The tale of a scary nine-page background check

I wasn’t too long out of college and at my first “real job” (no background check required) when I stumbled into my very first fraud. I’d been assigned to do some job costing reports because my boss could not find out why the company was losing so much money on a job. After some digging, I found checks that should have been destroyed (and were voided in the accounting system) but had been cashed at the bank. Turns out there was fraud in the accounting department. Not only were “voided” checks being cashed but the payroll person was issuing two checks per payroll for herself and her accounting buddy (including the double 401K contributions for the company AND double vacation hours). The employee had been there for more than eight years – and had been committing fraud for seven and a half of them.

I can remember sitting in the hot warehouse of the company, in the summer, on a box, looking through bankers boxes of check stubs when I found the duplicate stubs. My disbelief that someone would actually DO that. And my fear about who I was going to have to tell and how bad the ramifications would be to me. These were senior people. And I had all the proof in my hands, but still I knew it would be bad, and to be honest, when it all came down, it was.I think since that day I have had a nose for fraud. That whole experience changed how I looked at a lot of things. It honed my detail skills. It made me more suspicious of people who were “too nice”. These women I’d worked side by side with for four years were not what they appeared to be. They weren’t my friends, they were thieves.

Since that day I seem to have walked into a number of cases of fraud, at other companies and with clients in my business. I’ve counseled my clients when they’ve had an employe rob them blind. Fake checks, fake vendors, missing deposits – nothing takes the anguish away when they realize someone they trusted has stolen from them.

It has also made me hyper-vigilant about The Wren Group, Inc. and how to keep us as safe as possible from fraud and theft. I have been studying to be a Certified Fraud Examiner (CFE). And one of the things I’ve learned is how important a background check and a reference check is in the hiring process.

One of the very best ways to prevent fraud in the workplace is to have a sound hiring process including reference checks and most importantly, background checks.

The thought here is that rarely do people all of a sudden start stealing. There have been issues as past employers and potentially even with law enforcement. And for what a background checks tells you (and potentially saves you), they’re really inexpensive, between $17 and $50 depending on the number of states and what you’re checking.

Before your run a background check on a potential employee, you have to have a policy that tells the potential candidate what you will do with the information, especially if it’s negative. Definitely check with an attorney or your background check company for the right language. Basically my policy says that I will give the potential candidate the opportunity to explain any incidents found, and that if what is found influences the hiring decision, they will be informed of what the information was and why.

A couple of years ago I was hiring for a bookkeeper in my office, and found a delightful candidate that checked all the boxes for the position. Great at QuickBooks. Strong Accounting knowledge. Bright. A college graduate. Super personality. Lots of volunteer work. Sounded too good to be true, and I offered her a position contingent on a background check. It’s the first (and only) time I’ve offered a position before I got the results back but I felt so good about this person that i just knew the background check was a formality.

Ha. Nine scary pages of check fraud (about 30 offenses). Two incidents of forgery. Theft by taking. I was aghast. How could my people-meter have been so off? This was a delightful person, great background, perfect candidate. And a thief, forger, and potential company-ending hire. I dutifully sent the required e-mail asking for clarification and explanation and I never heard back from the candidate. I’m pretty sure she’s probably working in an accounting office somewhere and I hope to God she’s not skimming, stealing, or forging there because they didn’t do their due diligence.

Another candidate had a clear background check, but the reference check was a little off. The litigious society we live in has made former employers reticent to give feedback freely. Nobody wants to be honest lest they prevent someone from getting a job and are sued for their honesty. This means that as the potential employer, you have to ask a few questions and listen for the long pauses. Not sure what to ask? Look here: There have been a couple of times when I’ve said to the reference, “I know that you are reluctant to be honest, but I hear something in your voice that worries me. I have a business too. What aren’t you telling me? This is a confidential phone call.” And that has usually worked. Ask tough question, expect straight answers.

There’s been a couple of times recently where a client has told me they’re hiring and asked me if I’d do a background check – or worse, if they tell me they don’t want to do them. There seems to be a stigma that if an employer does a background check, they don’t trust their employees. But it’s not about trust; it’s about taking care of the business you built and maintain every day. It’s about protecting your income, your business, your clients, and employees.

For information on finding a background check company, you can check the web or contact your attorney. We’re happy to share the local company that we use (and have been extremely happy with), just give us a call at our office.

