What are the 3 questions that we need to answer while investigation?
Who is ordering?
Who is paying?
Where is it shipped to?
Risky category – Electronic items, laptop, high end mobile phone, MacBook, gaming
items
Investigation Process flow:
Queued Order and customer data:
• Queued order
• Customer type – NC (who has completed orders in less than 60 day) TC (completed
order with no chargeback or returns in less than 60-90 days) VC (completed order
with no chargeback or return over 90 days)
• Customer data
Primary Investigation
• Current order
• Ordering pattern
• Sign ins of customer
• Related customer
Secondary Investigation
• IV
• Contacts
• Common MO’s –
Tertiary investigation
• Telephone verification – bank call/customer call
Cross org VC –
Types of action – Pass, Hold, Cancel, VCAC, Fraud, Requeue
CUI – customer under investigation
ATO – Account Take Over
GSI – Get Sign ins
Ekata/whitepages - verify BA/SA and email/phone number
AVS Codes
Shipping methods
Amazon Locker address
VCAC/Sanitize - Veteran customer account compromised
If avs is +ve and BA is new? We will verify the BA using whitepages/google
If avs is -ve and card is more than 90 days old with completed orders ? No verification
required, since card is old with COH and no CB till date
Avs is i8 for the current order, for the same card avs is i3 with old BA for a previous
order? Card is already verified since its giving avs i3 with old BA for a previous order
Risky Delivery methods - One day/Two day shipping
�Amazon Locker address - Lockers installed nearby customer location , only applicable
for NA/EU addresses.
Payment methods :
Debit Card, Credit card, Amazon Pay. Gift cards, UPI, COD, Pay agent, Pay later ,
reward points, promotion credits, Amazon Store card, Venmo , echeck
Store card - SVC or amazonplcc
Echeck as DD - Direct Debit
International customer sending items to freight forwarder address is a good sign / US
customer using a FF address is a negative indicator
2 types of address not visible in customer address widget - Amazon locker and
whishlist address
Soft Decline - transaction rejected due to error in the settings of the card
Hard decline - transaction rejection when there is insufficient funds in the account or
card is expired
Invalid cards - drs 201/591 , CC will be blank for invalid cards
NC using invalid cc is very risky - action would be hold/fraud
Leaked cc- multiple fraud relations by token where cc is added with diff names
CC- credit card country/credit card
BIN - Bank Identification Number
CCH - credit card holder
CCN - Credit card name
ACH - Account holder
ATO - Account takeover
CSSW - Customer self service workflow
Blurb - Email communication sent to cx
Day 4 : GSI Investigation
IP Address - geographical location of the customer
4 sets of numbers/octets
ip Block - [Link] first two octetcs - they are using the same network - weak
relation
ip range - first 3 octets - strengthen the relation btw devices - strong relation
Trusted IP - Green check - IP is old for more than 60 days
UBID - Uniqe browser identification
UBID will change once we delete the cookies
FUBID - FUBID is an additional plugin that does not delete when the cookies are
deleted
Can two users have same FUBID but different UBID - Yes , UBID changes when
cookies are deleted
FP Fingerprint - Amazon identifier made by combining browser attributes like,
browser type, version, plugins, add ons etc .
Removing any piece of these info in the browser will change the fingerprint.
�Masking IP - VPN, Anonymyzer, Satellite - Mil MO, Cruise MO
Fire symbol - CUI was sanitized when that particular IP was used
Sanitized bottle symbol - cx using same IP/Ubid/Fubid/FP was sanitized in the last
180 days
Clock skew symbol - sign in for suspiciously longer period
User login
How is timezone capture - Timezone settings of the device that customer is using
CID - Customer identification Digits
vc; no ato; trusted ip/fp; new cc added with old name; ccn corr accn; old ba=sa ; non
susp mod $ it; cl rc; strng vc rels in rc;
acch - account holder
RFO - repear fraud offender
CCH/CCN - Credit card holder/name
Day 5 - Related Customer section and External IV:
Related customer section - displays acc related to cui through various attributes
Physical attributes - Easy to replicate - Address, Phone, Payment, Name
Virtual attributes - Hard to replicate - Device, IP, UBID, Email
Strong relations - Combines both physical and virtual attributes
Weak relation - Only has only either physical or virtual
Impactful weak relation - Weak relation but impactful to investigation, ex: NC having
weak vc relation with same cc/addy
Non-impactful weak relation - Weak relation and not useful in investigating CUI acc
ex: Accounts related by only addy (re-shipper) incase of international customer
Impactful strong relation - Strong relation impactful for CUI account. Ex: NC CUI
having strong vc relation with addy/ph/cc/ubid/ip
non-impactful strong relation - Strongly related but non impactful for investigation -
Customers signing in using shared computer from Public library, internet cafe's,
offices etc
Weak payment relation - weak relation where payment is involved - only
addy/p/phone
External IV :
To find relation btw cch/ach and shipping name if all are diff individuals
If ACH and CCH are different and to find if they are from same org
To verify international customer
validate an email - e-profile
to verify SA - if it is a corp mo, gov , edu , mil
�List all the Non-Fraud MO's with characteristics of each ?
1. Education MO
Using their current temporary residency as BA
Using a parent's cc
Ip address corr to SA
SA near to a school
Annotaion - .edu, .edu ip, .edu edom
IP domain carrier and e dom corr to edu domain
2. Gov MO
SA for a Gov or embassy
International IP with a US CC
BA,SA, Customer name, CCH match with gov office or officials
BA not on file with the bank
IP or email dom include .gov
Annotation - .gov, .gov ip, .gov sa
3, Corp
BA not verifiable by bank
High dollar/quantity
Low dollar e Gift certificate in high quantity
Fraud related by BA, SA, IP address, Phone no.
