:quality(70):focal(607x422:617x432)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/ZFT6FAXWIN2U4RQLFFMCL3NOLE.jpg)
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/2693e910-3117-4a22-aacf-74cecf13edc4.png)
Last October a reader called David received a troubling call from a colleague to say they had noticed some “very unusual activity” on their company’s Revolut account.
It was Saturday, October 15th and there were “multiple transactions to AliExpress”, a China-based ecommerce platform that David says his company has never used.
The transactions were “showing as ‘pending’ and therefore she contacted me immediately,” he writes. David is the managing director of the company.
“It is worth noting that she happened to be looking at the account and spotted this – neither she nor I received any notification whatsoever that these transactions were taking place or any request to authorise them, which we would, of course, have declined immediately,” he says. “We are very conscious of these things and act immediately on anything suspicious.”
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/5MVQAXK4EBBULPSULBPETLCIGY.jpg)
:quality(70):focal(4070x1470:4080x1480)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/U3WS47K32W3BXYU6JG4J3HVDHQ.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/FEGPJGIYTAMHIOBA25Z7WWBW6Q.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/7JFVZS6QU6JHVOP22TM5UQXFHE.jpg)
As soon as David saw the transactions, he knew they were fraudulent “as we never purchase (or have purchased) anything from AliExpress”.
He immediately contacted Revolut to freeze the card and cancel the transactions which, as he repeats, were still showing as “pending”.
“The only way to contact them was via their chat system,” he writes. “There was no way to get directly in touch by phone or otherwise. I waited and eventually got to someone. They refused to cancel the transactions and insisted that I had to wait until they were processed and then process a chargeback.”
David says he did not want to do that, “but they insisted and gave me no other option”.
[ What are the top seven current online scams and how should you deal with them? ]
He encloses transcripts of the online chat he had with a Revolut employee who told him: “If the merchant claims the funds within this time frame, you can proceed with the chargeback claim with our help. When you submit the form, our chargeback team aims to review the case within 14 days; however, the time frame may be longer depending on the number of requests we’re receiving.
“But it can happen that your case is checked much faster. As soon as the case is reviewed and the chargeback is raised on your behalf, you should receive an email with a confirmation. The entire process from you submitting the form to the final decision can take around 50 days or more.
“This time frame differs from case to case and is influenced by Visa/MasterCard rules that play a pivotal role in the decision process and that will need to review the case as well. I really hope that you will receive the final answer much faster. Please terminate the card with the procedure which I have told you.”
David then expressed dismay that he would have to wait as long as 50 days for a resolution of the case.
“I fully understand that and I know that this a hassle for you. I personally apologise to you for this hassle, but unfortunately, managers aren’t available on weekends. I truly appreciate your understanding and patience in this regard. If you still have any other questions regarding this or If there is anything else I can help you with, let me know, as I am here for you,” he was told.
David was less than pleased, as you might imagine, and he asked how the transactions were allowed to happen without any request for authorisation from him. He was told if previous transactions had happened on AliExpress then subsequent ones would get the green light without a requirement for authorisation. David explained that his company had never bought anything on the platform.
He was then told that “sometimes, cards information gets compromised when it is being used on internet. I am afraid that I won’t be able to provide the exact reason why their card was compromised. But this is the best we can do from our side in order to protect your account to terminate your card and then you can order a new one.”
David says he “cancelled the card immediately to ensure no further issues and on Monday, as soon as the charges showed as completed, I contacted Revolut to process the chargeback as agreed. On requesting that the funds be charged back and on inquiring how they could have been processed without our knowledge, I was told that the merchant did not initiate 3DS (an authentication system). This would usually be grounds for immediate chargeback, so I was confident at this point that the charges would be returned. I began the chargeback process.”
It wasn’t to be. He then received a response from Revolut which said it “would not be charging back the transactions”.
In the email he received from the fintech company he was warned that “disputes are reviewed according to Visa/MasterCard regulations, and, even though we will always try everything in our power for a positive outcome, the decision from the team might not always be positive”.
The letter went on to say that the company “do a very in-depth investigation about the payment and, based on that information and Visa/Mastercard rules, they come to a decision. Once this decision is made, the customer is informed immediately of the outcome.”
He was then told that “the outcome of our decision was not the one you were expecting from us. The team was unable to find any traces of fraudulent activity associated with these charges. Regrettably, after carefully reviewing the case, along with all the information provided, the team decided to reject your claims.”
