A lawsuit from the U.S. Federal Trade Commission filed against a group of ISOs on Wednesday (July 30) reads like a how-to guide for ripping off the card brands, as it details the fraud techniques the ISOs are accused of using to sidestep Visa and MasterCard anti-fraud security procedures. And Wells Fargo and First Data were among the victims.
The case against Cardflex—and several related or associated ISOs—is that the group processed more than $26 million in unauthorized charges to consumers’ credit and debit card accounts. How did the group avoid getting on the card brands’ fraudster bad boy lists, the brands’ chargeback monitoring and reduction programs? Therein lies the more interesting tale.
One tactic was to continually create new merchant names, to avoid having too many chargebacks associated with any single entity, which would have triggered Visa or MasterCard alerts. The filing said that the Cardflex group “opened at least 293 merchant accounts in 30 separate corporate names” for processing transactions. The defendants are Cardflex, Mach 1 Merchanting and Blaze Processing.
An executive for one of the merchant accounts described the scam cleanly, saying that it’s purpose was “keeping the (merchant) descriptor different enough so that Visa won’t connect the dots, but keeping them similar enough so that the customer can connect the purchase with the charge.”
“Defendants caused these unauthorized charges by arranging for a group of interrelated merchants, known as iWorks, to obtain and maintain merchant accounts that enabled iWorks to process unlawful credit and debit card payments through the Visa and MasterCard payment networks,” the FTC filing said. “Defendants caused these charges to consumers’ credit card accounts by actively employing, and advising or enabling the fraudulent merchants to employ, numerous tactics that were designed to evade fraud monitoring programs implemented by Visa and MasterCard.”
The group is accused of using load balancing, a process where iWorks merchants shifted sales transactions and chargebacks “among their numerous merchant accounts in order to avoid detection by the credit card networks.”
Said the filing: “Because the Visa and MasterCard merchant monitoring programs require at least 100 total transactions per month, merchants could divide their transactions among multiple merchant accounts in order to keep their total number of transactions artificially below the monitoring thresholds. The use of load balancing to avoid the minimum sales thresholds required for chargeback monitoring programs or to otherwise evade detection by monitory programs serves no legitimate business purpose.”
The come-ons to shoppers were not especially creative, such as “deceptively offering consumers free or risk-free information about products or services such as government grants in order to deceptively enroll consumers in costly membership programs and repeatedly charge consumers’ credit cards without their authorization.” The civil complaint said some of the bogus government grants were touted to pay personal expenses, while others were standard-issue Internet-based money-making scams.
“Evidence of the merchants’ scam included the numerous consumer disputes challenging unauthorized charges; chronically excessive chargebacks; publicly available merchant websites with facially deceptive statements; and notices that several merchant accounts warranted placement in Visa and MasterCard chargeback monitoring and reduction programs,” the government filing said.
In case you’re checking to see whether—or how much—your systems may have been impacted, here are some names to search for: Big Bucks Pro, Inc.; Blue Streak Processing, Inc.; Bottom Dollar, Inc.; Bumble Marketing, Inc.; Business Loan Success, Inc.; Cutting Edge Processing, Inc.; Diamond J. Media, Inc.; Ebusiness First, Inc.; Ebusiness Success, Inc.; Ecom Success, Inc.; Excess Net Success, Inc.; Fiscal Fidelity, Inc.; Funding Search Success, Inc.; Funding Success, Inc.; GG Processing, Inc.; GGL Rewards, Inc.; Hooper Processing, Inc.; Internet Fitness, Inc.; Net Business Success, Inc.; Net Commerce, Inc.; Net Discounts, Inc.; Net Fit Trends, Inc.; Network Agenda, LLC; Optimum Assistance, Inc.; Pro Internet Services, Inc.; Razor Processing, Inc.; Simcor Marketing, Inc.; Summit Processing, Inc.; Unlimited Processing, Inc.; and Xcel Processing, Inc..
The government said these bogus merchants “lured consumers into an expensive bait and switch. After viewing misrepresentations on iWorks’ websites, consumers were led to believe they would be charged only a small fee for shipping and handling, such as $1.99 or $2.99, to receive information about obtaining government grants or making substantial amounts of money. Consumers would then fill out a form and provide their credit card or bank account information. However, buried in the fine print on the iWorks websites (if disclosed at all) or on a separate terms page were additional terms that completely transformed the offer. Instead of providing a free product or service for the nominal shipping and handling fee, iWorks enrolled consumers in multiple expensive online plans and charged recurring fees or other additional fees until consumers affirmatively cancelled enrollment in the plan. iWorks enrolled consumers in online Negative Option Plans for both the advertised product as well as for additional products and services. Pursuant to the Negative Option Plans, iWorks charged consumers’ credit cards hefty one-time fees of as much as $189 and then recurring monthly fees of as much as $59.95 for the core product, as well as recurring monthly fees for the additional products and services costing as much as $39.97.”
The scam last from 2006 until early 2011, when a court granted the FTC a temporary restraining order.
The government argues that CardFlex officer Andrew Phillips offered a “personal guarantee” to iWorks owner Jeremy Johnson. “In a July 2, 2009 E-mail, Johnson explained his understanding of the personal guarantee to other iWorks employees. According to Johnson, CardFlex agreed to open ‘any account in any name or corp we want’ and they ‘won’t need a lot of financial info’ as long as Johnson signed the guarantee. The personal guarantee fundamentally changed the nature of CardFlex’s business relationship with iWorks. Under CardFlex’s agreement with Wells Fargo and First Data, CardFlex was compensated based on the volume of transactions that its clients processed. Although this arrangement could incentivize CardFlex to recommend as many merchant clients as possible, CardFlex was also contractually required to bear the financial risk associated with payment processing for its clients. If CardFlex referred a client to Wells Fargo that was fined for high chargeback rates or was unable to refund consumers, CardFlex could be liable for those fines and refunds. The ‘personal guarantee’ CardFlex accepted placed the financial risk associated with iWorks accounts entirely on Jeremy Johnson’s shoulders and removed the incentive for CardFlex to carefully underwrite and monitor iWorks’ accounts.”
The government cited an interesting example: “On July 9, 2009, for example, Jeremy Livingston signed a merchant processing agreement for a company called GGL Rewards, Inc., which purported to have 250 employees. Livingston left the ‘Other currently/previously owned businesses’ and ‘Who Performs the Product Service Fulfilment’ sections of the application blank. Livingston also certified that he had inspected the business premises for GGL, and that the application was correct. GGL Rewards was actually a shell company that did not have any employees.”
To review the full filing—with many more details—click here.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More