E-Commerce Fraud

How to protect yourself from e-commerce fraud:
Internet ScamBusters #39

Over a year ago, we reported in Internet ScamBusters #23 about the dangers of using credit cards online -- for merchants.

Consumers are reasonably well protected, whereas the merchant has little or no recourse when someone commits fraud against a company. That issue, with its "Eight Sure-Fire Strategies Any Business Owner Can Use to Reduce Credit Card Fraud," brought in a lot of positive reader feedback.

Recently, we were approached by eBay Magazine (August 2000 issue) and asked to share our experiences with credit card fraud. As we mentioned in the eBay article: "We think (credit card fraud) is perhaps one of the top three issues facing Internet merchants today."

Shortly thereafter, we were contacted by Sharon Curry, the Fraud Director for a major retailer, about her experiences with people who have become victims of e-commerce fraud.

Because of the timeliness of these two incidences and the ongoing interest in this hot topic, we're dedicating this issue of ScamBusters to e-commerce fraud.

Below is an excerpt of an article written by Sharon, including safeguards and what to do if you've been scammed.

With her years of experience in investigating schemes for the retailer and a Master's degree in Criminology, she's well qualified to take you inside e-commerce investigations up to, and including, the tracks of a thief as well as recovery and prosecution of the fraudster.

There are also some great Internet resources that will be useful whether or not you're an Internet merchant.

So let's get started...

E-Commerce Fraud

Remember the big buzz in the media about Internet fraud? One of the biggest concerns was the threat of credit cards being stolen through the online purchase procedure. While there is always an opportunity for this to occur, it is definitely not the overwhelming disaster that the experts forecasted. The systems that have been put into place to combat this have been remarkably successful.

But my big question is, what about caveat venditor -- seller beware? Where are all of the headlines about consumers defrauding merchants? It's certainly not as sexy as an arrest of over 100 Wall Street con artists defrauding consumers out of hundreds of millions of dollars. Still, the fact remains that e-commerce fraud is a hot issue for both cyber and click-and-mortar merchants.

Safeguards

There are countless ways to safeguard your business from fraud. But here are some simple ways to help yourself.

1. Held orders. Create a "held orders" department where orders can be reviewed manually. Set certain guidelines for what orders will be held. Examples might be orders over $250, which might be raised to $500 or higher at Christmas.

2. In-house database. Create an in-house database of all fraudulent orders by address. Take the time to run all orders through this database.

3. Shared database/Chain calls. Establish a network with other e-merchants in the same business as yours. Share fraudulent order information with them.

4. Telephone database. You can purchase these on CD-ROM or use services such as Anywho.com's reverse telephone look-up. Use these databases to check phone numbers.

5. Issuing Bank. Contact the Credit Issuing Bank (CIB) and they will contact the customer for you. The CIB will confirm the name and address given by the customer. Many times the phone number given to you on the order form is no good; the CIB can help you in this instance. Have your merchant ID ready when calling the credit card company. Here are phone numbers you can call.

6. Call the customer. In the instance where you think you have the correct number you can call the customer yourself. Otherwise, the CIB will contact the customer and have them call you.

7. Document customer phone calls. This is extremely helpful when you've lost merchandise to a fraudster. I recommend that you get caller id and record incoming phone calls. Have your customer service employees document the calls on a log as well.

8. Cyber shoplifting notices. Almost every retailer has shoplifting notices posted, why don't you? Let the shopper know that all fraudulent orders will be pursued to the fullest extent of the law. Since each prosecution will vary according to the fraudster's state of residence, it is best to keep this vague.

What to Do if You've Been Scammed

Yes, there will be instances where you will hit a brick wall on any sort of recovery, but there are some things you can do once you've been scammed. Most law enforcement agencies want to help. The problem is that law enforcement needs tools to do their jobs. Tools in this case means laws. There are not many laws that are specific to this crime. Many agencies use identity theft, mail fraud, receiving stolen goods, and other standard laws currently on the books. Here are the steps you should take when someone has stolen from you.

