The home improvement chain also said the malware responsible for the breach has been removed from all stores.
The Merchant Risk Council warns of an increase in the use of the “call tag” scheme, in which criminals use stolen credit card data to purchase and send a product to an unknowing consumer, then poses as the legitimate retailer to pick up the product.
The Merchant Risk Council is warning of an increase in the use of the “call tag” scheme, in which criminals use stolen credit card data to purchase and send a product to an unknowing consumer, then poses as the legitimate retailer to pick up the product.
The council, a group of more than 7,500 members including retailers, said the call tag scheme re-emerged during the 2005 holiday season. “Several of our large merchants saw an increase in this scam,” said Julie Fergerson, co-chair of the council.
Call tags are usually issued by legitimate shippers on behalf of a merchant when a consumer wants to return a package. Under the scam, criminals use stolen credit card data to purchase goods at an online retailer for shipment to the legitimate cardholder. The criminal calls the cardholder to say that the retailer mistakenly shipped her the product and will arrange to have it returned to the retailer at no cost, then calls a different shipping company to pick up the order.
The cardholder, who is asked to leave the package outside for pick-up, unwittingly cooperates in a scheme that will result in a fraudulent charge remaining on her credit card account, the MRC says.
“This scam is very difficult to prevent prior to the products being shipped, because the order is completed with 100% credible information,” Fergerson said. “It is traceable, however, because the fraudster puts their address in the call tag.”