Create complex passwords you know & hackers won’t

I don’t know about you but it’s gotten to the point that I wonder how in the world someone else can hack my password when I have trouble remembering it myself.

When a scare like the Heartbleed Bug happens websites respond by increasing password complexity requirements, making it even more difficult to remember which password goes where – and which one is the one that has the capital letter, and the special character, or the set of numbers. How many of you have paper notes in your desks, wallets, notebooks, wherever, to keep your passwords “safe”?

PC Magazine recently published a list of the worst passwords of 2013. You can read the full article here but here’s the short list:

123456, password, 12345678, qwerty, abc123, adobe123, 111111, 1234567

Anything look familiar? The list was skewed a little bit because of the Adobe breach (and those who used adobe123 as their password) but the simplicity of the passwords above make them easy to steal. The reason that people use simple passwords is pretty obvious – because they’re easy to remember, and I think all of realize we should be using more complex passwords. At the end of the day we’re still left with the same problem: How to remember multiple passwords across multiple platforms without having to resort to writing them all down.

So about six months ago, I tried to figure out what might be a better solution for me to create complex passwords. I didn’t want to use the same password at each site, because if one is compromised, they all are compromised. How could I devise a method to meet all the weird complexity requirements, make it something not easily guessed, but would work across all platforms, yet STILL be unique at each site. Here’s what I’ve come up with, and honestly it works pretty well.

First what you need is a number, two, three or four digits, that means something to you but wouldn’t be trackable back to you. It shouldn’t be your address, birthday, or zip code – nothing current, and really nothing in your past since in this digital age almost every address you’ve ever lived at as an adult is searchable online. Some ideas are: your grandparent’s street address, your basketball jersey number, your PO box in college, the last four of your phone number when you were in grade school or even the model year of your first car. For this blog, I am going to use the example of a football jersey number, 54.

Then you need to decide what characters you’ll replace in your new passwords. If I’d headlined this post with H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd? would you have known what I meant? H0w 3@$y i$ 1t t0 gue$$ y0ur p@$$w0rd? means How easy is it to guess your password?

Here’s how that works:

  • a=@ The “at” sign on your keyboard, above the number 2.
  • i=! The letter i,regardless of capitalization is an exclamation mark above the number 1.
  • o=0 The letter o is a zero
  • e=3 The letter e is a number 3
  • s=$ The letter s is a dollar sign

Now you need to figure out how you want to create your passwords using the web address for the website. I usually use what’s between the www and the .com or .net as long as it’s not too long. For I use facebook. – wells. – merrill.

Once you’ve decided how you’re going to abbreviate your website, you’re ready to start putting the passwords together. You need the number you chose, the character replacement, and the website abbreviation.

Here’s how it works using this system and adding the number I chose, 54, listed above. I added the number to the end, but you can add to the beginning if you want.

  • My password becomes F@ceb00k54
  • becomes W3ll$54
  • becomes M3rrill54

Here’s why this works so well: The passwords have complexity requirements – a capital letter, a number AND a special character. The passwords are unique at each site – so if your Facebook password gets compromised, no databot is going to figure out your Wells Fargo password. Best of all, once you come up with your own personal naming convention, you never have to write anything down. It’s in your head and you can pretty much remember every password you need to remember, because it’s all right in front of you.

This may seem a little “techie” at first, but I promise you once you figure out the basics, you’ll have it down pat. Print out the character replacements if you need to – no one is going to know what they’re for, and give it a try. Would love your feedback – is it working for you?


And for security purposes, your mother’s maiden name is……?

In last month’s blog, I shared some of the interesting ways that businesses can be subjected to fraud with their business checks, using simple household things like scotch tape.

Lately I’ve been thinking about passwords and how to keep personal information safe and secure.Now all of us are pretty careful about our social security numbers, our credit card numbers, EIN’s, those obvious chunks of data that could compromise us. It’s not sometimes obvious how small pieces of information could be out in the main stream internet and available to thieves.

So let’s start with what is seemingly a difficult piece of information to obtain, but is a potential key to unlock a whole host of personal data – your mother’s maiden name. Within the past few years, your mother’s maiden name has become one of the top two security questions needed for bank passwords, mortgage accounts, credit card accounts, and other areas where a password reset is needed. So how hard is it to find? On first thought, pretty hard. It’s on your birth certificate, and on your parent’s marriage license, but neither of those documents are ones we carry around. So how does the maiden name get out?


