How Chinese Criminals Steal Your Credit Card With Just One Text | WSJ
By The Wall Street Journal
Key Concepts
- Toll Scam Messages: Text messages falsely claiming an unpaid toll and threatening vehicle impoundment.
- Phishing Page: A fake website designed to trick users into revealing personal and financial information.
- Authorization Code: A security code sent by banks to verify transactions, which scammers exploit.
- Remote Tap-to-Pay: A technique where scammers use software to remotely transmit stolen credit card information for purchases.
- Organized Crime Groups: Criminal organizations, specifically identified as being from China in this context, profiting from these scams.
- Phishing Kits: Pre-made tools that facilitate the creation of phishing scams.
Toll Road Scams: A Sophisticated Financial Fraud
This video details a widespread and highly profitable scam originating from organized crime groups in China, primarily targeting individuals with fraudulent "unpaid toll" text messages. The scam has reached an all-time high, with Americans receiving over 330,000 such messages in a single day in September. Federal investigators estimate these crime groups have generated over $1 billion in the past three years through this scheme.
The Mechanics of the Scam
The scam begins with a seemingly urgent text message stating, "Urgent message. You have an unpaid toll. It's important that you take care of this fine over the next 12 hours, or your vehicle will be impounded." This message is designed to create immediate fear and pressure, prompting recipients to act without critical thinking.
1. The Phishing Page: The text message directs the recipient to a link that leads to a fake phishing page. This page is meticulously designed to mimic legitimate toll road websites. In the demonstration, the fake page presented a fine of $6.69.
2. Data Harvesting: Upon proceeding, the phishing page requests personal contact details, including name and address. The ultimate goal is to obtain credit card details.
3. Credit Card Information Acquisition: Once the scammer has the victim's credit card details, the next step is to obtain an authorization code, which is crucial for validating the card for transactions.
4. Exploiting Authorization Codes: The victim's bank, employing standard security measures, sends an authorization code to the victim's email or phone to verify the transaction. The scammers, aware of this, prompt the victim to enter this code on the phishing page, often under the guise of completing the "Google Pay" payment. The message might read, "Please follow these last steps for Google Pay."
5. Transaction Completion and Card Loading: Once the victim enters the authorization code, the scammers gain full control of the card: the code authenticates it, effectively loading it onto the scammer's smartphone wallet. As stated by the researcher, "Once the scammers put your code in, you are cooked. Your card is on their smartphone wallet."
Remote Transactions and Global Reach
A critical and alarming aspect of this scam is the ability of criminals to conduct transactions remotely from China.
1. Remote Tap-to-Pay Technology: To avoid raising red flags with credit card companies, criminals do not make purchases directly from China. Instead, they utilize specialized software that allows them to tap their phone in China and transmit the authenticated credit card information to a second phone.
2. Recruited Shoppers: This second phone is then used by a recruited shopper in the victim's geographical area to make purchases.
3. Real-World Demonstration: A researcher in Amsterdam recreated this remote tap-to-pay trick. In a demonstration, credit card information from San Francisco was transmitted to a phone in Amsterdam. This phone was then used to make a payment at a point-of-sale device in a cafe, proving the concept.
4. Types of Purchases: While the demo involved purchasing apple juice as proof of concept, criminals are known to buy a wide range of items, including iPhones, luxury handbags, and gift cards.
5. Resale and Distribution: These purchased items are then resold on platforms like Alibaba or eBay at a discounted rate, or simply shipped overseas.
Legal Action and Prevention
Google has taken legal action against one of the creators of the phishing kits used in these scams. On November 12th, Google sued a company, alleging that these kits had duped over a million people in at least 121 countries.
Key Argument for Prevention: The primary advice for avoiding these scams is to "stay alert." The video emphasizes that a message threatening vehicle impoundment for a small fine like $6.69 is illogical. The key takeaway is to "Slow down and think it through, and you'll save yourself from a lot of losses."
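The "slow down and think it through" check can be written down as a triage rule for incoming texts. The sketch below is an added example, not something shown in the video or produced by WSJ; the regex patterns, the $25 "small fine" cut-off, and the sample messages with their .example links are assumptions constructed for illustration.

```python
import re

# Patterns are assumptions modelled on the scam text quoted above, not a vetted ruleset.
SIGNALS = {
    "toll_claim": re.compile(r"\b(?:unpaid|outstanding|overdue)\s+toll\b", re.I),
    "urgency": re.compile(r"\b(?:urgent|immediately|final notice)\b", re.I),
    "deadline": re.compile(
        r"\b(?:within|over the next|in)\s+\d+\s*(?:hours?|hrs?|days?)\b", re.I),
    "severe_threat": re.compile(r"\b(?:impound(?:ed)?|license|legal action)\b", re.I),
    "link": re.compile(r"https?://\S+|\b[\w-]+(?:\.[\w-]+)+/\S*", re.I),
}
AMOUNT = re.compile(r"\$\s?(\d+(?:\.\d{2})?)")
SMALL_FINE_USD = 25.0  # assumed cut-off for a "small" fine


def triage(message):
    """Return the signals found in one SMS body and a verdict."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(message)]
    amounts = [float(a) for a in AMOUNT.findall(message)]
    # The mismatch the video calls illogical: a few dollars owed, a drastic penalty.
    if amounts and min(amounts) <= SMALL_FINE_USD and "severe_threat" in hits:
        hits.append("disproportionate_threat")
    if "toll_claim" in hits and len(hits) >= 3:
        verdict = "likely_smishing"
    elif len(hits) >= 2:
        verdict = "suspicious"
    else:
        verdict = "no_signal"
    return {"signals": hits, "verdict": verdict}


# Constructed samples: the first reuses the quoted scam text with a made-up link.
SAMPLES = [
    "Urgent message. You have an unpaid toll. It's important that you take care "
    "of this fine over the next 12 hours, or your vehicle will be impounded. "
    "https://toll-pay.example/bill",
    "Final notice: outstanding toll of $6.69. Pay within 24 hours to avoid "
    "license suspension: tolls-billing.example/pay",
    "Your toll account statement for March is ready. Log in to the app to view it.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = triage(sms)
        print(result["verdict"], result["signals"], "|", sms[:40])
```

A rule like this only catches wording close to the messages described here, so it suits a first-pass filter or an awareness exercise rather than a sole control.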
Conclusion
The toll road scam is a sophisticated operation leveraging social engineering, phishing technology, and advanced remote transaction methods. Organized crime groups in China are exploiting a high volume of text messages to steal credit card information, leading to significant financial losses for victims and substantial profits for the perpetrators. Vigilance, critical thinking, and skepticism towards urgent, unsolicited messages are crucial defenses against this pervasive threat.