Credit Card Fraud: The Three Words You Never Want to Hear

September 10, 2018

How to secure your debit and credit cards from fraudsters and protect your identity.

Credit card fraud, an unauthorized and illegal use of your credit card to obtain goods or services or to withdraw cash from your account, is on the rise. According to the Federal Trade Commission, more than 32 percent of Americans complained about credit card fraud in 2016, double the rate from 2015. Overall, in 2017, consumers reported losing a total of $905 million to fraud, a $63 million increase since 2016, with $429 being the median loss.

“Hackers nowadays are getting smarter and more sophisticated in the ways they can defraud consumers,” says JoAnna Guzon, senior banking operations analyst at East West Bank. “And it’s imperative for consumers to know how to stay safe and protect themselves and their credit from different types of fraud.”

Fraud due to data breaches

While credit card fraud typically occurs when somebody steals your wallet or copies your credit card information during a retail transaction, sometimes credit card fraud happens due to large-scale cybersecurity hacks or data breaches. Data breaches are incidents in which individuals’ names, Social Security numbers, driver’s license numbers, medical or financial records (credit and debit cards included) are potentially put at risk because of a cybersecurity mishap, either intentional or unintentional. More often than not, credit card owners, and even the owners of breached systems, do not know immediately when a breach occurred.

In the last few years, the number of data breaches has gone up. According to the 2017 Data Breach Year-End Review by the Identity Theft Resource Center, the number of tracked U.S. data breaches last year hit a new record high of 1,579 incidents, exposing nearly 179 million records, a drastic 44.7 percent increase over the figures reported the year before. Nearly 20 percent of breaches included credit and debit card information, with 14.2 million credit card numbers and nearly 158 million Social Security numbers being exposed.

Data breaches of such well-known companies as Yahoo, Equifax, Target, and eBay, among others, have made headline news. The breaches revealed sensitive information of millions of Americans and made it easier for cyber criminals to use it to their advantage and commit identity theft. The Equifax breach alone compromised the personal information of 143 million consumers.

Different types of fraud

Credit card fraud takes many shapes and forms, and hackers are becoming more proficient at stealing consumers’ information, both online and offline. The most common types of credit card theft are:

  • Card-present fraud
  • “Card-present fraud, meaning the individual has the card in their possession and is using this card at the merchant, is one of the basic types of credit card fraud,” says Janet Pickering, vice president of credit card risk and compliance at East West Bank. “In general, we’ve seen that card-present fraud has decreased significantly since the introduction of the EMV chip, the technology that came about a couple of years ago to increase credit card security.”

  • Card-not-present fraud
  • “The second basic type of credit card fraud,” Pickering continues, “is the card-not-present fraud, where the physical card isn’t at the merchant when a fraudulent transaction occurs—think online orders. We are seeing a huge increase in card-not-present or e-commerce fraud.” Pickering adds, “With card-not-present fraud, fraudulent transactions often remain undetected until the victim is charged for purchases they didn’t make.”

  • Skimming
  • Credit card skimming can happen during legitimate transactions. For example, at a restaurant, a dishonest employee takes the card out of the cardholder’s immediate view and captures the cardholder’s information with a skimmer (a small electronic device); that information is then used to make counterfeit cards. Fraudsters can also attach tiny skimming devices to ATMs to capture your card information and then re-create your card with their name on it. Just like with card-not-present fraud, the victims usually don’t notice the fraudulent charges right away and only do so when they receive their bank or credit card statements.

    Since some credit cards are now embedded with radio frequency identification (RFID) chips that transmit certain types of information wirelessly and enable you to make purchases without actually swiping your card, RFID skimming has become yet another type of electronic pickpocketing crime. Fraudsters, armed with an RFID reader, can steal personal information from your RFID-enabled credit card from several feet away.

  • Application fraud
  • This type of credit card fraud happens when a criminal obtains your information fraudulently, from stolen or discarded documents such as bank statements, utility bills, or pre-approved credit card applications, and uses it to open a new credit card in your name. This type of fraud generally happens together with identity theft. Many banks will have safeguard measures to stop application fraud from happening (e.g. require only original documents to be submitted as proof or call employers to confirm a person’s identity). But, unfortunately, criminals can create fake documents, provide fake phone numbers and get around certain security measures. It can take a long time before a person knows that they fell victim to credit card fraud.

