COLUMN: Companies need to do a better job of policing themselves when signing up new customers on the Internet and through mail campaigns, otherwise they risk contributing to an already serious epidemic of personal and business identity theft. Certain companies are making it a little easier for crooks to get a foot in the door due to a lack of safeguards and common sense. And guess what? It just happened to my company.
I’ve never been particularly fond of the current UPS (United Parcel Service) ad campaign, “What can brown do for you?” – it sounds more like something associated with a bowel movement than a reason to ship your packages with them. In fact, part of the reason I shake my head when I hear the UPS ad phrase is that it’s a bit too much like the slogan used during the last drought here in California to save water: “If it’s yellow, let it mellow; if it’s brown, wash it down.”
So, my first reaction when getting a bill for almost $2,000 in the mail from UPS at the end of May, addressed to “Peter Gabriel” at my company address was a four letter word starting with “s” and ending with “t” and with “hi” in the middle.
Apparently, UPS allowed somebody using the name Carol Washington, shipping from an apartment in Plattsburgh, N.Y., to set up a shipper account over the Internet using my company name and billing address here in California, with a contact name here of “Peter Gabriel” (why not Elvis Presley, or Kylie Minogue?), then ship dozens of overnight letters to people and companies all over the U.S.
What astounds me is they didn’t stop and question somebody in New York setting up an account for a company in California, ask for some kind of payment confirmation such as a credit card before accepting almost two thousand dollars’ worth of overnight letters, or do (it seems) any due diligence in checking with anybody listed as a principal or point of contact at our company that we actually set up the account.
So, here comes the mailman with my mail and a nice fat billing statement from UPS for all the packages shipped using “UPS Internet Shipping.”
Did I mention there were 16 undeliverable packages out of the huge pile this person sent? That indicates he or she was likely doing some kind of phishing scam by overnight letter, or some other bit of criminal evil. So, UPS was nice enough to show a credit of $312 on the bill. Nice of them.
As you might expect, my second reaction after making a scatological exclamation was to call the toll-free number on the bill, be put on hold, and then finally speak to somebody. I explained the situation, and made it clear the account should be cancelled, their fraud department should get involved immediately, and that we were not (obviously) going to pay any UPS bill related to this account. The nice young lady told me they would take care of it, commented that the person who set up the account used a valid e-mail address, and that the fraud department would call me by the next day. I said great, hung up, got on with my day and helping my own customers.
Two days later and no call or contact from UPS, their fraud department, an apology letter, or anything. Sigh. Whatever. Great customer relations, people!
A week later and I’ve moved on with my life, and guess what comes in the mail … another missive from the folks in brown. My chirpy optimistic nature is thinking maybe it’s a “Dear Customer, We’re sorry we let somebody ship packages under your name and then sent you a bill. We’ve cancelled the account and are hunting down the source of the evil with our crack team of brown-powered parcel police.” However, it looks like a bill, feels like a bill, and it’s still addressed to the old sledgehammer himself Peter Gabriel.
Yep. It’s a bill for $53.16 “after adjustments.” And in case I have any other ideas, “UPS payment terms require payment of this bill by June 7, 2006.” ShaTizzle!
Another phone call to the brown people, lovely on-hold music, and then a live person picks up. This person looks up the original call, sees my original contact (I am mildly impressed they have any kind of CRM system running), and then informs me she will cancel the account. As I grimace, I ask why the account wasn’t cancelled when I called previously. The person didn’t know, but she made sure it was now cancelled. Then she mentions that on the bright side it wasn’t actually a bill, but a credit letter informing me that the $312 had been applied to the account. Rather than argue that it was in fact a bill showing $53 due after the “credits” had been applied, or the fact that I could care less about credits since it’s not my account, I just said thank you and hung up.
Again, being an optimist I’m thinking maybe they let the account stay active to try to catch the person in the act of dropping off or shipping more packages. But why didn’t the anti-fraud department (assuming they actually have one, my pessimist side says) contact me? Even a form letter would have been appropriate. After all, they are wasting MY time, not the other way around.
I also wonder why somebody would choose my company name to set up an account, since I have not offended anybody greatly enough, and have no interaction with the typical person or persons who would perpetrate such a scam. On the other hand, I do have some pretty prominent news and entertainment websites that are easily found in search engines, and my company name is found at the top of every page of every site. I think it more likely this fraud outfit or person chose us at random, or might be going through companies alphabetically, and we’re not the first or last company to have this issue at UPS.
Fast forward to the first week of September. Yes, you guessed it … another letter from the brown brigade. Smaller envelope, one sheet inside. Hey! Maybe they are sending me a follow up letter. But no, it’s a “COLLECTION ALERT” for the $53 from the May 27 invoice. “If payment is not received within 5 days, we have no alternative but to audit your account for further collection activity.”
Hmmm. My first call is to my lawyer (who I call maybe once a year to say hello), to say what kind of negligence suit or other “kick these brown bastards to the wall” type action can we take. He laughs and says maybe I should try calling them first. I laugh and say, it hasn’t done any good this far, and I wasn’t really serious about the lawsuit, just venting. Lawyers love those types of calls about as much as I like getting bills from UPS.
I do want to mention that the UPS drivers down here in Southern California are always super nice, pleasant, and even though they are more likely than FedEx to leave boxes on my front porch that advertise expensive electronics are inside, they do a good job. I asked the FedEx driver about leaving boxes marked “20-inch LCD Monitor” on doorsteps without even knocking, and he said “We always ask for a signature with anything that is clearly expensive electronics.” I was pleased to hear that. Even the DHL guy will “drop, knock and run,” to let me know a parcel is on the welcome mat. UPS guys do tend to not bother to even knock and just leave stuff unless it has a “signature required” sticker on it. But I’ve never had anything stolen.
So, I call the new number on the UPS collection letter, and I’m forced to input “my” account number before I can talk to anybody (little bit of entrapment there if you ask me), so when I speak to somebody, she asks for my account number, and I tell her I have an account number I can give her but it’s not mine. She asks why it’s not mine. I explain the situation, and she says she needs to forward me to the accounting department, and I go right to hold music, and after about ten minutes it drops me into a voicemail system where I’m to leave my number and somebody will call back. Oh joy.
As I write this, I have yet to hear from anybody at UPS.
Now, to their credit, it is difficult to verify each and every person who signs up for an online account, but there are simple business practices that many companies (like mine) follow. For instance, we use I.P. tracking to double-check where somebody is actually from; if they put their billing address as Texas, and the I.P. (Internet Protocol) address is in Florida, we double-verify the information.
Other security practices include: When we take credit cards, we use AVS (address verification system) to ensure the billing information provided matches what is on file with the credit card company. When the name on the card is different from the person placing an order, we require a faxed authorization with signature, the security code off the card a second time (we won’t accept any online orders without a matching security code), and the phone number from the credit card, which we call and check. We also check the phone number to ensure it’s really the card company’s. And if the order is from Peter Gabriel, Danny Elfman, or Avril Lavigne, we really check everything (we did get an order from actor Richard Hatch once, and his assistant forged his signature … but that’s another story).
If the card is from an international bank that isn’t supported by AVS, we require a faxed photocopy of card front and back where we can see the name and security code. And if any order is over a certain dollar amount, we use other methods to validate authenticity of the person, company and payment information. And, even if somebody completes checkout successfully online, they cannot use our system to actually do anything until a live person allows it on our side. We had one person use over 20 stolen credit card numbers to get into our system one Sunday last month; they finally had a card with correct billing info, security code, and other data, made it to our support area, and were stopped by the fact they still need to have us personally approve anything they do there. Fraud stopped. Stolen card reported. I.P. addresses blocked from reaching our Web servers.
We had one of our own online customers actually complain that we required her to put in her correct billing information because “your competitor didn’t require that.” I pointed out that just because some other company doesn’t care to have security practices in place, we do, and that she should know what the billing address for her credit card was. She had to call the credit card company to figure out what they had on file and then when she put in the correct information in our order system, the order went through without any trouble. After more than ten years on the Web, it astounds me that companies still don’t “get it” about online fraud and security practices, and even more that people who do business online actually get offended when we use such procedures.
But some big companies do have some clue. Many online businesses that provide online sign-up give account holders only provisional access to services until their billing information is verified, or they do a test billing of $0.50 or similar to authenticate that the payment method is legitimate before extending credit.
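The order-screening practices described above (AVS and security-code checks, a hold when the card name differs from the orderer, a hold for international cards AVS cannot cover or for orders over a dollar threshold, an I.P. region that disagrees with the billing state, provisional access until a live person approves, and blocking an I.P. after a run of declined cards) can be put together as one rule set. The following is an added example written for this page, not the author’s own system; the dollar threshold, the decline count, the IP addresses and the order data are all constructed.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class CardOrder:
    """One card-not-present order as it reaches the fraud screen.
    All field values in the tests below are constructed for this example."""
    ip: str
    ip_state: str        # region the IP geolocates to (lookup assumed done upstream)
    billing_state: str   # state in the billing address the customer typed
    orderer_name: str    # name of the person placing the order
    card_name: str       # name embossed on the card
    avs_result: str      # "match", "mismatch", or "unsupported" (bank not covered by AVS)
    cvv_match: bool      # security code agreed with the issuer's check
    amount: float


def _norm(name):
    """Case- and whitespace-insensitive name comparison key."""
    return " ".join(name.lower().split())


class OrderScreen:
    # Dollar amount above which extra validation is required. The column only
    # says "a certain dollar amount", so this figure is a placeholder.
    REVIEW_THRESHOLD = 500.00
    # Declined cards from one IP before that IP is blocked (assumed value).
    MAX_DECLINES_PER_IP = 5

    def __init__(self):
        self.declines_by_ip = Counter()
        self.blocked_ips = set()

    def screen(self, order):
        """Return (decision, reasons). decision is one of:
        'blocked'     - IP was blocked earlier; do not process at all
        'decline'     - hard failure (security code or AVS mismatch)
        'hold'        - checkout cannot complete until a person verifies the order
        'provisional' - checkout completes, but nothing happens until staff approve it
        """
        if order.ip in self.blocked_ips:
            return "blocked", ["ip previously blocked"]

        # Hard failures: no online order goes through without matching CVV and AVS.
        declines = []
        if not order.cvv_match:
            declines.append("security code does not match")
        if order.avs_result == "mismatch":
            declines.append("billing address does not match card issuer records")
        if declines:
            # A burst of declined cards from one address is the "20 stolen
            # numbers in one afternoon" pattern: cut the address off.
            self.declines_by_ip[order.ip] += 1
            if self.declines_by_ip[order.ip] >= self.MAX_DECLINES_PER_IP:
                self.blocked_ips.add(order.ip)
                declines.append("ip blocked after repeated declines")
            return "decline", declines

        # Soft signals: the order waits for a human before checkout completes.
        holds = []
        if order.avs_result == "unsupported":
            holds.append("international card not covered by AVS: faxed copy of card required")
        if _norm(order.orderer_name) != _norm(order.card_name):
            holds.append("name on card differs from orderer: faxed authorization required")
        if order.amount > self.REVIEW_THRESHOLD:
            holds.append("amount over review threshold: extra validation required")
        if order.ip_state != order.billing_state:
            holds.append("ip region differs from billing state: double-verify")
        if holds:
            return "hold", holds

        # Clean checkout still only buys provisional access until staff approve it.
        return "provisional", []
```

The important design point is the last line: a clean pass through every automated check still does not grant the customer anything; it only moves the order to a queue a person must release, which is what stopped the stolen-card run described in the column.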
What seems truly illogical to me is that UPS allowed somebody to set up an account with completely fraudulent information, with the exception that they used an actual company for the billing address (mine), and then let them ship a large number of overnight letters from a different state (and from an apartment, no less) without any kind of checks and balances in place, or provisional limitations, or payment validation/verification.
Simple limitations might have included: a limit on shipment amounts of $50 until payment is verified; no use of the shipper account number from other locations until the account is verified, or some kind of limit of no more than one package pick-up; no drop-off of packages until payment and account info are validated – pick-up only, to authenticate the shipper address. I could go on and on.
Another very simple method of online anti-fraud screening might have been to hold for validation any company/corporate account set-up that uses a different email address from the actual company name. We do this here when we get a client claiming to be from an existing company but they’re using a free e-mail account like AOL, Hotmail, Yahoo, or Gmail. Most “real” companies have a domain name that in some way resembles their business name, like, oh, ups.com. If somebody signed up on our website and claimed to be UPS, Inc., and used an email of email@example.com, we would double check this account before allowing them services.
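The two sign-up controls described in the last three paragraphs (a provisional account that can only spend a small amount, pick up from its registered address and not drop off until payment is verified, plus a hold on any corporate sign-up whose e-mail domain does not resemble the company name or comes from a free web-mail provider) can be sketched as one small account model. This is an added example for this page, not UPS’s or the author’s code; the $50 cap follows the figure the column suggests, and the company names, e-mail addresses and states in the tests are constructed.

```python
import re
from dataclasses import dataclass, field

# Free web-mail providers the column names; a sign-up for a company account
# from one of these is held for review. Constructed set for this example.
FREE_MAIL_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com", "gmail.com"}
CORP_SUFFIXES = {"inc", "llc", "ltd", "co", "corp", "company", "corporation"}


def company_key(company):
    """Collapse a company name to a comparison token:
    'UPS, Inc.' -> 'ups', 'Acme Widgets LLC' -> 'acmewidgets'."""
    words = re.findall(r"[a-z0-9]+", company.lower())
    return "".join(w for w in words if w not in CORP_SUFFIXES)


def email_matches_company(email, company):
    """True when the e-mail domain is not free web-mail and one of its labels
    (ignoring the TLD) resembles the company name, e.g. ups.com for UPS, Inc."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        return False
    key = company_key(company)
    if not key:
        return False
    for label in domain.split(".")[:-1]:
        # Require 3+ characters for the label-inside-key direction so a short
        # label such as 'co' cannot match by accident.
        if key in label or (len(label) >= 3 and label in key):
            return True
    return False


@dataclass
class ShipperAccount:
    company: str
    billing_state: str      # state of the billing address given at sign-up
    contact_email: str
    signup_state: str       # state the sign-up address / IP resolves to
    status: str = "pending_review"   # pending_review -> provisional -> verified
    spent: float = 0.0
    reasons: list = field(default_factory=list)

    # Spending allowed on a provisional account before payment is verified
    # (the $50 figure the column suggests).
    PROVISIONAL_CAP = 50.00


def open_account(company, billing_state, contact_email, signup_state):
    """Create an account; anything that smells wrong starts in pending_review."""
    acct = ShipperAccount(company, billing_state, contact_email, signup_state)
    if not email_matches_company(contact_email, company):
        acct.reasons.append("contact e-mail domain does not match company name")
    if signup_state != billing_state:
        acct.reasons.append("sign-up location differs from billing state")
    acct.status = "pending_review" if acct.reasons else "provisional"
    return acct


def authorize_shipment(acct, amount, origin_state, dropoff):
    """Decide whether a shipment may be billed to the account. Returns (allowed, reason)."""
    if acct.status == "pending_review":
        return False, "account held for manual verification"
    if acct.status == "verified":
        acct.spent += amount
        return True, "ok"
    # Provisional: pick-up only, from the registered state, under the cap.
    if dropoff:
        return False, "drop-offs not accepted until payment verified"
    if origin_state != acct.billing_state:
        return False, "pick-up must be from the registered shipper address"
    if acct.spent + amount > acct.PROVISIONAL_CAP:
        return False, "provisional spending cap reached until payment verified"
    acct.spent += amount
    return True, "ok (provisional)"


def mark_verified(acct):
    """Called once payment and contact details have been confirmed by a person."""
    acct.status = "verified"
    acct.reasons.clear()
```

Note that the pick-up-only rule does double duty: it caps the dollar exposure and it forces a physical visit to the address the account claims, which is the cheapest authentication a carrier already has on hand.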
It has gotten harder to use I.P. tracking for some kinds of scams, particularly with portals like AOL, where all the mail comes from the servers in one state, so anybody using a @aol.com email account is a bit harder to track. But we flag these to check too, because of that. Sadly, AOL used to be a pretty safe and secure place to socialize and hang out, circa 1994-6, until they opened up the 1,000 free hours with no credit card or checking account needed. Then it went to hell. If you can get 1,000 free hours to send spam, attempt fraud, or just do bad things online, well then the bad guys had a pile of free account CDs coming in the mail every week from the AOL folks. I jumped ship on that whole place in 1997. Seems I’m not the only one. Of course, you can still get free AOL email.
Quite stupidly, AOL also has a number of anti-spam features set up, like ISPs and hosting companies being required to register their mail servers with the AOL postmaster system to avoid being “spam blocked,” and they allow people with AOL accounts to register any message as “spam” even if they requested it. We had to block anybody using an AOL email account from signing up for our online newsletters because the people would sign up, then when they got a newsletter they’d say it was “spam,” and AOL would send a “violation of our terms” warning – but hide the email of the complaining party, so that you couldn’t actually remove the person from your mailing list that they double-opted into. The only solution was to block all AOL sign-ups, since AOL doesn’t seem to have a clue how to manage email communications in a logical way, at least based on my own experiences. But then, this overall lack of savvy is just one of many reasons why people have left AOL behind in droves for the “free” Internet or for broadband connections that don’t suck. Time-Warner really lost out on that whole AOL acquisition deal.
While the above security practices may seem like common sense, many companies don’t follow any or all of these kinds of procedures, and this contributes to the online identity theft problems.
Another oddball is the Advanta credit card company (www.advanta.com). I get letters here from them, offering my staff credit cards with my company name on it. What makes this incredibly unwise is the fact they are addressed to the employee, but not the company or HR person. So, in effect, they are trolling for employees to sign up for a credit card which would also have their employer’s company name on it. That’s going to cause a lot of headaches for companies, since they might not approve or allow such cards being issued, but (without reading all of the fine print, it would appear) the employee need not tell their employer. Can you say “class action lawsuit waiting to happen?” This is particularly bad for ex-employees, too, since a malicious employer has all of the employee’s personal data such as social security number, home address, date of birth, and the like. So, a particularly evil manager or spurned lover could, in theory, set up a credit card account for the ex-employee with malicious intent. Aside from all of that, the stupidest thing is that Advanta is sending credit card offers here to people who have not even worked for us for more than two years!
Ironically, they offer a Fraud News Alert on their home page about how identity thieves are trying to steal your information, and their Identity Theft Toolkit page proclaims “Identity theft is a serious and costly business! And while you can’t completely prevent identity theft from occurring, at Advanta we believe that knowledge can help minimize your risk and access can help you restore your credit if you are ever victimized.”
So, as you can see, business and personal identity theft is not going to go away any time soon, particularly when major corporations continue to focus on shareholders, the stock price, and showing growth in their customer base and incremental revenue. But unless these corporations do a better job of policing who they allow to become clients and develop stringent practices and procedures to thwart fraud — and not contribute to fraud — they are only jeopardizing their potential relationships with legitimate customers.
Hey! Next time you need to ship a package, ask yourself:
What can brown do to you … er … for you?
Tags: Christopher Simmons, Internet security practices, ecommerce security, UPS ad campaign, When Advertising Attacks