Use some caution if you get an email asking you to join Verified by Visa over the next few weeks. Taking advantage of the holiday rush to shop online, the public awareness of the Verified by Visa brand, and the security it offers, criminals are pushing a Phishing scam that offers very little in the way of true protection.
Phishing: Verified by Visa scam targets holiday shoppers. (IMG: Visa)
Verified by Visa is a solid layer of security for your Visa card. It works alongside the fraud detection and purchase protection offered by the issuing bank. What happens is you register for it online during the checkout process for a participating Verified by Visa retailer. You enter the required information, create a password, and activate the Verified by Visa service. Once activated, you cannot use the Visa card online without the password. If you want to know more, the official FAQ for Verified by Visa related information is here.
According to Webroot, a new Phishing campaign is circulating that is targeting holiday shoppers online using the Verified by Visa service name to lend creditability to the scam. This fake offer starts with an email inviting you to join the Verified by Visa program.
From there you are linked to a Phishing site that is “clearly more professional, slick, and clean than most Phishing pages,” noted Andrew Brandt, who researched the scam for Webroot. “The form’s businesslike appearance serves to reassure the victim that the page really belongs to Visa.”
If you see this invitation, two things will stand out that are sure to ring warning bells. The first thing is the address used. While the email text will list one address, as Brandt’s research points out, the actual address used in one example is vbvactivation-visa.com. This is not a legit Visa address, far from it.
Also, when registering for the Verified by Visa service, as mentioned, you do so during the check out process at a participating retailer. Visa would never send you random emails asking you to join. Another issue with the domain is that it uses HTTP and not HTTPS in the address. If you are dealing with Visa, and they need any type of information, they will always use HTTPS in the address field.
The second thing to scream fake and keep those warning bells ringing is that you are being asked for all kinds of personal information.
“In a real sign-up form for Verified by Visa, you won’t be asked to provide your mother’s maiden name, social security number, birthdates', or any other sensitive details that you wouldn’t otherwise enter into a Web-based order form while shopping online,” wrote Brandt.
He also did a little digging and discovered that the domain used in the Phishing attack was registered to a GMail account.
“Do you suppose a company as large as Visa International would register a domain name using a Gmail account, a Canadian mailing address, and (Thanksgiving-related puns aside) a telephone number that uses the international dialing code for Turkey?”
If you see emails that ask you to join the Verified by Visa program, forward them to phishing@visa.com and delete them. Under no circumstances should you follow links or open any attachments with them.
If by chance you get an email that claims to come from the bank that issued your Visa card, pick up the phone and call the bank, and give them nothing over email. The odds are this too is a scam, and the bank will know immediately.
Interested in a more interactive TTH? Join our Facebook Group Want regular updates from The Tech Herald? Follow us on Twitter
Advertising
Comment on this Story