Risk Alert: Vishing Scam Posted by Association of Vermont Credit Unions on 12:30 PM

CUNA Mutual issued an alert explaining how cardholdsers are subjects of a vishing (phone-based phishing) scam in which fraudsters spoof phone numbers making the calls appear to originate from the card issuing institution.  Cardholders are duped into providing CVV2/CVC2 codes and expiration dates from their debit cards. The perpetrators already possess the counterfeit mag stripe debit cards, and use the vishing information to change PINs through voice response units. Then, they use the counterfeit cards to make ATM withdrawals, as well as purchases at Wal-Mart in Florida and Georgia. Credit unions in Indiana, Kentucky, Ohio, and Virginia have been impacted by the scam.

Fraudsters targeting members through a vishing scam (phone-based phishing) are spoofing credit union phone numbers and posing as an employee in the credit union’s fraud or security department. The fraudsters tell the members they are calling to verify suspicious debit card transactions and, to verify the member’s identity, the member’s are asked to provide the CVV2/CVC2 code and the card’s expiration date.

In most cases, the fraudulent debit card transactions process as fallback transactions. Fallback transactions occur when an EMV-enabled terminal (POS or ATM) cannot read the chip and the transaction is completed using the magnetic stripe. There are a variety of legitimate reasons for fallback transactions, such as dirty chip reader or damaged card. Fallback transactions can also occur through a deliberate attempt by fraudsters to force magnetic stripe transactions. For example, a fraudster could damage the chip on a counterfeit card or cover the chip with tape so it cannot be read by the EMV-enabled POS or ATM terminal.

The liability for fraudulent fallback transactions is on the issuer for allowing the fallback transaction to occur. You can manage the risk by working with your card processor to develop rules for fallback transactions that fit your credit union’s risk appetite at POS terminals and ATMs based on data points such as transaction amount, geo-location, merchant category code, etc.

Risk Prevention Resources - Access CUNA Mutual Group’s Protection Resource Center for exclusive risk and compliance resources to assist with your loss control. The Protection Resource Center requires a User ID and password.