RSS Feed

* The Business of Software

Sorry for the rant but I need to get this off my chest. This morning I received a packer for the "new merchant account" that I never signed up for. It seems that someone else is pretending to be my company to commit fraud. I'm so angry I can't see straight. They even went and duplicated my web site and placed it on a different domain very similar to mine. They also went to the trouble of setting up a fake phone number with an answering system!

I'm not sure what I'm going to do. Has anyone had a similar experience? Should I go to the FTC, FBI, or just get some private ass kicker to go after these punks?!? I've already contacted the merchant service and let them know that the account is a fraud. I'm just afraid that I'm going to start getting invoices and creditors at my door for stuff my company didn't buy.

Contact the webhosting company that hosts the fake website. Usually they're very responsive when they hear about fraud situations. If they ignore you contact the company the webhosting resells of, or the company that stores the webhosting server. Of course, contact the webhosting company saying you've reported their server.

This should get their site off the air within 24 hours.

If they're hosting the website from their internet connection at home I don't think there's much you can do to get them shut down.

Getting the domain name transfered to your name will undoubtedly be a lengthy process, so they will be able to move their hosting if they're kicked from their server.

Shutting down their merchant account is probably not very hard; a phone call and a fax of your driver's licence may solve that problem.

Just happened to me about two months ago.  Same exact thing.  Go to your local police station and file a police report to CYA.  Don't expect them to help or even understand what is going on.  The biggest identity theft cases they deal with are typically "someone stole my wallet, what should I do?".  I had to explain what was going on about ten times to the officer I dealt with and he still didn't understand what was going on.

In any case, put a 90 day alert on your credit file with each of the major bureaus, contact the merchant and ask them specifically which accounts were opened or applied for (typically they do mastercard/visa, discover, and amex), and contact the domain registrar and hosting company that is hosting the fraudulent site and report the fraud to them and ask that the site be taken down.

I'd be curious to know which merchant account company the person who did this used.  The one they used on me was based out of New York and even though I had a nice big warning on my credit report that said I AM A POTENTIAL FOR FRAUD they still issued an account to this guy even when the address and phone he gave didn't match up to mine.  You'll find out throughout this whole process that these companies and the credit bureaus don't give a flying f*ck about consumers who have been victims of identity theft.

Good luck.

P.S. - also see if the credit merchant place will disclose the bank account information that the account funneled to...typically they won't and you'll get a lot of runaround answers but you might get someone who's honest and cares about catching the thief.

I would have called the FBI first and asked them what to do. In 1999 I had a client that was being blackmailed by a hacker that broke into there system and stole CC information. 

Needless to say the FBI was very helpful, but all they could do is track down the culprits to a source in Russia.  At least everything was done that could have been done.

At this point they probably know that your on to them, so they probably starting to cover their tracks...but the FBI still might be able to help.

I'd report them still because they'll just move onto the next target and keep going if you don't.  Plus the satisfaction of knowing that you got them busted would be worth the effort.

"I'm just afraid that I'm going to start getting invoices and creditors at my door for stuff my company didn't buy."

After re-reading your post I just wanted to clarify something with regards to the comment above.  If your situation is the same as mine was (and it sounds like it is) then you won't be getting any invoices or calls from creditors - the scammer doesn't purchase items in your company's name - he/she uses the fraudulent merchant account to process charges on stolen credit cards.  The funds are funneled through the merchant account into his/her bank account and the charge shows up on the stolen credit card statement as 'PO'd Software' so when the person who had their card stolen gets the bill they'll be thinking you charged them for something when you weren't supposed to.

It's fraud merchant account is basically a way for the scammer to use the stolen credit cards without as much risk as, say, going to a store and trying to use them there.

Just wanted to try and clarify a little...hope that helps.

Something similar happened to me recently. Basically someone was using my company name, and bank details (easily obtainable) to write fraudulent company cheques to purchase goods.

In the UK, security checks are very limited (no cheque guarantee card is required, just a business card) so they managed to purchase £1500 worth of goods before I noticed (the bank didn't notice at all). I notified the bank and everything was refunded to my account, no problem...

... however, debt agencies are now pursuing me for the full balance plus charges. I'm about to get in touch with the police, just to cover my back, but I don't think there is a lot they can do.

Thanks all. I feel a little bit better now. I put an initial alert on my personal credit report. I noticed that there was an inquirey on there from a different merchant service. I've called them to warn them and I'm waiting to hear back. I'll go to my local police next and then probably the FBI.

