Tons of abusive orders

[addison74]

On a website that I manage, cash on delivery is offered as a payment method. According to the terms and conditions, if the customer refuses the delivery, on the next order he can no longer pay COD, sanction is applied to prevent abuses and damages.

We haven't encountered any problems so far, but there is a customer who refused the delivery three weeks ago. On Thursday last week, he placed an order for the same products. We phoned him 5 times at different hours but he rejected the calls then we sent a message to inform that he cannot pay COD based on T&C of the website, with which he agreed. We did not receive any reply. Yesterday he started placing the same order using Re-Order feature in the Backend obviously to annoy us.

This is an abusive usage of the website and we blocked the IP's used in the orders, but he can use others from different places. Have you faced such a situation when someone places tons of orders?

I will try to implement a method to prevent the sending of the order, by which I can block the IP address, if he send the name, phone number, email address in the transmitted data. Obviously he can adapt and even use false data, but at that moment we can complain to the authorities.

[Flyingmana]

I think its good to already consult a lawyer about this, as he already does violate the t&c and might so be liable for causing extra work and cost.

It might be good to think about a system to block or put on hold orders containing certain names/address parts, just in case the person decides to escalate further

[addison74]

Thank you @Flyingmana for your reply. The store owner does not want to require that the first delivery in history be paid by card or by bank transfer, as I suggested. However, he agreed to analyze the sales impact that the first order in the history should ask the customer to validate the order by sending an SMS with a certain text from the phone mentioned in the order. If the validation is done in 1-2 days, he can go further with other requests.

What will the gentleman in question do in such a situation? He will continue to place orders that we will delete ASAP, we will block his customer account, we block his IPs, email addresses, finally he will deflate. If he doesn't stop then I will give all the evidence to the owner of the store to sue him.

[fballiano]

I also implemented a "first order has to be paid by card before you get access to cash-on-delivery" for a customer, it was quite effective.

[m-overlund]

We do hide "Pay later" options for B2C customers and only let companies choose those.
So they choose if they're private person, company etc. to toggle on other payment options.

All our Pay later options for B2C are through services where a 3rd party company takes the risk (anyday.io, klarna etc.)

[elidrissidev]

You could also force the "no COD order after refusing a previous order" policy by forcing the customer in question to select a different payment method from the checkout before submitting the order. Or if they're placing multiple orders in quick succession then rate limiting could also be a solution.

[addison74]

At the moment it is quiet but we are monitoring the connections to the webserver because he can appear at any time. I will let him create an account, but once he creates I have to find a way to suspend it so he can no longer use abusive Re-Order and trap the email address. Do we have in OpenMage an option to suspend an account by setting a value in the database? As far as I know, there is no option of suspending an account. After that we have to delete his orders because he made enough mess, we did it directly in the database because OpenMage does not allow to edit/delete orders in the UI. I did not look for functional extensions for this feature or a PHP script.

What can I say? There are such crazy people or stupid kids. When you realize that 15-20 orders come every 5 minutes, it's not very pleasant at all.

[empiricompany]

For some stores facing the same issue, we move customers to a blacklist group and hide the payment method.

Usually, that has been sufficient, but potentialy a customer can simply register with a different email and choose COD as the payment method.

A similar approach could be implemented by checking the shipping address through an observer and blocking it if blacklisted.

[addison74]

This extension seems to solve the problem https://github.com/Vinai/customer-activation, but I don't know how functional it is. Practically, the customer's account is no longer confirmed by the applicant but by the administrator.

[addison74]

The Amasty extension would have been interesting if it was also applicable to payment methods, depending on the conditions to exclude certain payment methods. For example, if the number of orders is 1, then only offer methods X and Y, not Z.

[m-overlund]

They seem to have one, but only for M2

[addison74]

An interesting idea would be that when a customer in bad faith logs into his account, he should belong to a specially created group. From that moment the [Add to Cart] button will disappear everywhere. The website from a shopping cart becomes just a catalog.

[kiatng]

I use this extension to allow payment methods by customer group: https://github.com/riconeitzel/PaymentFilter

As suggested by @empiricompany , you can create a new customer group called Blacklist and block the payment.