January 16th, 2007 by Jamie Estep
What it actually takes for the government to investigate fraud
Filed in: Fraud, Merchant Accounts |
I just got back from a vacation, which is why the posting had ceased for the past week and a half. The following is a personal summary of a situation that I recently had the pleasure of enduring, and a personal opinion about businesses having fraud committed against them.
The Fraud:
We recently had a situation where a customer committed fraud against us. I am going to avoid disclosing exactly what this person did, because he essentially found a security gap in the processing system that allowed him to steal a lot of money, very quickly, very effectively, and that security gap has not been closed that I know of. As I know, he has stolen over $250,000 from several processors in the US.
Now, when a business is confronted with a situation like this, it is warranted to file a police report, and report it to the FBI and secret service. This is much easier said than done, and most businesses that have fraud committed against them, don’t even make it through this process.
To say that law enforcement personnel have no clue about anything related to electronic fraud, or fraud occurring across multiple states is a gross understatement. When trying to report this to the police, we were bounced between police stations about thirty times, and at no point did any person actually know where the fraud should be reported. It didn’t matter if we talked to an investigator or a receptionist, nobody knew where this actually needed to be reported.
Eventually, we found that the fraud needs to be reported where it actually occurred, which was in another state from us. We had to do the homework ourselves just to figure out where this needed to be reported at.
We then went to report it…
First we had to fight to even get the opportunity to fill out a police report. At this point we were absolutely sure we were filing it with the right state, but nobody at that state agency seemed to believe us (More likely they just didn’t want to deal with it). Finally we were introduced to an investigator that agreed that we were doing the correct thing at the correct location. Initially the investigator didn’t even believe that this situation could have happened. We are still shocked ourselves that it can happen, but it definitely did happen. After listening to the situation, he sent us some paperwork which was a police report and a bunch of signature documents, and we sent it back. He said he would look into it… The moment we first contacted the police station, to the moment the paperwork was actually filed took four days.
We then went to the secret service to report the situation. While they were much more knowledgeable about situations like this and electronic fraud in general, it didn’t appear that our situation was large enough to warrant their investigation. Even so, they said that they would consider it. They took our information and said that they would get back to us. They were very professional, and I wish that the police stations were even remotely as organized. Our entire dealing with the secret service was about 30 minutes, and we felt like we got a lot more accomplished.
In the weeks following the fraud we reported, processors in the US saw several other cases of the same situation with other processors. The total amount grew, and passed $250,000 the last I had heard. It may still be growing.
Finally, after five weeks the police station got back to us and said that they would conduct a formal investigation. We then sent over all of the information that we had, and now we wait again.
No Justice:
The truly sad thing about fraud that is electronic in nature, is that there in virtually no recourse once it happens. Unless you have an extraordinary case involving a ring of fraudsters, months worth of fraud, and millions of dollars in losses, there is virtually no chance that you will ever recover your losses. This person got away with a quarter million dollars in a few weeks, and I highly doubt that he will ever be caught. There were several chances that police could have got him, and there will probably be many more, but the bureaucracy of the system and the quantity of fraud and theft that occurs, prevents any quick action which would be required to catch people like this.
This person committing the fraud had better knowledge of the internal workings of the processing industry than any person I have ever talked to. He knew exactly what to do, how to do it, and when to do it, to get away with a lot of money before anything could be done about it, and he did it several times. The last few times, he did it with large financial institutions, while they were looking for it, and he still got away. He is most likely some employee, or ex-employee of a processor or bank, that thoroughly did his homework.
Conclusion on Fraud:
Online and retail businesses need to take appropriate steps to prevent fraud, chargebacks, and data loss before they happen, because the simple truth is that once that fraud is committed, it’s already too late to recover anything.