The Credit Card I Never Asked For

A scam from Netspend.

Today, I received a credit card in the mail. Trouble is, I never asked for the credit card. I have enough credit cards and I certainly don’t want another one.

NetspendIt was a Small Business prepaid MasterCard from Netspend, a company I had never heard of. The accompanying paperwork told me about the related fees for use but not much else.

I called the number on the card to ask what it was all about. I was prompted for a card number, my social security number — which I, of course, did not enter — and my date of birth — which I purposely entered incorrectly. I was then prompted to agree with terms of service by pressing 1. There was no person. Just a machine taking down whatever I entered.

I tried pressing 0 and various keys. The system eventually hung up on me.

I tried calling another number on the Netspend website. It threw me into the same automated queue.

I tried again, this time using the option that the card had been lost or stolen. A prompt warned me that that option was only for lost or stolen cards. I stuck with it. When prompted for my social security number again, I entered all zeros.

Eventually I got a real person on the phone. I asked her what the card was all about and she told me I’d accepted a mail offer. I told her I hadn’t and that I wouldn’t have. I told her I didn’t want the card and that I wanted it all record of it removed from my name, including from my credit report. She apologized for the “inconvenience.” I told her that it wasn’t an inconvenience. It was an invasion of my privacy. I told her that if I saw the card on my credit report when I checked it next month, Netspend would hear from my lawyer.

And then I hung up on her before she could do any more explaining or apologizing.

Is this a scam? Sure seems like it to me. Hand out a credit card, use a toll-free number to gather social security number and date of birth information. Even if it is legit, it’s an unwanted hit to a person’s credit report, possibly damaging to a credit score. And what if someone had intercepted it on its way to my mailbox? Would I be on the hook for someone else’s transactions?

Is this an indication that I’m an identity theft victim? Should I be calling the credit services now? Are there other cards with my name on them in the hands of other people?

Or am I just being paranoid?

These days, you never know — until it’s too late.

Fraud Alert: East Coast Mobile Style

Check your credit card bills!

Just a quick note to alert readers to a scam that’s evidently been around for a while.

In reviewing my credit card charges for the week I was gone, I found a charge for $2.56 from “#eastcoastmobilestyle.” The name was not familiar to me, so I called the phone number on the charge record, which appeared in the memo field of Quicken’s register when I downloaded my transactions: 912-289-0124. I got a recording with a female voice that sounded Asian. She said they could not provide support and that I should e-mail a support address. I left a message and kept digging, trying to find out what I’d supposedly bought from this company.

I wound up on a Web site called 800Notes where people evidently log the phone numbers of suspicious calls. There was a page dedicated to this number that mentioned East Coast Mobile. There were three pages of comments. In each case, the commenter had received a phone call from this company and a charge for $2.56, $4.56, or $6.56 had appeared on their credit card bill. I checked my new phone’s call log and did not see any calls from that number. However, I’d purchased my phone just the day before and had used the same credit card to make the purchase.

This certainly appears to be a scam. They get your credit card info and process a tiny charge. Most people would ignore a charge like that — after all, it could be for a ring tone or some other minor cellphone related service. But other people — like me, I guess — know who they buy from. I did not buy anything from this company.

I called the fraud department at my credit card company. They reversed the charge and cancelled that credit card account. I’ll get a new credit card later this week.

My advice to everyone reading this: always check your credit card bills for unknown charges. Follow up on the ones you don’t recognize — no matter how large or small they are. If this company places tiny charges like this on 100,000 cards, they can make a quarter of a million dollars in no time. They can also repeat the process for other charges — including larger ones — or sell your credit card information to scammers.

Please spread the word about this to the folks you know.

June 2, 2009 Update: In just a month, this has become one of the most popular posts on this blog. It consistently gets more than 50 hits per day. This is telling me that the fraud is extremely widespread.

Imagine that only 1% of the people who are fraudulently charged by East Coast Mobile Style find their way to this blog post. That means 5000 or more people per day are being charged. Even if the fee is the low number of $2.56, that’s well over $10,000 of fraudulent charges per day!

PLEASE spread the word about this fraud to the people you know. We need to stop credit card fraud any way we can. Always check every item on your credit card bill, no matter how small. I know it’s a pain in the butt to cancel a credit card, but if your has been compromised, that’s the only solution.

Good luck!

How Not to Get Caught in a Phishing Net

Don’t get fooled.

