Thread: Credit card phising scam

This article was taken from my blog about a credit card phising scam. What do you think? I think its good to highlight to everyone.

A question posted by a forummer in HardwareZone triggered my attention. Therefore I think it is good that I bring up this issue and share with everyone. I am surprised to the responses of many forummers who can’t immediately decide that it is indeed a phising scam! Now it is up to you to decide if it is a scam or not.

Someone made an online purchase from dELiAS store with a credit card. Two weeks later, the purchaser received an email from their customer service as below:

"Thank you for shopping with Delia's. Your order ******* has been received and is being held for additional verification purposes.

We can verify your order via fax if it is easier for you. However, we are unable to verify via e-mail. We will need for you to fax us a copy of the front and back of your credit card along with a copy of your photo id. We also need a written statement from the credit card holder verifying the amount of the purchase and the signature of the credit card holder.

Please make sure that everything in the fax is clear and easy to read. You can fax this information to 001-614-818-2730 or call us at 001-614-891-8354. Please contact us or your order may be canceled."

So what clues can you gather from the above information. Photocopy your front and back of your credit card? Isn’t that sounds suspicious?

Firstly you are not supposed to give out your credit card details. By photocopying the front and back, you are indeed as good as giving out credit card information. Secondly this is the first time I heard a purchaser is contacted this way through email to confirm a transaction. Thirdly the site really looks crappy.

To me this is an obvious and classical case of phising scam. So you need to be aware with this kind of online transaction in future. Do not take any chance. When in doubt, it is better to give a pass.

Thank you for the advice, now I will have my eyes open while I make purchases via credit card on other websites.

I need to talk with any person that actually followed those instructions, as I have some "Ocean Front" property here in Kansas, that I am trying to get rid off for pretty cheap!!

im not sure why many still fail to see that this is a phising scam!

maybe someone else can advice.

MikeDirnt added 1 Minutes and 35 Seconds later...

Originally Posted by LeenkzMike

I need to talk with any person that actually followed those instructions, as I have some "Ocean Front" property here in Kansas, that I am trying to get rid off for pretty cheap!!

the sub prime must have hit you hard ah? isnt it time to shop for cheap properties? of course not to sell or you lose your value

thank for sharing... how the adsense rev sharing doing for you ? By the way is adverlets a another way of good source of online income ?

I honestly do not get it.

The person bought from a store, the store claimed they were not able to verify the information so needed further manual verification that the person is indeed the card holder.

My store asks for this information on occasion, it is recommended by the processing companies. In all reality every online store should ask for this information on every transaction, it simply is not possible.

Originally Posted by GRIM

I honestly do not get it.

The person bought from a store, the store claimed they were not able to verify the information so needed further manual verification that the person is indeed the card holder.

My store asks for this information on occasion, it is recommended by the processing companies. In all reality every online store should ask for this information on every transaction, it simply is not possible.

just a question, is it true that all the credit card details you entered will be shown to the owner of the store once you transact? just curious

MikeDirnt added 4 Minutes and 39 Seconds later...

Originally Posted by worldir

thank for sharing... how the adsense rev sharing doing for you ? By the way is adverlets a another way of good source of online income ?

my adsense so far $15 to $25 a month. avertlets is not that good as adsense but i like the cost per impression. it is good because you wont be earning 0 in a day unlike adsense. you will earn at least few cents a day. anyway my page views per day is not that big also

Originally Posted by MikeDirnt

just a question, is it true that all the credit card details you entered will be shown to the owner of the store once you transact? just curious

Well put it this way, at a store does the person not see your entire credit card?

If you have an actual merchant account, yes in most cases the store will see every digit of your card, your expiration and other numbers and info entered into the system.

Originally Posted by GRIM

Well put it this way, at a store does the person not see your entire credit card?

If you have an actual merchant account, yes in most cases the store will see every digit of your card, your expiration and other numbers and info entered into the system.

There is a lot to be said about people who don't check into these things.

Sure I can see the company wanting to make sure the order information is correct and I've see before where a company wanted to ensure that my credit card information was correct but I have to disagree with the practice of scanning the _back_ of the card.

This is typically where the security number is placed - and when I worked for a call center for a major telephone company in Canada you would not believe the horror stories I would hear about credit card misuse from customers who called.

(first) I would call the customer support line of the merchant I made the purchase from to have them investigate the email message.

