Think your company's parcel shipping account numbers are private? Think again. Crooks are having a field day at your expense.
"As through this world I've wandered, I've seen lots of funny men. Some will rob you with a six-gun and some with a fountain pen." Famous words from that Oklahoma entrepreneur, Charles "Pretty Boy" Floyd (1904-1934).
Today, substitute the words "computer" or "cell phone" for "fountain pen." Different tools, same commitment on the part of the bad guys.
Bill Knasinski, vice president, parcel and logistics solutions, Genco (Pittsburgh), has done a bit of investigative-reporter work. His findings are eye-opening. Users of any of the major parcel shippers, UPS, FedEx or DHL—that is, pretty much everyone—need to pay attention. His findings estimate about $400 billion in losses to U.S. companies, per year, due to employee theft and parcel fraud.
"In doing this research," says Knasinski, "I went to one shipper's Web site, created an account under an alias, and could have successfully shipped anything I wanted on someone else's tab." This aligns with a recent report from Ernst & Young that said retailers have more to fear from dishonest employees than they do from shoplifters. We're going to hide some of the names in this article to protect the guilty.
It began innocently enough. While doing a Web search, Knasinski came upon Company X, which explained how to create a UPS account under its name. "The step-by-step process was written so precisely," says Knasinski, "even a person with little Internet competence could create an account for which Company X would pay the invoice."
Interested, he dug deeper and discovered a memo from Company Y directing its suppliers to an online routing matrix. "I was astonished to find more than 50 UPS account numbers listed there," says Knasinski. "This memo was virtually inviting the general public to use these accounts to ship things for free. Company Y would be billed for the charges even though it was not the sender nor receiver."
Knasinski's examples refer to UPS; however, it's apparent that all of the major shippers have similar procedures. He says he found a state university Web site that explains exactly how to locate a FedEx account number on an outbound package. "Another Web site [Company Z] gave its account number and also directed its employees to print their personal credit card numbers on the FedEx air bill for personal packages."
You can easily guess the disasters that would befall you if you put your personal credit card number on the outside of a carton. So, have you ever thought of the consequences of a company account number being displayed on every outbound package? This tracking number tells the shipper what's inside the box, how large it is and where it's going. "Unfortunately," says Knasinski, "this number also provides criminals with access to the company's account, most likely under an alias so they can't be traced." Once the account number has been snatched, all the bad guy has to do is go online, create an account, print a label and ship the stuff.
Here's why your company is vulnerable. These thieves are smart enough not to use a personal account that is reviewed closely and frequently. They choose corporations because they know you're too busy and too understaffed.
Does your company waive shipping charges if your customer provides a valid shipper account number? Remember, no good deed goes unpunished. Your (good) intention might be to allow your customer to pick the shipper of his choice; however, it allows criminals (by entering a bogus number) to pass on the expense to some unsuspecting company.
Companies, possibly yours, spend millions of dollars shipping products every week. It's tough to spot a missing thousand dollars here or there. It does, however, eventually add up to real money. And if you do spot an irregularity, what can you do about it? These thieves are a subspecies of e-mail spammers. They use fake names and addresses. Catching them is as easy as shoveling smoke.
So what can you do? Here's what Knasinski recommends for protecting your account number and your company:
- Don't post your account numbers on the public Internet.
- Be careful to whom you give shipping account numbers.
- Perform an unannounced audit of your parcel carriers' invoices to look for personal shipments.
- Request electronic copies of your parcel trailer manifest to compare with orders shown as shipped.
- Test the measures in place to safeguard trailers.
- Establish an anonymous tip line.
- Employee screening is essential to know who you hire.
- When someone is caught, be severe.
- Audit line-item charges on your invoices by checking origin validation, destination validation, and miscellaneous fields. This last piece of advice is because eBay item numbers are often put in the reference fields by the fraudulent shippers.
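The invoice checks recommended above (origin validation, destination validation, reference-field review, and the manifest comparison) can be scripted. This is an added example, not part of the original article; every field name, ZIP code, tracking ID and reference format in it is a constructed assumption, and a real carrier invoice export will use different columns.

```python
import re
from dataclasses import dataclass

# All values below are constructed sample data (hypothetical ZIPs, IDs, formats).
COMPANY_SITES = {"15222", "43215"}          # our own shipping docks
APPROVED_SUPPLIERS = {"44114"}              # allowed inbound origins
CUSTOMERS = {"60607", "30303"}              # ship-to ZIPs from the order system
ORDER_REF = re.compile(r"^(SO|PO)-\d{6}$")  # assumed internal reference format
MANIFEST = {"T1"}                           # tracking IDs on the trailer manifest

@dataclass
class InvoiceLine:
    tracking: str
    origin_zip: str
    dest_zip: str
    reference: str
    charge_cents: int

def audit_line(line: InvoiceLine) -> list[str]:
    flags = []
    if line.origin_zip not in COMPANY_SITES | APPROVED_SUPPLIERS:
        flags.append("origin")
    if line.dest_zip not in COMPANY_SITES | CUSTOMERS:
        flags.append("destination")
    # Billed to us although we are neither the sender nor the receiver.
    if line.origin_zip not in COMPANY_SITES and line.dest_zip not in COMPANY_SITES:
        flags.append("third-party")
    # Reference field is empty or holds something other than our order number.
    if not ORDER_REF.match(line.reference.strip()):
        flags.append("reference")
    # Left one of our docks but never appeared on the manifest.
    if line.origin_zip in COMPANY_SITES and line.tracking not in MANIFEST:
        flags.append("not-on-manifest")
    return flags

def audit(lines):
    """Return ({tracking: flags} for flagged lines, total flagged charges in cents)."""
    findings = {l.tracking: f for l in lines if (f := audit_line(l))}
    exposure = sum(l.charge_cents for l in lines if l.tracking in findings)
    return findings, exposure

INVOICE = [  # constructed invoice lines
    InvoiceLine("T1", "15222", "60607", "SO-104522", 1840),     # normal outbound order
    InvoiceLine("T2", "98101", "33101", "290417730112", 4810),  # neither end is ours
    InvoiceLine("T3", "15222", "15237", "", 2375),              # dock to unknown address
    InvoiceLine("T4", "44114", "15222", "PO-220113", 3120),     # normal inbound supply
]

if __name__ == "__main__":
    print(audit(INVOICE))
```

Flagged lines are leads for a manual review, since a new customer or a one-off shipment will also fail these checks.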
Someday these thieves will apply their brainpower to doing some good in the world. Until then, protect your company account numbers with the same vigor that you protect your personal credit card numbers.