Problem with repeated fake orders with the PayPal WooCommerce Plugin

TS2188
Contributor

Using WooCommerce PayPal Payments - had a problem with repeated fake orders exploiting a vulnerability with the PayPal button. Added a captcha to the checkout which prevents the bots placing orders through Apple Pay and Google Pay (via PayPal). However, the PayPal button itself can be clicked even if the captcha has been ignored, so the PayPal button is vulnerable and we can't prevent spam orders. The orders are spaced about 15 minutes apart, for the cheapest items in our store. From multiple IPs: 1[Removed. Phone #s not permitted] [removed] IPs are from all over: Germany, UK, Hong Kong, etc. We've had to disable PayPal on all our sites until we can find a solution. Seems to be an issue with the plugin but who do we contact to fix it?

https://woocommerce.com/document/woocommerce-paypal-payments/#get-help directed us to PayPal.

Thanks, hope someone can help 🙂


JT2312
Contributor

Having the EXACT same issue in Australia.
Cancelling all PayPal integration until someone speaks to me. Surely this is something that needs to be patched ASAP.

TS2188
Contributor

I called PayPal direct and spoke to Technical support. They said it happens a lot. Advised me to refund the dodgy orders, and don't worry about it, as the robots will probably move on to target other sites.

I've also reported that fake orders come from multiple IPs to the plugin support team via WooCommerce.

I followed the advice and re-enabled the PayPal plugin, but another of our sites has been targeted overnight. This is bad, we need a solution ASAP!

JT2312
Contributor

Disappointing. I won't be reinstating the app until I see some sort of action to stop it happening again, or some rules we can implement as sellers to reject payments, for example if the email is a bunch of numbers and looks fake. All the fake orders I have are Gmails with multiple numbers in the address. That's a flag in itself.

"The criminals will move on" is really not a comforting answer to this problem.

just_me_or_what
Contributor

Same. All order emails are the person's name (likely a fake name, most don't look like real names) - and then a period (.) followed by a random 6-digit number, then gmail.com (for example, my latest order was from Ban [removed], with email address: [removed]).

JT2312
Contributor

I'm frustrated; I have taken PayPal off my website at the busiest time of year over this and still no fix. The exact same Gmail type addresses were what I was getting. You don't need to be a security expert to tell they are scam emails from a single glance. Also, in response to above: just because the charge doesn't go through, that's not the solution PayPal should say is the answer... because as small businesses we have to wade through a lot of fake orders to pick out the real ones. We are finding Stripe makes people go through reCAPTCHA. If people want to use PayPal with us they need to purchase through another platform like eBay. We're probably too small for anyone to bother looking at this. My other solution is to wait until the WooCommerce plugin releases an update and hope that includes some controls. Good luck everyone!!!

TS2188
Contributor

I've received this reply from PayPal Payments Support:

From the plugin's perspective, as long as the orders are being declined, that means both the PayPal system and the plugin are doing their job in preventing fraudulent transactions. Unfortunately, there's not much more we can do from the plugin side if the transactions are failing.

However, there are several actions you can take to help mitigate attempted fraud:

  • Enable 3D Secure: If you use the Advanced Card Processing feature, enabling 3D Secure can add an extra layer of verification, making it more difficult for unauthorized users to process transactions with stolen card information.
  • Activate FraudNet: In the plugin settings, go to the Connection tab and enable FraudNet. This PayPal service uses advanced fraud detection technology to identify and prevent fraudulent activities.
  • Set Payment Intent to Authorize: Changing the payment intent to "Authorize" allows you to manually review transactions before they are finalized. This gives you the chance to verify orders and void any that seem suspicious before capturing the funds.
  • Use Additional Security Measures like ReCaptcha: You can use a ReCaptcha plugin to add another layer of security. This plugin has been tested and works well with PayPal Payments. You can find it here: ReCaptcha for WooCommerce.

 


TS2188
Contributor

We followed all the recommended actions from PayPal Payments Support but still received a fake order. Then we realised that all fake orders were coming from the Credit / Debit Card via PayPal option on the checkout page. We've disabled this function for the time being, to see if it resolves the problem.
Solved

just_me_or_what
Contributor

Yes, same for us! The only way to stop it has been disabling PayPal's "Advanced Card Processing" in WooCommerce --> Settings --> Payments.

RuthM1
Contributor

Me too. I'm not sure what the Advanced Card Processing added to the site but it is disabled now.

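A triage sketch for the order traits reported across this thread (name.six-digits@gmail.com addresses, cheapest-item totals, the card-via-PayPal option, spacing of about 15 minutes from different IPs), added here as an example and not part of any post or of the plugin. The field names, the `card_via_paypal` label and the sample orders are constructed assumptions standing in for an order export.

```python
import re
from datetime import datetime, timedelta

# Address shape reported in the thread: <name>.<six digits>@gmail.com
EMAIL_RE = re.compile(r"^[a-z]+\.\d{6}@gmail\.com$", re.IGNORECASE)

# Constructed sample orders (not real data). Field names and the
# "card_via_paypal" label are assumptions, not the plugin's own values.
ORDERS = [
    {"id": 101, "email": "alex.482913@gmail.com", "total": 2.50,
     "method": "card_via_paypal", "ip": "198.51.100.7", "at": "2024-11-20T01:00:00"},
    {"id": 102, "email": "jane.smith@gmail.com", "total": 48.00,
     "method": "paypal", "ip": "203.0.113.5", "at": "2024-11-20T01:05:00"},
    {"id": 103, "email": "maria.771204@gmail.com", "total": 2.50,
     "method": "card_via_paypal", "ip": "192.0.2.44", "at": "2024-11-20T01:15:00"},
    {"id": 104, "email": "sam.300145@gmail.com", "total": 35.00,
     "method": "paypal", "ip": "203.0.113.9", "at": "2024-11-20T09:30:00"},
    {"id": 105, "email": "lee.905512@gmail.com", "total": 2.50,
     "method": "card_via_paypal", "ip": "198.51.100.80", "at": "2024-11-20T01:31:00"},
]
CHEAPEST_PRICE = 2.50  # assumed price of the cheapest item in the store

def order_signals(order, cheapest_price):
    """Per-order signals; any single one is weak on its own."""
    hits = []
    if EMAIL_RE.match(order["email"]):
        hits.append("email_pattern")
    if order["total"] <= cheapest_price:
        hits.append("cheapest_item")
    if order["method"] == "card_via_paypal":
        hits.append("card_via_paypal")
    return hits

def triage(orders, cheapest_price, min_signals=2, window=timedelta(minutes=20)):
    """Return {order_id: signals} for orders to review before fulfilling."""
    scored = {o["id"]: order_signals(o, cheapest_price) for o in orders}
    flagged = {oid: s for oid, s in scored.items() if len(s) >= min_signals}
    # Cadence: flagged orders arriving minutes apart from different IPs.
    seq = sorted((o for o in orders if o["id"] in flagged),
                 key=lambda o: datetime.fromisoformat(o["at"]))
    paced = set()
    for prev, cur in zip(seq, seq[1:]):
        gap = datetime.fromisoformat(cur["at"]) - datetime.fromisoformat(prev["at"])
        if gap <= window and prev["ip"] != cur["ip"]:
            paced.update((prev["id"], cur["id"]))
    for oid in paced:
        flagged[oid].append("steady_cadence")
    return flagged
```

Order 104 matches the address shape but nothing else, so it stays out of the review list; requiring two signals keeps a real customer with a numbered Gmail address from being held.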
