Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

The “Free Trial” Scam​

Data analytics uncovers a sales force fraud using prepaid credit cards to boost commissions.

Comments Views

​I specialize in high-crime, low-income areas, where the average household is on government assistance.” These were the exact words of Erin Turner, one of the top sales representatives at a home security company who was now under investigation for fraud. Bruce Dwyer, the company’s forensic auditor, sat baffled by the comment, wondering how so many people living on government assistance could afford a home security and automation system with a $50 monthly monitoring fee. During the interview, Turner produced a purse full of prepaid credit cards and explained to Dwyer how she obtained them, what they were used for, and how she provided the numbers to some of her customers to facilitate installation of a security system.

Dwyer’s investigation was the result of an analysis of a national summer promotion. The premise of the offer was a limited time, deeply discounted installation with a three-year monitoring agreement. The marketing analysis had produced mixed results. The company had made a lot of deeply discounted sales but many of the units were already being discontinued for nonpayment. Some of the sales representatives had disproportionate disconnect rates. Management suspected fraud. Dwyer was tasked with conducting the investigation. He decided to start with what appeared to be the largest offender, Turner, who also happened to be one of the top sales representatives.

Turner built her book of business using the company’s promoter program, where sales representatives are encouraged to develop a network of professionals and small businesses — promoters — that would refer potential customers to them. If a referral turned into a sale, the sales representative earned a commission and the promoter earned a referral fee. Turner was working with one primary promoter in a handful of large apartment complexes. A quick review of her personnel file revealed the promoter to be Turner’s sister.

During the interview, Turner told Dwyer that her sister was going door to door and convincing the neighbors to install a security system. Her sales pitch was that the system was free to install, they could try it for six months without making a payment, and if they were not satisfied with the service they could simply stop making payments. There were no strings attached. Turner’s sister provided customers with a prepaid credit card to get the installation completed.

On Dwyer’s flight home, he made a list of all the sales representatives and wondered if they also were abusing prepaid credit cards. A prepaid credit card is activated when the cardholder pays a small fee and “loads” the card by putting a set amount of money on it. Once a prepaid credit card is activated, the number is live until the card’s expiration date or the holder cancels the card. When a transaction occurs, the balance on the card is reduced. Dwyer discovered that the company’s billing and collection system could only validate that a credit card presented was “live.” In other words, the system could not determine if the credit card presented for installation charges and recurring payments was a credit card, gift card, or prepaid credit card. Furthermore, if it was a prepaid credit card they could not validate that enough funds were available for the installation charges, let alone the recurring monthly monitoring fees.

As luck would have it, Thomas Border, the IT specialist responsible for credit card transactions, had noticed a pattern of abuse with prepaid credit cards. Together, Dwyer and Border analyzed all credit card transactions for a six-month period to identify and quantify a pattern of abuse. To conduct the investigation, credit card transactions had to be matched to a bank identification number (BIN) database to identify prepaid credit card usage. The 16 digits on credit cards are the result of a complex algorithm. The first six digits are referred to as the BIN. The BIN can determine what institution issued the card and the type of card it is. Dwyer and Border obtained the customer account numbers associated with the cards and the names of the sales representatives who made the sales to identify who had either provided or accepted prepaid credit cards.

Based on the findings, Dwyer then conducted investigations of the other sales representatives and discovered a similar pattern of abuse. In some cases, Dwyer identified sales representatives who signed up 25 to 30 customers on a single prepaid credit card. Most of these accounts would immediately default on their payments, but the sales representatives collected commissions on each sale, regardless. At one point, Dwyer estimated that the scheme was costing the company almost $5 million annually over the course of two years. The sales representatives involved in the scheme were immediately terminated.

Lessons Learned

  • Prepaid credit card usage is a common fraud scheme among commissioned sales forces, so internal auditors should compare all credit card transactions against a BIN database to identify prepaid credit card transactions, find out which customer accounts used a prepaid credit card as payment, look at the payment history while focusing on customers who have made zero or a single payment, and identify the sales representatives on the account to uncover any wrongdoing.  
  • The many-to-one test identifies how many customer accounts are associated with a single credit card number. After identifying a target list, internal auditors should look at the customer content (name, address, and location) to see if they are family members or small businesses that might be legitimately sharing a credit card. If no commonality can be identified, internal auditors should investigate. Incidentally, this procedure also works for checking accounts.
  • The scheme could have been caught sooner if the finance department was working more closely with the company’s credit card processor. Processors can assist with identifying prepaid credit cards in their transaction database.
  • Companies can decide not to accept prepaid credit cards for recurring monthly payments, but it must first check its agreement with its credit card processor as it may be legally required to accept prepaid credit cards as a form of payment.
  • Exception reports identifying sales representatives accepting prepaid credit cards should be produced monthly and distributed to area general managers to review for fraudulent activity. Internal audit should be notified of any apparent fraudulent activity and engaged to conduct an investigation.
  • As a result of this investigation, and several other observations, the company began conducting enhanced customer screenings in the form of credit checks on all prospective customers. Customers who have low credit scores are now required to make several months of recurring payments before system installation can occur. Requiring several months of recurring payments up front helps reduce fraudulent use of prepaid credit cards.  
Grant Wahlstrom
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Grant WahlstromGrant Wahlstrom<p><span><span>Grant Wahlstrom, CIA, CPA, CFE, is the forensic audit manager at a privately held company in Hollywood, Fla. </span></span>​</p>


Comment on this article

comments powered by Disqus
  • AuditBoard-May-2021-Premium-1
  • Awareness-Month-May-2021-Premium-2
  • Virtual-IC-May-2021-Premium-3



Thanks, We Already Know That, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Six Data Privacy Predictions for 2020 Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19 Servants Are Vital to Defeating COVID-19