The Vermont Country Store lost about $7,000 to credit card fraud this month, but the direct marketer limited its exposure and uncovered the action due to the efforts of its distribution and call center personnel.
“We've discovered a little over $40,000 in orders with $7,000 delivered, but with quick action, we were able to mitigate most of the damages,” said Bob Allen, CEO/president of The Vermont Country Store, Manchester Center, VT. “It took some sharp eyes in our distribution and call centers where, almost simultaneously, they noticed the size of the orders. The average order is $60, [but] we were getting a disproportionate number of $300 to $600 orders, and one for $4,765. We started to look at the orders and discovered they were duplicate orders in many instances.
“The orders were authorized as valid credit cards. But they came back with a 'U' [code] from Payment Tech that indicates a foreign-issued bankcard, and that was another alert for us.”
The problem was discovered last week. The earliest order that fell under suspicion was traced to the first week of the month.
FedEx traced any packages that had yet to be delivered and stopped many deliveries. Almost all of the packages were set for FedEx delivery.
“It involved 75 to 100 orders totaling about $40,000,” Allen said. “Roughly 20 packages were caught by FedEx. About 15 were delivered, and the rest we caught at the door and never shipped them, having flagged those orders. Now we review all of those [U-code] orders individually. Payment Tech uses a code, and if it's a 'U' it's almost always overseas, and we do almost no overseas business. Also, orders over $500 are [un]usual.”
But responding to his company's problem was only part of Allen's job. As president of the New England Mail Order Association, he sent a fraud alert to the organization's members.
“I assumed we were not the only company targeted,” he said. “I thought the prudent thing to do was to notify those I could and give them as much information as possible so they could look for their own red flags. We are providing the ship-to addresses for the fraudulent orders to anyone in the industry who might ask.”
Allen said he couldn’t be sure if there was a connection between the fraudulent orders and reports last week that a hacker accessed millions of credit card numbers by breaking into a computer system at a company handling transactions for direct marketers.
“We don't know it to be the case, but it was timed to the reports of the hackers stealing 8 million credit card numbers,” he said. “I hope people have systems or people in place who can ferret this out. We have a lot of long-term employees who would recognize a change in pattern of orders.
“This was a small fraction — less than 1 percent — of what comes in. It's a small amount, fortunately, but it could've been a lot worse, and who knows how long it would have gone on.”
Allen notified the Secret Service office in Rutland, VT, which is investigating.
His alert to NEMOA members specified that:
· All orders were placed via the company Web site with none placed via telephone, fax or U.S. mail.
· All authorizations were returned as approved by Payment Tech, but were returned with a code of “U,” signifying that no billing address was available at the time authorization was sought.
· Payment Tech advises that 99.95 percent of domestic banks subscribe to Address Verification Service and that this code rarely appears on authorizations to cards issued by domestic banks. Therefore, this code appears almost exclusively when the credit card was issued by an offshore bank.
· The most recent order was placed Feb. 19.
· Effective immediately, all orders with an authorization code of U are being suspended by Vermont Country Store and reviewed as potentially fraudulent and released for shipment only after confirmation that the order is legitimate.
