A Street Smart Guide to Avoiding Customer Information Theft

Start-ups have enough challenges– from raising funds to generating sales—yet sometimes the biggest threat comes from within.  Businesses that take payments via credit card or PayPal should be aware that customer information theft is on the rise and your business can be sabotaged if you don’t have the proper checks and balances in place.

Case in Point:  A company paying thousands per month for advertising/Google adwords was growing their online business exponentially.  Suddenly, sales started to trickle down to almost nil. At the same time, the company began receiving various reports of unauthorized credit card charges.  After the company received notice from a local police department, I was retained by the Board to look into the matter.

 Me:  I have two questions for you – who handles the new customer inquiries? Who takes the payment information   from the customers?

Him:  The same person – our General Manager.

After requesting a customer list and copies of emails reporting credit card fraud, I noticed a large discrepancy – those complaining of credit card fraud did not appear on the company’s client roster.  We soon determined that someone internally was taking customer orders and billing them directly, albeit under the company’s name.  While these customers believed they were being serviced by my client, in reality, their accounts were being diverted elsewhere and subsequently, their credit cards misused.

While we were hopeful that the police investigation would conclusively show the General Manager as the culprit here, it was later discovered that the company emails were set up such that passwords and terminals were used on a shared basis; this means that anyone could have facilitated this fraud under another person’s identify/account. To be sure, I then had PayPal account records subpoenaed. After waiting several weeks, what was ultimately sent were summary account statements that did not provide any level of specificity – not helpful at all.

After reviewing the evidence, the police determined there was not enough to convict any one individual and the investigation was closed.  It was recommended, however, that the company file a civil suit where the burden of proof would be based on a “preponderance of evidence” — much lower than a criminal case which requires “beyond a reasonable doubt.” Suffice to say, by this time, the company was in financial ruins and unable to afford the cost of civil lawsuit.  The story ends like this: The thief got away, the company was ultimately responsible for the credit card theft (due to their lax security policies) and they have now ceased operations.

What can you do to prevent this tragedy from happening in your organization?

First and foremost, common sense would dictate that the practice of allowing the same person who takes orders to also process payment details exposes any company to risk. Without proper oversight and checks and balances in place, lax security procedures enable anyone lacking scruples to sabotage a business. Next, ensure employees/contractors do not share passwords or have access to one another’s passwords or computers – otherwise, fingers can be pointed such that no one person would appear to be responsible in the event of theft. Lastly, if you take customer orders via your website or an 800 number, record those calls and also be certain that there are several people that are copied on the email correspondence (e.g., send to sales@xyz.com) in order to track the progress of the order and payment confirmations.

Advances in technology have made it easier for unscrupulous employees to steal customers and their information – whether changing payment instructions or even using a card skimmer — it is recommended that you implement tactics to prevent internal fraud:

• Reconcile your accounts weekly rather than monthly and by more than one person
• Use authorize.net or your bank to process online transactions so that employees do not get access to customer credit cards.
• Check PayPal accounts or Bank Wiring details regularly– (even if you are not concerned with employee theft, a website can potentially be hacked into and payments diverted).
• Always secure your POS device.
• Have a separate authorizer of credits from the one who onboards the customers.
• Make sure all credits have accompanying internal documentation of customer information (name, contact information).
• Conduct regular internal audits at random times and intervals.
• Review any volume spikes in sales activities and reconcile with website traffic reports and 800 number call volume.
• Protect your passwords and verify internal access controls for online account reporting, email address contacts and checking account change requests.

While an atmosphere of trust is essential for all businesses, protecting the financial stability of your company is just as, if not more important. Hopefully, the suggestions I’ve outlined above will get you thinking about building a plan that will mitigate risk for your company.  If you’ll like further information or a consultation, please email me or leave a comment!

How to Lose Employees and Alienate Clients

The Compassionate Leader. 

As an attorney and executive adviser, I have been regularly called upon by management (or their boards) to manage  crisis.  Whether it is an employee or director matter, a falling out between partners, a threatened litigation, or breach of confidentiality; all companies face crisis from time to time. While external issues are not always in the control of management, internal issues typically are. Whether internal/external, how these threats are handled are indicative of the type of leadership skills management possesses.

In a recent workshop at the Thiel Foundation’s 20-Under-20 Retreat, I asked 30 new entrepreneurs and mentors what they thought was one of the most important qualities in a Leader.  The responses I received ranged from:  a hard worker to a multi-tasker to having a vision.  While these are all important traits, in my opinion, one of the most important ones is compassion and here’s why:

• Employees know whether or not you really care about them – if you listen to their ideas, communicate openly, understand their key strengths, and compensate them fairly.
• Clients will  know if you truly care about them — if you are responsive to their needs, provide proactive customer service and offer solutions that help them work better/smarter/faster.

Sure, management is under a great deal of pressure to meet sales objectives and satisfy their Board of Directors.  At the same time, startups are generally cash strapped and may try to do things on a shoe-string but what are some of the real underlying problems that generally lead to crisis mode?

1. Shutting out those who know the problem best.

Employees are generally aware of the issues at hand and some may have good suggestions on how to turn things around; after all, they are the ones in the trenches who have a vested interest – a continuing paycheck and a potential payout on their stock options. Keeping them in the dark creates an environment of distrust and insecurity.

In one case, the CEO held a weekly conference call with the team. The majority of the time when someone voiced an issue the response would typically be: “This isn’t relevant to the rest of the group; let’s take this out of band.” Needless to say, that offline conversation rarely happened.  After awhile, the weekly conference calls were nothing more than a cheerleading session where most people were on mute (e.g., doing other things) while the CEO congratulated himself and the team or staying in business for yet another week.

2. Promising what you can’t deliver.

Employees and consultants share the same ongoing objective – getting paid for their work and having access to necessary resources. Unfortunately, management doesn’t always get the memo.

In one startup, consultants were rarely paid on time and employees’ expenses were not readily reimbursed.  They’d hear the “check is the mail” and then two weeks later, nothing. “ One employee who reportedly emailed the CEO on a daily basis to let him know there was still nothing in his mailbox finally received his check with an added bonus: a termination notice inside.

In another instance, the product specs were oversold; customer deadlines were not being met and the CEO’s phone went straight to voice mail. Employees had no idea what to communicate to their accounts and so eventually, their business began migrating elsewhere.

3. Gossiping about others.

To me this is probably the worse offense I’ve witnessed in a company — the CEO who gossips about his employees, his board members and even his customers.   Sure it’s hard to be the CEO when you’re at the top of the food chain and no one to gripe to but hey, haven’t you heard…. it’s lonely at the top.

A recent Randstad survey of more than 1,500 U.S. employees found that three out of five workers listed gossip as their top workplace pet peeve. If the CEO is gossiping to me about someone else…what is he saying about me to others?  In that environment of distrust, everyone’s watching his back and not the bottom line.

Compassionate leaders can avoid or manage crisis best when they listen to the concerns/feedback from the team, communicate expectations clearly and honestly and doesn’t disrespect others by gossiping.  A leader that chooses to cultivate compassion will have a significant advantage over those that do not. Business owners may consider this “Dalai Lama approach” to be too touchy-feely, but in truth, cultivating positive relationships is at the core of any successful business or relationship.

What are you thoughts on compassionate leadership? I’d love to hear from you!