing. When combined with fast plan upgrades, multiple IPs, and lack of product usage, then you can be confident it’s fraud.

Much of the time, Stripe will show this behavior in the Related Payments section of a charge. You can see an example here.

However, sometimes you need to go into the customer profile to get the full picture. In the Recent Activity section, you can see if the customer added a new card. Here’s an example of what it looks like when someone changes cards within ~1 day of signing up.

On its own, this is suspect but not necessarily fraud. However, if there’s more than 2 cards, that’s quite suspect. Also very suspect if the cards come from multiple countries. If you click on Show details for any of the cards, you can see the countries.

Above you can see 2 different cards from 2 different countries. And in this case, the customer’s IP address was in a third country. Very suspicious behavior.

Specific Fraud Insights

On a Stripe charge payment, there’s a Fraud Insights button that shows you various fraud factors. Three that we’ve found to be useful are shown below.

A low authorization rate and more than 0 declines associated with the customer’s email are significant fraud indicators. The name-email similarity match is a small additional indicator on top. These insights are most useful when combined with the other indicators discussed here.

Fast Plan Upgrades

A “fast plan upgrade” is when someone subscribes to the lowest plan of your service, then upgrades to one of your highest plans within a few minutes. This may be another form of card testing. Maybe your lowest plan is $10 and your highest plan is $100 – those are very different purchase amounts, and a card tester may want to find out if the card that works at a low amount can also be used for larger purchases. If the first upgrade attempt fails, and they switch cards to try again, fraud risk looks a lot more likely. These related payments show an example of this exact behavior.

Here’s what happened:

  1. Attempted to purchase low level plan at $10, but that failed
  2. Switched cards and tried again, Stripe risk score was still 0
  3. One minute later, successfully upgraded to a higher plan, and got a risk score of 47, which Stripe still considers “normal”
  4. 1 day later, tried to upgrade again to an even higher plan, but that failed with a higher risk score

Note: 2 payments are showing as Refunded because they were successful until being refunded as fraud.

Lack of Product Usage

If a new customer doesn’t use your product much right away, that’s ok. But if they also change cards and/or try to upgrade plans without using your product at all, that’s suspicious. In Streamlining Stripe Reviews with Webhooks and Zapier I described how we helped a client highlight product usage metrics as part of their Stripe review process. Getting some product usage metrics into your Stripe charge metadata is very useful for fraud analysis, so you can quickly look at all your risk factors in one place.

Multiple IPs and Payment Attempts

Many people use VPNs and proxy servers for very legitimate reasons. And sometimes people are traveling. Just because the credit card country doesn’t match the IP country, or there’s a low authorization rate for an IP address, that doesn’t necessarily mean a payment is fraud. But when the IP address of a customer changes over a short period of time, and they make multiple payment attempts from multiple IP addresses, that’s unusual. Stripe’s Related Payments section helps to show this kind of behavior.


Deciding whether a payment is fraud can be tricky, and is not always obvious. But there are risk indicators you can look for, and when you see multiple indicators together, you can be more confident in a fraud assessment. Conversely, if you only see one of these indicators, then a payment likely isn’t fraud. Whatever your assessment is, take detailed notes. Stripe’s charge UI has a nice feature where you can leave a note for future reference – be sure to use this so you have a history of why you made a decision, and can revisit these decisions in the future, when you have more information.

Here are some helpful links from Stripe on identifying and preventing payment fraud:

If you think your team or company needs help managing payment fraud, contact Streamhacker Technologies to see what we can do for you.

Streamlining Stripe Reviews with Webhooks and Zapier

If your company is handling payments through Stripe, you’re likely familiar with their Radar product, which helps protect you from payment fraud. And if you’re using Stripe Radar, then you may have experienced the issue of receiving a lot of Stripe Review emails. Handling all of these reviews can be time-consuming and difficult to manage effectively, and the Stripe review email doesn’t provide any useful information on its own. Getting one email for each review means they can pile up, and sometimes you might go through all the reviews within the Stripe dashboard, but the emails are still in your inbox demanding attention, as if the review is still open. In this case study, we’ll explore how Streamhacker Technologies helped a company tackle this problem using the Stripe API, custom webhooks, and Zapier.

The Problem: Too Many Stripe Review Emails

The billing team found themselves inundated with a high volume of individual review emails from Stripe Radar. Although these emails were meant to highlight potentially fraudulent charges, they often caused annoyance and frustration. The team observed that by the time they opened some reviews, they were already closed due to another team members action, or by automatic fraud controls that got triggered after the review email was sent. In most other cases, the information they needed to make a fraud determination was found elsewhere, in a separate system, with no direct links from Stripe. This back and forth was an inefficient use of their time and attention, and they needed a better solution.

The Solution: Webhooks and Zapier

We devised a solution that utilized Stripe’s API, custom webhooks, and Zapier to streamline the payment review process.

First, we created a custom webhook to retrieve additional customer information associated with each charge. This information helped indicate which reviews were more actionable, by including things like customer age and product usage metrics.

Then, we created a Zap to do the following:

  1. Get all open Stripe reviews
  2. For each Stripe review
    1. Call the custom webhook to get additional information
    2. Add that information as metadata to the Stripe charge under review, including links to systems with additional information about the customer
    3. Append select information to a Digest
  3. Send a single digest email every morning, containing all the open Stripe reviews, with specific indicators to help decide which reviews require attention
  4. Create a mail rule to automatically close the individual Stripe review emails

The Result: Efficient Stripe Review Processing

After implementing this solution, the team noticed a significant reduction in time spent processing fraud reviews. They were able to quickly identify reviews that required action, analyze the payments and customer behavior faster, and they no longer wasted time opening reviews that had already been closed.


Simple custom webhooks + Zapier = more efficient business operations. In this case, we were able to help the team save significant time and attention by improving their existing payment review process, which freed them up to focus on other business problems.

If you think your team or company might benefit from a similar solution, contact Streamhacker Technologies to see what we can do for you.