I enjoy Facebook as much as anybody. I keep up with friends and colleagues, and get to participate in groups and hobbies I enjoy. I share pictures of where I am, my children, my hilarious pets, and articles I find interesting. And as much as Facebook can be fun and interesting, it can be a treasure trove of personal data ripe for the picking.

If you’re a female with a Facebook account, then your maiden name is probably listed right on your profile. If you’re a dude, and your mom is on Facebook, it’s probable that her maiden name is right there for anyone to see. It’s listed for an innocent enough purpose – so those from your past, who you may not know now but you knew before you got married – can find you. Go check – is your Facebook (for the women out there) first name maiden name last name? While I’m penning this blog, I’m thinking of a number of my lady friends, and I think almost all of them use their maiden name. I did a quick count and 70% of my women Facebook friends (including my mom) list their current first name, maiden name, and last name up front on top of their profile.

How about your hometown? How many of you were born in your hometown? If it’s listed on your profile, then you’ve given a potential identity thief a second key piece of information in a quest to steal the data they need. Further, if you’ve listed all the places you’ve lived, you’ve put even more personal information out there for someone to steal.

Isn’t it nice to get birthday wishes on Facebook? Is it nice enough to give that information out to the whole world? ‘Cause if your birthday is on your profile, you’ve done just that.

Last is the lovely “family” part of the FB page – you know, where you list who is in your family. It’s in the about section of your profile.

With these four seemingly innocent pieces of data, you connect many dots for an identity thief. Your full name, your birthday, your family, your mother (and probably her maiden name) as well as your hometown and a list of where you’ve lived.

How to tighten your security and the information you share:

First fix. On Facebook you can list your maiden name in your profile (thus making it easy for people to search for you who KNOW your maiden name already) but not show it.

Go to the little settings gear on the top right, click settings, and then next to your name, click edit. When the window opens, you can put in your name as it is now, then under your Alternate Names, list your maiden name. Uncheck Include this on your timeline and then your maiden name is searchable for those who knew you, but not available to those who didn’t.

Your hometown is nice to list on your profile, but don’t make it too specific. If it happens to be the town you’re born in, you might want to go a bit broader to the nearest metropolitan area.

Next Fix: It’s easy to hide your birthday from your profile. Go to your profile, about, then basic information. You can list your birthday, but click the lock, and “only me”. Now your birthday is there, but it’s secure.

Last Fix: Click “About” on your page, then family, then edit. You can make your family members visible only to those who need to see it.

It goes without saying that you should also lock down your profile so that only friends can see what you post, about you, and most all of your profile This is handled under the settings gear as well, but click Privacy on the left side. This is where you control who sees what and who can find you on Facebook.

For more information about Facebook and privacy, click here.

Look for next month’s article about an easy way to learn different passwords for the web – and never have to write them down.

How Scotch Tape could cost you $100K

I was recently at a conference in San Francisco for Intuit Premier Resellers. Since it’s a reseller channel, we are regularly updated with business trends and how they relate to items we can sell, and this specific presentation was about checks.

As part of the presentation, I received a book called The Art of the Steal by Frank W. Abagnale. You may know the name – he is the author of Catch Me if you Can – which was made into a movie starring Leonardo DeCaprio.

The Art of the Steal was written to protect people and their businesses from fraud. In the book. Frank details some of the ways that businesses can be hit with fraud, and I was really blown away by how easy it is to do what’s called “washing a check”.

First I need to explain how the process starts. Most all the printers we use today are laser printers. These differ from dot matrix, ink jet, and even typewriters in how they lay ink down on any type of paper. Laser printers “lay” the ink on top using heat to attach the ink to the paper.. The other three methods actually inject ink or impact ink onto the paper.

A thief who wants to defraud you via a check can use scotch tape to do it. This process is called washing, in part because sometimes both scotch tape AND acetone (nail polish remover) are used. They’ll take a check and a piece of Scotch tape, the gray cloudy kind that doesn’t pull up paper when you use, and place the tape carefully on top of the payee, then the date, dollar amount and amount line. Then they scratch, using a fingernail or a coin, over top of the laser print. It’s kind of like a lottery ticket in reverse. The tape pulls the laser printing right off the check. If there’s any residue of toner left over, all they have to do is use a dental pick, toothpick, small x-acto knife, or even an eraser to pull it up. The signature line is left alone. Now, Voila’! Here is a signed, blank check for someone to fill in at their discretion.

