Thursday, April 25, 2013

No, I Am Not Stuck in Mexico and I Do Not Need Money to Get Me Back Home

While I was in New Jersey, I got a heads-up voicemail from my Grandfather --
"Yo Chris. Granddad. I had a telephone call this morning from somebody who identified himself as Chris. He called me by the name 'Granddad' To make a long story short, the g*#damn thing was a scam. And I recognized it before it was done and he hung up". . . (continues) . . ."But it was a little startling this morning because it sounded like you were in trouble in Mexico. Needed help. Wanted money to get out of there. That was the gist of it". . . (and so on)

My Grandfather lives in an over-55 retirement community, and his basic info can be just as easily found in the public records as everybody else. So I'm assuming somebody out there has compiled a big 'ol database of available info for likely targets and was using it for a "Grandparent Scam" spear phishing attack. Ultimate goal being to play on his fears and family compassion so he'll feel compelled to wire whatever money to wherever the bad guy actually is. All too common attack these days. Gold star to Granddad for quickly seeing it as the scam it was and shutting it down.

No caller id was available for the scammer. It probably would have been spoofed anyway. I do wonder though, how many of the other scammer targets saw through the BS so easily.

Also wondering if my Grandfather had tried to wire money somewhere, would the Western Union (or whatever wire service he decided to use) would have had the fraud checking controls in place to catch it before the money was lost to the shadows. Seems like they would. This scam being so prevalent these days, it would seem like it would be in their best interest to put something in place which would protect their customers from those who would misuse the service to commit this crime.

Talking about fraud detection controls such as:

1) Training for the employees to be able to identify suspicious transfers

2) Automated controls looking for first time transactions (as opposed to repeating transactions for bill payments or inter-family transfers)

3) Automated controls looking for suspicious transaction amounts

4) Automated controls enforcing a reputation scoring system which would detect suspicious transfers destined to those who infrequently use the system or have a odd transaction behavior

5) Automated controls enforcing transaction limits for low/no reputation customers or for international transactions

6) Validation/logging of government issued ID on both sides of the transfer.

Or some layered combination of all six and whatever others equally as important.


But I'm not seeing any specific protections on the Western Union defined website. They do, however, post a Fraud Hotline number to call (1-800-448-1492) for those who believe they have been a victim. And a search for the keyword 'fraud' does pop up info about the scam:
Screenshot from the Western Union website "Ask a Question" search
Screenshot from the Western Union website Ask a Question search
What is the "grandparent scam?"

Fraudsters are calling grandparents and impersonating either their grandchildren or a person of authority, such as law enforcement officers or attorneys. They describe an emergency situation such as bail, fines, fees, etc., that requires money to be sent immediately through a money transfer service.

It's important to verify any emergency situation before sending money. If you receive any emails like these, call a mutual friend or family and ask if they're aware of the situation.

Was this answer helpful?
Yes | No

They do have a "Consumer Protection" section listed. However, most of the information posted is more "consumer educational" on how to spot a scam rather than "Here's what we're doing to protect you with our expertise".

That said, even if the scam is predominately listed on the website, I would doubt the majority of the target audience would be on the Western Union site to see it. So that's why I'm wondering what steps Western Union has taken to address the problem behind the scenes.

And this concern is obviously NOT ONLY directed towards Western Union just because they are the ones I think of first. Many many MANY services are on the market these days for sending money quickly to anywhere. All of which could easily be exploited for this badness if there's nothing in place catch it. And clearly just because the security control is not listed for public consumption, does not mean it's not there. Could easily just not be advertised for legal liability or confidential reasons.

But still this scam persists. And not as just a random one-off. It's been out there for a long time and it's still way all too common. So much so that Google search for "Grandparent Scam" pulls up a whopping 248,000+/- results. The first hit being from the US State Department:
Screenshot from the US State Department website
Screenshot from the US State Department website
"Grandparent Scams"

In these types of scams, the perpetrator often calls a grandparent or other relative pretending to be his/her grandchild/niece/nephew, etc. The caller sounds upset and typically states there are only a few moments to talk. Callers may say that they have a cold if you don't quite recognize their voice, or cue-in on feedback from the call to sound even more convincing (scam victims often report being sure they were talking to their actual relative, but it's a clever trick!). Their story generally follows a familiar line: they were traveling in another country with a friend, and after a car accident or legal infraction, they are in jail and need bail money wired to a Western Union account as soon as possible for their quick release. . . (continues on their website here)

I have heard of some unique situations recently where an "on the ball" cashier saw the weirdness and asked the right questions to stop it before it was too late. But as infrequent as those exceptions are, and as often as this scam seems to be attempted, it seems like the wire money vendors aren't doing what they need to do to protect their customers.

Maybe it's because they're not required to?

If it was a credit card transaction, there would be a certain amount of accountability required by law. The customer has the right to dispute a fraudulent transaction. The credit card issuer then reverses the charge through the Visa/Mastercard/whatever transaction network to protect the customer (and probably in part because they don't want to eat the money). Whatever bank is being used on the other end can identify and go after the fraudster. And if they can't, they strengthen their fraud detection controls as so their bank can't be exploited next time. At least they should, but that's a different conversation. Whatever the case, the customer victim has their money back and (most) all is good.

Of what I listed above -- I know that at least controls 2 through 5 are in place with my credit card issuer based on the fraud alert calls I occasionally get. An ATM withdrawal once triggered a call to my cel within 3 minutes of me pulling the cash out while on vacation in Kauai. So I'm gathering my bank also has taken the necessary steps.

As those rights don't exist on wire transfer transactions, I'm guess I'm left to surmise there's just no real incentive to have fully robust fraud prevention controls in place to protect against this sort of way too common scam. Or at the very least, extend what controls they are required by law to detect money laundering to also detect this type of transaction.

I imagine if the same laws enforcing a $50 customer liability cap on fraudulent credit card transactions were extended to also cover fraudulent wire transfers -- then this would be a whole different ballgame. The credit card issuers and the Visa/Mastercard/whatever transaction networks have this type of detection/prevention well perfected. Largely because they are required to minimize their own risk, but it doesn't change in the slightest the controls work. It's a shame that the wire transfer networks can't (or won't) exercise the same due care for their customers.

Regardless -- I'm not in Mexico. And I'm not in trouble. (Though you can still send me money via my home address if you really want)

Good times.