This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.
SALT LAKE CITY — Recently I received a phone call from a potential customer who asked about my inventory of body fat analyzers and wanted to know how quickly she could have 50 of them delivered to an address in Miami. Satisfied that we had them in stock and that they could be shipped right away, she placed the order. Her phone number included a Miami area code. However, the billing address for the credit card she used was in Maryland. This scenario wasn't completely unusual, but worth a deeper look.
A bit suspicious of the details of this order, we did a little investigating to find out more about the company name she provided along with her order. We couldn't find anything. We did a reverse phone number search. Nothing turned up.
Still, I authorized this person's credit card in preparation for fulfilling her order. The next day I got a phone call from someone with, not so ironically, the exact same name. She asked why there was a credit card authorization on her card. Bingo! My hunch was right.
I explained to this person that someone had placed an order the previous day using her credit card, and that the impersonator had asked us to ship more than $1,000 worth of products to an address in Miami, which turned out to be a UPS Store location.
The combination of today's methods for storing data and the prevalence of ethically-challenged people eager to find credit card information to use or re-sell has made this a real issue for owners of online businesses.
Having been in the industry of online retail for more than 10 years, I've seen this situation too many times. In fact, my businesses have been victimized several times when our desire to gain a new customer overpowered our sense of caution. In one year alone, a small online sporting goods company I operated lost close to $10,000 to fake customers. In the particular situation I just described with the fraudster in Miami, my business stood to lose more than $800 had we not been notified by the actual cardholder that we were being taken.
The combination of today's methods for storing data and the prevalence of ethically-challenged people eager to find credit card information to use or re-sell has made this a real issue for owners of online businesses. The anonymity that exists in cyberspace adds to the problem.
For online business owners, here are some things you need to know to protect your business. Merchants who send products to people who are not who they purport to be are certain to incur a loss as soon as the real cardholder notices that a fraudulent charge has been placed on his card and notifies the card issuer. The online store owner is always completely exposed to the risk when this kind of online fraud is committed. Credit card processing accounts typically show no mercy to online store owners who, in good faith, sell items to thieves who appear to be legitimate buyers.
Signs of online fraud
Sadly enough, my online businesses have been victimized by credit card thieves enough times that I've seen some trends develop. Here are the most common signs that a customer is shopping your store using someone else's credit card.
- Multiple quantities of the same item.Most of the fraudulent orders I've received include large quantities of the same item. These people know that they only have a few chances to make good on a stolen credit card, so they try to make it pay off as much as possible on any one transaction. They tend to order multiples of products that don't seem natural. For instance, someone ordered 20 football jerseys in the same size and color from a sporting goods store I used to own.
- Expedited shipping.Someone purchasing with a stolen credit card is likely to use expedited shipping without any apparent regard for the exhorbitant shipping cost. Most fraudulent orders are placed using overnight or 2nd-Day Air shipping. People who are committing fraud typically understand that they need to hurry so as to not be detected before they've gotten what they want.
- Billing address and shipping address geographically far removed.Although there are often customers who need to have something shipped to a sister office in their company or who have some other legitimate reason to request an order be shipped to an address that is hundreds or thousands of miles away from their billing address, using geographically disparate billing and shipping addresses is typical of those who are committing fraud.
- Using a Hotmail, Gmail or other non-professional address.This rule applies mostly to customers who claim to be ordering for companies. If the stuff on the right side of their email address (e.g. firstname.lastname@example.org) doesn't match up with the organization they claim to represent, and instead they use a free email service, there is more likelihood that the person really isn't associated with the company. There are several other smaller signals that, when considered together, can help a store owner recognize when someone is trying to commit credit card fraud. For business owners who want to be extra careful, more advanced fraud prevention tactics can be put into place. Usually a business owner is faced with balancing the ability to conveniently sell products to customers with the possibility of being exposed to fraud because of a security policy that is too lax. Vetting the customer
With the available access to information about people, companies and all sorts of other data, suspicious customers can often be detected through social media or by doing a few Google searches. This kind of research typically increases suspicion about a potentially fraudulent order when there don't seem to be any online traces of the person placing the order.
Our store typically sells to doctors, hospitals, schools and other organizations. It is easy to look up these people on LinkedIn, Facebook on their own websites. Businesses who typically sell products directly to consumers, rather than to other businesses, might have to dig a little more to find out whether their customer seems legitimate. We have used Google Maps to look up the address, and in many cases we've found ship-to addresses that look like they are abandoned houses or that otherwise don't match up with the rest of the information provided on the order.
Merchant security measures
Merchant providers and online gateways (which allow online store owners to process credit cards) typically have at least some rudimentary protections to keep online store owners safe. One of these protections is the address verification system resource, which allows store owners to match the billing address (typically the street number and/or the ZIP code) provided by a customer to the address on file with the credit card issuer. The security code on the credit card can also be entered by the store owner through a credit card gateway (like authorize.net), which reports whether the security code matches what the credit card issuer has on file for any particular card.
Both of these protections can be circumvented by credit card fraudsters, however, simply by obtaining all of that information along with the credit card number and expiration date for the card they have stolen.
The only true way to make sure that your business is protected when shipping to a credit card owner is to insist that the ship-to address they provide is attached to their credit card account. Credit card companies normally allow cardholders to add shipping addresses to their accounts. A store owner can verify with the credit card company that the address where the goods are going is recognized by them.
Reporting the crime
This part of the process — having lost some amount of money to a credit card thief — can feel like eating crow for a business owner. Those who are willing to spend a few hours filling out a police report (which might as well read "How I allowed my business to get conned") can report having goods stolen from them through their local police department.
I have done this multiple times, but unfortunately I've never seen anything come of it, even when there was very clear evidence and the value of loss was high. Investigators apparently had more pressing issues to deal with than worrying about online fraud. The best practice is to try to keep this kind of thing from happening in the first place.
Richard Robbins operates online retail stores, including ProHealthcareProducts.com. He has had several years of experience dealing with online fraud.