If crooks find it too difficult to penetrate fraud-prevention layers protecting online merchants, corporations or bank accounts, they revert to “old-fashioned” fraud methods aimed at easier targets.
One of those “tried-and-true” scams involves simply calling the target, pretending to be someone else and coming up with a reason for the victim to send money, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
And that’s exactly what has happened to merchants in Ireland recently and what prompted the Irish Payment Services Organization to release a July 10 statement to the country’s shop owners warning them of fraudulent calls, especially from someone who calls himself “Mark.”
“Mark” claims to be an engineer from the shop owner’s acquiring bank or card processor, naming the acquirer in the process “and sounding very professional” in his presentation, the payments organization stated. “Mark” speaks with an English accent and shows familiarity with the merchant’s terminals and payments gateway, the statement noted.
The caller advises the employee answering the call that he needs to check something on the store’s terminal and asks the worker to put through refunds to a 'dummy' card. He assures the employee the refunds won't go through as a normal transaction because he is using a 'dummy' card engineers use for testing.
After the employee, assuming it is just a test, sends the transactions through, “Mark” tells him to shred or dispose of the receipts because they no longer are needed.
Some shops have lost up to 14,000 euros (US$17,200), but most of the bogus refunds have been between 2,000 to 3,000 euros each, the payments organization reported.
Shops already affected by the scam include gas stations, jewelers, restaurants, chemists and florists, making it difficult to determine which particular industry the criminal is targeting, the statement noted.
More than 50 merchants have suffered losses from the scam, but the organization suspects many more may have become victims and not yet reported losses, says Una Dillon, head of card services and communications for the payment organization.
The organization advises shop staff to hang up if they receive a call from someone claiming to be from the store’s acquiring bank and to then call their card processor at a number they know to be correct from their bank statement or phone book.
“This merchant scam in Ireland is a variation of fraud through a call center, which is on the rise,” McNelley says.
Merchants and banks alike have been stepping up efforts to uncover every vulnerable aspect of their operations, McNelley adds.
Dealing with fraudulent calls or fake identities represents an area in need of security diligence, McNelley notes.
In relaying a scenario to emphasize that point, McNelley says she knows of a bank that hired a security company to locate vulnerable spots in the bank’s data systems. The company sent someone to the bank pretending to be an employee locked out after hours. The cleaning crew let him in, and he proceeded to upload a keystroke-logging Trojan virus on every computer in the bank to prove it could be done before he removed it and restored the computers.
To say the least, the bank executives were not too happy to find out how easy it was for someone potentially to know every password to every computer in the bank, McNelley says.
