Help me understand small recurring fraudulent credit card charges
February 22, 2021 11:35 AM   Subscribe

I've already called my credit card company and the card is cancelled, but I'm trying to understand the motivation for these small recurring fraudulent credit card charges.

Someone used my credit card to sign up for a monthly Amazon Prime membership. This came out to two $14 charges before I noticed and reported it to my credit card company.

I guess I see why this works, it's a small charge at a merchant most people probably use regularly that will go undetected for a while. But the reward for this seems so low (free prime shipping and prime video) that I don't really understand the motivation. Last year something similar happened with 3 months of Netflix charges before I noticed.

What's the point of stealing less than $50 of digital services? Are credit card thieves not buying expensive laptops at Best Buy anymore? I feel there must be a bigger scheme here, but Google hasn't been much help. Do you know?

(If it's relevant, there seems to be a pattern with this particular card getting compromised. Other, more traditional fraud, has also occurred in the past and I barely use the card because updating online bill pay is a pain. The issuing bank had a very public scandal several years ago where employees were signing customers up for the bank's services without consent. That doesn't seem to be the case here, when I called they cancelled the card, they didn't say "Oh, didn't you know Amazon Prime/Netflix is a 'benefit' we signed you up for!" On the other hand maybe they just have really bad security?)
posted by Is It Over Yet? to Work & Money (13 answers total)
My brother has a Wells Fargo card that he does not use, ever, and it keeps getting stolen (3x in 2020, I'm not sure if he's still dealing with it) for small recurring Amazon purchases and Netflix. Like he will get an entirely new card with unique card details issued to him, lock it in his gun safe without even activating it, and it gets stolen.

Wells Fargo has some kind of agreement with Amazon (and maybe Netflix as well) where they automatically update and share their mutual customers card details if/when they change. So once it's compromised it'll keep getting compromised.

If Wells Fargo is the bank you're obliquely referencing...well...good luck.
posted by phunniemee at 11:46 AM on February 22 [6 favorites]

This may be a trial balloon to see if someone's watching the card activity enough to notice or if it's just mindlessly auto-paying, before floating a much larger charge.
posted by Lyn Never at 11:49 AM on February 22 [11 favorites]

It used to be that there would be one small charge to validate the card info before a big charge. That way they can sell the accounts as "verified". In this case, I wonder if the small recurring charge is to be able to verify the card is still working and allow the scammer to sell the account (or bundle of accounts) at a higher rate, like "verified monthly".
posted by soelo at 11:52 AM on February 22 [2 favorites]

Pirate streaming sites sell access to Netflix and other digital streaming services, so my guess is those accounts are being used to give people access to Netflix or Prime Video and the scammers are recovering the cash that their customers pay them.
posted by jacquilynne at 11:55 AM on February 22 [4 favorites]

Not every ID-thief is part of a big-time, mobbed-up, Russian oligarch-funded high-tech globe-spanning operation. Sometimes they're just a waiter or a gas station attendant who doesn't make crap at work and wants to watch Marvelous Mrs. Maisel by lifting a credit card from work.

Other people are right, of course; could be verification, it could be a matter of slowly easing you into warmer and warmer waters of theft-by-installments so you won't notice how much they're taking until they boil your credit to death.

Crime is usually banal, though.

> What's the point of stealing less than $50 of digital services?

When they started stealing, the potential for theft was much higher than $50; it was limited to less than $50 because you caught them, which has nothing to do with their motivations. It's possible they just didn't know how to do more without getting caught. Presuming expertise on the part of the criminal is unwarranted here.
posted by Sunburnt at 12:05 PM on February 22

I've always been under the impression that the stolen card methodology is to buy small stuff first to make sure the card works. The recurring charge thing would seem to be an outgrowth of that. As others have said, the point is that you're less likely to notice.
posted by kevinbelt at 12:35 PM on February 22 [2 favorites]

A couple of years back I checked my bill and found that I was being charged $3 a month for a service I'd never signed up for. I dug back and found that I'd given someone a credit card number online to prove I was a potential customer or a real person. I was tempted to forget it, but I eventually convinced my bank to claw my money back. They told me I had to do it myself and cancel the payments, but reluctantly relented when there was no way to do so in any information from the billing company.
I don't think anyone was going to bill me for a million dollars and have me call the police and try to hunt them down. They just casually billed a few thousand people a few bucks a month, knew nobody would do more than cancel the bill, and slowly accumulated a huge pile of cash.
I think more people have small fraudulent charges than you'd think. People search their bills for hundreds of dollars, not two or three.
If I had problems with a card more than once I'd cancel it forever. Someone is helping someone else to do this, and it's not going to stop.
posted by AugustusCrunch at 12:49 PM on February 22 [2 favorites]

What's the point of stealing less than $50 of digital services?

