Problem with repeated fake orders with the PayPal Woocommerce Plugin

TS2188
Contributor

Using WooCommerce PayPal Payments - had a problem with repeated fake orders exploiting a vulnerability with the PayPal button. Added a captcha to the checkout which prevents the bots placing orders through Apple Pay and Google Pay (via PayPal). However, the PayPal button itself can be clicked even if the captcha has been ignored, so the PayPal button is vulnerable and we can't prevent spam orders. The orders are spaced about 15 minutes apart, for the cheapest items in our store. From multiple IPs: 1[Removed. Phone #s not permitted] [removed]. IPs are from all over: Germany, UK, Hong Kong, etc. We've had to disable PayPal on all our sites until we can find a solution. Seems to be an issue with the plugin, but who do we contact to fix it?

https://woocommerce.com/document/woocommerce-paypal-payments/#get-help directed us to PayPal.


Thanks, hope someone can help 🙂

32 REPLIES

dedlobster
New Community Member

I'm also having the same issue. Submitting a ticket to WooCommerce about this today. We'll see what I hear back. Disabling PayPal Payments isn't really an option for this site as it's the only payment method we use. So this is very frustrating.


JT2312
Contributor

Yes, something needs to be fixed.

JT2312
Contributor

Good luck! I've detailed the problem and all I got was a long generic response telling me that using the plug-in means I'm responsible for security. The fraud is bypassing something, so the captcha doesn't work.

AlexDon75
Contributor

All the fake orders we receive are paid via credit/debit card and have occurred since we added PayPal advanced card processing. Does anyone get payments made through other methods such as Apple or Google?


JT2312
Contributor

This is not happening with other payment methods as they have different security processes.



TS2188
Contributor

We have had this response from PayPal Payments Support:

From the plugin's perspective, as long as the orders are being declined, that means both the PayPal system and the plugin are doing their job in preventing fraudulent transactions. Unfortunately, there's not much more we can do from the plugin side if the transactions are failing.

However, there are several actions you can take to help mitigate attempted fraud:

  • Enable 3D Secure: If you use the Advanced Card Processing feature, enabling 3D Secure can add an extra layer of verification, making it more difficult for unauthorized users to process transactions with stolen card information.
  • Activate FraudNet: In the plugin settings, go to the Connection tab and enable FraudNet. This PayPal service uses advanced fraud detection technology to identify and prevent fraudulent activities.
  • Set Payment Intent to Authorize: Changing the payment intent to "Authorize" allows you to manually review transactions before they are finalized. This gives you the chance to verify orders and void any that seem suspicious before capturing the funds.
  • Use Additional Security Measures like ReCaptcha: You can use a ReCaptcha plugin to add another layer of security. This plugin has been tested and works well with PayPal Payments. You can find it here: ReCaptcha for WooCommerce.

TS2188
Contributor

We are using ReCaptcha for WooCommerce, but it's this free version - https://en-gb.wordpress.org/plugins/recaptcha-woo/


AlexDon75
Contributor

We also have reCAPTCHA, but fake orders can get through. 3D Secure is set to "when required" at the moment. We have added some extra filters today through PayPal fraud protection under the business tools, such as address and postcode match, to see if it helps.


bearblend
Contributor

We are having the same issues. Somehow multiple orders are coming through as "processing" even though no payment was actually received. We noticed on our end that for some reason all the orders have the "company name" equal to the "billing city". We have run security scans and there is no vulnerability on our end. It looks like all the orders say Payment via Credit or Debit Card. PayPal Payments is our only transaction system. Do we need to turn it off and get something else?

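The tells reported across this thread (orders arriving at a fixed ~15-minute cadence from unrelated IPs, always for the cheapest item, with the company name copied into the billing city) can be turned into a triage script that a shop owner runs over a WooCommerce order export while the order intent is set to "Authorize". This is an added example, not code from the thread or from the PayPal Payments plugin; the order records and field names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample orders (not real data), shaped like a flattened WooCommerce order export.
ORDERS = [
    {"id": 1001, "created": "2024-05-01 10:00", "ip": "203.0.113.5",  "company": "Berlin",   "city": "Berlin",  "total": 4.99},
    {"id": 1002, "created": "2024-05-01 10:15", "ip": "198.51.100.7", "company": "Leeds",    "city": "Leeds",   "total": 4.99},
    {"id": 1003, "created": "2024-05-01 10:31", "ip": "192.0.2.44",   "company": "Kowloon",  "city": "Kowloon", "total": 4.99},
    {"id": 1004, "created": "2024-05-01 11:02", "ip": "203.0.113.90", "company": "Acme Ltd", "city": "Bristol", "total": 89.00},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def per_order_flags(order, cheapest_total):
    """Signals visible on a single order: company == billing city, and cheapest-item targeting."""
    flags = []
    if order["company"] and order["company"].strip().casefold() == order["city"].strip().casefold():
        flags.append("company_equals_city")
    if order["total"] <= cheapest_total:
        flags.append("cheapest_item")
    return flags

def cadence_flags(orders, period_min=15, tolerance_min=2):
    """Return ids of orders that arrive at a near-fixed interval from *different* IPs,
    a rhythm that real buyers spread across countries do not produce."""
    ordered = sorted(orders, key=lambda o: parse(o["created"]))
    flagged = set()
    for prev, cur in zip(ordered, ordered[1:]):
        gap_min = (parse(cur["created"]) - parse(prev["created"])).total_seconds() / 60
        if abs(gap_min - period_min) <= tolerance_min and prev["ip"] != cur["ip"]:
            flagged.update({prev["id"], cur["id"]})
    return flagged

def triage(orders, cheapest_total):
    """Map order id -> flags for every order that trips at least two independent signals,
    so a single coincidence (one cheap order, one matching city) is not enough to hold it."""
    cadence = cadence_flags(orders)
    result = {}
    for order in orders:
        flags = per_order_flags(order, cheapest_total)
        if order["id"] in cadence:
            flags.append("fixed_cadence_multi_ip")
        if len(flags) >= 2:
            result[order["id"]] = flags
    return result

if __name__ == "__main__":
    for oid, flags in triage(ORDERS, cheapest_total=4.99).items():
        print(oid, flags)  # orders to review and void before capture
```

Orders that come back flagged are the ones to hold under the "Authorize" intent and void rather than capture; the genuine 89.00 order in the sample is left untouched.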