(second) I would inform the company that I will not be sending photocopies of my credit card details to anyone for any orders. The risk of those documents finding their way to someone else is way too high.

I would be willing to replace the order with another card, or speak to a sale rep over the phone to confirm my details of the card _only_ knowing that I am of course speaking with a customer rep from the merchant and not someone who had emailed me.

Scanning / faxing the back of the card makes absolutely no sense. All the information that a merchant needs is on the front of the card. The back is strictly for the card owner's security.

Originally Posted by classact

There is a lot to be said about people who don't check into these things.

Sure I can see the company wanting to make sure the order information is correct and I've see before where a company wanted to ensure that my credit card information was correct but I have to disagree with the practice of scanning the _back_ of the card.

This is typically where the security number is placed - and when I worked for a call center for a major telephone company in Canada you would not believe the horror stories I would hear about credit card misuse from customers who called.

(first) I would call the customer support line of the merchant I made the purchase from to have them investigate the email message.

(second) I would inform the company that I will not be sending photocopies of my credit card details to anyone for any orders. The risk of those documents finding their way to someone else is way too high.

I would be willing to replace the order with another card, or speak to a sale rep over the phone to confirm my details of the card _only_ knowing that I am of course speaking with a customer rep from the merchant and not someone who had emailed me.

Originally Posted by joseph

Scanning / faxing the back of the card makes absolutely no sense. All the information that a merchant needs is on the front of the card. The back is strictly for the card owner's security.

TOTALLY INCORRECT.

Many merchant accounts enforce that you in fact get the card holders security number, what other point do you think that number has?

The security number is to ensure the card holder actually has the card and is not someone who is using a random set of numbers from a generation program which does exist.

All of that information is available to any clerk who you hand your card over to in any physical location at any other time, the information is needed in many cases to ensure the person using the card is in fact the card holder and not a thief.

I didn't see what the big deal was about the first post in this thread either, I thought it's perfectly legit, but then everyone was saying it's a scam so I felt pretty stupid cause I'd have fallen for it myself, but after seeing Grim's posts I see I was not wrong in thinking it was normal practice.

Not to forget the back also has the 'signature' which a merchant needs to dispute fraud.

All measures in this thread are recommended by processing companies, I have been a merchant for years and do know how the system works.

Someone simply 'calling to confirm' is absolutely meaningless, people who steal cards have no problem calling in and claiming they are the card holder, a call also does not hold up in a credit card dispute, but guess what does? The information requested in the first post which is being misread as 'phishing'

Here's one example of a reason why I'm not comfortable giving out all my details:
I need to pay for something online using a card.
I enter my card number and CVV via a secure gateway, and the transaction is verified by Visa.
The vendor still wants a copy of my card (both sides) for verification, even though there's been no contest from my bank.
Now, gullible that I am, I send these details over.
Now they have all my details on file, scanned for posterity.
A slacker employee, who happens to have a gambling habit, joins the firm...
He needs to buy stuff online, he has access to all my details.
I go broke within two days.

Now tell me why it's imperative that the merchant has to have my CVV number... If he wants proof that I actually have the card, a fax of the front should be proof enough. If I have the front, I sure as hell have the back as well.

About calling to confirm: what's stopping the merchant from getting the bank to call the card user for verification? Domainsite does this on every transaction via credit-card. I've never faxed them a thing.

And, a while back, there was a case about a BPO in India selling card details by the thousand... at around 5 GBP per account.

Don't get phished

Originally Posted by joseph

Here's one example of a reason why I'm not comfortable giving out all my details:
I need to pay for something online using a card.
I enter my card number and CVV via a secure gateway, and the transaction is verified by Visa.
The vendor still wants a copy of my card (both sides) for verification, even though there's been no contest from my bank.
Now, gullible that I am, I send these details over.
Now they have all my details on file, scanned for posterity.
A slacker employee, who happens to have a gambling habit, joins the firm...
He needs to buy stuff online, he has access to all my details.
I go broke within two days.

Now tell me why it's imperative that the merchant has to have my CVV number... If he wants proof that I actually have the card, a fax of the front should be proof enough. If I have the front, I sure as hell have the back as well.

Umm you do realize the merchant has the CVV details because you entered it in from the beginning do you not? That kind of makes the 'oh but I don't want them to see it null and void' plus the only way for the merchant to see the signature is on the back of your card.

