Credit Card Scams Getting Clever
May 5, 2005
I just got the following e-mail in my inbox that you might want to read:
My husband was called on Wednesday from "VISA", and I was called on
Thursday from "MasterCard". The scam works like this:
Person calling says, "this is John, and I'm calling from the Security and Fraud Department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by bank. Did you purchase an Anti-Telemarketing Device for $497.99 from a marketing company based in Arizona?"
When you say "No", the caller continues with, "Then we will be issuing a
credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?"
You say "yes". The caller continues... "I will be starting a fraud investigation. If you have any questions, you should call the 1-800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this Control #" The caller then gives you a 6 digit number. "Do you need me to read it again?"
Here's the IMPORTANT part on how the scam works. The caller then says, "he needs to verify you are in possession of your card". He'll ask you to "turn your card over and look for some numbers. There are 7 numbers; the first 4 are your card number, the next 3 are the 'Security Numbers' that verify you are in possession of the card. These are the numbers you use to make Internet purchases to prove you have the card. Read me the 3 numbers". After you tell the caller the 3 numbers, he'll say ,"That is correct. I just needed to verify that the card has not been lost or stolen, and that you still have your card, Do you have any other questions?" After you say No, the caller then Thanks you and states, "Don't hesitate to call back if you do", and hangs up.
You actually say very little, and they never ask for or tell you the card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of $497.99 was charge on on our card.
Long story made short, we made a real fraud report and closed the VISA card, and they are reissuing us a new number. What the scammers wants is the 3-digit PIN number on the back of the card. Don't give it to them. Instead, tell them you'll call VISA or Master card direct. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you're receiving a credit. However, by the time you get your statement, you'll see charges for purchases you didn't make, and by then it's almost to late and/or harder to actually file a fraud report.
What makes this more remarkable is that on Thursday, I got a call from a
"Jason Richardson of MasterCard" with a word-for-word repeat of the VISA scam. This time I didn't let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening.
Now, as I am accustomed to doing whenever I get something like this, I immediately went to Snopes.com to check this one out. Here's what I found:
are five points we generally try to apply in evaluating warnings about possible criminal schemes or activities:
1) Is the phenomenon outlined in the warning technically possible as described?
2) Is the phenomenon outlined in the warning plausible? (That is, some criminal schemes are technically possible, but they're too difficult, cumbersome, or expensive to plausibly enact on anything more than a very limited basis.)
3) Are there any verifiable instances of people having been victimized in the manner described by the warning?
4) Is there evidence that the criminal activity described in the warning is widespread?
5) Is the criminal activity described in the warning something the average person might fall victim to?
The scheme outlined in the message quoted above might be categorized as a "social engineering" scam — a technique which preys upon people's unquestioning acceptance of authority and willingness to cooperate in order to extract from them sensitive information (such as computer passwords or credit card numbers). In this case the scammers' target data are the three-digit security codes found on the back of MasterCard and Visa cards.
Just as the Internet and other technologies have greatly expanded the possibilities for making credit card purchases without the need to physically present a card to the seller, so have they created additional opportunities for identity thieves to make profitable use of purloined credit card numbers. After getting their hands on credit card numbers (often through such simple expedients as rummaging through trash to find discarded receipts or statements), crooks can then employ a variety of means (e.g., mail order, phone order, Internet purchases, posing as merchants) in order to obtain money and merchandise by charging against the cardholder's account — even though the credit card itself remains snugly inside the cardholder's wallet. The victim may not even know anything is amiss until he receives his next statement in the mail several weeks later.
Although safeguards have been enacted to catch most of these types of fraud, they're often defeated by a combination of lax security and clever crooks who know how to work around them. One of the more recent safeguards is the addition of three-digit security codes (known as CVC2 or CVV2 codes) to every MasterCard and Visa card, codes which are indent-printed in the signature panels on the backs of the cards but are not encoded in the magnetic stripes and do not print on sales receipts. Many vendors cannot process credit card transactions without obtaining these security codes from their customers, thereby ensuring that persons placing orders have physical possession of the cards being used (and haven't simply scammed the sixteen-digit account numbers imprinted on the front of cards somehow). Thus the scheme described above might be used by identity thieves who have managed to collect credit card numbers but need to obtain the associated security codes in order to process charges against the accounts.
So, back to our five points:
1) Is this possible? — Yes, it's possible that scammers might get ahold of credit card numbers and then use the technique described above to obtain security codes and process phony transactions against the accounts.
2) Is this plausible? — The scam as described above is not extraordinarily difficult or expensive to pull off; all it requires is access to a telephone and the establishment of a merchant account for processing credit card transactions. It also assumes the scammer already has the names, addresses, phone numbers, and credit card numbers (plus expiration dates) of his victims, but that information might be obtained in a variety of ways (such as breaking into and stealing customer data from merchant web sites). Whether the same scammer could process more than a handful of phony charges before complaints caused his merchant account to be shut down is problematic, though.
3) Are there known instances of this occurring? — We talked with a representative of MasterCard, who told us that although she couldn't verify the specific details of the message reproduced above, this type of scam does occur and isn't new; it's been going on ever since MasterCard started putting CVC2 security codes on all its cards back in 1997. (Visa put CVV2 codes on all its credit cards until 2001.) She also reiterated that MasterCard would not ask a cardholder to disclose security codes or provide any information verifying physical possession of a card; any such inquiries regarding security matters would come from the financial institution that issued the credit card, not from MasterCard itself.
4) Is this a widespread phenomenon? — Unfortunately, MasterCard was unable to provide us with any statistics regarding the specific scam described here, other than to note that using the telephone to trick cardholders into divulging their security codes is a type of fraud that has been occurring for several years and is ongoing.
5) Is this something that might affect the average person? — Yes, anyone who holds a credit card is a potential victim of this type of fraud.
The best protection against these types of telephone schemes for obtaining sensitive credit card information is to always verify the identities of the people with whom you speak. If you have security questions or concerns about your credit card, call the financial institution who issued your card directly. If someone contacts you by phone about your credit card, ask the caller to provide his name, department, and extension, then hang up and call him back through the phone number listed on your credit card or billing statement.
Help stop this "scam" before it becomes an epidemic!