Monday, February 5, 2007

Internet Fraud - Fraud Alert

The following is a post I submitted to the Led Digest
Marketing Email Discussion Group on my
personal experience dealing with well over $150,000 in
fraudulent orders in the last 5 1/2 years, most of which
were from international sales.

Their email digest list is one I strongly urge you to
subscribe to as it is one of the few that provides
valuable first hand information from the experiences of
real marketing professionals and the subscription is Free.

I debated all week about adding my 2 cents to the subject of
International sales because this post could easily evolve into
being being a book sized post.

But a large order from South Africa prompted me to jump in
with some comments and suggestions.

Our international trade marketing services business attracts
fraudulent orders like moths to a light on a summer night.

The primary reason for these orders has been the directories
we offer that contain the contact information for importers
around the world with about 12% of them having email addresses.

The fraudsters (as I like to call them) attempt to use one form
of fraud (credit card) when purchasing our directories which they
then use to email their infamous "Nigerian" scam emails (which
are no longer limited to Nigeria but still primarily centered from
countries on the African continent).

Our "fraud flood" actually started about 5 1/2 years ago and hit
the $150,000 mark sometime early last year when I stopped
keeping a tally because we were literally receiving 5 fraud orders
for every 1 legitimate order.

The order the sparked me to post this came from South Africa
(becoming a fast 2nd or 3rd to Nigeria). It was for two Mexico
Business directories with a total cost of $1,390.00.

The order upon initial review, looked fairly legit, spelling was good,
the first and last names were not reversed (an easy sign to spot
from new, not to educated fraudsters).

The email was a free email,that is a definite security flag but the
IP address on the order checked out for South Africa - things were
looking fairly positive.

Let me divert for a moment - in regards to the IP address capture.
I installed this little bit of script on our order forms in September
2006 and almost overnight it reduced our fraud order rate from
about 5 to 1 by about 90%. I 'guess' because their IP address shows
on the order form as they are filling it out and they cannot change it
that it scares some of them away?

By the way, http://whois.sc is about the best and fasted IP checker
I have found on the Internet - just copy the IP from the order and visit
whois.sc and paste and hit enter - very fast and more details than
any other I have used yet.

The next check was the first 6 digits of the credit card with our
merchant services bank lookup. The 2nd BIG security flag is raised.
The bank is in Mumbai, India. I then request the customer submit
a faxed or scanned copy of the front and back of their credit card
via fax or scanned attachment to an email and the "TOP" portion of
a recent billing statement so we can verify the billing address he has
submitted (we emphasize the top portion because we don't need to
see their transactions - just their address).

This morning, I have a two page fax waiting for me. The first page
goes on to assure me that because he is currently on travel and does
not have a billing statement but assures me that he is the owner of
the card (we emphasize in our email requesting this data that it is
meant to protect legitimate credit card owners as it does us).

Now what was interesting about the copy of the credit card was that
it had the number, expiration and name imprinted on it but you could
not see any bank info, logo or other details? On the back side the
number in the signature area and the CVV number matched but the
card was not signed and again, none of the other info you normally
see on the back of a card was there, nothing??

The icing on the cake came when I got a call from this individual
shortly after reviewing the fax. He was asking how quickly he would
get his order, whether there was a download link where he could
get it rather than waiting for a CD to arrive. Very, very anxious.

Enough flags, I called the issuing bank in India and believe it or not
they helped me by advising me the card's billing address was in
India, not South Africa. I usually do not bother replying to these
fraudsters but I sent him an email telling him what I learned and
advised him that we would only accept payment via Western Union.

I am sure (based on a lot of experience) I will never hear from this
slug again since he has crawled back under the rock from where he
came and will be looking for his next fraud venture.

The main point for making this long post is to 'hopefully' pass along
some of the experiences we have had over the years and some of
the ideas and resources we use to help combat this growing problem.
It is also meant to alert those to the fact that you cannot be
complacent in what you use to evaluate the validity of an order because
as you can see from this post, they may very well have adapted or
have a means of imprinting cards?

If anyone has ever seen a credit card like I described here, I would be
very interested in hearing about it? My thoughts were that the actual
owner may have been on travel in South Africa and had a card copied
at a hotel or something and the copy was used with us? It is a new
one so any feedback would be appreciated.

Hope this helps someone avoid getting burnt.

Ron Coble
Coble International Marketing Services
http://www.importexporthelp.com

No comments:

Post a Comment