In our weekly newsletters, we often give our merchants information on fraud, scams, and how to protect themselves from being stung by them. When merchants called in, we were directing them to dozens of different newsletters to help them "catch up" on this most important information. To make this easier, we have created our "Fraud Watch" page as a single, complete resource on the latest fraud and fraud avoidance information.
Our info in action: "Thank you for the info today. We learned the card belonged to someone else and was flagged. The TTY scam info in the newsletter gave us the knowledge to recognize the fraud before it could happen. The info keeps us on our toes. Again thank you for your hard work." -- Glen Draper TECH USA http://www.techusa.biz
By understanding how the VISA & MasterCard Telephone Credit Card Scam works, you'll be better prepared to protect yourself. Those con artists get more creative every day.
The scam works like this: The person calling says, "This is (name) and I'm calling from the Security and Fraud Department at VISA. My Badge number is 12345. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card which was issued by bank XYZ. Did you purchase an Anti-Telemarketing Device for $497.99 from a marketing company based in Arizona?" When you say "No", the caller continues with, "Then we will be issuing a credit to your account. Before your next statement, the credit will be sent to (gives you your address), is that correct?" You say "yes."
Here's the IMPORTANT part on how the scam works. The caller then says, "We need to verify you are in possession of your card." He'll ask you to "turn your card over and look for some numbers. There are 7 numbers; the first 4 are your card prefix, the next 3 are the 'Security Numbers' that verify you are in possession of the card. Read me the 3 numbers." After you tell the caller the 3 numbers, he'll say, "That is correct. I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?"
You actually say very little, and they never ask for or tell you the card number. What the scammer wants is the 3-digit PIN number on the back of the card. Don't give it to them. Instead, tell them you'll call VISA or MasterCard direct. If you give the scammers your 3-digit PIN number, you think you're receiving a credit. However, by the time you get your statement, you'll see charges for purchases you didn't make, and by then it's almost too late and/or harder to actually file a fraud report.
New browser spoofing exploit! If you think that because you use Firefox, Safari, Opera, or Navigator, you are safe, FORGET IT. There is a new browser spoofing trick that allows a spoofed website to look like the real thing in both the hyperlink AND in the address bar of the browser. The ONLY browser that is immune to this one is Microsoft's Internet Explorer! (It was just a matter of time until the hackers took advantage of those browsers with documented source code online... and such an easy target.) See the full article here. With this exploit, and a Non-Microsoft browser, they can even spoof the security certificate! The next time you log into PayPal, you could be typing your info on a server in Nigeria! The problem is that Mozilla, Firefox, Opera and others don’t restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to “hijack” most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees….
Taking Checks? One of our merchants, who sells at the swap meets, takes a picture of anyone using a personal check. Another merchant takes a photo of the customer's driver's license for large dollar amount purchases. You may want to check and see if there are any ordinances or regulations in your state, county, or city against doing this, but according to the reports, it REALLY cuts down on fraud and chargebacks. If a customer knows you have a picture of them holding the merchandise, it's pretty hard for them to call Visa, and claim he did not make the purchase. Likewise, a bad check passer will walk away knowing you will have his picture to give to the police! Most states have laws against passing bad checks, and here a picture speaks more than a thousand words!
Built into Transaction Central is a feature called AVS (Address Verification System). This compares the billing address (that the customer gives you) to the billing address that the credit card company has on file. If they match, great! If they do not, beware! Can you imagine NOT knowing where the bill for YOUR credit card shows up? If the customer really does not know where the bill for the card is delivered, you are looking at FRAUD, or a really bad case of amnesia.
AVS IS NOT FOOLPROOF!! We have been alerted that there is a new scam we should all be aware of, as it can fool the AVS (Address Verification System), and allow a shipment to a fraudulent address! It works on 3 facts:
1) The cardholder name is not verified by the processors.
2) AVS checks only the Numeric portion of the address (Street misspellings are too common), and the ZIP.
3) Web site order pages have an "Address 2" line for suite or apartment numbers.
Here is how it works:
Assume that the VALID (Stolen) cardholder data is:
Name: Jim Shoes
Address: 1234 Main Street
CSZ: Irvine, CA 92301
The Fraudster enters the order this way:
Name: Fred Fraudster
Address: 1234 Purchase Order
Address2: 4534 West Carlisle Way
CSZ: Irvine, CA 92301
Wow, AVS says the numeric portion of the address matches, as does the Zip code. The delivery company will assume the first line is just a purchase order number, and will deliver to the address on line 2! The fraudster could even enter a city and state in a different zip code, knowing most delivery services will "correct" the zip code if the delivery address is in the specified city and state!
What can I do to protect myself? First, be glad you know about it, and then make sure you look at the "Address2" line of each and every order! If it appears to be a deliverable address, beware!
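
The "Address2" check described above, as an added example (not part of the original newsletter and not Transaction Central code): a simplified model of the numeric-only AVS comparison next to a review function that flags an order whose "Address 2" line looks like a street address. The field names, the suffix list and the sample orders are assumptions, built from the example addresses in this article.

```python
import re

# Street suffixes used to guess whether a line is a deliverable street address.
# The list is illustrative, not exhaustive (assumption of this example).
_SUFFIX = (r"st|street|ave|avenue|rd|road|blvd|boulevard|dr|drive|ln|lane|"
           r"way|ct|court|pl|place|hwy|highway")
STREET_RE = re.compile(r"^\s*\d+\s+.*\b(?:" + _SUFFIX + r")\b", re.IGNORECASE)


def street_number(line):
    """Leading digits of an address line, or None if it does not start with a number."""
    m = re.match(r"\s*(\d+)", line or "")
    return m.group(1) if m else None


def avs_numeric_match(on_file, order):
    """Simplified model of the check described above: only the numeric portion
    of address line 1 and the ZIP are compared; name and street are ignored."""
    number = street_number(on_file["address1"])
    return (number is not None
            and number == street_number(order["address1"])
            and on_file["zip"] == order["zip"])


def review_order(order):
    """Return manual-review flags for the 'Address 2' trick."""
    flags = []
    if STREET_RE.match(order.get("address2") or ""):
        flags.append("address2 looks like a deliverable street address")
    if not STREET_RE.match(order.get("address1") or ""):
        flags.append("address1 is not a recognizable street address")
    return flags


# Constructed sample data, taken from the example addresses in this article.
ON_FILE = {"name": "Jim Shoes", "address1": "1234 Main Street", "zip": "92301"}
FRAUD_ORDER = {"name": "Fred Fraudster", "address1": "1234 Purchase Order",
               "address2": "4534 West Carlisle Way", "zip": "92301"}
LEGIT_ORDER = {"name": "Jim Shoes", "address1": "1234 Main St.",
               "address2": "Apt 4B", "zip": "92301"}

if __name__ == "__main__":
    for label, order in (("fraud", FRAUD_ORDER), ("legit", LEGIT_ORDER)):
        print(label, "AVS match:", avs_numeric_match(ON_FILE, order),
              "| review flags:", review_order(order))
```

Both sample orders pass the numeric-only comparison; only the one using the "Address 2" trick is held for manual review.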
So, you have a big-ticket order! Congratulations, or maybe not… This is a follow-up to an article from our March 1, 2004 newsletter, where we warned our merchants that there were a bunch of high-ticket, fraudulent orders coming out of Indonesia, and that we had helped our prospective merchants determine that they really were FRAUD, and saved them a lot of grief and financial loss.
How did we do that? It takes a little effort, but for a large transaction that you have doubts about, or that originates outside the US, it’s worth it. First call one of the following phone numbers:
You will press ‘2’ for either number, to obtain access to the phone number for the card issuing bank. The system will prompt you for the card number, and then give you the bank name and phone number. This is the phone number of the bank that ISSUED the card to the cardholder (Card Issuing Bank).
Next, you call that number, and tell them that you are a merchant, and need to verify cardholder provided information with “YES or NO” questions. This is important, as there are privacy issues, but they CAN confirm or deny information YOU provide. You give them the card account number, and you can ask them (again YES or NO), if the cardholder name is (give cardholder name), verify the address, phone number, and CVV2 number. If you tell them you suspect fraud they MAY (at their option) call the cardholder to verify that they actually performed the transaction. Remember, the issuing banks have a responsibility to provide privacy to their cardholders, but they are also interested in preventing fraud, so they can only confirm or deny that information you give them is correct. Recently, we helped a merchant discover that their $1600 order from Indonesia was actually being performed on a card from an elderly lady in the Midwest. The cardholder, the operator from the issuing bank, and especially the merchant were all very glad that we helped them prevent this potential fraud event. A special THANK YOU to Carol of Payment Resource International for her expertise and guidance on this issue. Like everything else, if you want it done right, do it yourself: READ THE FOLLOWING FOR A WARNING ABOUT THIS.
Merchants calling the card issuer take note! We have merchants that call (for high ticket or high risk sales) the card issuer to verify the cardholder information and address. This is a great idea, but MAKE THE CALL YOURSELF. Merchants have been defrauded by customers who offer to "call their bank for you", and then put you on the phone. The "nice bank person" on the other end of the line is actually another fraudster giving you a phony authorization. Your best bet: authorize ONLY by swipe, and if you MUST call in for a voice auth, CALL YOURSELF directly to these numbers:
1-800-347-1111
Also, if you call an issuing bank to verify the cardholder information, ALWAYS get the person's name and I.D. badge number, and also ask if that person has a call back number besides the number the merchant dialed. Many card issuers have customer service departments all over the different states. The merchant needs to write this information on the back of the transaction slip, so if the transaction does become a chargeback, there will be a written note as to who did the verification.
Chargebacks are just about the worst possible thing that can happen to a merchant. You lose the merchandise sold, the sales amount, and you have to pay a penalty to boot! This is the result of regulations intended to protect the cardholder, leaving the merchant (you) holding the bag.
Accept credit cards anywhere!
What the card associations (Visa, MasterCard) don't want you to know is that there have been changes in card regulations due to some recent litigation. These changes can mean a great deal to you, the merchant! Basically, if you follow the proper steps, and get the required backup from each sale, you can prevent the loss of your funds if the sale is charged back due to fraud!
How does this all work? Starting the first of this year, if a merchant swipes a transaction and receives an authorization, imprints the card, and the transaction comes back for fraud, the card issuer has to take the loss and not the merchant. The card issuer must do a chargeback so they can deduct the loss as a business loss, but the card issuer must refund the merchant the original charge. The chargeback fees are still absorbed by the merchant, but at least they are not out their merchandise and money. The imprinter is the key to this procedure. You must imprint the card, and fill out the sales slip with the amount, date (Very Important), and authorization code (which HAS to come from a swipe - voice or phone authorizations don't work for this).
The imprinter has to have a merchant plate with your correct merchant name and number, so we have stocked up on desktop and portable imprinters that have a spot for a merchant plate. To order an imprinter, click here, and to order a merchant plate, click here. (A merchant plate is a little dog tag-like piece of metal with your name and merchant number stamped on it, so it gets embossed on the sales slip along with the credit card data.)
Things to remember-
1) Transaction must be swiped
2) You must have card imprint
3) Imprinter must have a plate
4) Sales draft must be signed
5) Sales draft must have date
In addition, when you receive the chargeback notice, you must respond immediately with a copy of the imprint slip, and the authorization from Transaction Central. You will still have to pay the chargeback fee, but at least you will get back your funds from the sale!
PayPal, or PRAYpal? On a regular basis, we do market research. An easy technique to see how a company is liked (or hated) by its customers is to go to GOOGLE and search for:
Which generally returns problems and complaints people have had with a particular company on forums, boards, and the internet in general. PayPal seems to have about 2.8 million of these, with entire web sites DEDICATED to "PayPal bashing". These sites have some absolute horror stories and incredible merchant complaints. Some of these sites are PayPalSucks.com, PayPal Warning, Yahoo! PayPal Forum, SuePayPal.org, and AboutPayPal.com, along with entries and complaints on countless forums. If you are using PayPal, you might want to check these out.
At last, a Real-time shield against "Pfishing" scams! We have come across a FREE toolbar plugin for Internet Explorer that can help protect you against the increasing threat of "Pfishing" scams. Here is how it works: The toolbar resolves the actual name of the site you are on, so if you click on an email from your Bank, PayPal, or vendor, it will let you know if you are REALLY there, or on a "spoof" site. We tried this with an email we received last week:
Display when on a "Pfishing" site.
Display when on the real PayPal site.
As you can see, the toolbar correctly identified the REAL PayPal site, as well as the phony one, which was operating with just an IP address. You can download this toolbar free at: www.corestreet.com/spoofstick/ . Of course, if you are using PayPal, you have other things to worry about (see article above).
Bogus Relay Calls. We delayed publishing this one, as people with disabilities need every break they can get. To this end, the US Government subsidizes the TDD and IP (Internet) based "Relay Calls" program. These text-based (Internet or TDD) "calls" are made to an operator, who completes the call to a vendor, and talks to the merchant on their behalf. Unfortunately, scammers are using this technology to hide behind the operator (often masking giveaway accents), and get the phone call free to boot! We have received an email from one of our merchants, informing us that this was just attempted on him (fortunately not successfully), and we made the tough decision that protecting our merchants was more important than defending users of the TDD/IP Relay system from discrimination.
Here is how the scam works: A person from West Africa, usually Ghana, Nigeria, or Accra, calls a U.S. business via one of the online Relay Services and requests to place an order. They provide credit card number(s) and usually the name and address of the credit card holder, but usually request that the merchandise be shipped to Africa or an alternate U.S. address. They often claim to be a reverend of a church, a business owner, or other respected community member. The credit card information is always stolen and often doesn't go through. When this happens they often have an alternate credit card to use or even give you multiple credit cards to use with the purchase. If you ask for the CVV number on the back of the card they either can't provide it or they provide a made up one because they don't have the card. They often ask that it be shipped immediately, as it is urgently needed, and they sometimes provide a stolen UPS shipping account number.
As small business owners smarten up to this one, the criminals wise up and try new methods. They befriend people in the U.S. usually over chat and claim they will pay them to forward items shipped to them. This gives them a U.S. address to have the item shipped to, dimming any suspicion business owners may have. It also involves this person in Credit Card fraud. They often get your phone number and call you incessantly about the orders they have placed with stolen credit card information and hurry you to ship items to them as soon as they arrive. When the police come knocking on your door, you face criminal charges for receiving stolen property and possibly credit card fraud and the merchandise is long gone.
Relay operators are actually beginning to report these incidents to the credit card companies- valiantly, I might add, as recording the numbers, and breaking confidentiality risk their immediate termination and possible criminal prosecution! Some of them report spending over 90% of their time relaying fraudulent overseas purchases (see their forum here).
Fortunately, our merchant was savvy enough to catch this as it was happening: "I received a phone call from Sprint Relay service explaining to me that someone was on the line and that they would read to me what the person typed in on the other end... When I did the math, this brought the total to over $2,400. Of course as a merchant, I would love to make a sale of that amount, but realizing that something was wrong, I didn't. Red flag two came when the scam artist insisted that I run the card immediately. I first asked for a phone number, and he refused to give me one (red flag number three). I also asked for the bank name that provided the card and he refused to give that to me (red flag number four). I then called Mastercard, got the bank's phone number through the use of the credit card number. Next I called the bank and informed them of what just happened. They took care of everything from there, closing out the account and getting the customer a new card." Congratulations and many thanks to Charles M. for his permission to reprint this excerpt of his experience.
Copyright © 2001 Advanced Merchant Solutions, Inc. All Rights Reserved. Merchant Accounts offered with our software products are provided by TransFirst, a registered Independent Sales Organization. All artwork, logos, Pocket Verifier, PC Verifier, MACPayment.com, nSwipe.com, Card Collector, WapVerify, PCDebit.com and MerchantAnywhere.com are trademarks of Advanced Merchant Solutions, Inc. All information, personal and otherwise is kept completely confidential. See our Privacy Statement .