A sophisticated scam involving digital wallets has emerged, causing alarm among anti-fraud organizations. Criminals have devised a method to bypass security measures and load stolen credit card details onto digital wallets, such as those available on iPhones, Android phones, and Samsung Pay. Despite efforts by banks and security experts to combat the issue, the scam continues to proliferate, with fraudsters demonstrating a high level of organization and persistence.
The Scam Unveiled
The scam first surfaced last year and has since drawn significant attention due to its complexity and the substantial effort criminals have invested. The process begins when a victim unwittingly provides their bank with a verification code sent via SMS. This code is crucial for the fraudsters to authenticate a new digital wallet under the victim's account.
"The interesting part is that [the criminals] suggest they have sent you a verification code. What they are actually doing is they are applying to open a new digital wallet," explained Lilburn. "When [the criminals] are setting up that wallet, the bank will send a verification code – a lot of them by SMS – to the victim, who will send it to the fraudsters, and that allows the fraudster to get that number and then give it back to the bank to authenticate their digital wallet."
Once the verification code is acquired, fraudsters can seamlessly add the victim's card to various digital payment services. This enables them to use the card as they please, often going unnoticed due to a common lack of spending notifications on victims' phones.
The Mechanics Behind the Fraud
The scam's success relies heavily on the element of deception. Victims are misled into believing they are engaging in legitimate transactions. They are often directed to enter their personal information and card details on fraudulent websites designed to mimic authentic ones.
“You are asked to put your name and card details into the fake site they have been sent to. With these details, the fraudsters ask the victim’s bank to send a temporary one-time password or passcode (OTP) via a text. The victim is then asked to put this into the form they are filling in online,” Lilburn further elaborated.
This clever manipulation ensures that fraudsters receive all necessary information to access and use the digital wallet without immediate detection.
Growing Concerns Among Authorities
Anti-fraud bodies are increasingly concerned about this scam due to its scale and sophistication. Many victims remain unaware of unauthorized transactions until significant charges appear on their statements, often months after the initial breach.
“It is the sheer scale and effort that these people are going into,” remarked Garry Lilburn, highlighting the extensive resources fraudsters have at their disposal.
In many cases, fraudsters strategically delay spending on the victim's card for up to three months, reducing the likelihood of immediate detection. This delay tactic allows them to maximize gains before victims catch on.
The Path Forward
The scam's persistence and evolving nature continue to challenge financial institutions and security experts. Efforts to dismantle fraudulent websites are ongoing, yet criminals remain one step ahead by maintaining numerous backup domains ready for deployment.
“The domains and the websites that have been created are numerous. So numerous, there are many in reserve. So we get one taken down and they slot another one in,” Lilburn revealed.
Authorities urge users to exercise caution when receiving unexpected verification codes or messages requesting personal information. Enabling spending notifications can also help detect unauthorized activity promptly, providing an additional layer of security for users.