Odd Western Union hack/ID theft - how worried should I be?


#1

I occasionally use Western Union to send money to my daughter and last week I used it to send money (as I have in the past) to a mission we help out in Mexico.

This morning I got an email from Western Union. It passed all of the checks to ensure it was not phishing. It said that I had made a transaction to send $400 to someone in the Ukraine, and they were holding up the transaction to ensure it was legitimate. I’m not sure what made it appear suspicious, but it absolutely was not legit. The transaction date was today.

The form they sent me had my correct name, address, and phone number. The credit card they used was not mine - it just showed the last 4 digits, and that it was Visa, but I do not have a Visa card of any type with those last 4 digits. (I have a debit and a cc, neither’s last 4 digits nor exp date matched the card used.) It also showed up as a “purchase.”

Before I could call WU, they called me this morning. The person on the phone did not ask for any personal information, he just asked if I had made a WU transaction today. I told him I’d just seen the email, no I had not, and that was fraudulent. He asked if I’d made one last week, and I told him truthfully yes (thank goodness when I use WU I only give them cash and not a CC number of any kind) that one was legit. He didn’t ask for any details. Also, the number he called from is the phone number on the legit Western Union web site.

So - first, how worried should I be? Secondly - what kind of scam is this - not my credit card.

But the other part of this: How did Western Union accept this credit card #? I’m worried that someone has somehow gotten a credit card in my name. How do I check that?

EDIT: I just looked at my Western Union profile - there are two credit cards saved in payment info that are not mine.

Changing password of course, removing any CC info at all (fortunately it will not show your CC number) and basically closing the account and calling WU again.

Thanks


#2

On the phone with WU, but I also noted that the two credit cards they added to my account on Western Union did not have my home address.


#3

You might want to check your credit score to see if anyone has opened a new credit card account. I use credit karma and when I applied for a home loan I received a message that someone was making an inquiry about my credit before the loan officer received any information on me. The loan officer and I had a good laugh about that.


#4

Yeah, it’s a weird and unsettling event. First, that they got my Western Union login and password. Then, that they would use that to enter a fraudulent card and send money to someone (in this case, in the Ukraine.)

A google search showed a lot of illicit sites that advertise fraudulent western union money transfers, here’s the text from one:

Money Transfer Hack & Western Union Send Money Online
Earn $3000 just by paying $250
We have high limit Western Union/Money Gram Hack available for you everywhere and at any time. We transfer money to all countries / territories in world that have Western Union/ Money Gram outlets or those with Bitcoin, Netteler or Perfect Money accounts. To facilitate long-term cooperation to work for you, with transfer orders that have a higher value, we will charge lower. We process our transfers using WU agent logins or fullz (Full Info Cards) to our available online currency exchangers or agents around the world who then relay the funds to you. Once the transfer has been processed you receive clean funds. This makes it very safe and the service is very fast. The transfer process will take 30 minutes to 1 hour once we confirm your payment.

After talking to the WU fraud department (I deleted one of the two CCs that someone had entered into my profile, one with a South Dakota address and one with a Palmyra, NY address - I thought a moment and kept the other one on my profile until I finished talking with them so they could get the number etc., then deleted it) they connected me with the FTC identity theft people who took my info, gave me their web site, and the number for the Exprian (sp?) credit reporting site to check and make sure no one is trying to get a card, etc, in my name and set a fraud alert so any attempts at all to get a card or anything else will be double checked. But it appears they just wanted my account to send money to someone with another credit card (i.e. not my own.)

I am going through and checking all of my passwords and using Lastpass to generate totally random strong ones.


#5

That is pretty scary though. Can you delete your Western Union account and make a new one instead of just changing password? Did WU say how their services are being compromised? Sounds like maybe someone on the end (an insider) is maybe enabling accounts to have linkages added if they haven’t had an unsalted user list published online?


#6

Yeah, I changed my pw and got rid of my one credit card listed on there and then for good measure went to change my email address, but typed it in wrong so they sent the verification code to what I typed - of course I didn’t get it - so I couldn’t get back into my account. Had to get back to work, tomorrow I’ll call and ask them to just completely delete my account, not worried about losing my “points” (what do you do with 100 WU points, LOL!) and tell them I’ll create a new one when I need to send online again.