And if they fill it in for $100,000, then that $2.69 roll of scotch tape just cost you $100K.

So what do you do? The first and most efficient way to stop these types of thieves is to have checks that are chemically treated to withstand these sorts of fraud attacks. The plain paper checks you receive from the bank or even order from a check printer are not devised to thwart the thief. They are basic checks.

If you have checks that look like this- in purple, green, yellow, red, or pink, where there is soft color and no markings, then you have basic checks like the ones on the clip on the right.

Premier checks are made to withstand many types of fraud, including our scotch tape example with a technology called toner adhesion, which makes pulling up the toner with tape nearly impossible. They also have features like chemically reactive paper, invisible fluorescent fibers, microprinting, and a prismatic color background.

Back to the reseller conference I started with above. In addition to the software and hardware I can sell, Intuit has extended the product offering to include checks, deposit slips, and deposit stamps. I was previously able to extend a 30% discount on the orders, but now am able to increase that discount to 35%. For a custom quote, just call our office at 770-554-5414. We’ll need a blank check copy faxed over and then the new secure checks are sent directly to your office.

So what areas can you improve in your business besides checks to help decrease your chance for fraud? Find out in our next article.


Are you a Facebook Novice or Facebook Ninja? (or do you know?)

The Wren Group has recently been dipping its toes into Social Media – LinkedIn, Twitter, and of course, Facebook.

While I’ve been reluctant to embrace Facebook as a company (spam fears, management of the page, how Facebook might help our business), the fact is that FB is here to stay, at least for a while anyway.

There are a couple of resources we used to try to get us to the Ninja end of the scale, although we started as Novices.



Eight smart steps to prepare your business for chargebacks

In the event of a chargeback, is your business prepared?


According to Wikipedia, “the chargeback mechanism exists primarily for consumer protection”.

Notice that the definition has nothing to do with the merchant or business.  Do you have the necessary steps in place to protect yourself and get your money back?  While chargebacks are not often used (generally about .01% of all credit card transactions are disputed), in the wrong hands,a chargeback can be a powerful weapon used by the unscrupulous consumer.

Some keywords and their definitions in this article

  • A Chargeback is the return of funds to a consumer, forcibly initiated by the issuing bank of the instrument used by a consumer to settle a debt.
  • An Issuing Bank is the bank that is named on the consumer’s credit card (American Express, Wells Fargo, Chase, etc.)
  • The Consumer is the one who charged the item on their credit card and requested the issuing bank to initiate the chargeback
  • The Merchant is the business that accepted the card from the consumer
  • The Merchant Processor is the company that processes the merchant’s credit cards.
  • Reason Codes define why the chargeback is requested.

Chargebacks were created to cover the consumer, as defined above, and to address fraud.  In those instances where a consumer might purchase something from a merchant and doesn’t receive it, or it’s broken, or it’s not what it was supposed to be; and the consumer does everything to reasonably work with the merchant, a chargeback can be used to make the consumer whole.  Additionally, if a consumer reports their credit card stolen, the credit card company issues chargebacks for any charges that are fraudulent.  For all of these reasons, the chargeback is a great tool.

Here are some things you may not know about chargebacks:

  • When a consumer submits a chargeback, the issuing card company contacts your merchant company and a course of action is taken.
  • Chargebacks are generally categorized into four areas:  technical, clerical, quality or fraud
  • There are numeric codes in each area that define the chargeback.  For example a C32 is damaged goods or merchandise received;
  • Most often, the course of action is removal of funds from the merchant account.  Sometimes, based on the reason code and how old the transaction may be, an inquiry is initiated instead of the money being removed.
  • If money is removed from the merchant’s account, it’s usually within 48 hours, but often sooner.
  • A notice of chargeback is usually mailed via USPS – this means you’re missing the money before you even know the chargeback was initiated.
  • Once the consumer initiates the chargeback, it is the merchant’s responsibility to prove that the charge was valid.
  • Chargebacks can be won by the merchant, but refiled by the consumer, as long as a different reason code is used.  This cycle can happen continually for up to 12 months (based on the consumer’s bank).

