Example: [Collected on the Internet, 2003]
|
We all receive emails all the time regarding
one scam or another; but last week I REALLY DID get scammed! Both VISA
and MasterCard told me that this scam is currently being worked
throughout the Midwest, with some variance as to the product or amount,
and if you are called, just hang up.
My husband was called on Wednesday from "VISA" and I was called in Thursday from "MasterCard". It worked like this: Person calling says, "This is Carl Patterson (any name) and I'm calling from the Security and Fraud department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card issued by 5/3 bank. Did you purchase an Anti-Telemarketing Device for $497.99 from a marketing company based in Arizona?" When you say "No". The caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?" You say, "Yes". The caller You actually say very little, and they never ask for or tell you the card number. But after we were called on Wednesday, we called back within Long story made What makes this more remarkable is that on Thursday, I got a call from "Jason Richardson of MasterCard" with a word for word repeat of the VISA Scam. This time I didn't let him finish. I hung up. We filed a police report (as instructed by VISA), and they said they are taking several of these reports daily and to tell friends, relatives and coworkers. |
Origins: There are five points we generally try to apply in evaluating warnings about possible criminal schemes or activities:
1) Is the phenomenon outlined in the warning technically possible as described?
2) Is the phenomenon outlined in the warning plausible? (That is, some criminal schemes are technically possible, but they're too difficult, cumbersome, or expensive to plausibly enact on anything more than a very limited basis.)
3) Are there any verifiable instances of people having been victimized in the manner described by the warning?
4) Is there evidence that the criminal activity described in the warning is widespread?
5) Is the criminal activity described in the warning something the average person might fall victim to?
The scheme outlined in the message quoted above might be categorized as a "social engineering"
on the back of MasterCard and Visa cards. Just as the Internet and other technologies have greatly expanded the possibilities for making credit card purchases without the need to physically present a card to the seller, so have they created additional opportunities for identity thieves to make profitable use of purloined credit card numbers. After getting their hands on credit card numbers (often through such simple expedients as rummaging through trash to find discarded receipts or statements), crooks can then employ a variety of means (e.g., mail order, phone order, Internet purchases, posing as merchants) in order to obtain money and merchandise by charging against the cardholder's
Although safeguards have been enacted to catch most of these types of fraud, they're often defeated by a combination of lax security and clever
crooks who know how to work around them. One of the more recent safeguards is
the addition of three-digit security codes (known as CVC2 or CVV2 codes) to
every MasterCard and Visa card, codes which are indent-printed in the
signature panels on the backs of the cards but are not encoded in the magnetic
stripes and do not print on sales receipts. Many vendors cannot process credit
card transactions without obtaining these security codes from their customers,
thereby ensuring that persons placing orders have physical possession of the
cards being used (and haven't simply scammed the sixteen-digit account numbers
imprinted on the front of cards somehow). Thus the scheme described above
might be used by identity thieves who have managed to collect credit card
numbers but need to obtain the associated security codes in order to process
charges against the accounts. So, back to our five points:
1) Is this possible? — Yes, it's possible that scammers might get ahold of credit card numbers and then use the technique described above to obtain security codes and process phony transactions against the accounts.
2) Is this plausible? — The scam as described above is not extraordinarily difficult or expensive to pull off; all it requires is access to a telephone and the establishment of a merchant account for processing credit card transactions. It also assumes the scammer already has the names, addresses, phone numbers, and credit card numbers (plus expiration dates) of his victims, but that information might be obtained in a variety of ways (such as breaking into and stealing customer data from merchant web sites). Whether the same scammer could process more than a handful of phony charges before complaints caused his merchant account to be shut down is problematic, though.
3) Are there known instances of this occurring? — We talked with a representative of MasterCard, who told us that although she couldn't verify the specific details of the message reproduced above, this type of scam does occur and isn't new; it's been going on ever since MasterCard started putting CVC2 security codes on all its cards back in 1997. (Visa did not put CVV2 codes on all its credit cards until 2001.) She also reiterated that MasterCard would not ask a cardholder to disclose security codes or provide any information verifying physical possession of a card; any such inquiries regarding security matters would come from the financial institution that issued the credit card, not from MasterCard itself.
4) Is this a widespread phenomenon? — Unfortunately, MasterCard was unable to provide us with any statistics regarding the specific scam described here, other than to note that using the telephone to trick cardholders into divulging their security codes is a type of fraud that has been occurring for several years and is ongoing.
5) Is this something that might affect the average person? — Yes, anyone who holds a credit card is a potential victim of this type of fraud.
The best protection against these types of telephone schemes for obtaining sensitive credit card information is to always verify the identities of the people with whom you speak. If you have security questions or concerns about your credit card, call the financial institution who issued your card directly. If someone contacts you by phone about your credit card, ask the caller to provide his name, department, and extension, then hang up and call him back through the phone number listed on your credit card or billing statement.