I agree on the comments about the merchant service and credit reporting companies not giving a darn. This guy used a phony address and phone number and still got a merchant account in my company's name. They even shipped the guy a terminal after he had done an address change request with them. These companies really don't seem to know what they are doing. It's really sad.

As for the location of the merchant service, yes, they are in New York. But they are just a little sales group that sells services from a much larger authorization company. I seriously doubt that they even care.

I just hope it doesn't kill my personal credit score. I've been golden for such a long time that I would hate to have it tarnished again. Back in college I racked up some serious debt and have finally climbed out of that hole.

Anyway, thanks for all of the support and information. I'll get through it if it kills me!  :)  They'd just better not find the guy. For his sake...

FWIW try not to let it get to you too much.  I worried about it for days and was stressing myself out until finally I just accepted that I did all I could to deal with it and to make sure it wouldn't happen again - then I let it go.  It's a pain in the ass and a big stressor but compared to some other negative things that could happen (e.g. sickness, divorce, etc.) it's small potatoes.

One other thing - even though you have an alert on your credit files I'd suggest getting a $5 a month plan from one of the credit bureaus where any changes to your credit report are immediately sent to you via email.  The sad truth is even with an alert on your credit file many places will ignore or miss it and still issue credit against your name.  With the alert plan even if someone does a credit check on you an email is sent so you're aware of everything that is going on.  Yeah...it sucks to have to shell out $5 a month for something that should, IMO, be free, but it's worth it from a peace of mind perspective.

Was the merchant account granted by a company with the initials APS out of Plainview, NY by any chance?

"he/she uses the fraudulent merchant account to process charges on stolen credit cards."

So why do they need the duplicate website and phoney domain?

"So why do they need the duplicate website and phoney domain?"

So the company granting the merchant account thinks they're legit.

I'm still waiting on responses from two other merchant services as to whether or not they have issued bogus merchant accounts in my company name. For those interrested, United Bank Card declined the application. Good for them! They've also been very helpful so far.

The saga continues... and I'm not getting anything else done today it seems. Thanks for the feedback. I can tell you that this morning I felt so sick I almost threw up! I'm a little more relaxed now.

"Was the merchant account granted by a company with the initials APS out of Plainview, NY by any chance? "

No. Initials were UPC out of Somers, NY. As I said earlier though, they are just basically the pimping agency for the bigger banks. They just sell the accounts so they don't really take much time to make sure they are legit.

What kills me is that they even set up a fake phone number and I called them and got their voicemail. It's weird hearing somebody (even a machine) answer the phone with your business name! The guy from the bank in question said he called the same number and someone actually answered! I'm sure that it is just some Skype internet phone account bought with a fake credit card. But I'm half tempted to call them and give them a bunch of crap. The only reason I don't is because I really do want to go to the FBI and having them answer a phone line (even an internet based one) may be helpful in at least locating them. I want to make sure they can't do any more damage but I don't really want to tip them off until the Feds have had a decent crack at tracking them down.

Oh well. It appears that they won't make much (if any) money off of the deal because I have caught it in time. They'll just go on to the next company and try it all over again. And if UPS hadn't slapped the address change sticker on the package and sent it to me anyway, I never would have known it was going on!

Thanks again. I really do feel better about it now.

Skip the ploice, you need to contact the FBI since this involves the violation of numerous federal statutes.

"Skip the ploice"

Wrong.  You need to get a police report from your local jurisdiction.  Ask anyone who's an expert in dealing with fraud and they'll tell you to get a police report.

If you have a lawyer you use, and even if you don't, this would be a good time to get legal advice.

In particular, "lawyer letters" can sometimes get responses from banks and domain registrars that your own faxes and phone calls won't.

It would be $1,000 well spent.

"You need to get a police report from your local jurisdiction."

Not unless the guy who stole your name is in the same town you live in. What jurisdiction are they going to have? THey won't even write up a report for something that has happened outside the city, much less the state or country. But if you don't believe me, by all means, please, contact them and tell them that people in another state are impersonating you and that none of it has happened in your own area. Please do this and report back on your experience.

I went ahead and got the police report. This will let me put a seven year alert on my credit report so that creditors will have to physically contact me to advance any sort of credit.

I'm still debating whether or not to go to the FBI. I called them and got a voice mail so I hung up. I'm sure that they will not be able to do anything. Do I really want to start dealing with the FBI if there isn't anything they can even do? It's probably not worth the trouble.

The police report is still useful not because the police will actually do anything about it, but because it can be used as supporting evidence on your behalf if you are ever taken to court over debts that were incurred by the thief.