Customers of Bank of America, Chase, Wells Fargo and other major Visa-issuing banks are frequent targets of this scam. Make sure you understand how it works so that you can avoid becoming a victim!
If you’re not familiar with Verified by Visa, it is a free feature that allows you to add an extra layer of security for online shopping with your credit card. Here’s how it works:
1. Activate the feature
This can be done either through your bank’s website or on a participating merchant’s website; below is a screenshot of the latter.
2. Use the extra password when shopping
This password adds an additional level of authentication when you use your Visa credit card online at participating merchants. You will be required to enter it in addition to all the information you normally provide (account number, expiration and security code). The drawback, however, is that a significant number of merchants don’t participate in the program. It’s mainly some of the big national retailers that are in the program. It’s really a great service but unfortunately, like anything on the internet, some bad actors have gotten involved and started to ruin things for everyone.
What’s the scam?
The Verified by Visa scam has been sweeping the net for a few years now and just doesn’t seem to go away. It’s a phishing scam that usually goes something like this:
You receive an official-looking bank email
An urgent and very legitimate-looking email shows up in your inbox from the bank that issues your Visa credit card, stating that you need to enter your login credentials to verify your account. Even if the email address is from @bankofamerica.com, @chase.com, etc., that does not mean it’s legit. Scammers can forge the address field to have it say whatever they want. If you hover your cursor over the official-looking return address, you’ll see a different masked address pop up. That will verify that it’s from a fraudulent source.
This is an example of an actual scam email:
“Your Bank of America card has been automatically enrolled in the Verified by Visa programme. To ensure your Visa card’s security, it is important that you protect your Visa card online with a personal password. Please take a moment, and activate for Verified by Visa now.”
You are sent off to the fake website
Upon clicking on the link in the email to activate or set up the service, you are redirected to a dummy website which is designed to look like an authentic Visa or bank website.
Once there, the fake site will ask for your account information and possibly other private data like your Social Security number, address, and more in order to set up Verified by Visa. Of course, what they’re really doing is just tricking you into entering this information so they can exploit it.
It’s highly unlikely the scammer knows your bank! One of the reasons people fall for this scheme is because the bank or credit card company listed in the fake email might be identical to the one they’re using, which makes it seem even more authentic. However the truth is this is nothing but a numbers game for the scam artists – they send out tens of millions of emails using the names of big banks, because they know at least X% of those recipients will indeed be customers of the given bank. Many large banks like BofA have tens of millions of customers, so there’s a very high probability for these scammers to find their marks without much effort. This is why the Chase and Bank of America Verified by Visa scams seem to be the most common… they are the two largest banks in the U.S. so the crooks frequently target their names.
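The two tells described above, a sender address that does not match where replies really go and a link that leads somewhere other than the bank, can be checked mechanically. This Python sketch is an added example, not part of the original article; the sample message, its hosts and the function names are constructed for illustration, and it assumes a single-part HTML body.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and host in it is made up.
SAMPLE = '''From: "Bank of America" <alerts@bankofamerica.com>
Reply-To: support@secure-verify.example
Return-Path: <bounce@mailer.example>
Subject: Activate Verified by Visa
Content-Type: text/html

<p>Activate: <a href="http://bankofamerica.com.card-verify.example/vbv">https://www.bankofamerica.com/activate</a></p>
'''

def domain(value):  # lower-cased domain of an address header, '' if absent
    return parseaddr(value or "")[1].rpartition("@")[2].lower()
def belongs_to(host, base):  # host is base itself or a subdomain of it
    return host == base or host.endswith("." + base)

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_signals(raw):
    msg = message_from_string(raw)
    claimed = domain(msg["From"])  # the domain the sender claims to be
    findings, parser = [], LinkCollector()
    for name in ("Reply-To", "Return-Path"):
        d = domain(msg[name])
        if d and not belongs_to(d, claimed):
            findings.append(f"{name} domain {d} differs from From domain {claimed}")
    parser.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in parser.links:
        host = urlparse(href).hostname
        if host and not belongs_to(host, claimed):
            findings.append(f"link shown as '{text}' goes to {host}")
    return findings
```

Treat each finding as a signal rather than proof: legitimate bulk mail often bounces to a third-party mailer, so a Return-Path mismatch alone is weak, while a link whose visible text names the bank but whose destination does not is much stronger.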
How to protect yourself?
Neither Visa nor your bank will ever send you emails like this, so if you receive one with a link asking you to set up the service, it is a scam for sure.
In order to avoid falling victim, you should only access your bank by typing in their official address in the URL bar (i.e. type in bankofamerica.com). Once on the site, make sure there is an “s” after the http – that means the site is using Secure Sockets Layer (SSL) technology (and all banks are required to use that by law).
Whether it’s setting up the Verified by Visa service or just general account management, always access the credit card issuer’s website directly through the address bar and NOT through a link in an email (this advice really applies to all of your online accounts, not just your card issuer). You should never respond to an email by clicking an embedded link in order to address some issue that is claimed within the message. Always close the email and verify that the issue exists by going directly to the website in question or by calling the bank or company involved. So, if you do receive a suspicious-looking email purporting to be from your bank, go directly to the bank’s secure website – they will have an address you can forward it to (like firstname.lastname@example.org) so that their fraud investigators can review it.
Written or last updated November 2015