Tired mom caught in phishing scam, esun carefully wording that she’s responsible to pay. I call BS for several reasons.
Long version:
We have a small baby and my wife is 24/7 tired - she got a phishing text saying her credit card for blocked and need to confirm info to unblock.
She thought it was weird at first, but had a memory of a legit block/unblock action similar and, of course, they asked for her card info in a website that looked EXACTLY like esun (the site is down now, I reported it to Cloudflare for what I could trace. I’m an IT guy, and my wife is really embarrassed she fell for this; she was dangling baby and life events at the same time with limited sleep).
Scammed
The scammer swiped 150k ntd worth of purchases at a PHYSICAL DEPARTMENT STORE (cameras??). Which means he’s probably a patsy hired by the mastermind, but this could easily be proven it wasn’t her with timestamps and cameras, surely.
Note that she normally gets texts to approve big purchases, but she was also not sent any this time for some reason.
ESUN Shenanigans
She called the bank ASAP and went to the police (she got a police report).
Police said to bring police report to bank to file a form that declares she got scammed.
Bank didn’t even take the police report, carefully wording but implying that technically she gave authorization to the people to sign, even if it was a trick. Then more or less sent her away.
Bank eventually said “they’d” make a decision in 45 to 60d that can’t be reversed if they’ll pay or not, ESUN being both judge and jury that didn’t seem to take any of the evidence my wife was offering. Seems just like a tactic to buy time and shoo her off.
They really brainwashed/intimidated her into believing she will probably have to pay it herself. She did get their name and employee ids, though. If they were full of crap, I hope they get fired for such shameless tactics.
Mastercard
She called MC, which has global fraud protection meta to the bank, and told her that they can’t do anything because their protection is for the bank and not the customer.
I’m fairly confident this is false: I had bank giving me trouble with a fraud issue before and jumped above them to MC and they took care of it. Is there some different terms of service for Taiwan users?
The Situation
No one is taking blame, everyone shrugs her off, no one seems to be taking this seriously, ESUN is just hoping she’d go away. There’s 0 direction and ESUN just gives wild goose chases, like to call a general phone number for customer service where they suggest she go to the police, where the police suggest she go to the bank. Paradoxical BS of indirection.
Options
Lawyer, obviously. Trying to find one near Xinzhuang due to limited time and baby stress.
Apparently there’s a committee to call to pressure the bank into following through with fraud issues, but apparently causes blacklisting to the bank.
Mastercard answer was weird - I need to know more about Taiwan specific card deals. I can possibly urge her to speak to a supervisor and mention the word laywer a few times while asking for their info.
…anyone else have suggestions? What a dumb situation.
Unfortunately if you got phished, you have to pay, seems that’s the rule here. Basically if you authorized it you must pay.
I mean those 3D authorization and such.
Essentially if you gave your pin number to someone else, and they used it to clear out your card, you have to pay.
The bank would work with you and give you a zero interest payment for it, however the only recourse is you file a police report, as this is now considered a scam, and not unauthorized transaction…
But as far as I know those 3D authorization thing uses a one time password sent to your phone number via a text, so if the scammer is outside the country they wouldn’t be able to do it at all.
Even if it was a phishing scam? That’s wild, so it’s pretty much legal to do this? Seems like I’m in the wrong business, apparently. With American MasterCard, I just swear it wasn’t intentional, sign an affadavit and carry on the life. Does Taiwan MC really have no fraud protection benefits?
Yea, I tried to google this up, but I’ve had credit card dispute denied in the US as well once they can prove that I authorized it. Be it a signature, or some kind of 3D authorization thingie.
The problem is if someone stole your 3D authorization password? It seems it’s treated like if someone stole your ATM card and your pin number, and cleaned out your account. It would be considered fraud, and not “disputable”, meaning you go to the police and hopefully try to sue the person responsible in civil court for the damage.
But the credit card companies are not liable it seems.
If this is the rule, it was made by Visa or MasterCard. It’s their name, they made the rule.
How did someone create an actual card from a phishing exploit? I didn’t know that was possible.
That and the cancellation of notifications sounds like the entire account was taken over, maybe the bank got updated phone info?
Wouldn’t the police have to take a report from the bank and wouldn’t the bank be required to disclose everything that happened such as if the scammers switched phone numbers for notifications or requested a new card?
Wouldn’t 3DS show the actual amount before you approved it?
Or is this a case of someone having your CC number, security code, expiry date, etc.? In that case they might be able to manually charge it similar to swiping your card which wouldn’t send a verification message.
It’s illegal to do this but if your wife provided the 3ds authentication details to the scammer the liability is shifted from the merchant to the cardholder. Your recourse is now perusing the fraudster for the damages.
If it’s proven that the merchant as also fraudulent maybe that would change the situation.
This system is in place given the extreme cost of chargebacks to merchants associated with card payments. The amounts are wild!
not to be the asshile, but just an unbias opinion.
no matter what the excuse/reason one might have (eg. have baby, tired, over worked etc etc). if she actually gave it out and did it herself, she is partly to blame. this stands to reason most of the time.
On an ethical and sympathetic mode, ya, that sucks.
on a legal mode, it would be best to either go to a lawyer if you cna.afford it. if not, go into the bank in person (after many hours of brainstorms and think tanks with vastly different types of people) witha proper strategy. forums are good for getting ideas to pursue, but not for following absolutely.
personally I have had many issues specifically with E.sun bank. I have up even answering their calls because their systems fucked things up so severely t could not be my fault. they send me SMS messages on the regular saying I owe xxx amount, that amount even has gotten smaller somehow. but they cant pursue it because it was their fault.
not saying.yiu should do the same, as it seems it was your wife’s fault for giving the info out. truth be told. but be clear on the issues, then read the laws, then seek opinions. and repeat.
my end result is dont deposit money in Esun after, theyvwill take it away. change banks, see if they cause legal action. keep all documents proving you tried to resolve it.
Also if a merchant wants to swipe/insert your CC, it’s better to refuse and not take the risk. They can copy your CC details that way. I’m not sure if that qualifies as fraud in Taiwan and bank would refuse to refund your money?
You should only allow them to use NFC / contactless / apple wallet / google wallet, which keeps CC info secure. Typically scammers don’t scam this way because you know where the merchant is and they’d get caught quickly.
Hearing stories like this makes me want to cancel my unused TW credit cards. I can’t figure out how to lock most of them.
I would agree with the rest here. Once you give up data to a phisher, the bank can literally walk away from liability. Any secondary security the bank has is just that, secondary.
I got my U.S. credit card number stolen before (I think at a gym) and someone used to it buy ski gear in a nearby city, my CC promptly reversed the charge and issued a new card
The difference is, card was stolen and used without your authorization. As long as you reported it within 24 hours you are not liable for it.
But if say a 3D authorization was requested and somehow through a phishing site they stole your credential, then that’s different. The 3D authorization is basically like signing the credit card receipt.
If the option exist I would disallow 3D authorization altogether.
+1 cash and alike. it is silly to assume digital payments are impenetrable to hacking, fraud and the like just like it is silly to assume that creating more inconvenience and loss of privacy is an acceptable way to prevent such obvious flaws in the system. crime is rampant, as is policy over reach. all in the name of “convenience”? at some.point we need to stop, think and redo some popicy/standards/habits/etc…
