Payment accounts such as credit card and debit card accounts are sometimes used by criminals to perpetrate fraud. In one type of payment account fraud, commonly referred to as a “bust-out” scheme, a perpetrator obtains one or more payment card and/or merchant accounts with an intent to defraud. Such schemes typically occur in two variants: the “cardholder bust-out” and the “merchant bust-out”—although both variants may be present in a single criminal enterprise.
In a cardholder bust-out, one or more payment card accounts are obtained using fraudulent applications; the intent is to pay future bills with bad checks. The scheme begins when an individual obtains a portfolio of payment accounts. Typically the cardholder nurtures the accounts by conducting transactions and making genuine payments during a “warm-up” period, thus establishing a seemingly legitimate usage and payment profile. Then, after the warm-up period, the cardholder conducts further transactions, but pays the resulting credit card bill(s) with bad checks. The checks may be business checks or credit card balance transfer checks, and may be used in a round-robin kiting pattern. Financial institutions often increase an account's open-to-buy amount upon receipt of a check, without waiting for the check to clear. The cardholder can therefore conduct a second round of shopping transactions before the check is returned to the card issuer for insufficient funds. The shopping often involves purchases of valuable merchandise or services at legitimate merchants. These goods and services may include electronics, jewelry, furniture, airline tickets, auto repairs, and/or cash advances at banks or gaming establishments. Alternatively, or in addition, the perpetrator can conduct phony transactions in which no goods or services are provided. Such phony transactions can be conducted either with collusive real merchants—typically in exchange for a share of the transaction value—or with sham merchants. When phony transactions are performed, the acquiring bank's deposits to the merchant's account serve as the proceeds of the scheme.
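The exposure described above, where an issuer raises open-to-buy on receipt of a check that is later returned, can be measured from an account's event history. The following Python is an added example, not part of the original text; the event format, account names, credit limits and amounts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (day, account, kind, amount, check_id)
EVENTS = [
    (1, "A", "purchase", 400, None),
    (20, "A", "check", 400, "c1"),
    (25, "A", "cleared", 0, "c1"),       # warm-up: genuine payment clears
    (40, "A", "purchase", 1000, None),   # balance reaches the credit limit
    (50, "A", "check", 1000, "c2"),      # credited on receipt, not yet cleared
    (51, "A", "purchase", 950, None),    # second round of shopping
    (56, "A", "returned", 0, "c2"),      # check comes back for insufficient funds
    (1, "B", "purchase", 300, None),
    (15, "B", "check", 300, "c3"),
    (20, "B", "cleared", 0, "c3"),
    (30, "B", "purchase", 200, None),
]
LIMITS = {"A": 1000, "B": 1000}          # constructed credit limits

def bust_out_exposure(events, limits):
    """Per account: spend that only fit under the limit because of uncleared checks."""
    balance = defaultdict(int)           # balance with checks credited on receipt
    pending = defaultdict(dict)          # account -> {check_id: amount} awaiting clearing
    report = defaultdict(lambda: {"uncleared_spend": 0, "returned": 0, "cleared_payments": 0})
    for day, acct, kind, amount, check_id in sorted(events, key=lambda e: e[0]):
        if kind == "check":
            balance[acct] -= amount      # open-to-buy rises immediately
            pending[acct][check_id] = amount
        elif kind == "cleared":
            pending[acct].pop(check_id, None)
            report[acct]["cleared_payments"] += 1
        elif kind == "returned":
            bad = pending[acct].pop(check_id, 0)
            balance[acct] += bad         # reverse the provisional credit
            report[acct]["returned"] += bad
        elif kind == "purchase":
            held = balance[acct] + sum(pending[acct].values())  # balance if credit were held
            over_before = max(0, held - limits[acct])
            balance[acct] += amount
            over_after = max(0, held + amount - limits[acct])
            report[acct]["uncleared_spend"] += over_after - over_before
    return dict(report)

def flag(report):
    """Accounts that spent against an uncleared check and then had a check returned."""
    return sorted(a for a, r in report.items() if r["uncleared_spend"] > 0 and r["returned"] > 0)
```

Account A has one cleared warm-up payment followed by spend that depended entirely on a check that was later returned; account B, with the same warm-up history, produces no exposure.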
In a merchant bust-out, the perpetrator obtains one or more merchant accounts and uses the accounts to perform transactions based on stolen account data or on card accounts obtained with fraudulent applications. The scheme begins either with the establishment of one or more sham merchant accounts or with a decision by a legitimate merchant to perform phony transactions in collusion with cardholders. The merchant and cardholder may, in fact, be the same human person. In some cases, merchant accounts are established solely for the purpose of conducting transactions on compromised payment accounts. For example, the merchant may conduct transactions using stolen cards or, more typically, stolen account data. Stolen account data are typically acquired by skimming (covertly copying a card's magnetic stripe data) or by hacking into an Internet merchant's website.
Cardholder bust-out schemes are often not identified as fraud by payment card issuers because in many cases the losses are handled by a financial institution's collections department. A bust-out merchant may not be identified as fraudulent by its acquiring bank unless and until chargebacks are posted. Chargebacks are not posted unless and until the payment card issuer determines that accounts were used fraudulently. Furthermore, even if individual schemes are detected, each victimized financial institution may never recognize that the individual schemes are part of a larger web of organized activity.