Bank of America, Chase, Wells Fargo and other big name banks are frequent targets of this scam. Make sure you understand how it works!
If you’re not familiar with Verified by Visa, it is a free service that allows you to add an extra layer of security for online shopping. Here’s how it works:
1. Activate the feature
This can be done either through your bank’s website or on a participating merchant’s website, below is a screenshot of the latter.
2. Use the extra password when shopping
This password adds an additional level of authentication when you use your Visa credit card online at participating merchants. You will be required to enter it in addition to the all the information you normally provide (account number, expiration and security code).
What’s the scam?
The Verified by Visa scam has been sweeping the net for a few years now and just doesn’t seem to go away. It’s phishing scam that usually goes something like this:
You receive an official-looking bank email
It starts by receiving an email which claims to be from your bank. Even if the email address is from a @bankofamerica.com, @chase.com, etc. that does not mean it’s legit. Scammers can forge the address field to have it say whatever they want.
This is an example of an actual scam email:
“Your Bank of America card has been automatically enrolled in the Verified by Visa programme. To ensure your Visa card’s security, it is important that you protect your Visa card online with a personal password. Please take a moment, and activate for Verified by Visa now.”
You are sent off to the fake website
Upon clicking on the link in the email to activate/setup the service, you are re-directed to a dummy website which is designed to look like it’s authentic Visa or bank website.
Once there, the fake site will ask for your account information and possibly other private data like your Social Security, address, and more in order to setup Verified by Visa. Of course what they’re really doing is just tricking you into entering this information so they can exploit it.
It’s highly unlikely the scammer knows your bank! One of the reasons people fall for this scheme is because the bank or credit card company listed in the fake email might be identical to the one they’re using, which makes it seem even more authentic. However the truth is this is nothing but a numbers game for the scam artists – they send out thousands or millions of emails using the names of big banks, because they know at least X% of those recipients will indeed be customers of the given bank. This is why the Chase and Bank of America Verified by Visa scams seem to be the most common… they are the two largest banks in the U.S. so the crooks frequently target their names.
How to protect yourself?
Visa nor your bank will ever send you emails like this, so if you receive one with a link asking you to setup the service, it is a scam for sure.
In order to avoid falling victim, you should only access your bank by typing in their official address in the URL bar (i.e. type in bankofamerica.com). Once on the site, make sure there is an “s” after the http – that means the site is using Secure Sockets Layer (SSL) technology (and all banks are required to use that by law).
Whether it’s setting up the Verified by Visa service or just general account management, you need to always make sure you access the credit card company’s website directly through the address bar and NOT through a link in an email.
Written April 2011