Table of Contents
Fraud Prevention in FoxyCart
minFraud in Foxy
Though we strongly recommend setting up any and all available anti-fraud prevention tools at the gateway level (and most gateways do have fraud controls available, though sometimes at an additional cost), FoxyCart does have integration with MaxMind's minFraud service. Click that link to get a feel for what minFraud is, or just understand that it looks at all the available data from the customer and transaction and provides a riskScore.
What to do with it?
You can enable minFraud in the “payment” page of your FoxyCart admin. Simply set it to any number greater than 0 to enable it. Any transaction with a riskScore higher than the number you enter will be declined.
Though every store and customer base will have different riskScore averages, MaxMind's general recommendation is to definitely reject anything with a riskScore of 60 or higher, and to screen anything with a riskScore between 4-59. FoxyCart defaults to minFraud off, so our recommendation is:
- Set it to 60 to start with.
- Monitor your normal scores (you can see the score on completed transactions) and see what's in a “normal” range.
- Adjust the score down to what's a comfortable upper-normal. For many of our users, that's as low as 4.
If you're already experiencing fraudulent orders, start at 15 or lower instead of 60, as above.
As a potential point of reference, MaxMind shares the following approximate distribution of riskScores across minFraud customers:
|riskScore range||Percent of orders in range|
|0.10 - 4.99||90%|
|5.00 - 9.99||5%|
|10.00 - 29.99||3%|
|30.00 - 99.99||2%|
Make the error message helpful
You can change the language for the error message displayed to the blocked customer in your store's “language” page, under “minfraud”. For example, you could include a phone number at which they would be able to further verify their identities.
Where is the score shown?
On any transaction that has a risk score of greater than 0, an entry for “Minfraud Score” will be shown within the transaction report within the administration.
There's no magic bullet to eliminate all fraud while allowing through all legitimate orders, but with your gateway's fraud filters and FoxyCart's minFraud integration you can get as close as possible.
Google's reCAPTCHA on the Foxy Checkout
Foxy's reCAPTCHA integration can be useful to preventing bots from aggressively scripting and pushing through transactions in an automated way. Note that reCAPTCHA is specifically to ensure that a human must be behind the request, but it has no opinion on whether that human is an honest person or a fraudster.
Foxy defaults to reCAPTCHA being off, but has 2 different options:
- Enabled, Always. As it sounds, this will include reCAPTCHA on every checkout.
- Enabled, Automatically as Needed. This will require reCAPTCHA for checkouts loaded by IP addresses that have triggered multiple errors in a preceding window of time. We attempt to set this so it would very rarely be shown to a legitimate customer, but would effectively make bot-based bulk fraud impossible. We don't publicize the exact thresholds, and may change them as needed.
Note that reCAPTCHA isn't required for API-based or UOE-based transactions.
The pre-payment web hook can be used for custom anti-fraud integrations.