Tag Archives: social engineering

Square scammed out of millions by woman selling bogus travel vouchers

Square has fared pretty well in the mobile payments business, and now the company, founded by Jack Dorsey, is preparing to go public. As part of that process, Square has given potential investors a deeper look at the risks and uncertainties that it regularly contends with. And while Square hasn’t dealt with too many unforeseen crises, one case mentioned in the company’s S1 filing stands out. A scammer who posed as a seller of travel vouchers on Square has cost the company millions. $5.7 million, to be specific — though that number may be Square citing the worst-case outcome. BuzzFeed News did some digging and discovered that the person responsible is 30-year-old Patricia Urbanovsky, who used Square under the name of Creative Creations, her events planning company based in Nebraska.

This wasn’t exactly what you’d call a genius criminal scheme. Urbanovsky sold “bogus discounted travel vouchers,” according to the report, and when buyers demanded refunds, Creative Creations ignored the requests and never paid anything back. That left Square on the hook, since the company admits that it’s often ultimately responsible for chargebacks and making things right with buyers who are targets of fraud. Square told Omaha police that it processed over $7 million in card payments from Creative Creations between last October and March, according to BuzzFeed News, and so far it’s had to eat $2.8 million in chargeback fees. At least 1,500 customers allegedly fell for the ploy, and both the FBI and IRS are now investigating the case.

It’s very unlikely that Urbanovsky will come up with the money necessary to cover millions in refunds, her frustrated lawyer admitted to BuzzFeed News. “This is a case that I didn’t charge enough money for,” he said. Square has already said it’ll “take the loss” brought on by the scheme. Square’s loss rate for transactions is typically lower than rivals like PayPal, so it’s not like the company gets suckered to this extent very often. But it’s still an embarrassing black eye for Square as it heads for an IPO and a new era in the company’s history.


Apple customers targeted by fake iTunes email scam

A phishing scam asking users to click refund links in a legitimate-appearing email purporting to be from Apple is doing the rounds

Apple customers are being targeted by a phishing iTunes invoice scam designed to trick them into clicking a link to claim a refund for a purchase they did not make.

An email purporting to be sent from Apple is currently in circulation, appearing to bill the recipient for £34.99. The invoice contains the line: ‘If you did not authorize this purchase, please: Click here for Refund’ [sic] in an effort to trick users into entering their Apple ID into a fake login page, according to internet security blog Malwarebytes.

After entering their Apple ID and password, victims are then prompted to enter credit or debit card information, including their card number, address and full name.

The scam emerges in the wake of the news that TalkTalk’s website was subjected to a “significant and sustained” DDoS attack which may have compromised millions of users’ personal information, including names, email addresses, financial information and telephone numbers.

The attack, which took place on Wednesday October 21, is the third time TalkTalk has been targeted this year alone. In August, its mobile sales site was targeted and personal data breached, and in February, hackers were able to steal account numbers and names of TalkTalk customers.

The Metropolitan Police Cyber Crime unit said it was currently investigating the attack.

Earlier this week, it was reported that fraudsters were imitating Apple’s remote help site in an effort to gain access to victims’ computers.

Scammers typically try to trick users into landing on such falsified support sites by showing them false warnings and pop-ups claiming that something is wrong with their computer.

When legitimate sites ask for sensitive information such as financial or personal details, a padlock icon is displayed in front of the URL to indicate the presence of a Secure Sockets Layer (SSL) certificate.

Fraudulent sites impersonating Apple’s iTunes pages and banks including NatWest and Halifax have recently been wrongly issued with these authentication certificates, which can give users false confidence when entering their details.
