Internet Merchant Accounts: How to Reduce Fraud

Suggestions from our readers on how to reduce credit card fraud for Internet merchant accounts

We’ve had a great response to our eight tips on minimizing credit card fraud in Scambusters #23 and we sincerely hope this never happens to you.

Some of our readers have generously shared their own experiences and tips with us for minimizing credit card fraud.

How to reduce credit card fraud for Internet merchant accounts, suggestions from our readers:

I would like to put out a serious warning for anyone considering the supposed 'credit' offer from a company called CMA. They are not only extremely unprofessional and deceptive, but quite rude about it as well. This is what happened. I received an email, actually it was 'spam', and something I usually delete right away. However, with the "enticement" of a guaranteed 2 or 3 credit cards, with no security deposit required, and myself in need of a laptop for my web design and still being at the mercy of my ex-husband's bad credit, I was 'sucked in'. Now, in the email ad it very clearly states 'Risk Free', and invites you to 'Apply Now'... So, thinking I had nothing to risk, I "applied", to see what would come up. Now, I am a very particular person about fine print and finding the 'catches' in everything. I don't know at this point if I just 'missed' the 'catch' or if something was changed since I applied, but it appears that when filling out the application, I had legally bound myself to pay them the $35. Not realizing this, I very innocently emailed them and told them that I was still considering their program, but how would I know that I wouldn't receive offers from 2 of the credit cards I already have? What I received back was an email telling me to make a payment on my account now or risk late fees. Totally befuddled and confused, I again, very innocently emailed back and said 'What payment? I haven't done this yet'... and the reply I received was the most rude, threatening, and harrassing email that I think I have EVER received from a so-called company.

They stated to me that not only was I obligated to pay the $35 (which is something I am willing to admit WAS perhaps my oversight), BUT that I was NOW going to be charged a $75 late payment fee, threatening that they "have my credit report" in their possession, as if holding it hostage almost 🙂 What was ludicrous about this is that it had NOT been 30 days, but only 23 days, so their supposed bill was NOT late, yet they continued their very threatening letter. CMA, a supposed company who boasts of being listed with Dunn and Bradstreet, didn't even spell the name of the credit agencies correctly, which to me, was a big tell-tale sign of their lack of professionalism. AND, what was the absolute WORST most obnoxious part of the email was the last sentence that stated 'You will not hear from us again' ... What kind of company operates like THAT, unless an unethical one?

I have sent them 2 very scathing emails of my own, informing them that they way they conduct business will not be tolerated, and that their treatment of their customers is deplorable. Here we have a company who is supposedly in the business of HELPING people's credit, and the only promise I received from them was that they would HURT my credit if I didn't pay late fees that were not even owed.

I hope that my experience will help others in not falling for their deceptive business practices. And in addition, I have saved all emails from them for my own records, and will share with anyone who have also perhaps been scammed by them.

Darla D.

It is so good to have a Web site like yours, educating and informing the public regarding fraud is very important and for me, it is humanitarian. There's a lot of good folks out there who are victimized every minute of their hard earned money. In this unfair world full of robbers and thieves it is essential to have a site like yours that can help to prevent or stop this thieves and bring justice to the innocent public.

Dina B.

[ Editors note: <blush> Thank you, Dina. ]

Here is one of the methods I use to combat credit card fraud: I have my ordering system programmed so that when we get an order, the customer gets a "thanks" page that thanks him/her for the order and tells him/her the goods will be shipped withing 2 business days, etc., etc.

If the order is either from or is being shipped to a country where I'm reasonably certain I will have trouble getting an English speaking person on the phone at the bank if I need to confim the name/address, the customer gets an alternate page that thanks him for the order and explains that before we can ship to Latvia (just an example), we need to have him fax either a photo of the credit card OR a xerox of his/her credit card billing.

For the trouble, we go on to explain, we will deduct $3 from his total amount. This stops all (so far) fraudulent orders dead in their tracks. I have processed several orders where the person in Solvenia, Kuwait, etc. gladly took a picture of the card or billing and faxed or emailed it to me. BTW, the countries where I figure I can talk to the bank with little problem are: the U.S., Canada, Australia, NZ, UK, The Netherlands, Ireland, and the Scandanivian countries...

I hope this helps someone.

Bruce B.