Today I got an e-mail message from American Express. It said, in part:

During our regualry scheduled accounts maintenance and verification procedures,
we have detected a slight error regarding your American Express Account.

This might be due to one of the following reasons:

1. A recent change in your personal information (i.e. address changing)
2. Submitting invalid information during the initial sign up process.
4. Multiple failed logins in your personal account.
3. An inabillity to accurately verify your selected option of payment due to an internal error within our system.

Please update and verify your information by clicking the following link:

Continue To American Express Online Update Form

*If you account information is not updated within 48 hours then your ability to access your account will be restricted.

Thank you,
American Express , Billing Department.

The type was tiny, which is probably why I didn’t notice the typos and spelling/grammar mistakes. Or perhaps I didn’t notice them because I’ve become so accustomed to skimming incoming mail rather than reading it.

The message looked official. It had the Amex logo and used their normal color schemes. But what really made it look genuine was the note near the bottom:

E-mail intended for your account.

If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card. If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here

Note: If you are concerned about clicking links in this e-mail, the American Express mentioned above can be accessed by typing https://www.americanexpress.com directly into your browser.

The hint that this wasn’t as legitimate as it seemed came when I pointed to the link to supposedly update my account information. The URL that appeared in a yellow box in my e-mail client consisted of an IP address followed by /home.americanexpress.com/.

Of course, the e-mail message wasn’t real. When I typed http://www.americanexpress.com/ into my Web browser and logged into my account, there was no indication of any problem.

Phishing, Defined

Wikipedia, everyone’s favorite online encyclopedia, defines phishing as:

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites (Youtube, Facebook, Myspace), auction sites (eBay), online banks (Wells Fargo, Bank of America, Chase), online payment processors (PayPal), or IT Administrators (Yahoo, ISPs, corporate) are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose URL and look and feel are almost identical to the legitimate one.

My spam protection software is very good at weeding out phishing attempt messages, so I rarely see them. This one almost fooled me. If I’d been suckered in like so many probably were today, I would have clicked the link and entered my American Express login information in the screen that appeared. That information would have been captured in the phishing net and used to access my American Express account online.

It Isn’t PayPal

One of the Web sites I maintain is for a friend of mine who makes and sells helicopter ground handling wheels: HelicopterWheels.com. He’s an older guy who’s only been using computers for a few years. When I set up the original site, he asked me to set up online ordering. I’ll be the first to admit that I know little about setting up ecommerce solutions. So I set him up with the easiest and most secure method of accepting payments that I knew: PayPal.

Now PayPal has a bad reputation with some folks and I’m really not interested in hearing reader complaints about it. I use PayPal for my online ordering needs and although it isn’t a perfect solution, it does work and it seems safe enough to me.

Unfortunately, my friend received an e-mail message telling him that he had to verify some PayPal settings. The message was a phishing scam and my friend fell for it. He got hit for a bunch of money — which I’m not sure if he recovered. He immediately blamed PayPal and had me take the Buy Now buttons off his site.

I felt bad for him. After all, I’d recommended PayPal. But I’m also not the kind of person who gets sucked in by phishing schemes. I assumed he wasn’t either. I was wrong.

Don’t Get Caught

So here’s the only rule you need to prevent yourself from becoming the victim of a phishing scam:

Never click a link in any e-mail message.

If you get a message from your bank or credit card company or PayPal or any other service that requires you to enter a user ID and password to access it, do not click any link in that message. Instead, go directly to the site by typing the URL into your browser’s Address bar or using a Bookmark/Favorite that you’ve already set up. If there is a legitimate problem with your account that requires your attention, you’ll find out after logging in the safe way.

Of course, there are plenty of clues that can help you identify phishing attempts:

  • Messages not addressed to your name. For example, Dear Cardholder instead of Dear Maria Langer.
  • Typographical, spelling, and grammar errors in the e-mail message. Do you think American Express would spell regularly wrong?
  • Messages sent to an e-mail address that you did not register with the organization supposedly sending the e-mail message to you. For example, the message I got today was sent to my Flying M Air e-mail account, which is not on file with American Express.
  • URLs that point to IP addresses rather than recognizable domain names. For example, http://35.32.185.43/account rather than http://www.americanexpress.com/account.

But you don’t have to worry about any of this. Just follow the golden rule listed above. Here it is again, in case you’ve forgotten: Never click a link in any e-mail message.

If you follow this rule, you should stay safe from phishing schemes.

Got a story to share? Use the Comments link or form for this post to speak your piece.