If you accept credit cards, you are vulnerable to a chargeback.  Depending on the volume of your business, and the average amount of each transaction, many businesses consider chargebacks a cost of doing business.  For a company whose average ticket is $30, and who might do $60,000 in sales in a month, a couple of chargebacks probably aren’t worth the time of the business owner to resolve.  But what if your average ticket is $3500 and you might do $60,000 in sales a month and you get a chargeback?  Suddenly you realize that your cash flow is a lot more vulnerable than you think.

Here are some ways to protect and prepare your business.

1.  Don’t take credit cards over the phone without a written authorization.  Before you internet business readers groan and stop reading, hear me out.  If you’re subject to a chargeback, the very first thing on the list to prove that it’s a valid charge is a signed sales draft.  If you’re taking a credit card on the phone without a written authorization you’ve probably just lost the chargeback battle.  It used to be that writing /s/ and “over the phone” on the signature line was enough.  These don’t necessarily count any more.

2.  Make sure the written authorization to charge a consumer’s credit card is clear.  Under what circumstances can you charge the card?  Is it recurring?  Do they have to review the invoice?  For one-time purchases do they have to initial an amount field?  This document should be ironclad

3.  What is your return policy and is it clearly started on whatever the consumer signs?  Take a look at your receipts or invoices that you print and give the customer.  Is it clear?  Is there an exact number of days and under what circumstances you’ll accept a return? has a great article about writing a clear return policy, which you can read here.  To win a chargeback, you have to have a very clearly defined return policy that the consumer can understand.  A tie goes to the consumer, so make sure it’s consistent and easy to interpret.

4.  Keep all the pertinent documentation from the charge itself.  Other things you have to provide when you fight a chargeback are the cardholder number, authorization number, transaction amount, and date.  These are usually all found on the sales slip.  It sounds obvious but don’t throw these things away.  Ideally they’re stapled to the written authorization in step one.

5.  Document and have the consumer sign an authorization if items are to be shipped to an address other than the one that you have on file for the consumer.  Example:  consumer buys auto parts but wants the parts shipped to a third party body shop for paint an installation.  Shipping items to someone other than the consumer can get you in trouble without written authorization.

6.  Print and save the tracking and delivery information.  If you’re shipping products, proof of delivery is necessary to prove the items were delivered to your consumer’s address or the address where they wanted items shipped.  Print these confirmations out when items are received. If you ship USPS, note that they only keep delivery confirmations for six to twelve months.

7.  If you receive a chargeback notice, don’t ignore it.  Fight it immediately.  Pull together your documentation and go after it.  You can win if you have the documentation and the backup to prove it’s valid.  Take a look at the reason code to help you fight it better.  If the reason is items never received, show the shipping confirmations and you’re one step ahead.

8.  Consider having two checking accounts at your bank – one for merchant deposits only and one for operations.  In the event you have a large chargeback, it doesn’t hit your operations checking, it hits your merchant checking.  Keep your merchant checking account balance low just in case.

You might have guessed by now that I was recently subjected to a chargeback.  Actually four chargebacks.  It started with two – one from January, one from April.  They were both American Express, and given what I’ve heard about AmEx, I was afraid I would lose them.  Luckily I had enough documentation that I won the first round.  Then the consumer opened them again, this time with a different reason code.  These are still in process.  And the monies came in and went out of my account a number of times, and in total, between phone calls, documentation and letter writing, I’ve spent about 20 business hours so far fighting them.

Based on what I’ve learned, I’ve made some changes.  We don’t charge a credit card without a written authorization.  The authorization is clear about what it is for, and the return policies are crystal clear and noted in a couple of places.  It’s my hope that this article prepares you for the possibility of fighting a chargeback and gives you knowledge to have documentation which will make you successful.

$1.73 Pending Ghost Charge exposes Merchant Fraud

Merchant fraud is not something you would necessarily relate to a Sunday afternoon lunch with your family.  Seems like I’m up to my eyeballs lately in credit card fraud of one type or another, and I guess by now I shouldn’t be surprised when fraud sneaks into my happy moments and gives me something else to deal with yet it never ceases to surprise me when it happens.

Merchant Fraud

During our lunch, my son, who is 16 and has his first car, said something about the engine sputtering a little when it started, and having trouble turning over.  We immediately suspected the starter or alternator, so we drove over to the closest auto parts store for a diagnosis.  Indeed, the starter was the culprit, so out pops my Amex to pay for a new one.