  • Account takeover
  • Account takeover is one of the most common types of fraud. It happens when a criminal gathers enough personal information and relevant documents on the cardholder, deceives the credit card company or bank by pretending to be the owner of the card, and takes over the victim’s account. A criminal may call the credit card company to report the card lost or stolen, or ask them to issue a new card and redirect the mail to their address. The fraudster then receives a new card, and upon activation, starts using it, potentially destroying the cardholder’s credit.

  • Phishing
  • Credit card phishing happens when fraudsters pretend to represent legitimate companies, for example by posing as bank personnel, and contact consumers to try to extract their credit card information. This could be done through fake e-mails that look like they come from a trusted source, where consumers are asked to call a number or click on a link to verify personal information as a type of security check, and then are redirected to a fake website. Or, it could be done over the phone, such as when someone pretending to be from a consumer’s credit card company calls them to investigate potential identity theft and tries to get them to provide their Social Security or account number.

Ways to prevent credit card fraud

Though no one can fully eliminate the risk of having their personal information stolen, there are steps that can be taken to reduce the risk of falling victim to credit card fraud and identity theft:

  • Regularly monitor bank and credit card statements
  • “You should regularly review your billing statements to scan for unfamiliar charges and fraudulent transactions. Don’t wait for the print statement to be mailed to you—if you have access to your credit card and bank accounts online, make it a routine to log in and look at your account activity on a regular basis,” says Guzon. “If you notice that something is off, don’t put it off, and immediately notify your bank or credit card provider,” she adds.

    Many credit card companies have zero-liability policies, such as Visa’s Zero Liability, which means that the consumer won’t be held responsible for unauthorized charges made on their account, and they are protected if their debit or credit card is lost, stolen, or fraudulently used online or offline. However, there are certain cases where zero-liability protection does not apply. This happens when consumers wait too long to report a claim. According to the Fair Credit Billing Act and Electronic Fund Transfer Act, the federal legislation that establishes the liability and rights of consumers, if you report a lost or stolen card before it is used, you are not responsible for any unauthorized charges. If there is unauthorized use of your credit card before you report it missing, the most you would be liable for is $50. If you wait more than 60 days to report fraud on your debit card, you could be liable for all the money taken.

  • Change online passwords and PIN numbers
  • Make sure that you don’t use the same password for every account that you have and keep the personal details, especially the ones that allow access to your accounts, to yourself or to a limited group of people. “Customers open themselves up to online fraud by not taking proper steps to secure their account passwords,” says Guzon. “If you fail to adequately protect your privacy or login details, fraudsters have the ability to extract data from your transactions and profile, as well as make changes that may lead to identity theft.”

    To avoid password reuse and to easily change existing passwords, especially if you suspect that they’ve been compromised, you might want to use a password manager. Password managers help you generate, retrieve, and keep track of complex passwords for the many accounts that you might have, while protecting your PINs, credit card numbers, three-digit CVV codes, and more. They store your login information for all the websites that you use and help you log in to them automatically. The only password you need to commit to memory is the master password that lets you unlock and access any information stored in the database.

    There are some excellent password managers available on the market, which include 1Password, LastPass, Dashlane and others. Each option is a good security tool that will keep your login information secure, and offers different plans at different price points, depending on additional features and whether you want to store your information locally or in the cloud. Choosing the best password manager really comes down to personal preference.

  • Monitor your credit reports
  • Regularly monitor your credit report and keep a watchful eye on any unauthorized new accounts opened in your name to catch signs of identity theft early. Under federal law, you are entitled to a free copy of your credit report from the three major U.S. credit reporting agencies–Experian, TransUnion and Equifax–every 12 months, which you can request online, over the phone, or through mail. If you find any information in the credit report to be inaccurate, you can contact the creditor or the lender. Additionally, you can file a dispute with the credit bureau that provided you the report that contains the error by sending them a letter with your contact information, an explanation of why you think they made a mistake, and any supporting documents you might have.