1. Documentation. Pull together all documentation, including any phone records you may have accumulated. Include the original order, who the cardholder victim is (if applicable), date it was sent and identifiers for the merchandise (serial numbers, etc).

This is where you will want to take a deep breath and do some basic research on your con. Do the reverse phone number lookup if he's called in. Run the name of the fraudster through Anywho.com or other online phone books. Check TheUltimates.com to research e-mail addresses. If your loss is high, then it would benefit you to pay $30 to have a private investigator skip trace the "Ship To" address for you. You can try to identify the e-mail address domain name at Network Solutions. It can give you limited information about who owns the domain name.

2. Follow the product. Where was the merchandise sent? Hopefully you have established a firm policy against shipping to drop boxes and post office boxes. If you have, then the address will be a firm physical address. Don't give up if you find out that the address is a deserted house. The police may have an investigation established on that location.

3. Shipping Information. Pull the shipping information to get documentation of who signed for the merchandise and the date and time it was received.

4. Local Police. Contact the local police who have jurisdiction over the address where you sent the merchandise. To locate the appropriate law enforcement agency you can use the area code and telephone information or Internet sites like the police directory at http://www.copscgi.com/. Explain to them what happened. Police are interested in "sexy" cases. When I call them, I usually tell them that, in the majority of cases, the fraudster has stolen from more companies than mine and it could result in a high dollar case. It would amaze you how often this is true.

This is where it can get tricky. Some police will not go in after
the fact, but others will. If the fraudster has another order on deck, offer to help the police conduct a controlled delivery. A controlled delivery is a delivery that the seller has complete control over in order to collect enough information from the fraudster to prosecute him. Let's say your company has an order pending for a $500 television set for a fraudster who has already received other pieces of merchandise. Contact the police and arrange to deliver the television under their supervision. In some cases I've had police dress up as UPS and make the delivery themselves. The moment the con signs for the package, the arrest is made on the spot. I enjoy controlled deliveries. Nine times out of ten the controlled delivery will net the law enforcement agency more than the fraud against your company.

If there are no more orders pending, then there are some tricky things you can do to help the police identify the fraudster. What things you can do depend on what type of business you have. The key to this "after the fact" solution is to flush the fraudster out again. What can you do to get the con to call in and talk to you? What can you do to engage the thief in an e-mail correspondence without arousing his suspicions? Use your imagination. Your objective is to identify the individual(s) who ordered and then received the stolen goods. One trick is to send an e-mail to inform them that a part on a delivered product had a recall and you need to ship the replacement part. Then do a controlled delivery with that shipment.

Maybe that customer ordered over a certain dollar amount and your company wishes to send a freebie as a "thanks." And, oh, what a thanks it will be! When the fraudster signs for the "gift" you can nab him on a controlled delivery.

As you read this some ideas will pop into your minds. You can inform them that they are due a refund and then make arrangements for the check to be hand delivered. I could go on and on. There are all sorts of things you can do to help the police do their jobs. All you have to do is make the offer and be diligent.

If you have any questions about e-commerce fraud feel free to contact me at Fraudchick@aol.com.

Here are some helpful databases:

Telephone Databases This includes reverse telephone directories.
http://www.theultimates.com/
http://people.yahoo.com/
http://www.anywho.com/
http://www.infospace.com/people1.htm
http://www.tollfree.att.net/tf.html

E-mail Databases
This includes reverse e-mail searches.
http://www.theultimates.com/
http://people.yahoo.com/
http://www.infospace.com/email1.htm

Internet Domain Databases
http://www.networksolutions.com/
http://www.dotcomdirectory.com/nsi/basic.hm
http://www.networksolutions.com/cgi-bin/whois/whois/
http://www.websense.com/locator.cfm

Want to go it alone? Here is a comprehensive archive of databases from the Dow Jones to people finders like DBT (Auto Track), http://www.lainet.com/factfind/database.htm