You also do realize a bank is not going to 'contest' the charges for quite some time, until the card holder does. In which case if the merchant does not have the info required they have no choice but to issue a refund. You further do realize I would hope that unless the package was shipped to the card holders name and address and has the card holders signature the card holder is not going to be held liable for it, hence you will not 'go broke'

About calling to confirm: what's stopping the merchant from getting the bank to call the card user for verification? Domainsite does this on every transaction via credit-card. I've never faxed them a thing.

Most banks will not do this, it's hard enough to get banks to verify the information, it also will not help the merchant in a charge back situation.

And, a while back, there was a case about a BPO in India selling card details by the thousand... at around 5 GBP per account.

Yet the merchant already has the details in electronic form that you are so desperate to protect, all they are is trying to get the manual information to protect themselves.

Tell me, do you have the CVV numbers of people who've bought stuff from you?

Originally Posted by joseph

Tell me, do you have the CVV numbers of people who've bought stuff from you?

When they order the items, yes it is required.
Otherwise there is absolutely no point to the CVV number. The point behind the number is to make sure the card is actually in the persons hand, if the merchant did not get this number when processing it would defeat the purpose of the number in the first place.

--
Every time you manually have your card swiped it is also there for anyone to see as well.

@Grim: I got the advice once (and I have followed it because it seemed like a good idea to me) to write "PHOTO I.D. REQUIRED" instead of my signature on the back of my cards.
How does that fit into all this? Protection of merchant? Protection of me?

(On a side note, you'd be surprised how few people actually ask me to see my I.D. Probably less than 10% of my face to face purchases.)

Originally Posted by Zap

@Grim: I got the advice once (and I have followed it because it seemed like a good idea to me) to write "PHOTO I.D. REQUIRED" instead of my signature on the back of my cards.
How does that fit into all this? Protection of merchant? Protection of me?

(On a side note, you'd be surprised how few people actually ask me to see my I.D. Probably less than 10% of my face to face purchases.)

Not 100% certain, the rules do vary from country to country.

I have been processing credit cards on and offline for various different businesses I have and I can attest to the fact that you are NEVER supposed to fax the front and back of the credit at any time. When you get a merchant account, 99% of the time your not even given the customers credit card information besides the last 4 digits of the credit card even when they do order from you.

There is many scams that happen this exact way. If you provide them with the front and back you are always supposed to black out the 3 digit CVV2 security code.

Not to mention that storing a CVV number is illegal, as confirmed by someone who works in PCI compliance certification. So I still don't get why a copy of the back of my card is required.

another side-note: I've never shown an ID proof at a face-to-face transaction. Never been asked. And I'd be in more trouble if I showed it... my beard and hair disguise me pretty well. My license pic is from when I was in school.

Originally Posted by HLJames

I have been processing credit cards on and offline for various different businesses I have and I can attest to the fact that you are NEVER supposed to fax the front and back of the credit at any time. When you get a merchant account, 99% of the time your not even given the customers credit card information besides the last 4 digits of the credit card even when they do order from you.

There is many scams that happen this exact way. If you provide them with the front and back you are always supposed to black out the 3 digit CVV2 security code.

How do you process cards without the full information?
Many automated carts are setup that way, or not true merchant accounts. Without the full information you can not manually process or much less verify the information.

Originally Posted by joseph

Not to mention that storing a CVV number is illegal, as confirmed by someone who works in PCI compliance certification. So I still don't get why a copy of the back of my card is required.

another side-note: I've never shown an ID proof at a face-to-face transaction. Never been asked. And I'd be in more trouble if I showed it... my beard and hair disguise me pretty well. My license pic is from when I was in school.

Storing is a bit different than getting for the original order.
You continue to leave out the fact that the signature is on the back of the card..........

----
Plus many cards require the cvv2 info to even go through, what is the difference from a security aspect as a card holder from giving it to them on paper or showing proof on the card via fax?

Originally Posted by GRIM

How do you process cards without the full information?
Many automated carts are setup that way, or not true merchant accounts. Without the full information you can not manually process or much less verify the information.

Storing is a bit different than getting for the original order.
You continue to leave out the fact that the signature is on the back of the card..........

----
Plus many cards require the cvv2 info to even go through, what is the difference from a security aspect as a card holder from giving it to them on paper or showing proof on the card via fax?

Although this seems to be very common practice these days - I would highly discourage any person from sending any copies of your credit card back to any merchant. And if you _must_ send a copy of the back of your credit card to verify that you are in fact the credit card hold black out the Security number.

