Digital channels are a huge help in thwarting fraudulent charges.

In the old days (as recently as 5 or 6 years ago), the best you could hope for when your card number was compromised was a cryptic voice message left on your landline phone. And that introduced a reporting delay since cardholders wouldn’t hear that message for many hours, or even days if traveling. Even now, many issuers still rely on email (see Bank of America example above), which is better than a voicemail, but it is still unlikely to be read immediately. In our UX work we highly recommend sending suspicious-activity alerts by instant message or text message whenever possible.

But no matter which digital communications method you choose, you need to provide as much info about the suspect charges as possible. Clearly, BofA has some work to do along those lines.

Here’s what happened.

On Saturday morning our BofA card became non-responsive, first at the parking meter, then the coffee shop. As a customer, you know you have a problem when small-value authorizations are declined. We knew the card was either severely over limit (because the holidays of course) or that we had a suspicious-activity hold. We used another card at that point, but later that morning my wife saw the above email from BofA raising concerns about three charges.

Here’s where things went south. The issues:

  1. No clarity on which charge was suspect: While the bank failed to say so, clearly the issue was the $200 at RESCO (the other $3 charges at Whole Foods and AMC Theatres in Seattle would clearly not be cause for alarm since they are frequently used merchants in my neighborhood).
  2. No info on the merchant: The bank only listed the merchant name, RESCO. We had no idea where it was located or what products/services it sold. A quick search on our mobile directed us to an electronics store in Kansas or a cloud-services provider in Eastern Europe.
  3. No info on past charges to the merchant: The bank didn’t disclose whether we’d ever used the merchant before (although we assumed we hadn’t or the transaction wouldn’t have been flagged). And BofA does not support search by merchant name, so you couldn’t find it even if you tried.
  4. No way to temporarily hold the card: At that point, we figure it’s likely fraud, but the choices on the email are either “YES we recognize the charges” or “NO, we do not recognize them all.” There is no “I’m not sure” choice, which is what we wanted to use. Since we were heading home, we delayed answering so that we could open up the full online banking site and research the merchant.

Unfortunately, it turns out that the bank’s online banking also contained just the cryptic merchant name RESCO. So as we cursed the thief for making us once again go through the tedious exercise of replacing the card number all over the web, we ticked the “fraud” box for the transaction and logged out.

However, my wife, not one to let a mystery stay unsolved, searched RESCO in her email. It turns out that she had a receipt from earlier in the year with that merchant name. It was the processing company for a hotel we’d booked earlier in the year and just recently extended the stay by a night, hence the $200 charge. It was legit after all.

She immediately called BofA back to correct the record. It was no more than 10 minutes after saying the charge was fraudulent. After speaking with 3 people and spending about 30 minutes on the phone, she had corrected the record, and the merchant received their money. However, the bank was unable to reverse the cancellation of our card.

We now get to spend an hour or two resetting payment instructions across the web. And the bank, when you count the cost of the customer service, card reissuing, 2-day FedEx and the lost business until we get the card back (not to mention any recurring charges we establish with another card), is out $50 to $100. Multiply this times millions of cardholders, and it’s real money, even for a massive bank.

And it was all so avoidable.

The fix:

  1. Identify specifically which charge was suspicious and why
  2. Include merchant location on the suspicious activity notice
  3. Include merchant type and description on the notice
  4. Include previous charges to the same merchant
  5. Provide contact info for the merchant, especially web address
  6. Offer an “I’m not sure” option on the response, which freezes the account while the cardholder researches the charge
  7. Explain the consequences of each choice
  8. Before cancelling and replacing the card, give your customer time to reconsider whether it was really fraud. You can block it, but don’t reissue immediately. This happened on a Saturday morning, so there was no reason to rush through a new card reissue that won’t go out until Monday at the earliest.
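
Fixes 6 through 8 amount to a small state machine on the issuer side. The sketch below is an added example, not code from BofA or any issuer: the state names, the `respond` and `run_reissue_job` functions and the 24-hour grace window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

GRACE = timedelta(hours=24)  # assumed reconsideration window; the post gives no figure

class CardState(Enum):
    ACTIVE = "active"
    FROZEN = "frozen"      # "I'm not sure": new authorizations held, number kept
    BLOCKED = "blocked"    # reported as fraud, reissue not yet committed
    REISSUED = "reissued"  # old number cancelled, cannot be undone

# Fix 7: the consequence text shown next to each choice on the notice.
CONSEQUENCES = {
    "yes": "Card stays active and the charges stand.",
    "not_sure": "Card is frozen while you research; your card number is kept.",
    "no": "Card is blocked now and replaced only if you do not change your answer.",
}

@dataclass
class Card:
    state: CardState = CardState.ACTIVE
    reissue_after: Optional[datetime] = None

def respond(card: Card, answer: str, now: datetime) -> CardState:
    """Apply a cardholder reply; a later reply may overwrite an earlier one."""
    if answer not in CONSEQUENCES:
        raise ValueError(f"unknown answer: {answer!r}")
    if card.state is CardState.REISSUED:
        raise ValueError("card already reissued; a reply can no longer change it")
    card.reissue_after = now + GRACE if answer == "no" else None
    card.state = {"yes": CardState.ACTIVE, "not_sure": CardState.FROZEN,
                  "no": CardState.BLOCKED}[answer]
    return card.state

def run_reissue_job(card: Card, now: datetime) -> bool:
    """Fix 8: commit the reissue only once the grace window has expired."""
    if card.state is CardState.BLOCKED and now >= card.reissue_after:
        card.state = CardState.REISSUED
        return True
    return False

# Constructed replay of the post's timeline: "fraud" reply, corrected 10 minutes later.
t0 = datetime(2024, 1, 6, 10, 0)  # constructed timestamp (a Saturday morning)
card = Card()
respond(card, "no", t0)
respond(card, "yes", t0 + timedelta(minutes=10))
assert card.state is CardState.ACTIVE and not run_reissue_job(card, t0 + GRACE)
```

The card is blocked the moment fraud is reported, so exposure stops immediately; only the irreversible step, cancelling the number, waits for the window to close.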

Bottom line: Even implementing just a few of the above suggestions could save $10 to $20 per cardholder per year.

Whether you have 10,000 or 10 million customers, the ROI for better security UX in this area is significant.