It's easier to steal a million dollars a dollar at a time than a million dollars once. So goes an old saying.
If the allegations in a civil case filed in a federal court in Chicago hold up, you can even haul off $10 million if you stick to $9 here or 20 cents there.
The suit, filed in March by the Federal Trade Commission, contends that over at least four years, scammers placed more than $10 million in bogus charges on consumers' credit and debit cards.
Then, the suit says, they moved the money to bank accounts in Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The suit was filed in U.S. District Court for the Northern District of Illinois.
The scammers evaded detection by keeping each charge under $10 and stealing from each cardholder only once, spreading the theft across more than a million cardholders, the suit says.
The identities of the defendants have not been discovered; there may have been only a single "John Doe." All the FTC says it knows are the names of shell companies.
"No one has appeared to defend the companies," said Steven Wernikoff, a trade commission staff lawyer overseeing the case.
When the commission filed a motion to seize the U.S. assets of the companies, less than $100,000 was recovered. It hopes to recover sums transferred abroad, but Wernikoff said that "it's going to take some time."
Most of the fraudulent charges that appeared on victims' statements were for $9, but at different times, charges of just 20 cents were favored, Wernikoff said. Maybe the scammers should have stuck with $9: "There were more complaints about the 20-cent charges because they looked really odd," he said.
When the complaints eventually piled up, the trade commission began investigating.
The scheme depended upon the scammers persuading banks that they had a legitimate business so that they could secure merchant accounts through which the credit card charges were routed, the suit says; false storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.
The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.
"One thing that the banks can do a better job at is vetting merchants much more carefully," said Avivah Litan, an analyst at Gartner Research. "That's been a weak spot for many years."
Wells Fargo deserves credit for checking merchant references that helped uncover the problem. The perpetrators used stolen identities, with names, Social Security numbers and addresses of seemingly random individuals, the suit says.
Daniel Fuchs, a deputy attorney general in California, was surprised to receive a call one day from Wells Fargo about a merchant account application filed in his name. (When you steal identities, it might be best to stay away from the staff at the attorney general's office.)
By law, consumers are liable for no more than $50 in fraudulent charges on a credit card and no more than $500 in fraudulent charges on a debit card, if reported by specified deadlines. But in practice, most major banks offer full protection from losses attributable to fraud. Someone must first identify the fraud, however.