It’s a well-told story, but one that never loses its sense of dread and capacity for causing concern — a message from your bank that you’ve carried out a transaction you never actually made. Indian expat Sam Varghese, 45, learnt the hard way after his card was used for dubious transactions worth more than Dh4,000 in just under two days in April.
“The scamsters started with a small test amount of $1 (Dh3.67) just to ensure the credit-card details are accurate,” says Varghese, who works in Dubai.
“I got a message about the transaction, but didn’t pay much attention because it was a small amount. Two days later, another transaction worth about Dh4,000 was made at a store in South Korea.” Varghese then alerted the bank to block his card.
Thousands of people fall victim to credit-card fraud every year in the UAE, with fraudsters’ crimes coming to light once they have done their underhand work and disappeared into the cyber wilderness.
UAE-based Prashanth Thyagarajan’s family faced a similar ordeal. Last July, he was touring the Netherlands, Germany and Switzerland when his wife received a text from her bank to say her credit card had been used to pay for Dh4,500 worth of goods in a supermarket without her knowledge. The couple had taken precautions to avoid being targeted by fraudsters, says the Indian expatriate. “We had booked the hotel stay through the most renowned booking website and had hired a car, again through a renowned website using my wife’s credit card,” says Thyagarajan. “We thought these websites were safe enough.
“The transaction happened in a branch of a famous chain of supermarkets in France. Luckily we had never travelled to Europe before that incident, so we filed a complaint with the bank that afternoon, stating all our reasons and proof.”
The 29-year-old says that after about six weeks of discussions with his bank, the amount was finally refunded to the couple’s bank account. “It was a lesson well learnt for us. We will no longer be making any more unsecured online purchases.”
According to The Nilson Report newsletter, annual losses from worldwide fraud on credit, debit and prepaid cards hit $16.3 billion in 2014 on a total card sales volume of $28.8 trillion.
About 20 years after the start of the internet age, cybercrime continues to flourish, and many experts believe it is actually increasing — in terms of actual occurrences and potential threat.
Amir Kolahzadeh, Managing Director of cybersecurity firm ITSEC, is among them.
“Most credit-card frauds that are initiated by random spam and other tactics are short-lived as financial institutions, law enforcement agencies and public vigilance put an end to it,” he says.
“However, identity theft is evolving and crooks are becoming more intelligent and target their victims much more specifically using social engineering tactics.
“These criminals impersonate legitimate companies you might do business with online and offline and using this information create targeted emails asking the victim to update their profile with information that are used for verification purposes such as name, date of birth, national ID number, address and credit-card number.
“These phishing emails are now sent to targeted individuals and once clicked on, the crooks have everything needed to use the credit info as they now have the verification information.”
Kolahzadeh says financial institutions are constantly looking at new technology to protect consumers and themselves.
“Fraud has a cost for everyone involved,” he says. “We are seeing a trend of incorporating the smart chip on all credit cards and expect 85 per cent of credit cards worldwide to have a secure smart chip by the end of 2016.”
The move is a big step to prevent fraudulent use of card when physically present, but it will do next to nothing when it comes to online transactions, says Kolahzadeh. Consumers must be aware and question their financial institution as to the type of protection offered on their cards, he adds.
“However, it all starts when consumers become cautious about with whom and why they are sharing their credit-card numbers. Most banks now offer SMS services or double authentication for online purchases that is tied to mobile numbers.”
Most cards also offer some type of insurance, says Kolahzadeh. “But the coverage and price must be double-checked with the institution as it differs from bank to bank.
“From personal experience, you must report your card being missing or stolen or for any transaction that is not recognised immediately. The more time elapses, the harder it will be to convince your bank.
“Once reported, banks will start an investigation, cancel your card immediately and replace it with new ones. This process itself prevents further misuse. Once the investigation is completed, 95 per cent of the times charges are reversed and consumers are not affected.”
Waleed Barhaji, Business Head, Consumer Finance, Noor Bank, says chip-and-PIN technology, also known as EMV, which has been introduced in the UAE, has made it more difficult for fraudsters. “A few years ago, most banks replaced magnetic strips with the technology. The latter has made it much more difficult for fraudsters to extract and misuse data. Industry numbers suggest that despite growing card transaction volumes, fraud has dropped significantly. The chip-and-PIN concept has also enhanced consumer protection. In most cases fraud liability rests with the card issuer.
“Of course, there are exceptions such as the customer’s actual card as well as PIN being compromised, where the cardholder would also be liable.”
The law is clear when it comes to dispute resolution after a fraud is reported, says Barhaji. “The law allows card issuers to conform to standards set by the industry in terms of dispute processes, chargeback as well as fraud liability management. EMV compliance is also a regulatory requirement in the UAE to protect consumers. The UAE Banks Federation has a fraud prevention committee, which brings card issuers together to manage fraud risk effectively.”
The dispute processes are fairly standardised across banks, he adds.
“Banks would typically ask you to fill a form to capture the relevant details,” explains Barhaji. “The bank would then liaise directly with all the parties involved to investigate and resolve.”