I used to sign up on web sites with a slight variation in my name, such that I would know when I got junk email, etc. where it came from. So, for example, I might be Joe Smith, but I would sign up on Western Union as Joe W Smith. Haven’t done that in a while.


#7

The credit bureau you reference is called Experian. They also run the site freecreditreport.com if you want to check your credit report to see if there are any shenanigans. TransUnion, which is another of the big three agencies, runs a site called quizzle.com which is a legitimate credit checking site also. They will both bug you for a credit card to upgrade their services but you don’t have to enter one, you can use the basic websites to check your credit report without any fees or credit card number entry.

If you’re worried about your credit or your identity being stolen you can put a so-called freeze on your credit. You have to do that with each of the three big credit agencies (Equifax is the third one). With a freeze in place no one can open an account or pull a credit report or do anything really with your credit unless you explicitly unfreeze it first. If you need to use your credit, say you’re applying for a loan, you can unfreeze it for a day or a number of hours or whatever so that agency you’re dealing with can pull a credit report and then it will refreeze afterwards. You can unfreeze your credit whenever you want.

That might seem like overkill given what you just went through but there are not a lot of downsides to freezing your credit as long as you remember to unfreeze it whenever someone needs to access it for a legitimate purpose.

Food for thought.


#8

Just to clarify, while the three big credit companies do offer credit check sites, you can always get one report free from each of them yearly at https://www.annualcreditreport.com which is essentially run by these companies due to a federal law.


#9

At least until Trump gets his tiny hands on it!


#10

I think WU was recently hit with a huge fine for turning a blind eye to wire fraud, money laundering, etc… to the tune of ~$580 million…


#11

Yeah, when I do a google search and find a lot of sites blatantly advertising WU wire fraud where they help you make money with WU and they take a cut, and then I see that WU allowed someone to simply add a credit card that did not have my home address on it and perhaps not even my name on it, with no checking, and allowed someone to use it, it’s pretty clear they aren’t as secure as they should be.

To give them credit, they did hold the transaction and not let it go through until checking with me. But from here forward, I’ll just keep taking cash to a WU agent and using it that way and cancel my online account.


#12

So I was changing my PW and decided to change my email also just in case on the account. But in my state of mind at the time, I mistyped the new email address. So they sent a 4 digit verification code to the wrong email address. Which means I can’t get in at all.

I tried to do an online chat and the person was worse than the Dell online support (“Your computer is on fire? Please to reinstall Windows,”) so I just shut that down. Called their Fraud number again. Told her what was going on. She asked my email address, and she said that account has been shut down. I said, yes, it has, because I tried to change the email address. She asked what email I changed it to, and she found that. I said can you also shut that one down. She said it already is closed and because you had a fraudulent use of your account you can no longer use your online account or phone to send money, you have to do it at an agent. I said that would be perfect, but please make sure the one with the new email address is shut down. She said it is.

I am not sure I believe her - I suppose I do - but I find it interesting at no point did I get an email or did the person on the phone with me during the initial fraud call mention that I’d no longer be able to use it to send money.


#13

I know through working with WU as a partner, do not cancel an account and expect to use the same email address on your new account. They only allow one account per email, and even when you cancel your account your email will remain in their system.


#14

Yeah, I don’t want to have an online account. I just want to use WU with cash at an agent - that is 99% of how I occasionally use it.


#15

Interestingly I got an e-mail claiming to be Western Union, they were letting me know my account had been hacked. I don’t have an account with them.


#16

At least you didn’t think you did! My research showed hackers have been using WU as a way to carry out a lot of fraud - you can find ads for people who advertise online that they can help you make a lot of cash this way, it’s pretty blatant.

My suggestion is that you see if the email is actually WU (it is probably more likely a phishing scheme to get your WU login info.) It may well be someone has set up a WU account in your name with your email. If so, call WU’s fraud line and find out info on the hack and see if there’s anything you need to check on (e.g. identity theft.)


#17

I am sure it was phishing. The e-mail of the sender pretty much gave that away. I get stuff from banks I have never dealt with weekly, from department stores I don’t have credit with and from Nigerian Princes. I am waiting for that money from the Nigerian Prince though.