We received several orders in the last few weeks from customers who were located all over the world (Germany, Spain, Brazil, US), but all with Bucharest, Romania ship-to addresses. It wasn't too hard to figure out they were bogus, especially when the same return email address showed up on two different orders from Spain and Germany. These were not intelligent crooks - on some orders they had a different name for the bill-to, ship, and credit card. Be aware of unusual overseas orders!

Michael H.

As a former fraud investigator for a well-known online auction house, I ran across hundreds and hundreds of fraud cases. The unique thing about the Net is, you are getting fraudulent information from all over the US and also internationally. This means to prosecute cases, you have to deal with authorities in the geographic areas where the fraudulently purchased merchandise is being delivered to. In dealing with local authorities, I found that most local police are not familiar with the Internet, how it works, or how to use it. Most law enforcement agencies will not even bother with Internet fraud case unless the loss is over $10,000. In San Francisco, I was told by the police that "The D.A. does not prosecute Internet fraud cases because they are too hard to prove". In Flushing N.Y., I was told that they were "too busy" to do anything, even though the fraud was well over $10,000.

In other cases, I was very fortunate to have worked with police officers who had an interest and knowledge of the Internet. In four cases, I worked with authorities to convict Internet criminals. This is unfortunately the exception to the rule. To this day, there is a pending fraud investigation in Southern California that is obviously some kind of organized fraud ring, which involves hundreds of thousands of dollars, and several Internet companies, that goes unsolved due to lack of knowledge by police. When I tried to get the FBI interested in this case, I was told that unless it was over $100,000, they were too busy.

As you can see from my experiences, the best thing you can do is to protect yourself from Internet fraud by exercising extreme caution before shipping merchandise. The ideas in your article were very good. As far as CyberSource, we found that it was too expensive because you are charged per transaction. For a high volume business, it can really get expensive. It is a good idea to keep a database of known fraudulent information, and to confirm each order with a phone call if possible. A good solution to prevent Internet fraud would be to start a database that is available to all Internet companies, and is paid for by Internet companies, which has known fraudulent information, such as email addresses, delivery addresses, credit card numbers and names. In the long run, it would save millions of dollars. If one company finds out that a credit card is fraudulent, a significant loss could be prevented by sharing this information with other Internet companies. Of course the most fundamental way to stop the card from being used at other Internet companies is to contact the cardholder's issuing bank immediately! Keep up the good work, keep me informed on those scammers!

Kelly Clark, a well-known Internet auction house

What follows is not about a scam, per se, but should be of interest to you nonetheless.

I consult on Internet and business. I'm always reminding my clients that unencrypted email is never a place to put any information you wouldn't want slipping into the hands of strangers and teenage hackers. The other day I talked with a company that provides credit card service for online vendors. Their rep told me "The vendor acquires the credit card information on their site and then forwards it to us via email. Email is perfectly secure..."

I was blown away by that pitch. And somewhat scared by the thought that some vendors must be taking credit card orders on their Web sites and then forwarding them by email...

I told the rep that email is anything but secure, and she thanked me for the information. I doubt she even knew what SHE was saying, much less how to interpret my responses. There is no doubt in my mind that they will continue with that practice.

Ken D.

Last year two of my credit cards were "penetrated", that is someone had obtained the number and had requested that my address be changed. One to a Brooklyn Address and the other to Newark, NJ. Both were street and apartment addresses. I did not lose any money nor did the credit card companies because of their alertness in suspecting this fraud and identifying it promptly. I cancelled both cards, refusing to let either company send me a new card. This might seem a little harsh. Good thing, I actually caught one of them processing a replacement card to go to one of the fraudulent addresses -- their credit card department had not yet "gotten the word." I decided that by cancelling the card that would leave no room for doubt. The most importrant thing here is to pursue the matter vigourously until you are sure everyone in an institution is on the same sheet of music. I eventually got a new credit card from one of the companies, who I had requested to hold off for about six months before sending me anything.

I called the other companies where I have cards and the three major credit bureaus to make sure they were aware of the problems and they all put "stop change" notes in my records. It was quite an education. The only folks I really was underimpressed with is the Post Office's lack of interest when I tried to tell them about it.

I think it is highly unusual to have two credit cards "hit" the same way in a six-month period and that got me to thinking. The only thing in common between the two cards was that I had requested "mail-in rebates" on purchases made by both. As many folks know, these rebate brokers all seem to live in P.O. Boxes in Phoenix, AZ.

