How Scammers Stole $10M from the Credit Cards of 1.3M Americans

The Federal Trade Commission has filed charges in relation to the $10 million credit card scam that we first learned about a month and a half ago, we learn from the New York Times. The NYT article tells us that the charges against the bogus companies set up to facilitate the fraudulent transactions were filed back in March, three months before the FTC announced the scam in a press release.

It was a very elaborate scheme, involving more than 16 dummy corporations the scammers had set up in various Eastern European and Central Asian countries, including Lithuania, Estonia, Latvia, Bulgaria, Cyprus and Kyrgyzstan. The criminals then opened up more than 100 merchant accounts in the U.S. to process the payments. In order to do so, however, they had to convince the processing banks that their business was legitimate. Here is how they did that, according to the NYT:

[F]alse storefronts were set up on the Web, pretending to sell electronics or office supplies, in case a bank investigated.

The perpetrators also rented a street address from a company that provided that service and had their mail forwarded to another company that scanned and forwarded it a second time as e-mail, the suit says.

Once the merchant accounts were operational, the criminals started to charge small amounts to credit and debit card accounts whose information they had stolen. Most of the charges were for $9, although the amounts could be as low as $0.20 and as high as $10, according to Steven M. Wernikoff from FTC’s Midwest Region Office.

The criminals succeeded in stealing so much money mostly because the small individual charges either went unnoticed by many of their victims or they simply didn’t bother to dispute them.

Yet, with so many fraudulent transactions, complaints were bound to pile up and eventually the FTC received more than 1,000 of them. Interestingly, there “were more complaints about the 20-cent charges because they looked really odd,” according to Wernikoff.

The FTC’s investigation lasted for nine months, however the identities of the individuals who masterminded the scam are still unknown. No one is defending the companies in this law suit either. Less than $100,000 has been recovered so far from the U.S. assets of the false companies. The FTC hopes to recover some of the money transferred abroad, but it is unlikely that it will meet with much success there.

Apart from its sheer scale, the most striking thing about this scam is the discipline and patience with which it was executed. The criminals had detailed understanding of how the credit card processing system operated, had identified its vulnerabilities and knew how to exploit them. It must have taken them months just to lay down the groundwork of setting up U.S. corporations and opening up e-commerce websites and merchant accounts for them. They must have known that eventually the whole thing would be found out, but that it would take months for it to happen. In the mean time they managed to steal money from 1.3 million people. This must be some kind of a record, but I’m also wondering if we have learned the full extent of the scam. Take a look at your January statement. Maybe you’ll see a $0.20 transaction from Link Services or Site Management.