Probably the best resource for fraud prevention is INTERNET SCAMBUSTERS. I highly recommend you support their free web site as they provide businesses with fantastic information. Rather than duplicate their effort, I have copied their document on credit card fraud for merchants who do online purchasing.
Reprinted from Internet ScamBusters Issue #23
May 31, 1998
Over the past four years, there has been an enormous amount of publicity about the dangers of credit card fraud on the Net. When you add movies like "The Net" to the news articles about Internet fraud, it's hardly surprising that consumers are nervous about giving out their credit card numbers over the Net.
Yet, as many savvy Internet shoppers now know, the reality is that it's actually much safer to enter your credit card number on a secure on-line order form than it is to give your credit card to a waiter at a restaurant. After all, what's to stop the waiter from writing down your credit card number and placing orders on the phone with it later? And research shows that the rate of fraudulent purchases made by cell phones is much higher than credit card fraud on the Net.
Naturally, we do encourage you to take precautions when giving out any confidential information (including your credit card number) over the Internet, over the phone... or anywhere else for that matter. Always use common sense -- it is the best rule of thumb.
However, this article is not about the dangers of credit card fraud for consumers. Rather, it's about a much more prevalent -- and much less publicized -- aspect of credit card fraud: the dangers of credit card fraud for businesses who accept credit cards over the Net.
There has been a tremendous increase in the number of merchants who have been scammed by crooks who place fraudulent orders using stolen credit card information. Unfortunately, merchants are not provided the same protection as consumers when it comes to credit card fraud. In fact, merchants are completely at risk.
Here's a personal example: Our company experienced its first encounter with credit card fraud last month. Someone stole a credit card account number, then used the stolen number to purchase a $500 product from our company. The crook knew the cardholder's correct address, provided our company with that information, but requested that the product be shipped to a different address.
Since it's not uncommon for our customers to request a "ship to" address which is different than the "bill to" address, at first, we didn't think much of it. Our policy is to send the invoice to the "bill to" address -- which we did. A few days later we got a call from the customer (whose card number was stolen) informing us that he never purchased anything from us.
This particular scamster used one of the free email services (Juno) to open an email account in the stolen cardholder's name -- which made the transaction appear more legitimate. We informed Juno's security department of the fraud taking place. (Juno said that they shut down the scamster's account.)
Although we got authorization and approval from our merchant account vendor, we bear all the loss.
We contacted the banks and the merchant providers involved, and even contacted the police. The banks, merchant providers and police were not able to help -- mainly because they were too busy or felt that the dollar amount involved ($500) was not significant enough to warrant further action.
Based on this experience, we decided to do some research and see how other merchants handle this problem. We discovered that credit card fraud has become (and is quickly becoming) a serious problem for many Internet merchants. In fact, given the scope of this problem, we were surprised this issue has not received more publicity.
We also discovered that crooks can now create fictitious credit card numbers based on the algorithms used to produce authentic numbers. These fictitious credit card numbers pass through verification and will be given approval codes. Further, there are newsgroups which post stolen credit card data (so if your card number is stolen, it may be posted to the world in a matter of minutes).
Eight Steps To Minimize Credit Card Fraud For Merchants
Here are some tips to minimize your risk of credit card fraud:
- Begin taking a few extra steps to validate each order. Don't accept orders unless complete information is provided (including full address and phone number). We also now require Address Verification for all of our credit card orders.
- Be wary of orders with different "bill to" and "ship to" addresses. We now require anyone who uses a different "ship to" address to send us a fax with their signature and credit card number authorizing the transaction.
- Be especially careful with orders that come from free email services -- there is a much higher incidence of fraud from these services (hotmail.com, juno.com, usa.net, etc.). Many businesses won't even accept orders that come through these free email accounts anymore. That's because it's so easy for a scamster to open a free, anonymous email account in another person's name and then send you, the merchant, an order using the fake email account and a fraudulent credit card number (just as in our example above).
Since there are so many free email services, how do you know if the order you receive is from one of these free email services? You can check a list of 700+ of these free email services.
You can also find an excellent article published at this same site, which provides a good (although not foolproof) suggestion for verifying email addresses: check every Email address by typing "www" in front of the domain name of the email address into your browser.
For example, if you got an order addressed from audri@scambusters.org and you typed www.scambusters.org, you'd get to the ScamBusters Web site, which is a legitimate Web site. Or, if you got an order from sallysmith@netcom.com, you'd type in www.netcom.com and you'd be at a legitimate ISP. On the other hand, the article suggests that if you got an order from joesmith@cyberdude.com and typed in www.cyberdude.com, you'd find yourself at a site which offers 150+ free email domains. (We're not saying cyberdudes, juno, hotmail, etc. are not legitimate. Rather, we're suggesting that orders that come from these free email services warrant additional care and attention.)
What precautions should you take with orders from free email accounts? We recommend sending an email requesting additional information before you process the order. More specifically, ask for: a non-free mail address, the name and phone number of the bank that issued the credit card, the exact name on credit card, and the exact billing address. Often, you won't get a reply. If you do, you can easily verify the information (which you should take the time to do).
- Be especially wary of orders that are larger than your typical order amount, and orders with next day delivery. Crooks don't care what it costs, since they aren't planning on paying for it anyway.
- Pay extra attention to international orders. Do everything you can to validate the order before you ship your product to a different country. We won't ship international orders which have different "bill to" and "ship to" addresses.
- If you're suspicious, pick up the phone and call the customer to confirm the order. Believe us, it will save you a lot of time, and money, in the long run.
- Consider using software or services to fight credit card fraud online. We haven't tried any of these services. However, we have heard positive reviews from colleagues who have used Cybersource and Clear Commerce Corp.
- If you (as a merchant) do have the misfortune of being scammed by a credit card thief, you should contact your merchant processor immediately and inform them of the situation. In our case, our merchant provider was able to give us the name and number of the cardholder's bank and we were then able to contact the cardholder and inform them that their card number had been stolen. (Many people aren't even aware that their account number has been stolen.) You should also contact your bank, and the authorities as well. (As we mentioned, the authorities will probably take a report, but may not do much else depending on the dollar amount of the fraud.)
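The screening steps above can be applied mechanically before an order ships. The sketch below is an added example, not part of the original ScamBusters article: the `Order` fields, the flag names, the "twice the typical amount" threshold and the sample order are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed short list: the three services the article names. The 700+
# entry list it mentions is not reproduced here.
FREE_EMAIL_DOMAINS = {"hotmail.com", "juno.com", "usa.net"}
ADDRESS_FIELDS = ("street", "city", "postcode", "country")

@dataclass
class Order:
    email: str
    phone: str
    bill_to: dict
    ship_to: dict
    amount: float
    avs_match: bool          # Address Verification result from the processor
    next_day: bool = False

def _norm(addr):
    return tuple(str(addr.get(f, "")).strip().lower() for f in ADDRESS_FIELDS)

def review_flags(order, typical_amount, home_country="us", large_factor=2.0):
    """Reasons to hold an order. large_factor is an assumed threshold."""
    flags = []
    _, at, domain = order.email.strip().lower().rpartition("@")
    if not at or not domain or not order.phone.strip() or "" in _norm(order.bill_to):
        flags.append("incomplete-information")
    if not order.avs_match:
        flags.append("avs-failed")
    if _norm(order.bill_to) != _norm(order.ship_to):
        flags.append("ship-to-differs")
    if domain in FREE_EMAIL_DOMAINS:
        flags.append("free-email")
    if order.amount > large_factor * typical_amount:
        flags.append("large-order")
    if order.next_day:
        flags.append("next-day-delivery")
    if _norm(order.ship_to)[3] != home_country:
        flags.append("international")
    return flags

def decision(flags):
    """Map flags to the article's policies: refuse, hold for a call/fax, or ship."""
    if "incomplete-information" in flags or {"international", "ship-to-differs"} <= set(flags):
        return "decline"
    return "hold-for-verification" if flags else "ship"

# Constructed sample modelled on the article's $500 incident.
BILL = {"street": "1 Main St", "city": "Springfield", "postcode": "00000", "country": "US"}
SHIP = dict(BILL, street="99 Side Rd")
SAMPLE = Order("cardholder@juno.com", "555-0100", BILL, SHIP, 500.0, avs_match=True)
```

Run against `SAMPLE`, the order passes Address Verification (the thief knew the billing address) yet is still held on the ship-to and free-email flags, which is the point of checking more than the processor's approval.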
If readers have had better success in getting the police and other authorities to pay attention to the problem of credit card theft, please share your experiences with us -- we want to provide our subscribers with useful resources for dealing with this issue. Email us and tell us your story.
One Final Useful Resource
As we mentioned above, Dan Janal has written an excellent book on how to protect yourself against online scams and cyberspace invaders called "Risky Business: Protect Your Business from being Stalked, Conned or Blackmailed on the Web," (John Wiley & Sons, April 1998). Dan also wrote an article called "30 Essential Steps You Should Take Right Now to Fight Online Crime and Protect Yourself" which you can read for free. Tips #5, #18, and #21 provide some good ideas for merchants to minimize the risk of credit card fraud.
Finally, if you have additional tips for minimizing credit card fraud to merchants, please send us an email at creditcardfraud@scambusters.org and write CC Fraud in the subject field. We'll post the additional suggestions and tips we receive on our Minimizing Credit Card Fraud page.