Fact Check

Visa Fraud Investigation Scam

Scam: Callers pretend to be fraud investigation agents for Visa and MasterCard in order to obtain credit card security codes.

Published Dec. 23, 2003

Claim:

Scam:   Callers pretend to be fraud investigation agents for Visa and MasterCard in order to obtain credit card security codes.

Example:   [Collected on the Internet, 2003]


We all receive emails all the time regarding one scam or another; but last week I REALLY DID get scammed! Both VISA and MasterCard told me that this scam is currently being worked throughout the Midwest, with some variance as to the product or amount, and if you are called, just hang up.

My husband was called on Wednesday from "VISA" and I was called in Thursday from "MasterCard". It worked like this: Person calling says, "This is Carl Patterson (any name) and I'm calling from the Security and Fraud department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card issued by 5/3 bank. Did you purchase an Anti-Telemarketing Device for $497.99 from a marketing company based in Arizona?"

When you say "No". The caller continues with, "Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?"

You say, "Yes". The caller continues ... "I will be starting a fraud investigation. If you have any questions, you should call the 800 number listed on your card 1-800-VISA and ask for Security. you will need to refer to this Control #". Then gives you a 6 digit number. "Do you need me to read it again?" Caller then says he "needs to verify you are in possession of your card. Turn the card over. There are 7 numbers; first 4 are 1234 (whatever) the next 3 are the security numbers that verify you are in possession of the card. These are the numbers you use to make internet purchases to prove you have the card. Read me the 3 numbers." Then he says "That is correct. I just needed to
verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions? Don't hesitate to call back if you do."

You actually say very little, and they never ask for or tell you the card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA security dept. told us it was a scam and in the last 15 minutes a new purchase of $497.99 WAS put on our card.

Long story made short ... we made a real fraud report and closed the VISA card and they are reissuing as a new number. What the scam wants is the 3 digit number and that once the charge goes through, they keep charging every few days. By the time you get your statement, you think the credit is coming, and then its harder to actually file a fraud report. The real VISA reinforced that they will never ask for anything on the card (they already know).

What makes this more remarkable is that on Thursday, I got a call from "Jason Richardson of MasterCard" with a word for word repeat of the VISA Scam. This time I didn't let him finish. I hung up.

We filed a police report (as instructed by VISA), and they said they are taking several of these reports daily and to tell friends, relatives and coworkers.


 

Origins:   There are five points we generally try to apply in evaluating warnings about possible criminal schemes or activities:

1) Is the phenomenon outlined in the warning technically possible as described?

2) Is the phenomenon outlined in the warning plausible? (That is, some criminal schemes are technically possible, but they're too difficult, cumbersome, or expensive to plausibly enact on anything more than a very limited basis.)

3) Are there any verifiable instances of people having been victimized in the manner described by the warning?

4) Is there evidence that the criminal activity described in the warning is widespread?

5) Is the criminal activity described in the warning something the average person might fall victim to?

The scheme outlined in the message quoted above might be categorized as a "social engineering" scam — a technique which preys upon people's unquestioning acceptance of authority and willingness to cooperate

CVC2

in order to extract from them sensitive information (such as computer passwords or credit card numbers). In this case the scammers' target data are the three-digit security codes found on the back of MasterCard and Visa cards.

Just as the Internet and other technologies have greatly expanded the possibilities for making credit card purchases without the need to physically present a card to the seller, so have they created additional opportunities for identity thieves to make profitable use of purloined credit card numbers. After getting their hands on credit card numbers (often through such simple expedients as rummaging through trash to find discarded receipts or statements), crooks can then employ a variety of means (e.g., mail order, phone order, Internet purchases, posing as merchants) in order to obtain money and merchandise by charging against the cardholder's account — even though the credit card itself remains snugly inside the cardholder's wallet. The victim may not even know anything is amiss until he receives his next statement in the mail several weeks later.

Although safeguards have been enacted to catch most of these types of fraud, they're often defeated by a combination of lax security and clever crooks who know how to work around them.

CVV2

One of the those safeguards is the addition of three-digit security codes (known as CVC2 or CVV2 codes) to every MasterCard and Visa card, codes which are indent-printed in the signature panels on the backs of the cards but are not encoded in the magnetic stripes and do not print on sales receipts. Many vendors cannot process credit card transactions without obtaining these security codes from their customers, thereby ensuring that persons placing orders have physical possession of the cards being used (and haven't simply scammed the sixteen-digit account numbers imprinted on the front of cards somehow). Thus the scheme described above might be used by identity thieves who have managed to collect credit card numbers but need to obtain the associated security codes in order to process charges against the accounts.

So, back to our five points:

1) Is this possible? — Yes, it's possible that scammers might get hold of credit card numbers and then use the technique described above to obtain security codes and process phony transactions against the accounts.

2) Is this plausible? — The scam as described above is not extraordinarily difficult or expensive to pull off; all it requires is access to a telephone and the establishment of a merchant account for processing credit card transactions. It also assumes the scammer already has the names, addresses, phone numbers, and credit card numbers (plus expiration dates) of his victims, but that information might be obtained in a variety of ways (such as breaking into and stealing customer data from merchant web sites). Whether the same scammer could process more than a handful of phony charges before complaints caused his merchant account to be shut down is problematic, though, and most credit card issuers now have checks in place to prevent the shipping of merchandise to anywhere other than the card's registered billing address and other "card not present" (CNP scams).

3) Are there known instances of this occurring? — We talked with a representative of MasterCard, who told us that although she couldn't verify the specific details of the message reproduced above, this type of scam does occur and isn't new; it's been going on ever since MasterCard started putting CVC2 security codes on all its cards back in 1997. (Visa did not add CVV2 codes on all their credit cards until 2001.) She also reiterated that MasterCard would not ask a cardholder to disclose security codes or provide any information verifying physical possession of a card; any such inquiries regarding security matters would come from the financial institution that issued the credit card, not from MasterCard itself.

4) Is this a widespread phenomenon? — Unfortunately, neither MasterCard nor VISA would provide us with any statistics regarding the specific scam described here or confirm any actual instances of its occurrence (other than to note that using the telephone to trick cardholders into divulging their security codes is a type of fraud that has been occurring for several years and is ongoing). However, numerous readers have informed us they've received calls from persons identifying themselves as fraud investigation agents and asking for sensitive personal data, so (even allowing for the possibility that some of those calls were actually legitimate) we'd have to say anecdotal evidence indicates this scam is still being perpetrated, if only infrequently.

5) Is this something that might affect the average person? — Yes, anyone who holds a credit card is a potential victim of this type of fraud.

The best protection against these types of telephone schemes for obtaining sensitive credit card information is to always verify the identities of the people with whom you speak. If you have security questions or concerns about your credit card, call the financial institution who issued your card directly. If someone contacts you by phone about your credit card, ask the caller to provide his name, department, and extension, then hang up and call him back through the phone number listed on your credit card or billing statement.

Additional information:

    Recognizing Credit Card Fraud   Recognizing Credit Card Fraud   (Consumer @ction)

Last updated:   1 April 2015

David Mikkelson founded the site now known as snopes.com back in 1994.

Article Tags