    While some banks and credit card companies now provide free credit report monitoring, there are special credit monitoring tools and identity protection services you might consider. Some may be free and cover reports from only one or two credit bureaus, like Credit Karma. Other companies, like PrivacyGuard, Identity Guard, and LifeLock, to name a few, may charge you a fee ranging anywhere from $9 to $30 a month, and cover all three reports.

    Furthermore, if you’ve been a victim of identity theft, you can also consider putting a freeze on your credit file, which essentially cuts off access to your credit history and greatly reduces the chance of any new credit being opened in your name. To do so, you will need to provide your Social Security number, birthdate and other information that confirms your identity, and contact each of the three major credit bureaus individually. Once the freeze is in place, the bureaus will provide you with the PIN that you will need if you wish to lift the freeze one day. If you lose or misplace your PIN, you may not be able to undo the freeze easily, which could cause inconveniences and delays if you need to apply for a car loan, rent an apartment, set up utility bill service, get a new credit card, and more. Also, it’s important to remember that freezing your credit won’t affect your current accounts. So, if a fraudster steals the information on your existing account, your credit may be used without your permission.

  • Be vigilant and be aware
  • To avoid RFID skimming, use an RFID-blocking wallet to prevent hackers from scanning your cards by standing close to you, or wrap your cards in a few sheets of thick aluminum foil. “Always be aware of your surroundings,” says Guzon. “Most gas stations nowadays have these stickers at the pump to say that they haven’t been tampered with. In the case that a machine does have a broken sticker, you should find another pump, or go pay inside so that there will be some sort of documentation. If you use an ATM, use the one at a crowded area and not somewhere that’s far off from the building or in the dark. Those hidden ATMs are more prone to people attaching skimming devices to them, which will capture your card information and allow fraudsters to recreate your card somewhere else with their name on it.”

How businesses can prevent credit card fraud

Needless to say, credit card fraud is damaging not only to consumers but also to merchants, who, in many cases, pick up the tab for fraudulent credit card transactions. Businesses can have a tough time recovering merchandise purchased through illegitimate means, and credit card companies are not legally required to assist merchants in tracking down the criminals. However, there are ways for businesses to detect credit card fraud and prevent fraudulent transactions from happening:

  • Ask for an ID
  • As simple as it sounds, all businesses should ask for photo identification during checkout. In the case of card-present fraud, verifying the card information with the information found on a driver’s license and seeing if the photo looks legitimate could be the most effective and easiest way to spot credit card fraud. “If something looks suspicious, trust your gut instinct and inquire for more information,” says Pickering. Additionally, merchants could call credit card issuers and make a Code 10 authorization request to verify a card’s validity, while also alerting the card issuer about suspicious activity. The operator on the other end of the line would ask simple “yes or no” questions, advise the merchant on how to proceed with the situation, and, if necessary, call law enforcement.

  • Have an EMV chip machine
  • “All merchants should have an EMV chip machine. In the far majority of cases, people have chip cards, but it’s the merchant who doesn’t have a chip machine or has one that’s not functioning properly,” says Pickering. “If a customer has a chip card, but they can’t complete a transaction due to a malfunctioning chip machine or the absence thereof, the card has to be swiped or manually keyed. That means that, by fallback, the liability for that transaction falls on the merchant.” To protect customers’ data, avoid liability, and keep the business safe, merchants should be able to accept EMV chip cards.

  • Look for any red flags
  • In cases where the card is present, in addition to inspecting a customer’s ID, merchants should carefully examine the card itself to see if the account number on the front matches the account number on the back, and check if the card has all the elements such as holograms and a magnetic strip that hasn’t been tampered with. Also, merchants should take note of customers’ behavior and look for any warning signs. During card-not-present transactions, merchants should look for red flags and be wary if the shipping and billing addresses are different, if the order is coming from countries where this type of fraud is common, and if there are unusually large rush or overnight delivery orders.