Start-ups have enough challenges, from raising funds to generating sales, yet sometimes the biggest threat comes from within. Businesses that take payments via credit card or PayPal should be aware that customer information theft is on the rise and that your business can be sabotaged if you don’t have the proper checks and balances in place.
Case in Point: A company paying thousands per month for advertising/Google AdWords was growing their online business exponentially. Suddenly, sales started to trickle down to almost nil. At the same time, the company began receiving various reports of unauthorized credit card charges. After the company received notice from a local police department, I was retained by the Board to look into the matter.
Me: I have two questions for you – who handles the new customer inquiries? Who takes the payment information from the customers?
Him: The same person – our General Manager.
After requesting a customer list and copies of emails reporting credit card fraud, I noticed a large discrepancy – those complaining of credit card fraud did not appear on the company’s client roster. We soon determined that someone internally was taking customer orders and billing them directly, albeit under the company’s name. While these customers believed they were being serviced by my client, in reality, their accounts were being diverted elsewhere and subsequently, their credit cards misused.
While we were hopeful that the police investigation would conclusively show the General Manager as the culprit here, it was later discovered that the company emails were set up such that passwords and terminals were used on a shared basis; this means that anyone could have facilitated this fraud under another person’s identity/account. To be sure, I then had PayPal account records subpoenaed. After waiting several weeks, what was ultimately sent were summary account statements that did not provide any level of specificity – not helpful at all.
After reviewing the evidence, the police determined there was not enough to convict any one individual and the investigation was closed. It was recommended, however, that the company file a civil suit, where the burden of proof would be based on a “preponderance of evidence” — much lower than a criminal case, which requires “beyond a reasonable doubt.” Suffice to say, by this time the company was in financial ruin and unable to afford the cost of a civil lawsuit. The story ends like this: the thief got away, the company was ultimately held responsible for the credit card theft (due to its lax security policies), and it has now ceased operations.
What can you do to prevent this tragedy from happening in your organization?
First and foremost, common sense dictates that allowing the same person who takes orders to also process payment details exposes any company to risk. Without proper oversight and checks and balances in place, lax security procedures enable anyone lacking scruples to sabotage a business. Next, ensure employees/contractors do not share passwords or have access to one another’s passwords or computers; otherwise, fingers can be pointed such that no one person would appear to be responsible in the event of theft. Lastly, if you take customer orders via your website or an 800 number, record those calls and also be certain that several people are copied on the email correspondence (e.g., send to email@example.com) in order to track the progress of the order and the payment confirmations.
Advances in technology have made it easier for unscrupulous employees to steal customers and their information, whether by changing payment instructions or even by using a card skimmer. The following tactics are recommended to prevent internal fraud:
- Reconcile your accounts weekly rather than monthly, and have more than one person do it.
- Use authorize.net or your bank to process online transactions so that employees do not get access to customer credit cards.
- Check PayPal accounts or bank wiring details regularly (even if you are not concerned with employee theft, a website can potentially be hacked into and payments diverted).
- Always secure your POS device.
- Have a separate authorizer of credits from the one who onboards the customers.
- Make sure all credits have accompanying internal documentation of customer information (name, contact information).
- Conduct regular internal audits at random times and intervals.
- Review any volume spikes in sales activities and reconcile with website traffic reports and 800 number call volume.
- Protect your passwords and verify internal access controls for online account reporting, email address contacts and checking account change requests.
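Two of the checks above can be automated against the records a small business already keeps. The script below is an added example (not code from the post or its author) and runs on constructed sample data: a client roster, a list of fraud-complaint senders, and weekly inquiry and booked-sales counts. The first function performs the roster reconciliation described in the case (complainants who were never billed by the company point to orders being diverted); the second flags weeks where booked sales collapse while website traffic and 800-number call volume stay steady. The baseline window and drop threshold are assumptions chosen for the sample, not figures from the post.

```python
"""Reconciliation checks for diverted orders, on constructed sample data."""
from dataclasses import dataclass

# Constructed sample: customers the company actually billed (its client roster).
ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Constructed sample: senders of emails reporting unauthorized charges.
# Note the mixed case and duplicate; the check normalizes both.
FRAUD_COMPLAINTS = [
    "dave@example.com",
    "bob@example.com",
    "erin@example.com",
    "Dave@Example.com",
]


def complaints_not_on_roster(roster, complaints):
    """Return complainants who never appear on the client roster.

    Matching is case-insensitive and de-duplicated. A non-empty result means
    people are being billed under the company's name for orders the company
    never recorded, which is exactly the discrepancy found in the case above.
    """
    known = {e.strip().lower() for e in roster}
    reported = {e.strip().lower() for e in complaints}
    return sorted(reported - known)


@dataclass
class Week:
    label: str
    inquiries: int      # website sessions plus 800-number calls that week
    booked_sales: int   # orders recorded in the company's own ledger


# Constructed sample: inquiries hold steady while booked sales fall off a cliff.
WEEKS = [
    Week("W1", 1000, 50),
    Week("W2", 1100, 55),
    Week("W3", 1050, 48),
    Week("W4", 1200, 12),
    Week("W5", 1150, 8),
]


def conversion_rate(week):
    """Booked sales per inquiry; zero if there were no inquiries."""
    return week.booked_sales / week.inquiries if week.inquiries else 0.0


def flag_conversion_drops(weeks, baseline_weeks=3, drop_ratio=0.5):
    """Flag weeks whose conversion rate falls below drop_ratio times the
    average of the preceding baseline_weeks.

    Returns (label, rate, baseline) tuples. Steady inquiries with collapsing
    booked sales is the signature of orders being taken but billed elsewhere.
    The window and ratio are assumed defaults for this sample.
    """
    flagged = []
    for i in range(baseline_weeks, len(weeks)):
        window = weeks[i - baseline_weeks:i]
        baseline = sum(conversion_rate(w) for w in window) / baseline_weeks
        rate = conversion_rate(weeks[i])
        if baseline > 0 and rate < drop_ratio * baseline:
            flagged.append((weeks[i].label, round(rate, 4), round(baseline, 4)))
    return flagged


if __name__ == "__main__":
    for email in complaints_not_on_roster(ROSTER, FRAUD_COMPLAINTS):
        print(f"fraud complaint from non-customer: {email}")
    for label, rate, baseline in flag_conversion_drops(WEEKS):
        print(f"{label}: conversion {rate:.4f} vs baseline {baseline:.4f}")
```

Run weekly with the real roster and traffic reports exported from the ordering system, and have a second person, not the one who takes orders, review the output; the value of the check comes from the reconciliation being done by someone outside the order-to-payment path.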
While an atmosphere of trust is essential for all businesses, protecting the financial stability of your company is just as important, if not more so. Hopefully, the suggestions I’ve outlined above will get you thinking about building a plan that will mitigate risk for your company. If you would like further information or a consultation, please email me or leave a comment!