When Hamilton, Ont.-based florist Rosanna Yeomans received an order on Jan. 2 for $44,000 worth of flowers from a church in Ghana, she thought her small business was off to a great start in the New Year.
But that success quickly turned sour when she got an e-mail from Amsterdam-based bank ING Direct informing her that the credit card numbers used to make the purchases were stolen from the bank. It turns out the man claiming to be Rev. Ben Wallace from Ghana was taking Westdale Florists to the cleaners.
By Jan. 7, the fraud was clear. Soon, Yeoman’s bank account was frozen and her point of sale (POS) provider, Dallas-based Chase Paymentech Solutions LLC, was demanding $44,000 back.
It’s enough of a hit that the business is in danger of going under.
“I’m trying not to let that happen,” Yeomans says. “We’re just a small company. The amount we’re being asked to pay back might as well be $1 million.”
The fraudster got money out of Yeomans by claiming a shipping company had to be paid through Western Union before the orders could be completed. He had several different credit cards that he said were limited to $1,500 each, complete with expiry dates and the three-digit security code on the back. The “reverend” ended each phone call and e-mail with a heartfelt “God bless you.”
After the money was cleared and in her bank account, Yeomans did use Western Union to wire $16,000 to a company called ATS Shippers. She now suspects that was merely another proxy for so-called Rev. Wallace to cash in on the fraud.
Yeomans says she wasn’t familiar with African countries’ reputation for these sort of scams. But she was still cautious because of the size of the orders. She says she involved her bank manager at each step of the transaction and got the go-ahead – along with congratulatory high-fives for her apparent business success. She also put the card numbers through her POS machine and they were approved.
She waited for the money to be cleared and in her account before moving forward with sending the shipments. Needless to say, ATS shippers never showed up to retrieve the order.
“The most frustrating part is that I did everything I was supposed to do,” Yeomans says. “I don’t think I could do anything more than I already did.”
But there were two warning flags that should have been raised here, according to Gord Jamieson, head of payment system risk at Visa Canada. The fact that Wallace had used several different credit cards to pay for one purchase and the fact it was a “no card present” transaction done over the phone.
“When a card is not present, the merchant assumes all liability for the transaction,” he says. “There have been no steps taken to verify this is actually the card holder making the purchase.”
Many Canadian small businesses believe they aren’t in the crosshairs of fraudsters, according to a survey released by Visa Feb. 27. Conducted by Ipsos-Reid, the survey polled 885 small businesses (those that had less than 250 employees) that accept card payment about data storage and security practices.
More than four in 10 businesses believe data thieves and hackers are not interested in targeting a business of a small size, the survey shows. More than half of the businesses have never looked for outside information on how to keep customer information secure.
“They feel they wouldn’t be the interest of data thieves or hackers, when our information tells us pretty much the exact opposite,” Jamieson says. “Hackers are targeting small businesses for the most part, and we can see that in the number of breaches here.”
Visa is informed of security breaches involving credit cards and regularly investigates such incidents. So far in 2009, the credit card company has already looked at six merchants – all small restaurants that have been breached.
Yeomans says falling victim to the fraud was a rude awakening to the amount of scams that do occur. She was also surprised by how little help was offered to her – by the large corporations involved, the police, and her own bank.
When the florist first called the police to report the fraud, they declined to take a statement, she says. It took a call from her lawyer to arrange for a meeting with a detective. But that didn’t prove very helpful either.
“When the detective came over to take a statement, the first thing he said was there was probably nothing they could do,” she says.
Yeomans informed ING of her predicament.
Now she’s on the hook to pay a further $22,000 back to Chase Paymentech – already having $22,000 taken out of her bank account to give back to the POS provider without her authorization. She’s also been blacklisted by the company and has found another POS provider.
“I’ve offered to pay them $11,000 back, but they say they’re not going to lose a single penny on this,” Yeomans says.
Chase Paymentech doesn’t comment on its relationships with specific merchants, says spokesperson James Wester. But he is not sure of what sort of scenario would arise that a merchant would have to pay money back to his company.
“What we do is provide the service and access to the card networks of Visa and Mastercard,” he explains. “We’re not the ones that actually provide the authorization or get the money from the cardholder’s account.”
The POS provider does work with its merchants to try and identify fraud risks and it promotes data security standards set by the payment card industry. But it is not responsible to act on fraudulent credit card transactions and doesn’t purchase insurance to protect against fraud, Wester adds. All merchants should be aware of the risks of fraud.
“No one is too small to become a victim of this,” he says. “Understanding what happens in an electronic transaction is something we want our customers to be aware of.”
About one-quarter of Canadian small businesses don’t know where to get the information they need to have better security, according to the Visa survey.
Visa is hosting several free anti-fraud information sessions for small businesses across Canada in March. Companies will be given an overview of the survey results, a look at what sort of vulnerabilities are exploited by fraudsters, and an explanation of Visa’s new chip and PIN-based cards will help cut down on fraud.
“We think it’s important to get out there and talk to them,” Jamieson says. “It’s shared responsibility between the issuers, the merchants, and the providers.”
Yeomans is doing her own part to make others aware. She’s recently discovered that other florists in Canada were being targeted by the same fraudster – and the perpetrator is still attempting to pull of his scam. A shop in Quebec was hit, as was another one in North Bay, Ont.
The fraudster wasn’t unnerved when Yeomans confronted him with his scam being uncovered on the phone.
“He was very polite about it,” she says. “He just said thank you and hung up.”
Flowers Canada has since posted information about the scam to its Web site, hoping to deter further incidents.