youssefwalid
Forum Replies Created
Hi @mrclayton ,
I’ll go ahead and create a support ticket via the path you mentioned so you have all the necessary information. I’m glad to contribute and look forward to seeing the new features in version 1.1.8.
Kind regards,
Youssef

Hi @mrclayton ,
Thanks for the thoughtful response!
To clarify — we’re definitely aiming to fully automate both the capture and the void actions, based on the defined conditions. The ideal flow is:
- If all fraud checks pass → Auto-Capture
- If any key rule fails → Auto-Void
We agree that automation is especially valuable in the context of digital goods, where fast delivery and fraud risk go hand-in-hand. Manual review slows things down and can be avoided if intelligent, customizable rules are in place.
We’d also love to see these conditional rules easily configurable from the plugin’s settings page — with the ability to:
- Enable/disable specific checks (user email match, user country match, user account verification)
- Define the action taken when conditions are met or failed (capture, void, or leave authorized)
- Possibly introduce a new dropdown setting like:
Transaction Type
▸ Authorize → Auto-Capture & Auto-Void
▸ Capture
▸ Authorize
This would give store owners the flexibility to tailor the behavior to their specific fraud risks and operational needs.
Thanks again for the collaboration — we’re excited about where this is heading!
Best Regards,
Youssef

Just to add one final point — we’ve carefully reviewed the PayPal API response during the authorization step, and we can confirm with certainty that the following buyer data is available:
- ✅ Email Address [email_address]
- ✅ Country [country_code]
- ✅ Verification Status [account_status]
So, from a technical standpoint, we’re 100% sure that the rules we’ve suggested — including email mismatch detection, unverified account filtering, and country-based validation — can be implemented cleanly within your plugin’s authorize-review flow.
It’s definitely possible to build these rules:
- Auto-Void if PayPal email ≠ WooCommerce verified email (User’s billing_email)
- Auto-Void if account is not verified
- Auto-Void if country mismatch (User’s billing_country)
- Auto-capture if no rules are triggered
If you add these rule-based conditions with optional auto-capture or auto-void actions, your plugin will genuinely become the most powerful and secure PayPal WooCommerce plugin on the market — especially for digital goods sellers like us.
We’ve tested nearly every alternative, and nothing comes close to what you’re offering. These few enhancements would close the final gap and set a new standard in fraud prevention for PayPal on WooCommerce.
Thanks again for being open to feedback — really appreciate the great work you’re doing.
Hi @mrclayton ,
Let me clarify the reasoning behind the email match rule and respond to the other points as well:
Why the Email Match Rule Adds Huge Value:
Our store sells digital products, and all orders are delivered via email to the customer’s verified address.
Because of this, we require email verification for all new users during registration, and only registered, verified users can proceed to checkout.
This ensures we have a confirmed identity tied to each purchase — which significantly helps in preventing fraud and resolving disputes with strong evidence.
You’re right that a determined fraudster could match the billing email to the stolen PayPal email on some websites. But here’s why the rule still matters in the real-world context of fraud prevention:
- On our website, users must verify their email address before purchase. And we disabled the ability to change their email address from the billing details or account details area.
  This adds a real identity signal and makes it harder for scammers to align all identity elements unless they also control the customer’s inbox.
- In most stolen PayPal account scenarios, the scammer:
  - Logs into PayPal with a compromised account
  - Quickly purchases digital products (downloads, keys, subscriptions)
  - Uses a disposable or random billing email just to pass checkout
  Matching PayPal email to the verified WooCommerce customer email helps detect this mismatch before capture. It’s not foolproof, but it’s a practical layer in a multi-signal fraud strategy.
- In fraud prevention, no rule is perfect, but layered checks raise the effort required to commit abuse. This is especially important in digital goods where fraud is fast and irreversible.
On Real-World Trends (and Our Store’s Impact):
While we don’t have formal statistics in place, our experience over the past few months strongly mirrors the patterns seen in industry reports and fraud forums.
In the 3 months prior to implementing manual review, we received over 100 PayPal disputes and chargebacks, all tied to digital goods. (The registered email address on our website was different than the PayPal account email address)
In every case, the buyer claimed:
“We didn’t make this purchase! Our account was stolen.”
And unfortunately, PayPal sided with them — because they had clear evidence the accounts had been compromised (login from new device/location, IP inconsistencies, etc.).
After this, we shifted to a more secure flow: Authorize → Manual Review → Capture or Void based on red flags.
Since making this change:
- We’ve only received 3 PayPal disputes this month, and
- We won all of them, because:
  - We captured transactions only after confirming the account looked legitimate (email match, country match, verified status)
  - We had proper delivery logs and identity evidence tying the order to a real, verified customer
This workflow has dramatically reduced our fraud exposure and saved us from ongoing revenue loss, which is why automating these checks and responses (auto-capture/void) based on red flags would be a huge upgrade.
I wanted to expand a bit on how these conditional void rules could be technically integrated into your plugin — with a suggested enhancement for auto-capturing transactions when no red flags are triggered.
Since your plugin already supports the Authorize Only payment method, the ideal place for these checks is after authorization and before capture, during the review phase.
🔧 Suggested Settings (New Section: “Fraud Prevention Rules”)
Under your plugin’s settings, you could add a toggleable set of conditional rules:
- ❌ Void if PayPal email ≠ WooCommerce billing/customer email (Buyer)
- ❌ Void if PayPal account is unverified
- ❌ Void if PayPal account country ≠ store base country
- ❌ Void if PayPal account country ≠ WooCommerce billing country (Buyer)
- ✅ Auto-capture if none of the above are triggered
🔄 Implementation Workflow
- After the authorization step, hook into the response payload from PayPal’s Orders API:
  - payer.email_address
  - payer.address.country_code
  - payer.verification_status (or similar metadata if available)
- Compare these values against:
  - WooCommerce billing_email, billing_country
  - Store’s country (from general WooCommerce settings)
- If any rule is triggered:
  → Automatically void the transaction and log an order note (e.g., “Voided: PayPal email mismatch”).
- If no rules are triggered:
  → Automatically capture the transaction and note success (e.g., “Captured: All fraud checks passed”).
Why Auto-Capture is Important:
In digital product stores, time-to-delivery is often immediate. Merchants who trust these automated checks would benefit greatly from eliminating manual review overhead. This allows:
- Fast, safe fulfillment
- Minimal fraud exposure
- Reduced admin workload
This system would preserve flexibility (via settings), enhance security (via conditions), and streamline fulfillment (via auto-capture). I believe it would be a significant step forward for merchants who deal with digital goods or high-risk product categories.
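The rule evaluation proposed in the post above, as an added example that is not part of the original post or the plugin's code: a pure decision function with no WooCommerce or PayPal calls. The payer field names follow the post; the function name, the rule keys, the `verified` status value and the "hold" outcome for missing data are assumptions.

```php
<?php
// Added example: decision logic only. Field names follow the post; the
// 'verified' status value and the "hold" outcome are assumptions.

function evaluate_fraud_rules(array $payer, array $order, string $storeCountry, array $rules): array
{
    // Emails and country codes are compared case-insensitively, ignoring padding.
    $norm = static fn($v): string => is_string($v) ? strtolower(trim($v)) : '';

    $ppEmail   = $norm($payer['email_address'] ?? null);
    $ppCountry = $norm($payer['address']['country_code'] ?? null);
    $ppStatus  = $norm($payer['verification_status'] ?? null);

    // Each rule: [PayPal value, expected value, order note on failure].
    $checks = [
        'email_match'     => [$ppEmail,   $norm($order['billing_email'] ?? null),   'PayPal email mismatch'],
        'verified'        => [$ppStatus,  'verified',                               'PayPal account unverified'],
        'store_country'   => [$ppCountry, $norm($storeCountry),                     'PayPal country differs from store country'],
        'billing_country' => [$ppCountry, $norm($order['billing_country'] ?? null), 'PayPal country differs from billing country'],
    ];

    $reasons = [];
    $missing = [];
    foreach ($checks as $rule => [$actual, $expected, $note]) {
        if (empty($rules[$rule])) {
            continue;                 // rule disabled in settings
        }
        if ($actual === '' || $expected === '') {
            $missing[] = $rule;       // cannot evaluate: never count as a pass
        } elseif ($actual !== $expected) {
            $reasons[] = $note;
        }
    }

    if ($reasons) {
        return ['action' => 'void', 'note' => 'Voided: ' . implode('; ', $reasons)];
    }
    if ($missing) {
        return ['action' => 'hold', 'note' => 'Left authorized, no data for: ' . implode(', ', $missing)];
    }
    return ['action' => 'capture', 'note' => 'Captured: All fraud checks passed'];
}

// Constructed sample data, not a real PayPal response.
$payer = ['email_address' => 'Buyer@Example.com ', 'verification_status' => 'VERIFIED',
          'address' => ['country_code' => 'DE']];
$order = ['billing_email' => 'buyer@example.com', 'billing_country' => 'DE'];
$rules = ['email_match' => true, 'verified' => true, 'store_country' => false, 'billing_country' => true];
print_r(evaluate_fraud_rules($payer, $order, 'US', $rules));
```

A rule whose input is absent from the response leaves the payment authorized for manual review instead of capturing, so a missing field can never pass a check by default.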
Hi @mrclayton ,
Thank you for your quick and open response, I appreciate you exploring these suggestions.
Why these conditional void rules matter — especially for merchants selling digital goods:
- Digital goods are prime targets for fraudsters.
  - Fraud consumes about 9.7% of revenue at digital‑only merchants — compared to 8% for general e‑commerce and 4.2% fraud rates in other e‑commerce sectors.
  - Fraudsters are drawn to digital products because there’s no shipping address required — making it easy to resell codes, subscriptions, or downloads instantly.
- PayPal is widely exploited for scams.
  - In the U.S., 28% of reported scam payments in 2023 involved PayPal — more than any other payment app.
  - Moreover, over 60% of merchants surveyed view PayPal as a top fraud channel.
- Account takeover and credential misuse are rampant.
  - Phishers compromise accounts in large numbers — 35% of recipients open phishing emails and 97% struggle to detect them.
  - Fraudsters then use stolen credentials to make unauthorized purchases.
- Digital goods merchants lack downstream protections.
  - PayPal’s seller protection does not cover intangible goods — leaving merchants vulnerable to chargebacks long after delivery.
  - Most of the sellers are saying, “we’re finding it near impossible to sell digital goods due to digital goods having no seller protection on PayPal…”
How your feature suggestions help mitigate these risks:
- Rule #1 (Payment email ≠ billing email): Helps detect hijacked or mismatched accounts upfront.
- Rule #2 (Non‑verified PayPal accounts): Prevents fraudsters using newly created or unverified accounts.
- Rule #3 & #4 (Geolocation rules): Blocks cross‑country mismatches that often point to stolen accounts or proxy use.
These measures, offered as optional but structured rules, would be invaluable to thousands of merchants who:
- Sell instantly delivered digital items — resellers love PayPal’s ease and lack of address checks.
- Face high chargeback/operation costs — digital‑goods merchants often spend 20% of budgets on fraud management.
- Have little to no recourse when chargebacks hit — they cannot rely on PayPal Seller Protection for digital goods.
These conditional void rules don’t just make sense — they’re essential defenses in the authorize‑review‑capture workflow. They’d dramatically reduce merchant exposure to stolen‑account abuse, chargeback nightmares, and fraud losses — especially in the vulnerable digital‑goods segment.
I’d be happy to help test the feature or provide further input. Thank you for considering these enhancements — they could make a real difference for thousands of merchants and put your plugin at the forefront of fraud‑aware WooCommerce solutions.
Best regards,
Youssef

4. Void transactions from PayPal accounts registered in a different country than the customer’s WooCommerce account or billing email address.
No, we are using the official one without any edits
No, all users.
Any user tops up his wallet; when he finishes his balance, he gets an automatic free recharge for amounts like 0.01 – 0.02, and sometimes he gets negative balances like -0.2. When we debit these amounts, they come back again automatically after some hours.
Hello,
It doesn’t appear in their wallet transaction history, only debit transactions made by me to remove these fake balances appear. https://ibb.co/cLcmycY
While I am replying to you now, I found that the same users got their wallets recharged again automatically!
Thank you.