T-Data, a small New-York based software company, doesn't take credit cards -- never has in its 20-year history. But a few weeks ago, owner Jeff Duhl found himself looking over $15,000 worth of credit card charges seemingly accepted by his store.
A quick investigation revealed most of the charges had been made using stolen credit cards. Slowly, he caught on: Someone had stolen a batch of credit card accounts, then stolen his company's name, set up an imposter version of T-Data, and rung up thousands of dollars worth of fake purchases. The "profits" were then desposited into checking accounts controlled by the imposters.
"It is ingenious," said Dan Clements, who operates merchant advocacy site CardCops.com.
Duhl wasn't the only victim of this new brand of corporate identity theft: At least 50 other firms apparently also had their identities stolen in the scheme. For credit card thieves doing their best to wring money out of a stash of stolen accounts, it seems like the perfect scam.
How to profit from stolen credit cards
While millions of credit card account numbers are stolen every year -- 60 million last year, and perhaps 120 million this year, according to one estimate -- turning them into cash can be tricky. Merchandise ordered with the card must be delivered somewhere, which is risky. Massive cash withdrawals are quickly spotted by credit card associations.
The scheme Duhl's firm was caught up in is a heady, complex alternative:
First, credit card thieves find a legitimate company unlikely to already be accepting credit card transactions. They then impersonate that company and set up accounts with merchant processing providers, whose role it is to transfer funds between credit card companies and merchants.
Using stolen credit cards, the thieves then start sending small payments, usually $498 or $598 at a time, to the fraudulent merchant accounts. The credit card companies send funds to the processors and they in turn send the funds off to bank accounts controlled by the criminals.
"They are flying under the radar on each transaction unless someone does a whole lot of work," Duhl said.
A key part of the scheme: The thieves went to the trouble of registering the domain www.T-datasoftware.com, then set up a fake Web site. The site looked like a believable business to the merchant processing providers, who gave the thieves their accounts.
Duhl's imposters were able to set up accounts at seven different payment processing firms. When Duhl investigated, he discovered some 50 other Web sites -- most mere imitations of one another -- all sitting on the same computer server.
"They got away with $15,000 (in charges) at my company," Duhl said. "Multiply that by the number of sites, the number of companies, these folks could be getting away with millions of dollars," he said.
It's not clear how much money the criminals really did get away with in the end. Many of the processing firms interviewed for this article claimed they caught on to the fraud after the transactions had cleared, but before the suspects had withdrawn the money from various checking accounts around the country. One did concede, however, that the scheme has real potential.
'Hundreds of thousands' over a weekend
"If you don't catch it you could lose hundreds of thousands of dollars over a weekend," said David Steinberg, chief credit officer at Merchant E Solutions, one of the processing firms used by the thieves.
Steinberg said his company had never suffered such a loss, but that the industry is bustling with fraud attempts. Some 5 to 10 percent of all applications his firm receives are turned away as potentially fraudulent, he said.
Phyllis McNeill, a spokeswoman for Global Payments, another processing firm hit in the scam, confirmed a fake account had been set up in T-Data's name with her company. She said the account was actually set up through a reseller, and was shut down after eight transactions had been performed.
Randy Lobban, director of risk management at North American Bancard, said the con artists were able to open up an account at his firm and pass eight charges through the system, but the funds were never released.
"They never got any money," Lobban said. He alerted the U.S. Postal Inspection Service to the incident.
Representatives at First Data and Wells Fargo also confirmed that fake accounts had been opened at their firms.
An official at Beacon Bank in Minnesota, where one of the checking accounts used to receive the stolen funds had been set up, confirmed that he had discussed the situation with Duhl, but would not provide further comment.
Corporate ID theft
Whoever impersonated T-Data were clever enough to throw a few monkey wrenches in the path of anyone trying to detect them.
When applying for the compulsory credit check needed to obtain the fake merchant account, for example, the thieves didn't use T-Data's tax ID number. Instead, they used the name and credit profile of a man unconnected with the company. Steven Wiencek, who lives on Long Island near the company, didn't even know his credit had been checked until contacted by MSNBC.com for this story.
But the application, which listed Wiencek as company president, gives his Social Security number and driver's license number, suggesting the people behind this scheme have access to a wide swath of stolen credit cards and stolen identities.
Another attempt at misdirection was foiled by an alert mail carrier.
The application for the merchant account used a slight variation of Duhl's address -- apparently an attempt to ensure that mail to Duhl would be lost. But a knowledgeable local postal worker recognized the company name anyway, leading Duhl to discover the dupe.
"Without that, I may not have found out about this for a long time," he said.
The thieves were also persistent. Using one stolen credit card, they attempted to steal $2,500 through five separate faked merchant accounts, according to an affidavit of credit card fraud supplied by Duhl.
Another corporate ID victim, John Bartholomew of Abcom Services, said he was lucky, because Duhl contacted him just as the scam began.
"We are a management company in long-term health care. We would have no reason to use credit cards," he said. The firm had been in business for 21 years, and never accepted a single charge -- until the criminals stole his company's name, Bartholomew said.
True to form, the criminals hijacked his brand name and set up merchants accounts using his company's name and a similar -- but slightly altered -- street address.
The good news is, Bartholomew was able to warn the merchant account providers soon enough that only about $4,000 in charges were run through his company's name. The bad news is, some of the providers are still trying to make him pay the bill for the charges. He figures he's spent about $5,000 in legal fees trying to clean up the mess.
Who are they working with?
Rob Douglas, a consultant who operates PrivacyToday.com, blames the merchant account providers for never checking to see if the name on the account application actually represented a real person who worked at the firm.
"You have to ask what the companies that set up the merchant accounts are doing?" he said. "Who has the responsibility to do due diligence that they are in fact working with who they think they are working with when they open an account?"
But several of the merchant service providers pointed out the difficulty of stopping all fraudulent applications in a world where identities are so easily stolen.
"For all of us, it's a tough business," Steinberg, of Merchant E Services, said. "It's a large, large problem."
Duhl himself blames the banks where the money was to eventually wind up -- wondering how the thieves were able to set up accounts in the post-Patriot Act era. Apparently worried as much about security implications as his personal loss, Duhl contacted the FBI, the Secret Service and the U.S. Postal Inspector's Office. None of the agents he spoke to returned phone calls placed by MSNBC.com.
He says he is frustrated that none of the agencies seem to have taken any interest in the incident -- particularly because at least one phone call was placed to Pakistan using the cell phone purchased in his company's name, and one of the bank accounts used to funnel money was established by suspects who presented Russian passports as identification, he says his own research revealed.
"No one in the government seems like they are going to get interested in establishing a case," Duhl said.
Douglas, who consults with firms trying to deal with the new trend of corporate identity theft, says there's little small companies like Duhl's can do to prevent this kind of incident. But one piece of practical advice he offers larger firms: search the Web once a week for evidence of impersonation.
"As strange as it sounds, companies need to have one or more people assigned to surf the Web and see if there are mirror sites out there, just like we tell parents to surf for their child's name," he said.
Bob Sullivan is the author of Your Evil Twin: Behind the Identity Theft Epidemic