I mean, the obvious point is that you don't have $50? Or don't have access to credit or debit cards? You're working poor, or non-working poor, or a teenager? Or hell, we only have Netflix because I'm on my dad's account and we've never had Prime. And I'm a full-grown adult with a mortgage and shit.
posted by DarlingBri at 1:06 PM on February 22

Possibly relevant: The UK’s Response to Cyber Fraud A Strategic Vision. 'There’s a working hypothesis that criminals are going down market. Yes, trying to steal £10 million from a bank is an option, but stealing £10 a hundred thousand times is going to give you a good return and probably go below the radar. Are you going to call Action Fraud or your bank in the case where you lose £10?'

VIA Cyber criminals go 'below radar' and steal as little as £10, as victims are less likely to report it.
posted by StephenB at 1:15 PM on February 22 [1 favorite]

$50 can be a month's salary. We had someone apparently from Argentina steal our Disney+ streaming membership. Even with full access to the account, the only thing they could possibly get was to watch movies. I found this really weird but if you don't have the $10 and you really want to watch your Marvel movies, it makes sense.
posted by wnissen at 1:18 PM on February 22

Nthing a bunch of the stuff above.

Serious online financial crime has become specialized - while there are people that will steal people's credit card information and use it themselves to get goods, it's more common with serious criminals that an individual or group will specialize in getting CC numbers through illicit means and then sell them to a different person or group who specializes in the cashing them out (sometimes there's also middlepersons between them). A credit card that's been validated to still work with small transactions and not have the owner (or bank's fraud department) pick up on the issue is worth more on the market than one that's not been tested.

If you want to go down the rabbit hole of how online CC theft works, this talk is a few years out of date but goes into some of the validation processes and card trading techniques work.

Are credit card thieves not buying expensive laptops at Best Buy anymore?

A lot of the organized crime attacking financial services is overseas. First, the cost of living is lower, so what doesn't make sense to someone in the US or other high cost of living areas can make sense to them. Second, if they're in the former Soviet Union, China, Africa, etc., they can't just walk into a Best Buy and buy a TV - even if there was a neighborhood Best Buy where they are, making a high value purchase thousands of miles from where it's normally used would immediately get rejected as fraudulent. So to cash out on them, you need to set up a network of mules and fences in the US, which is a pain. Better to make a few extra bucks off of the validation process and let someone else assume the risk and tricky aspects of turning a stolen card into money.

And as StephenB noted, doing a lot of small crimes (particularly when the victims are scattered all over the country) is less likely to get you noticed by law enforcement than a few really big ones. And with physical objects, every layer of redirection skims a heft percentage of the profits - with a purchased computer, the mule that makes the purchase gets a cut, they may hand it off to a different mule who'll also take a cut, who hands it off to a fence, who takes a cut. Whereas with digital purchases, you can be direct to consumer (and automate most of the stuff, saving time). So the profit margin on recurring small transactions can be higher than big ticket items.

On the other hand maybe they just have really bad security?

It is unlikely that the bank is the one getting regularly breached in this case. Among other things, some of the fraud detection algorithms are pretty clever these days and if the bank was getting breached on a regular basis and CC numbers stolen, that commonality would be surfaced and incident response would have eventually caught onto what was going on at the bank. If it's the most infamous bank that engaged in signing people up for stuff without consent, I also know people on the security team there and while the corporation as a whole may have issues, they have some top tier security talent, a huge security team, and a budget to match.
posted by Candleman at 1:39 PM on February 22 [2 favorites]

I receive my unemployment payment on a debit card. That card NEVER gets used. The only people who know the number were the bank that issued it, the unemployment bureau (to put the money in), and me.

Yet one day I noticed someone put a Doordash charge on it. I don't even have a Doordash account. So I disputed it. I got a new card and the money was credited back to me after an investigation which took two weeks.

I know I didn't leak my own debit card number. So the leak must be from the other two sources...
posted by kschang at 5:34 AM on February 24

There are a lot of online retailers that still will process a card only with card# and expiration date, no address or postal code verification, no CVV requirement. It is quite easy to "guess" a CC number, there are online tools to facilitate this. You've got a fairly narrow range of available expiration dates to work with.

The number may not have been "stolen", no one (but the thief) may be at fault here. It's just someone brute-forcing CC# + expiration combos until they hit paydirt.
posted by xedrik at 8:11 AM on February 25

« Older Help me find a super soft foam pillow   |   Purple Lighting for Banquets - Regional? Newer »

You are not logged in, either login or create an account to post comments