A simple web search on Google will result in many horror stories from cases like this - of people unaware and getting tons of charges.

I personally used a Prepaid CreditCard for all my verifications and online purchases.. <g>

Yet again, many merchant agreements and credit card companies themselves REQUIRE the security code to even use the card when not face to face.

Interesting thread. I never sign the back of my credit cards and haven't had an issue with it. I understand where Grim is coming from but I'd be a little hesitant to fax a full copy of the front & back of my CC. Only because what happens to that paper afterwards? How long is it held? Is it shredded before being thrown out? That varies from company to company, and some small business owners are just plain lazy they'll throw it out with a stack of junk mail and think nothing of your personal information.

Also it would send up a red flag in my head because out of all the transactions I've done online with both big and small companies none of them have yet to ask for a physical copy of the card. The furthest one company went, a hosting company is to call my phone number and give me a confirmation code to enter on their website. That's the only kind of additional verification I've ever been asked to do.

With a person to person transaction, I hand you the card you hand it back or as is becoming more and more prevalent I swipe my own card. There is no chance for the store clerk to copy the information, no physical copy of the card is left behind only a digital copy of the info on the magnetic strip in the payment processors database.

Slightly off topic, but related:

Personally, I regularly use my mother's credit card. Just the other day mom wanted to buy me a birthday dinner so she gave me her card to buy Chinese food. I ordered, handed the card over and funny thing the girl at the counter was staring at the card, I thought she was going to say something as it's obvious my name isn't AnnMarie but she didn't say a word. I hand my credit card to friends' to pick me up something at the store or for them to borrow money for gas. Different last names, nobody checks to see if the person with the card is actually named on the card.

In person no one verifies this information. Even when I was in FL, where none of the store clerks know me, I used my friend's wife's CC, different last name and female first name. That obviously is not me. No request ID or anything in fact I have never once been asked for ID for a CC or DB (debit card) transaction, no signature verification. Heck I don't even sign the receipts, I just scribble a line on them.

I had a conversation a few years back with my bank manager, I was disputing a debit card transaction. I asked about using other people's cards, he said it's perfectly legal, but if the card holder disputes the charge then it's a crime. I thought that was kind of odd.

Big Dan I understand where you are coming from, but again in a lot of cases this info is already given to the company so the defense of not wanting them to have it really makes no sense to me.

Plus the old method of face to face was the old knuckle busters that made an imprint of the card.

This is not needed in most cases, it is in rare cases where banks refuse to verify for the most part. Possibly a high fraud score, possibly another reason above the normal.

--
Companies are required to destroy the info, either digital or hard copy. IMO the digital is far more sensitive, yet nobody appears to have a problem sending the digital that is connected to a network that can be breached. I find that a bit funny to say the least.

I see your point Grim and know you're just trying to put the information out there. I guess it's more of a mind over matter thing. In reality it's a lot easier for the digital information to be breached than the off chance of someone getting their hands on my CC info via a fax to a vendor.

Heck, a major retailer had their databases breached over this past holiday season, thousands of peoples information was stolen. :eek: I forget was it Kohl's or Target?

ok here is my thought on this phising thing. whether scam or not i will let consumers exercise their own discretion. im sure many big online merchants dont require us to do this kind of verification. last night i ordered an item from creative, and the transaction process is smooth and fast.

but still merchant should do everything to protect consumers even if they insist to get a photocopy. they should advice consumers to send a photocopy but at least blanco a certain digits of the credit card numbers. why do they need the whole complete set of numbers? probably a few numbers and credit card statement should be enough i thought.

if the numbers are not blanco, what happens in the process of faxing the details and someone else happens to lay first hands on it? or the owner did not dispose the details properly and someone else finds out? agh there are so many possibilities of going into the wrong hands.

MikeDirnt added 4 Minutes and 49 Seconds later...

Originally Posted by GRIM

Big Dan I understand where you are coming from, but again in a lot of cases this info is already given to the company so the defense of not wanting them to have it really makes no sense to me.

Companies are required to destroy the info, either digital or hard copy. IMO the digital is far more sensitive, yet nobody appears to have a problem sending the digital that is connected to a network that can be breached. I find that a bit funny to say the least.

i think the hard copy is more sensitive than the digital copy. consumers order online having faith that they trust the digital information sent in the network. if they dont trust, they wouldnt be buying online at all. but now my concern is the fax thing.