When you purchase a starter, in addition to the charge for the part itself you are charged what’s called a core charge.  A core charge is when the auto parts store charges you what is essentially a deposit on the piece of the part that requires recycling, and the store refunds you the core charge when you return the defective part.  My son and I agreed he would return the starter when he replaced it in his jeep, and the other night called me to tell me he had indeed done what he agreed to do and asked me if he got the credit or I did.  (Teenagers! Really son? Who paid for the part in the first place?  But I digress…)

So after our call I logged in to my amex to see if the credit had hit, but there was nothing there.  Usually credits aren’t pending, they just hit once they are processed.  But in the pending area of my charges, there were two really weird transactions.  One for $1.73 from a hardware store in Seattle; the other, $9.65 from a home medical supply company in Lincoln, Nebraska.

Uh-Oh.  Someone’s got my Amex again.  I am a dutiful cardholder and watch my account like a hawk, and I KNOW that I haven’t been in Washington or Nebraska, so I call Amex to report the fraud.  Here’s where thing get weirder.

The Amex rep says that neither charge was done with a real card, and there is a $9.65 charge and a credit, but the $1.73 is just an authorization.  Why would someone steal my credit card info and then make a charge AND a credit moments later?  And why charge my account for such little amounts?  Usually you hear about big fraud – $1500, $5000, or some obnoxious amount of money that is obvious.  Amex’ stance is that it’s pending and since it has been refunded the charges will never hit my actual statement.  Pay attention to that fact – a pending charge that has been charged and refunded will never hit the cardholder account.  So it’s a ghost charge that doesn’t hurt me now, but more importantly it doesn’t leave any trace that the charge even happened after a few days.

So I decide to call the two merchants that have charged my card.  I’ve never done that before, but I looked them up based on my pending charges and gave them a call.  The hardware store in Seattle was pretty frustrating.  ”Ma’am, there’s just no way we processed your card.  All of our cards are processed in person, we don’t do any sort of on the phone transactions at all.  There’s no record of any charge in our system for that amount.”  I was given over to a manager who said while they did do internet business, it was from their parent company who processed everything at the headquarters level.

The home medical company, who I got to the next day, was more helpful, probably because a day or so had gone by and there were other credit card holders calling them as well.  Apparently I was one of a few hundred that had a charge from them on their pending charges.  The local office gave me to accounting, and I spoke with a lovely woman who knew exactly what had happened.

There are two thefts going on.  Thieves had obtained the merchant ID processing numbers and either programmed machines or created fraudulent virtual terminals to run stolen credit card numbers. This is the merchant fraud. There are a number of articles out there about protecting your terminals in your office but none that I could even find about this type of theft.  Then they ran my stolen Amex number to see if it was a good number, and by running a charge and a credit they guaranteed they had a good number.  But since the charge would negate and never hit my account, I would never see it.  It would be a ghost.  Bingo.  Credit card fraud.  Two for the price of one.

I was telling this story in my office, and someone asked, why would they steal a merchant ID and program a machine?  What is the point of merchant fraud?  The money would not be deposited into the thieves accounts – it would be deposited in the unsuspecting merchant account.  This is true.  However, the thieves weren’t after the first deposits of the fraudulent charges, which is why they returned them.  They were after checking the card numbers that were stolen to see what they could charge later.

And the little amounts?  Often charges are done under $10 the first time because so many people don’t actually look at the detail of their bill until the end of the month, and who worries about $10?  It’s not till they hit in the hundreds, or thousands of dollars until someone pays attention.

Unfortunately there’s no way to know how the thieves got the merchant accounts in the first place.  If you’re a business and you take credit cards, you have a merchant number, which opens you up to merchant fraud.  The number is usually 16 digits like a credit card number.  It’s printed on the top of any merchant statements you receive, and sometimes listed on the deposit line of your bank account statement.  It’s also online when you log in.

Bottom line is that we are all trained to protect our credit card numbers as consumers, but this is the first time I’ve seen or heard of merchant numbers being stolen.  I guess it goes to show that as our lives get more technical, so does the crime.

My advice would be for business to protect their merchant numbers as they would their federal ID number and company credit card numbers.  And consumers need to make sure they’re checking their credit card accounts regularly for pending charges.  Waiting until the end of the month when the paper statement arrives won’t necessarily show you all the transactions that have been done on your account.