This story was first published in 2006
This long-circulated message warns that scammers are attempting to obtain CVV2/CVC2 security numbers by phoning credit card holders and posing as Security and Fraud Department staff from Visa or MasterCard.
The scenario described is plausible, but the warning may significantly exaggerate the actual frequency of such scam incidents.
CREDIT CARD FRAUD: IMPORTANT – PLEASE READNew Credit Card Scam!!The following was given to me by a colleague, whose husband works for Barclays and has dealings with Barclaycard.
Quote: This information is worth reading. By understanding how the VISA & MasterCard Telephone Credit Card Scam works, you’ll be better prepared to protect yourself.
One of our employees was called on Wednesday from “VISA”, and I was called on Thursday from “MasterCard”. Note, the callers do not ask for your card number; they already have it.
The scam works like this: Person calling says, “This is (name), and I’m calling from the Security and Fraud Department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I’m calling to verify. This would be on your VISA card that was issued by (name of bank). Did you purchase an Anti-Telemarketing Device for £249.99 from a Marketing company based in (name of any town or city)?”
When you say “No” the caller continues with, “Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from £150 to £249, just under the £250 purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?”
You say “yes”. The caller continues – “I will be starting a Fraud investigation. If you have any questions, you should call the 0800 number listed on the back of your card and ask for Security. You will need to refer to this Control Number. The caller then gives you a 6 digit number. “Do you need me to read it again?”
Here’s the IMPORTANT part on how the scam works. The caller then says, “I need to verify you are in possession of your card”. He’ll ask you to “turn your card over and look for some numbers”. There are 7 numbers; the first 4 are part of your card number, the next 3 are the security Numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card. The caller will ask you to read the 3 numbers to him.
After you tell the caller the 3 numbers, he’ll say, “That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?” After you say No, the caller then thanks you and states, “Don’t hesitate to call back; if you do”, and hangs up. You actually say very little, and they never ask for or tell you the Card number. But after we were called on Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of £249.99 was charged to our card.
Long story made short – we made a real fraud report and closed the VISA account. VISA is reissuing us a new number. What the scammers want is the 3-digit PIN number on the back of the card. Don’t give it to them. Instead, tell them you’ll call VISA or Master card directly for verification of their conversation. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN you think you’re receiving a credit. However, by the time you get your statement you’ll see charges for purchases you didn’t make, and by then it’s almost to late and/or more difficult to actually file a fraud report.
What makes this more remarkable is that on Thursday, I got a call from a “Jason Richardson of MasterCard” with a word-for-word repeat of the VISA scam. This time I didn’t let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us t o tell everybody we know that this scam is happening.
Please pass this on to all your family and friends. By informing each other, we protect each other.
The three-digit security code included on the back of Visa and MasterCard credit cards is designed to enhance security by allowing merchants to verify the user’s card during “card-not-present” transactions. The security codes, known as CVV2 and CVC2, are intended to reduce the occurrences of fraud for transactions such as online purchases and phone orders in which the merchant does not physically process the card.
The CVV2/CVC2 is separate from the card account number and is printed on the back of the card in the signature panel. These security codes are not included in the information encoded on the card’s magnetic strip or on receipts. Therefore, even if scammers have managed to acquire a credit card number, they may not manage to fully utilize the information unless they also acquire the CVV2/CVC2.
Criminals obtain credit card numbers via card skimming devices, online and email fraud, stolen transaction records and other devious ways. However, while these methods certainly allow scammers to steal credit card information, this information will not always include the CVV2/CVC2 security codes.
Therefore the motive for the scheme outlined in the message is clear. If scammers have already acquired your credit card number, they might very well wish to enhance the usefulness of the stolen information by acquiring the credit card number’s corresponding security code. If the scammers have your personal contact details as well as your card number, then this “Security and Fraud Department” phone ruse could certainly be an effective method for them to procure the desired information.
Thus, the outlined scheme is certainly plausible. If they already had your credit card, scammers could certainly carry out the schemes described in the message and have most likely done so in the past.
That said, I do feel that the message may significantly exaggerate the actual frequency of such scam incidents. The message implies that this scam tactic is a common occurrence.
The individuals featured in the message apparently received two such scam calls within as many days and the message claims that police are taking several reports a day about the issue. However, while this warning message has been featured in many legitimate news reports and financial websites, there is little credible information about how often this scam actually occurs. In fact, an article about the email on washingtonpost.com notes that Visa and MasterCard officials “know of no specific person who’s been scammed according to the story outlined in the e-mail“.
The warning message has now been circulating in several countries for a number of years. In spite of this, at the time of writing, I can still find no reliable reports that described actual occurrences of this particular scam. Moreover, it should be noted that there are now several versions of the message, each with different details. Thus, the specific incidents described in these messages may well be anecdotal. As is common with email warnings of this nature, there is no way of confirming if the specific events outlined in the messages actually occurred or were simply made up as a way of embellishing the scam warning to emphasize its key points.
It also should be noted that phone-based credit card fraud is nothing new and does not only involve CVV2/CVC2 security codes. Phone-based credit card scams have been around for a long time. While the CVV2/CVC2 ruse may be a new twist, fraudsters have long tried to glean credit card details from victims by making unsolicited phone calls and misrepresenting themselves as company staff members or law enforcement officials.
Cardholders should be very wary of giving any information at all about their account in response to an unsolicited phone call. As with email-based phishing, scammers may call the potential victim and claim that the security of an account has been compromised and request credit card and banking details, ostensibly to “verify” the account. Alternatively, phone scammers may quote the partial credit card number often recorded on a sales docket and ask the victim to provide the missing digits as “verification”. And scammers may obtain credit card details by posing as telemarketers.
Although the specific CVV2/CVC2 scam described may not occur as often as implied, the advice in the message is nevertheless worth heeding.
If you do receive such an unsolicited call, the safest course of action is to:
- Ask for the caller’s name and department details and then terminate the call.
- Find a legitimate contact number for the company either in a bill or other official documentation or a telephone directory. (Don’t use a contact number provided by the caller).
- Call the company and ask to speak to the original caller by name.
This strategy should effectively derail any scam attempts and also allow you to deal with the issue in the event that the call was actually legitimate.
A key factor regarding this scheme is that it can only work if the scammer already has your credit card number and contact details. In other words, regardless of the success or failure of the scheme, your financial security has already been compromised.
Thus, if you do receive a security code scam call like the one described, recognizing it as a scam and terminating the call is only part of the solution. Naturally, you should also immediately inform your credit card issuer that the security of your card may have been compromised and take any other steps necessary to protect yourself from credit card fraud and identity theft.