With the summer comes peak season for scammers coming up with new ways to empty tourists’ wallets — increasingly, by getting their hands on travelers’ personal financial information. Here are five tricks to be on the lookout for, especially if you’re planning a getaway.
The fake front desk call. It’s the middle of the night, and the phone rings in your room. Waking up from a sound sleep in a strange bed, you’re disoriented anyway, so you might not question the caller when he says he’s calling from the front desk. There’s been some kind of computer glitch, and they need to verify the credit card information you have on file.
But it’s not the front desk. That was a scam artist calling you, and if you give him your credit card information, he’ll run up all kinds of crazy charges on your card before you get up in the morning.
Ed Mierzwinski, consumer program director for advocacy group U.S. PIRG, says he’s heard “a lot of recent stories“ about this scam. It’s gotten so bad in touristy Jekyll Island, Ga., that local hoteliers have started putting up signs warning guests that the “front desk clerk” asking politely for their credit card number is really a fraud.
Or not so politely, in some cases. Local authorities discovered that some of the calls were made by inmates at Georgia state prisons using cell phones smuggled in by visitors. These guys aren’t as nice as your average hospitality-industry employee: One played hardball when a guest (sensibly) balked at giving out his credit card information, threatening to come up and throw the guest out of the hotel.
The spoofed wi-fi hot spot. Frozen drink poolside? That’s fine — but you might want to avoid the pineapple. In hacker-speak, a “pineapple” is device used to create a fake wi-fi hotspot that looks like a legitimate one. Crooks will give it a similar or identical name to a hotel or coffee shop’s actual hotspot and wait for people to log on. From there, anything the unsuspecting users do — access a bank account, check a credit-card balance — is easily spied upon.
The rise in pineapples along with the so-called “evil twin” hotspots they create has proliferated as people use more wireless and mobile devices. Our vulnerability has risen, too: We conduct more of our financial transactions over the web, and capped wireless data plans lead many of us to set up our devices to switch to wi-fi transmission whenever an open network is available. If you’re on the road and looking for free Internet access, you could be at risk.
Computerworld blogger Michael Horowitz points out that some cybercrooks can even set up a hotspot with a fake name and fake login prompts, so a criminal would have their victim’s name and password right off the bat. (And given how many of us recycle our passwords, that could be the key to accessing a lot more information.)
The disappearing MoneyPak deposit. Earlier this month, the Better Business Bureau issued a warning about MoneyPak. An electronic service used to load funds onto a prepaid debit card, MoneyPak has become a favorite of scam artists because, like its predecessor the wire transfer, it’s quick, anonymous, and untraceable. The BBB suggest that people should treat MoneyPaks just like cash, but since MoneyPaks are associated with prepaid debit cards it’s understandable that people think they offer the same kind of protection as a credit card.
That’s bad news for travelers who think they’re paying a hotel, travel agent, or other kind of travel broker for a reservation. One user writing into the complaint website Scambook last month says she was fleeced out of $250, thinking she was getting a plane ticket to Jacksonville. Like so many victims of scammers, she saw plenty of red flags. “I found them on Craigslist offering discount plane tickets,” she writes at the outset. “Jesse,” the fake travel agent, “knew how desperate I was” to get a last-minute flight out of Indianapolis.
After initially telling the victim that her payment would go through PayPal, “Jesse” changed course and asked for the 14-digit MoneyPak security code. This gave her pause, but the flight was about to leave and she was already standing in the airport terminal. Her ticket had already been printed; she had it in her hand, so she figured she was good to go.
Wrong. The instant she called “Jesse” and gave him the security code, the crook canceled the ticket. By the time she got to the gate, she was without both a ticket and her $250.
The hijacked ATM. Crooks using “skimmers” that can read card data on ATMs, gas pumps, and store payment terminals is nothing new, but the practice is booming lately. A new report from Verizon Enterprise Solutions says rigged machines are responsible for nearly a third of data breaches, even as other types of card fraud have dropped.
Tampered ATMs are “the number one threat action out of everything we looked at,” Verizon exec Wade Baker tells the blog KrebsOnSecurity. And this number doesn’t even count criminals who use handheld skimmers to extract card data, like the waitress at a Red Robin restaurant in Washington busted last month for running up a $16,000 tab on credit cards she skimmed while working.
If you’re traveling and visiting an unfamiliar ATM, you’re less likely to notice if something is awry. Unless, of course, you’re the guys featured in this video. Unbeknownst to them, a thief has installed a skimmer on the drive-up ATM — an act caught on security camera — shortly before they pull up. For these bank customers in Nashville, it’s their lucky day when the skimming device comes off in their hand when they try to make a withdrawal.
The nonexistent vacation rental. More than 3 million people used AirBnB in 2012, and its number of listings grew from 120,000 to 300,000 in about a year. Millions more travelers use sites such as VRBO.com and HomeAway.com for other cheap or unconventional places to stay. But this increasing popularity means scam artists use these sites to look for victims.
One traveler told consumer advocate Christopher Elliott last month how her search for a vacation home with a “million-dollar” view led to losing $645 to a fraudster.
“I received a contract. Everything looked correct on the contract. It even had the rental property address and logo,” she tells Elliott. “I signed the agreement, and wired the money through Western Union.” That last step was the one where she kissed her money good-bye. Crooks love money orders and wire transfers because they’re quick, anonymous, and untraceable.
After wiring the money, the victim found out that the person she’d been corresponding with didn’t actually own the property, and her “million-dollar” view was just another scam statistic.
These companies have security features designed to try to prevent fake owners from bilking travelers out of their vacation budgets, but it’s still a case of buyer beware. Carl Shepherd, co-founder of HomeAway, which owns VRBO.com, tells Elliott, “The unfortunate fact is that phishing continues to be a part of the landscape of the Internet.”