Hosting is one of the most-targeted businesses for card fraud. The product is digital (no shipping address to verify), services activate instantly (instant gratification for the fraudster), and chargebacks land 30-60 days later when the customer is long gone. Run hosting without fraud prevention and you'll be banned from your payment gateway within months.
This is the layered defense that works.
The attack patterns to defend against
| Pattern | What it looks like |
|---|---|
| Card testing | Tiny orders ($1-5) on stolen cards to see if they work. Hosting trial signups are perfect for this. |
| Stolen card hosting | Real hosting orders with someone else's card. Used for phishing sites, spam, mining, etc. |
| Affiliate fraud | Self-referrals or coordinated rings to extract commissions. |
| Trial abuse | Multiple trial signups from same person to extend free hosting. |
| Friendly fraud | Customer pays, uses service, then disputes the charge claiming they didn't authorize. |
Layer 1 — Configure your payment gateway aggressively
Enable 3D Secure (mandatory)
3D Secure requires the cardholder to authenticate with their issuing bank (bank app or one-time code) before the payment completes. Most stolen-card fraud fails 3DS because the fraudster holds the card number but not the cardholder's bank app. For Stripe: enabled by default on the Payments module; verify it.
Enable risk rules at the gateway
- Stripe Radar (built-in) — score every transaction, block above threshold.
- PayPal's Fraud Protection Advanced — similar.
- Razorpay's Risk Assessment — similar.
Default thresholds are usually too permissive. Tighten them.
Decline high-risk countries
If you don't sell to certain countries, block them at the gateway level. Otherwise card-testing from those regions wastes your transaction quota.
Layer 2 — WHMCS fraud screening
WHMCS supports two providers natively:
- MaxMind minFraud — pay-per-check ($0.005-0.02 per check). Score 0-100; you set the block threshold. Comprehensive signal set: IP geo, email, device, payment method.
- FraudLabs Pro — alternative, free tier of 500 checks/month, then paid.
Enable: Setup → Fraud Protection. Configure threshold (start 60-70 for blocking; tune up/down).
Behavior on flag:
- Below threshold: order proceeds normally.
- Above threshold: order held in "Fraud" status; admin gets email; provisioning paused.
Layer 3 — Custom fraud rules
Beyond what gateways and MaxMind catch, add WHMCS hooks for your own rules:
```php
<?php
// includes/hooks/fraud_rules.php (WHMCS loads every file in includes/hooks/)
use WHMCS\Database\Capsule;

// True if the IP appears in your own blacklist file (one IP per line).
function isOnFraudList(string $ip): bool
{
    $list = file(__DIR__ . '/fraud_ips.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    return in_array($ip, $list, true);
}

add_hook('ShoppingCartValidateCheckout', 1, function ($vars) {
    $errors = [];
    $email = strtolower(trim($_SESSION['cart']['user']['email'] ?? ''));
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    // strrchr() returns false when there is no '@'; guard so substr() never sees false
    $emailDomain = str_contains($email, '@') ? substr(strrchr($email, '@'), 1) : '';

    // 1. Block disposable email domains (one domain per line; exact match, so the
    //    first line of the file is matched too, unlike a "\n{$domain}\n" substring search)
    $disposable = file(__DIR__ . '/disposable_domains.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    if ($emailDomain !== '' && in_array($emailDomain, $disposable, true)) {
        $errors[] = 'Please use a permanent email address.';
    }

    // 2. Block free email + first-time customer for high-risk products
    //    (a logged-in existing client has $_SESSION['uid'] set)
    $freeEmail = ['gmail.com', 'yahoo.com', 'hotmail.com', 'outlook.com'];
    $isFirstTime = empty($_SESSION['uid']);
    $cartProductIds = array_column($_SESSION['cart']['products'] ?? [], 'pid');
    $highRiskProductIds = [12, 15]; // your VPS / IPTV product IDs
    if ($isFirstTime
        && in_array($emailDomain, $freeEmail, true)
        && array_intersect($cartProductIds, $highRiskProductIds)) {
        $errors[] = 'For this product, we require a business email address.';
    }

    // 3. Block known-fraud IPs (your own blacklist)
    if ($ip !== '' && isOnFraudList($ip)) {
        $errors[] = 'Order cannot be processed.';
    }

    // 4. Velocity check: too many signups from this IP in the last 24h
    //    (tblclients.ip holds the signup IP; datecreated is a DATE column)
    $recentCount = Capsule::table('tblclients')
        ->where('ip', $ip)
        ->where('datecreated', '>', date('Y-m-d', strtotime('-1 day')))
        ->count();
    if ($recentCount >= 3) {
        $errors[] = 'Too many recent signups from your location.';
    }

    // Any non-empty array of strings is shown to the customer and blocks checkout
    return $errors;
});
```
Layer 4 — Manual review for high-risk orders
Some orders look suspicious but not obviously fraudulent. Hold them for human review:
- First-time customer + high-risk product + free email.
- IP geo mismatched with card country.
- Multiple failed payment attempts before success.
- Order placed at unusual hours from new device fingerprint.
Set up an admin workflow: orders in "Pending Review" don't provision automatically. Staff reviews; approves or rejects within X hours.
Layer 5 — Monitor your false-positive rate
Too aggressive = legitimate customers blocked. Track:
- Daily count of blocked orders.
- Manual approval rate (of held orders, what % were actually legit?).
- Chargeback rate (your gateway shows it).
If chargebacks >1%, you're under-screening. If manual approval rate >90%, you're over-screening.
Defending against friendly fraud (chargebacks)
When a customer pays, uses the service, then disputes the charge, the defense is different:
- Log everything. When they signed up, when they used the panel, IP at each login. Submit as chargeback evidence.
- Send a welcome email that restates the terms ("By signing up, you accept ...") so you hold a dated record that the customer was told what they agreed to.
- Honor refund requests politely. A customer who got a refund from you has no reason to open a chargeback. Only chargebacks count against your account's dispute ratio at the gateway; a refund does not.
- Dispute every illegitimate chargeback. Submit your evidence. You'll win some; you'll show the gateway you defend.
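The "log everything" advice above, as an added example that is not code from the original post: a WHMCS hook that records IP, user agent and time on every client login into a custom table (the table name `mod_login_evidence` and the file name are assumptions), plus a function that assembles signup details and the login history into the bundle you would attach to a dispute.

```php
<?php
// includes/hooks/chargeback_evidence.php (hypothetical file name)
use WHMCS\Database\Capsule;

// Assumed custom table; created on first use so the hook works on a fresh install.
const EVIDENCE_TABLE = 'mod_login_evidence';

function ensureEvidenceTable(): void
{
    if (!Capsule::schema()->hasTable(EVIDENCE_TABLE)) {
        Capsule::schema()->create(EVIDENCE_TABLE, function ($table) {
            $table->increments('id');
            $table->unsignedInteger('userid')->index();
            $table->string('ip', 45);          // long enough for IPv6
            $table->string('user_agent', 255);
            $table->dateTime('logged_at');
        });
    }
}

// ClientLogin fires after a successful client login and passes the client id as userid.
add_hook('ClientLogin', 1, function ($vars) {
    ensureEvidenceTable();
    Capsule::table(EVIDENCE_TABLE)->insert([
        'userid'     => (int) $vars['userid'],
        'ip'         => $_SERVER['REMOTE_ADDR'] ?? '',
        'user_agent' => substr($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 255),
        'logged_at'  => date('Y-m-d H:i:s'),
    ]);
});

// Evidence bundle for one client: signup date and IP from tblclients plus every
// recorded login, oldest first. Export this (e.g. as JSON) when you dispute a chargeback.
function chargebackEvidence(int $clientId): array
{
    ensureEvidenceTable();
    $client = Capsule::table('tblclients')->where('id', $clientId)->first();
    $logins = [];
    foreach (Capsule::table(EVIDENCE_TABLE)->where('userid', $clientId)->orderBy('logged_at')->get() as $row) {
        $logins[] = ['at' => $row->logged_at, 'ip' => $row->ip, 'user_agent' => $row->user_agent];
    }
    return [
        'client_id'   => $clientId,
        'signup_date' => $client->datecreated ?? null,
        'signup_ip'   => $client->ip ?? null,
        'login_count' => count($logins),
        'logins'      => $logins,
    ];
}
```

The login record alongside the signup IP is what shows the gateway that the person who paid actually used the service, which is the core of a friendly-fraud rebuttal.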
How to verify your defenses
- Place test orders that trigger each fraud rule. Confirm they're blocked / held.
- Place a legitimate order. Confirm it goes through cleanly.
- Check your gateway's fraud dashboard weekly for first month.
- Review held orders weekly — approve / reject; tune the rules based on patterns.
Common pitfalls
"Customer X failed fraud check but I know them — how to approve?" Add a per-customer "Trusted Customer" flag as a client custom field. Your hook reads the flag and skips screening for that client.
"Gateway started declining everything." Your fraud score may have ticked over their threshold. Contact gateway support; they may temporarily increase your limit if you can show you're aware and actively reducing the chargeback rate.
"Customer paid with stolen card; service is fine but I'll get a chargeback in 60 days." Once you notice (gateway flags it later, or via MaxMind retroactive scoring), suspend service immediately and refund the original payment. Better to refund than to face a chargeback fee.
My take — fraud prevention is an ongoing tax
You can't set-and-forget. Fraud patterns change; your rules need to evolve. Allocate 1-2 hours/month to review held orders, dispute patterns, gateway alerts. That hour saves you the months of pain from getting your payment account closed.
Going further
I configure fraud prevention for hosting + IPTV + SaaS businesses on WHMCS — gateway tuning, custom hooks, manual review workflows. Tell me your chargeback rate and I'll send a quote in 24 hours.