On the advice of one of the merchants where I had made one of the purchases, I now check the cash register receipts that I send to the rebate brokers to make sure my credit card number is not on them. I am sure, although I couldn't prove it, that this was the source of my problem.

The main thing that this taught me was to protect those credit card numbers! Use your imagination -- say to yourself "if I was a crook, how would I get my hands on this?"

Regards, Al G.

A few weeks ago, I got a phone call from Office Max. They asked me to verify the delivery address for the new $2500 computer I ordered. I informed them that I had not ordered a new computer and asked them for the address to which it was supposed to be delivered. They cancelled the order, of course.

I immediately called American Express and they cancelled my account (and sent me a new card). I also called the police department in White Plains, New York, where I live, and an officer came to my home within a few minutes. He took down all the details and told me the case would be turned over to the detectives' dept. for investigation.

I later called the detectives' dept. to ask whether they had checked out the address where the computer was to have been delivered. They told me they had and that the case was being investigated by the Secret Service. They had several other cases of credit card fraud by the same person at the address where my computer was to have been delivered and that an arrest would be made shortly.

This is one case that turned out well. Office Max did the right thing by checking on the delivery address when it was different from the credit card billing address and I was able to notify the credit card company and the police promptly.

-- John H.

As the Assistant Purchasing Card Coordinator for the University of Utah, I was pleased that someone forwarded me a copy of your issue #23 including the article on Credit Card Fraud. This is an area of concern to our Purchasing Card (P-Card) users as well as to merchants. Every day the University does hundreds of MO/TO and NET transactions throughout the country. We hope that our Cardholders are helping to improve not hinder vendor relations by using our P-Card.

We, the University of Utah Purchasing Card program administrators, have taken a very pro-active stance in developing better merchant relations: ie. calling the vendor before requesting a 'chargeback', requiring our cardholders to keep accurate records of phone orders (we recommend fax confirmations), encouraging MasterCard (our provider) to develop a 'flat fee' instead of a percentage discount rate, and helping vendors find a way to lower their 'discount rate' by refering them to our issuing bank as a preferred vendor or to another provider who has agreed to assist small vendors who do business with the University. Additionally, we have developed some internal processes which discourage card number theft. Although I cannot share all of these procedures with your readers (for obvious reasons) I would like to share a few of them that Merchants can use, too.

We tell our cardholders :

First: Merchants should NEVER put the credit card number and name on the outside of the package. This is the first place a crook looks to steal a card number because he can also get a mailing address/billing address. And he doesn't even have to 'steal' anything to get it.

Second: ALWAYS be prepared to give the vendor your 'billing' address as a source of verification. If the billing address doesn't match what the bank has on file the charge will be declined. (This is a step which we have created with the bank. More people should do the same. However, in the instances where we have had CC Fraud attempted it was only successful when the vendor _failed_ to follow this procedure before putting through the charge.)

Third: The Merchant should NEVER keep a card number 'on file'. Each transaction should be treated as 'new' -- what if someone called a vendor pretending to be the cardholder (or her representative) who happened to 'forget' the card but wanted to make her 'usual' purchase? This exposes the University and the Vendor to fraudelant transactions. Additionally, these 'files' are often easily accessed -- in one instance the vendor simply 'posted' card numbers on a wall for all his employees and anyone else to see. On the NET we don't know how this is handled by vendors, but for all concerns we hope that they are kept secure per transaction and _not_ filed at all.

Lastly: Be prepared to provide the Vendor with fax confirmation of your order and ask for confirmation of the shipment via fax whenever possible. This verifies to the vendor your order and who placed it. It also verifies to the cardholder that the order is valid. When ordering over the NET we recommend doing a screenprint of the order when it is placed along with whatever confirmation is offered.

Even with my personal card I try to follow procedures which will reduce the risk of fraud because it can cost me as well as the vendor. Charges, even fraudulent ones, made against a card before realizing there is a problem may be my responsibility to pay. Only after I report a problem to the bank does the 'fraud' protection on the card become effective. The procedures which I have mentioned are just as valid for individual cards as they are for Corporate Purchasing Cards.

Unfortunately there are some people who would like to get 'something for nothing' by stealing a card number. They can find ways to do this because of carelessness on the part of the Cardholders and Merchants, too. Thanks for doing your part in eliminating this costly form of fraud.

Elizabeth Bogue
Asst. Purchasing Card Coord/Asst Buyer
University of Utah

Also see: Online Merchant Accounts: How to Reduce Fraud