Good article Mike. As you rightly say people should be immediately suspicious if a *merchant* makes contact to verify details subsequent to the transaction being made. Also a reputable merchant would never, ever, expect anyone to fax/mail/divulge over the phone their entire card details.

Card security is something we in the UK have been taking very seriously over the last 5 years or so with the introduction of chip and PIN and Verified by Visa. I don't believe chip and PIN is used in the States.

Let me just add actually that another scam that is quite widespread is when someone rings and pretends to be from the security section of your card provider. They say something along the lines of there have been unusual transactions on your account can you confirm your card number. They then promise to monitor the situation closely and the call ends. Nothing happens until several weeks later when they ring back, say they're from the card provider and convince you of their authenticity by quoting back your card number which they obtained first time around. The purpose of this second call is to elucidate the expiry date and CVV from you, which they subsequently use for malicious purposes.

It goes without saying that your card provider would never, ever, ring up and ask for details pertaining to your card. If you're uncertain of the authenticity of a caller simply end the call and dial them back on the number given on your card statement.

Originally Posted by GRIM

Well put it this way, at a store does the person not see your entire credit card?

If you have an actual merchant account, yes in most cases the store will see every digit of your card, your expiration and other numbers and info entered into the system.

at a store, i dont expect that fellow to memorise my card details in an instant. anyway i always keep a look out if he behaves suspiciously

The numbers are needed to fully process a card off line. I honestly can not believe someone would trust a fax machine transmission less than they would trust a transmission over a network that is then stored in a system/server somewhere online. This transmission is often printed into a hard copy on the other end, making your worry that much more unwarranted and backwards.

I simply am truly at a loss for words as it makes absolutely no sense, this is coming from years of experience.

Originally Posted by GRIM

The numbers are needed to fully process a card off line. I honestly can not believe someone would trust a fax machine transmission less than they would trust a transmission over a network that is then stored in a system/server somewhere online. This transmission is often printed into a hard copy on the other end, making your worry that much more unwarranted and backwards.

I simply am truly at a loss for words as it makes absolutely no sense, this is coming from years of experience.

i understand your argument. but you need to look from a consumer point of view.

i thought the fax over details is just to ascertain that you are indeed a real buyer? why do you need to fax over the full details? and why do the big stores dont require us to do this?

Originally Posted by MikeDirnt

i understand your argument. but you need to look from a consumer point of view.

i thought the fax over details is just to ascertain that you are indeed a real buyer? why do you need to fax over the full details? and why do the big stores dont require us to do this?

The big stores have insurance and the ability to take losses that smaller stores do not They also pay much lower processing fees as they get discounts from their bulk transactions.

We do tell people they can mark off X amount of their card numbers for security, the back of the card however is needed because of the signature, plus the security code has already been entered so I just don't see why it would be unsafe to send it through a much more secure medium than a non secure medium.

Originally Posted by GRIM

We do tell people they can mark off X amount of their card numbers for security, the back of the card however is needed because of the signature, plus the security code has already been entered so I just don't see why it would be unsafe to send it through a much more secure medium than a non secure medium.

thats fair enough if you dont need to send the complete details.

but can you fax the back and mask off the security code? you just need the signature and few numbers in front right?

Again why would the back security numbers need to be 'masked off' when the merchant already has them in digital form?

If anything the code needs to be there to match it up.

Originally Posted by GRIM

Again why would the back security numbers need to be 'masked off' when the merchant already has them in digital form?

If anything the code needs to be there to match it up.

lol i think you still dont understand from a customer point of view. in short, i will feel insecure if i let all my credit card details to be fax over.

thats what the people above are arguing for

I agree totally with Grim. this is not a phlishing scheme but a normal operating procedure recommended for merchanta to protect themselves. For a start, they have already got your CC details in the first place, and could use it to make fraudulent purchases if they want. I hate to say it, but Internet shopping is not completely safe. Therefore, I always use AMEX for online purchases.

It is unfortunate that it looks bad on the customer's end and quite often, this would result in a cancelled transaction. This is why we never asked customers to do this. For large transactions that we were not confident about, we asked them either to pay by T/T or by escrow.

Originally Posted by MikeDirnt

lol i think you still dont understand from a customer point of view. in short, i will feel insecure if i let all my credit card details to be fax over.

thats what the people above are arguing for

I understand that, but you've had someone who deals with it daily explain to you why it's needed, why there is no need to be 'insecure' and why it's safer than doing it over the net of which you have no problem.

alright thanks guys.