Caught in the web of deceit

Credit card companies are privately slapping hefty fines on rogue websites for misusing people's card details amid a big jump in complaints about internet fraud, it emerged this week.

Much of the problem centres on "adult" websites and other disreputable merchants, most of which tend to be based in America or offshore locations such as the US Virgin Islands, that are fleecing credit card-holders in the UK and around the world.

Britain is a mecca for credit card fraudsters. Incredibly, more than half of all credit card transactions in Europe take place in the UK and more than half of Europe's card fraud happens here too. And the growth of shopping on the web has the potential to make matters worse.

This week, British and US regulators added to fears over net purchases when they warned web users to watch out for internet fraudsters. Officials said they were taking action against more than 250 cyber conmen, mainly in the US, who have been tricking gullible web users.

Mastercard/Europay, the international payments organisation, disclosed to Jobs & Money that since June it has fined around 30 websites, many of them sites selling pornographic images and goods, which have generated the largest number of disputed online transactions.

Mastercard/Europay carried out research into where credit card disputes - such as alleged fraud and complaints about unsent goods - were arising, and found that about 50% of them related to e-commerce. And about half of these e-commerce disputes related to adult websites.

One of the most popular scams operated by US-based adult sites involves requests for users' credit card details, either to pay a "one-off" subscription fee or simply to act as proof that customers are over 18. The individual does this, and then he or she finds they are being charged $25-$30 every month by the site - a regular payment they clearly haven't agreed to. Attempts to get the unauthorised payments stopped run up against toll-free phone numbers that only work in America, with no address to write to.

Other sites, some of them auction and holiday websites, are taking credit card numbers and passwords and using them to go shopping at major online retailers that might have been visited by the customer. Research shows that people tend to use one password for all their online shopping and rogue sites exploit this fact. They take the card details and password and visit sites that only need a password before allowing customers to shop. CDs and other goods can be bought in large numbers and sent on to an address in another country.

So what can the victims do? The fact that it may involve porn means some people will be too embarrassed to contact their bank or credit card company to try to get the matter rectified. Some will simply cut up their card, which is immensely frustrating for the card companies, for whom losing customers is an expensive business.

MasterCard/Europay is now hitting back, and earlier this year put in place a policy where if the number of disputed transactions exceeds a certain amount for two consecutive months, it fines the website's bank (it can't fine the sites directly). And these are no token penalties either - the fines start at $5,000 and rise to a hefty $100,000. The October fines were the most severe yet imposed, and are expected to lead to a crackdown on guilty sites.

"Nearly all the people on the list [of those fined] have been what you would call disreputable merchants," says Paul Lucraft at Mastercard/Europay. They are all based in America or offshore America.

Mr Lucraft stresses that Mastercard/Europay is not mounting a moral crusade against adult websites. "It just happens to be that a number of the people who are ripping off the system are hiding behind these sites." It probably costs the porn sites "a few cents" to post images on the net and they are collecting perhaps $30 a month from hundreds or thousands of individuals, he adds.

Lack of confidence in net security is deterring millions of people from buying on-line. Future Foundation, a think-tank, says that security topped the list when it asked people what they consider the most important service criteria. It quizzed 1,000 people and found that 76% of non-internet shoppers say that when they do come to make their first online purchase, they will want to deal with brand names they trust - not least because of widespread fears about security.

Measures are being put in place to give consumers greater protection against online fraud. Government rules came into force this week which give new rights to people who shop via the internet, phone or mail order.

Ministers have amended the Consumer Credit Act so that people are no longer liable for the first £50 when someone uses their credit or debit card to make fraudulent purchases. There is also a new seven-day cooling-off period during which you can change your mind and have your money refunded.

In this climate of concern, some companies are now offering nervous net shoppers peace of mind for a price. A company called CPP (Card Protection Plan) recently launched "e-shopsafe", described as the first comprehensive insurance policy designed to protect internet shoppers against fraud. It costs £10 a year and covers shopping done via any secure site worldwide - but it may only be worth con- sidering if you do a lot of shopping from over-seas websites because some of the protection it offers is already provided within the new UK rights that came into force on Tuesday.

Ms W, a marketing manager from York (she didn't wish to be identified), took out an e-shopsafe policy after she bought a book about environmental volunteer holidays over the internet - but later found her credit card details had been used by a fraudster to buy pornography.

