Hotels.com Didn't Verify Security Codes on Stolen Credit Card Account, Alleged Complaint
Hotels.com allowed unknown third parties to charge $1.5 million in hotel reservations to Shervin Pishevar’s credit card between December 2018 and March 2022, alleged an April 25 complaint (docket 1:24-cv-22081) in the 11th Circuit Court for Miami Dade County, Florida, removed Thursday to U.S. District Court for Southern Florida.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Hotels.com allowed unknown third parties to make “thousands” of reservations using the Florida resident’s American Express Centurion card -- reaching five or more daily in mid-2021 -- without the “suspicious activity” ever detected, identified, questioned, investigated or blocked by the online reservation service, alleged the complaint. The charges were all made using a card that had been canceled by early 2019, soon after the fraudulent charges began, it said. The plaintiff doesn’t have a Hotels.com account, it added.
Despite claims that it verifies credit card security codes for each online credit card transaction to protect against unauthorized use of credit cards on its website, Hotels.com “accepted and processed these fraudulent charges without question through at least March of 2022,” even though they were all made using a card number that had been canceled, alleged the complaint. The charges wouldn’t have been processed if the defendant had verified the card’s security code because the card had been canceled, it said.
Upon information and belief, Hotels.com “was informed at some point by American Express that the charges had been contested by the cardholder as fraudulent,” alleged the complaint. But Hotels.com "failed to adequately investigate the charges, declined to reverse the charges as fraudulent, and continued to allow charges to be made to the card thereafter,” it said.
The defendant has “flatly denied all responsibility and has “refused to provide any explanation as to: (1) how thousands of highly suspicious charges made on Mr. Pishevar’s card were not flagged by Hotels.com’s fraud prevention systems or (2) how the vast majority of the charges were processed using a cancelled card number,” the complaint said. The defendant made “hundreds of thousands of dollars in commissions from the illegal use” of Pishevar’s credit card and “has retained the profits it earned from this illegal activity without authority,” it said.
The plaintiff, a Florida resident, alleges that before Dec. 8, 2018, “through unknown means,” the stolen card number “was misappropriated by an unknown person or persons,” who then schemed to defraud Pishevar by “surreptitiously using” the stolen card number to make Hotels.com reservations, it said. The reservations were made mostly for hotels in the Miami area under the same four names, often with multiple reservations made at different hotels “simultaneously under the same names,” it said.
Despite the “suspicious nature of the voluminous, often overlapping, reservations made under the same names from the same Hotels.com accounts, Hotels.com failed to adequately investigate this ongoing fraud, even after being informed that the charges were being challenged as fraudulent,” alleged the complaint. The charges were made to Pishevar’s personal card from a Hotels.com account not associated with him, under the name of unknown third parties, it said.
A “massive number of reservations” were being reserved to a personal card that didn’t match the name on the Hotels.com account being used for the reservations, or for the names on any of the reservations, but “Hotels.com took no steps to verify the authenticity of the transactions,” the complaint said.
Pishevar doesn’t know who made the charges, nor does he know any of the third parties whose names appear on the reservations associated with the fraudulent charges, said the complaint. He was first notified of the fraud in January 2022 and immediately took steps to “challenge the charges and notify American Express,” the complaint said. Upon information and belief, American Express then contacted Hotels.com to dispute the charges, it said.
In April 2023, more than 15 months after Pishevar first reported the fraudulent charges to American Express, Pishevar received word from the credit card company that it was refusing to reverse the fraudulent charges and “his fraud claim would be closed,” alleged the complaint. American Express contacted Hotels.com and requested chargebacks for 48 fraudulent charges dating to March 2022, but the defendant failed to conduct a reasonable investigation “despite being put on notice of the facially suspicious volume and nature of the reservations at issue and declined the requested “chargebacks,” it said.
Hotels.com makes a commission of approximately 30% of the value of each hotel reservation through its website, which would result in at least $450,000 from the fraudulent charges made to Pishevar’s card, alleged the complaint. The defendant “continues to hold the monies it obtained from this illegal activity without legal basis and despite demand for return,” it said. Mr. Pishevar and Hotels.com entered a tolling agreement dated Aug. 23, 2023, which tolled the statutes of limitations on the claims applicable to this matter through April 24 of this year, it said.
The plaintiff asserts claims of unjust enrichment, money had and received, breach of contract, negligence and conversion. He demands judgment against Hotels.com in the amount of fraudulent charges -- about $1.5 million -- plus legal costs and interest. Alternatively, Pishevar demands a judgment requiring Hotels.com to convey to him “any rewards, points, or other valuable benefits” that accrued from the fraudulent charges, it said.