Annotation - .corp
4. Military
Orders shipped to friends, family or military base
SA in .f status
email or Ip dom as .mil
Risky items like electronics, video games etc will be ordered during down time
Diff time zones like when they are stationed
Sign in with AF/JP/DE (military bases) - APO/FPO
APO-army post office , FPO - Fleet Post office
BA and SA includes ranks such as SGT
5. Reseller
VC with numerous SA
same BA diff SA
Strong VC relations
Order history will be similar
Annotation - rs, ,r/s, .rs MO
6. Seasonal Worker
laptops, camera and electronic items.
same cc on multiple accounts.
time zone that correspond to customer name regions.
�relation between the ip address, billing address and SA, phone number which can
indicate fradualant activity.
SA verified to Amusement park, Carnival, Cruise ship.
Annotation: ip D/C [Link], mtnsat
[Link] American
South amaerican billing address shipping to resorts or hotels.
Freight forwarder address which is used for shipping address and BA.
Multiple CC with diff names.
High dollar order for popular electronics when trvelling.
Annotation:
8. Venezuelan
Yearly spending limit of 300 USD in CC
cannot use multiple cards for purchase
For high dollar purchase they need to fill up their GCs
Borrow CC/DC form friends or family to make purchase and give them cash
Payment and GC order velocity but not risky
9. Purchase Delegation
Cannot be used to purchase digital content or GCs
Associated with corp, military and Edu MOs
It is an option of an account holder to delegate the buying authority to another person.
(buyer).
The buyer places the order on behalf on payer.
Requeue - when a bank call is required - CDPT Customer Data Protection Team
NC - If acn and ccn are different and we are unable to verify through primary/sec
investigation
positive avs , ach corr to cch, but BA is not verified
negative avs code
acn dnc ccn, BA=!SA , risky items ordered and negative avs
VC - new payment added with a -ve avs code
new cc added with diff name unable to relate acn and ccn
cc velocity noted - more than 3 cards added in a week , risky op
Bank call not required - International customer accounts
banks which will not verify customer details
Fraudulent accounts or Negative MO pattern acc
Customer call -
when we require authorization from the CCH on a recent order placed
if the order is very high $ or does not matches with OH of cx, we can go for a CCH
auth
�only to a verified cch number
cc used is old, new SA is added in acc and unable to verify SA
Never use the term "FRaud"
Never reveal the item
Never share bank details
voicemail - leaving a voicemail to cx about the authorisation
Timings - monday to fri - 9am - 8pm
Sat/Sun - 10am - 8pm
When shouldn't we make a CCH call -
when it a corp MO -
Cancel action - when VC asks to cancel the item
Pass - if everything is verified
Fraud- clear fraud activities
Hold - when we require more information
Requeue- when we require a bank call
VCAC- Veteran Customer Account Compromised
Cancel –
Bad debt
red- existing bad debt in the acc
yellow- existing chargeback
blue - cx has cleared the bd
drs code
07 - no negative information
08- dd holds some negative information
27- cx entered incorrect information
88 - high risk with the dd
Fraud risk , credit risk
DRs code
Customer type - NC/VC?
Debt - if there is an existing bd in acc/ strong related acc
Hold action - fraud risk involved with echeck
Fraud action - obvious or rfo acc
VCAC - ato happens
Pass - eliminated credit/fraud risk
cancel - when there is credit risk - echeck cancelled pay by cc
NC customer
NC with credit risk - first instance - cancel , ecpbcc
third instance - hold , echeck_nope
NC with outstanding bd - close and trs_response
NC with strong bd rel - Hold, account closed related bd
�VC customer
VC with credit risk - first instance - cancel ecpbcc
second instance - cancel, disable and ecpbcc disable
third instance - Cancel and send echeck_nope
VC with existing bd -
1) if the debt is less than 10% of last 16 months of OH , and greater than 250$ , cancel
and send trs vc response
2) if the debt is less than 10% of last 16 months of OH, less than 250$ , pass the order,
trs_vc_response
3)If the debts is 10% or more of last 16 months of OH - cancel , trs vc response
4)debt exists, cx was warned twice previously for using same dd - close , trs response.
Chargeback - when cx contacts credit card company and disputes the charges on their
card with amazon
reasons - items not delivered on time
unauth charges
seller issues - undelivered items/wrong items/defective items
Prime - due to renewal of subscription
Service- seller related complains , undelivered items/wrong items/defective items
Fraud - credit card holder unauth the charges /did not place the order
different chargeback status :
Pending - cb is new
Success - amazon won the dispute
writeoff - lost the dispute
recovered - seller is responsible
unresolved - all other status
when cb is due to ato - check for recent sani, and if the order disputed is an
unauthorised order
Actions for cb scenarios :
NC with unresolved cb - Hold and send ffh
NC with strong related unresolved cb - hold- account closed related cb
VC with unresolved cb - Hold and ffh
VC with strong unresolved cb exceeds the threshold - Hold and acrcb
Unresolved cb >$300 for a vc with total OH <$2500 - Hold and ffh
unresolved cb due to ato - sanitized the acc and send sani first/sani second
Dormant VC acc - vc with no activity for 1 year - Fraud ffh