Two months later, three transactions appeared on her statement for amounts under $30 that she most definitely didn't recognise. "When I looked closely I was horrified to see the name of the retailer I had supposedly shopped with. There was no doubt as to what they sold."

She was eventually reimbursed for the fraudulent transactions but the incident has severely dented her confidence. "I was surprised at how easy it all seemed for the fraudster. It has also made me more vigilant in checking my credit card statements."

Parool Patel, a freelance public relations director, was the victim of a similar (non porn-related) incident earlier this year when his statement showed US dollar purchases he had not made. He wondered if it might be internet-related as he had only recently been browsing the net for books and CDs. He contacted the card company which put the transaction into a "dispute account" and has heard nothing since. "I presume they have resolved the fraud or absorbed the cost," says Mr Patel.

In the longer term, a number of further measures are planned to combat card fraud, both online (which accounts for a small but growing percentage of total card fraud losses) and offline. The UK banking industry is currently rolling out a new generation of "smart" credit and debit cards containing computer chips but it's proving to be an agonisingly slow process. Though the roll-out commenced 18 months ago, currently only around 10m of the 120m cards in circulation have chips.

These new cards are more difficult and costly to counterfeit than traditional cards with a magnetic strip on the back, which are falling foul of a fast-growing problem called "skimming", where fraudsters copy data from a genuine card on to a blank card without your knowledge.

This might happen in a restaurant or bar where a crooked waiter takes your card away when you pay and secretly copies it. This is what happened to Adam Mason, 26, a consultant at a London sports marketing company. A few weeks ago he suddenly found he couldn't obtain cash from an ATM with his Barclaycard. When he called the company, they said they had put a block on his card because its fraud office had noticed his plastic had been used simultaneously in London and Morecambe - someone had run up a £400 bill in two days at various stores in the Lancashire town using a counterfeit card containing his data.

Adam had only recently made his first online purchase and initially believed this to be the source of the fraud, but he now reckons it was a result of a visit to "a particularly dodgy bar" where he had put his card behind the counter and had never received a receipt. Barclaycard fully reimbursed Adam and also recovered the counterfeit card, and he is full of praise for the way it sorted out the matter so quickly.

Tips for foiling fraudsters

Here we identify the online fraudsters' tricks of the trade and offer some advice on how to avoid their clutches.

• The password trick: A crook running a rogue website takes a customer's credit card number and password to go shopping at major online retailers that might also have been visited by that person. Many people use the same password for all their online shopping, so the crook will go to sites that only need a password before they allow customers to buy goods. Armed with the person's credit card details, they can then go on a shopping spree.

Tip: Use different passwords on different sites. Also, just as you wouldn't give your credit or debit card details to someone you don't know, make sure you trust the online retailer, says CPP, a company specialising in credit card protection. "Check out an unfamiliar site before you buy," it adds. "Do they have a secure site? Do they provide full address and contact details, not just a mobile phone number? Which trade organisations is the company a member of?" Secure sites typically display a padlock symbol on your screen when you are entering your details.

• The multiple debit trick: Asking visitors to the site to pay a "one-off" fee which turns into a regular amount charged to your credit card every month.

Tip: As we explain in the main article, the sites notorious for doing this are US-based porn sites, so you're clearly dabbling in dangerous waters and some people will have little sympathy for your predicament if this happens to you. If you are going to deal with a website that asks for such a one-off fee, make sure there is a contact phone number that works and check for a full address on the site.

• The undelivered goods trick

Tip: The advice above applies here too. You've got a better chance of sorting the matter out if the site is in the UK - at least it will be covered by our laws. As we have highlighted, new rules came in this week giving greater protection to people who shop online. One of the new rights is that if you haven't received the goods within 30 days, you are entitled to your money back, unless both parties have agreed to a longer period or alternative goods/services are supplied and you accept them.

• The email sales trick: A site that has your card details emails you with an offer to "upgrade" the service you receive. It says this will cost you perhaps an extra $19.99 a month and that if you don't reply within X days it will automatically start deducting the amount from your credit card. You do not get the message in time - it might be an old email address or you're on holiday - and you end up with a regular payment going out that you haven't authorised.

Tip: Check your emails regularly if you subscribe to a site that has your card details. And go through your credit card statement with a fine-tooth comb.