Scammers are taking advantage of a product financing offer that presents identity thieves with the opportunity to fraudulently obtain instant credit approval to make online purchases.
IDentity Theft 911, a provider of identity theft resolution services, has received nearly two dozen complaints at its Fraud Resolution Center related to unauthorized purchases made through the online Apple Store by way of an offer to provide instant financing through Barclaycard.
The crime is relatively simple to carry out. All the scammers need are the basic types of information commonly exposed in consumer data breaches, such as a victim’s name, birth date, address, Social Security number, employer and email address.
With this information in hand, the perpetrators can go to the Apple Store online, select the items they wish to purchase, and choose an option to receive which redirects them to an application for a Barclaycard-branded Visa.
After filling in the victim’s personal information, they are notified if they qualify for instant credit approval. If the application is accepted, the perpetrator is returned to the Apple Store where the credit card information is automatically populated, and they are allowed to complete the transaction with the option to have the items shipped immediately.
The process raises several questions, the first of which is exactly how Barclaycard determines if an applicant is qualified for instant credit approval online. It is assumed that the information in the application is cross-checked for validity with credit reporting bureaus or some similar source, and that the address provided in the credit request would need to correspond to the supposed applicant, but representatives at Barclaycard declined the opportunity to comment on the process.
The next question is in regard to exactly how the criminals are able to have the items shipped to the address of their choosing, assuming that it is not the same as that which was provided in the credit card application. IDentity Theft 911 fraud investigator Vicki Volkert, who is looking further into the unauthorized purchase complaints, said it is most likely that the perpetrators are able to enter a shipping address that differs from the victim’s real address when they are completing the purchase order on the Apple Store website.
“We know that our victims are being billed for the items at their home address, and that the product is being shipped to an address controlled by the thief,” Volkert explained. “Online shopping outlets let you input a billing address and alternative shipping addresses, so the thieves could possibly have the product sent to an alternate address, or simply choose to pick it up at a brick-and-mortar Apple Store.”
Representatives at Apple were contacted and asked to provide details of the purchasing process, specifically if customers are allowed to enter a different shipping address than the one provided for billing in the Barclaycard application.
An Apple customer service specialist said that if the purchase was for an iPhone in conjunction with an upgrade offered at a discount for a customer under contract with a specific mobile carrier, the product is required to be sent to the billing address on file with the service provider. Aside from that, they said that they did not know if other products would be subject to similar stipulations. The media relations office at Apple’s corporate headquarters declined the opportunity to comment on the matter.
Thus far, it appears that the scammers are targeting high-dollar items in the operation, with the average cost of the fraudulent purchases ranging between $3,000 and $5,000. By the time victims become aware of the fraudulent purchases made in their name, it is already too late.
The (frequently asked questions) webpage for the Apple product financing option indicates that some applications for credit may be flagged prior to approval, and that the applicant will be required to go through a secondary verification process. The problem is that Barclaycard does not contact the applicant, but instead provides a phone number for the applicant to call.
Depending on the questions the applicant is required to answer, this secondary validation may prevent some scammers from successfully obtaining credit in the victim’s name. But given that Barclaycard does not directly contact the applicant with the information provided on the credit application form, it is still possible for the identity thieves to complete the process and receive approval.
If Barclaycard would implement a secondary validation by way of a direct call with the contact information provided in the application, it is likely that the potential for abuse of the instant financing offer could be diminished.
Alternatively, if Apple required that the shipping address be the same as the billing address provided in the Barclaycard credit application, and the information is, in fact, being cross-referenced by Barclaycard with a reliable source, the opportunity to commit these fraudulent transactions could similarly be lessened.