The writer of the letter told David that she “completely understand that your experience with Revolut on this occasion hasn’t been as smooth and positive as we aim to provide, and I am truly sorry about this inconvenience. In light of my findings above, and specifically mindful of the mentioned chargeback process, I have decided not to uphold your complaint. I appreciate that this might not be the outcome you would expect. However, in light of these circumstances, I hope that you find the explanation and the decision transparent.”
David did not find it at all transparent. Nor could he understand how the company had decided the transactions were not as a result of fraud.
He said he had to request more information as to why the company would not process the chargeback given that he had not made the purchases and had certainly not received the goods. “To this day I still have not had a proper reason. There were nine transactions in total, ranging from €160.24 to €1,062.51. In total, €5,958.65 was taken from our account in the space of five minutes. They continued to process transactions until there was no money left and the remainder were declined due to lack of funds. I find it incredible to believe that they can maintain that these were not fraudulent, since it would not even be possible for us to make those orders in that space of time. It had to be automated in some way. Even An Garda Síochána agreed that it was 100 per cent fraudulent and they agreed to follow it up with AliExpress also. Revolut did not even try to flag the transactions as suspicious, even though they clearly were!
“Even if they had stopped it after the second one, it would have been something, but no, they let every single one of them through and would have continued to do so if there was more money in the account. I still cannot understand, nor have I been given any explanation, as to how these transactions could have been processed against our card within a period of minutes with no authorisation request or notification. Anyone looking at these can see they are fraudulent – why would I want to process nine orders in the space of a couple of minutes to a Chinese vendor that I’ve never purchased from?”
[ Young woman’s bank account emptied because of an unfortunate coincidence ]
David also contacted the Irish Financial Services and Pensions Ombudsman over Revolut’s “lack of action and extremely poor handling of the situation – obviously in these cases, time is of the essence, but Revolut refused to act in time”.
At the time the ombudsman told him it had no authority over Revolut as it was regulated from its banking base in Lithuania. That has subsequently changed and Revolut is now regulated in this country.
But six months on “and we still have no progress and we are still at the loss of €6,000. I honestly don’t know what to do I am seriously concerned at how they handled this and how they have refused to even entertain the fact that this was fraudulent.”
First things first. It was fraudulent and that is no longer in dispute. We were able to ascertain that the fraud involved purchases made on AliExpress by the criminals using Apple Pay.
The exact nature of the fraud is unclear but what can happen in a case such as this is a victim’s credit card details are compromised by criminals. That can be done if a rogue link is followed or a third-party site is compromised with users’ credit card details stolen or through multiple other means. The criminals then add the compromised card details to a phone – also probably stolen – and, possibly, using social engineering techniques get the verification code details from the victim. They can then use Apple Pay or Google Pay to effectively empty that person’s account without them being aware of anything untoward happening or without them receiving an alert or a request for verification.
Exactly what happened in this instance is uncertain.
The difficulty when it comes to a chargeback then is that from the retailer’s perspective the transaction appears entirely legitimate.
Now, you might be wondering why Revolut did not simply stop the transaction when it was alerted to the issue, given that it was said to be “pending” when first contact was made. It appears that this word is somewhat misleading and that while to our reader it looked like the transactions could have been interrupted as they were still pending, the money had actually disappeared at that point. It was still making its way through the international banking system but – for him at least – it was gone.
We contacted Revolut to try to find out more and to see if more could have been done to assist our reader. “Revolut takes the protection and support of its customers extremely seriously and is fully aware of the industry-wide risk of customers being coerced by organised criminals,” it said in a statement. “We are very sorry to hear about any instance where our customers are targeted by ruthless and highly sophisticated criminals.”
It accepted that the level of customer care offered to our reader had been less than desirable. “Revolut would like to apologise to [David]. The support and communication he received fell below our usually high standards. As a gesture of goodwill we are covering the stolen funds in full.”
Pricewatch also understands that the company has in recent months implemented a range of new security measures to place more obstacles in the way of criminals who have been using Apple Pay and Google Pay to make purchases but we are also aware that the criminals are almost certainly working out new and increasingly nasty ways to work around banking systems to get at our cash.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/6BDEAESQEJH4BHNFRSVZH3W4TM.png)