Working the Night Shift
I work the night shift as a receptionist at a hotel in Norway, and most nights are spent watching Netflix and playing games. Last summer was really slow and I also worked a lot extra, so I ran out of stuff to watch and games to play.
One night, I got an email from “Scooter.” He wanted to book a room for almost 20 days. I just had to send him the price and confirmation that we had rooms available, and he would then send me his credit card info for me to pre-charge.
Normally we just delete these kinds of mail, but I was bored out of my mind, so I responded with an offer for around $2k for the entire stay. I also made sure to inform him that he could cancel for free up until the day of arrival.
For your information, this is probably the most common fraud attempt in the hotel/travel industry. Unlike most businesses, we are able to charge credit and debit cards with only the card number and expiry date. No need for a PIN code or other authorization methods.
Our software also allows us to deposit money directly to local and international bank accounts by using the card number. Because of this, people like Scooter will try to prepay with stolen cards, but then cancel the booking and ask us to refund the amount to a different card.
A couple of hours after sending him the offer, he responded with a Visa number and told me to charge him as soon as possible. I checked the card with our validation software, and to my big surprise, it did not belong to Scooter. If validation succeeds, it will return with the card owner’s name 90% of the time.
I sent him a new mail stating that the card was declined because of insufficient funds. He quickly replied and gave me a new card to try. Guess what, this one didn’t belong to Scooter either. It wasn’t even the same person as the first card.
By checking the BIN codes (first 6 digits), I found which banks had issued the cards. Not even issued in the same country… My plan was to just call the banks and inform them of the attempted scam, but there were still several hours before I could go home, so I decided to screw with Scooter a bit more.
I sent him a reply that the second card went through, and also the “reference number” for his stay at our hotel.
As expected, a couple of hours later, Scooter sent an email canceling the order and asked if we could refund the money to a different card, as he had lost his wallet and deactivated the card he paid with.
This card was issued from a Polish bank. Not sure why, but Polish bank accounts are often used by people who want to launder money from bitcoins and dealing. You can buy a legit card for around $500 that is registered to some guy or girl in Poland from the darknet.
At this point, Scooter was probably pretty happy about the $2k he soon would receive. I replied that it was no problem for me to transfer the money to a different card, as long as it was valid.
How fun would it be to also cancel his “own” card, so that he had to spend $500 for a new one? Not. Fun. Enough. In the last mail I wrote that he could send me the card number, but that our e-mail server would go down for maintenance in a few minutes, so my boss would do it on Monday.
It was now Saturday morning, so enough time for the “charged” bank to call us and reverse the transfer. If he needed the money right away, I told him to call the hotel before I ended my shift at 7 am. He called almost immediately, and I wrote down the card number and his phone number.
I told him I transferred the money, and that it would be in his account by noon. My shift ended, and I went home with all the information Scooter had provided. I wanted to see if I could find out who he was, and of course, this idiot had an open Facebook profile that I found using his phone number.
He even listed his address and employer. He lived somewhere outside of London, in an area I would describe as a British trailer park. Houses that were nice at some point, but where the owners had spent no money on maintenance since they were built.
Trash everywhere, and broken windows that were boarded up or “fixed” by sealing holes with garbage. Now to the fun part. According to his FB profile, Scooter worked at a hotel! This meant that he would have access to card information from guests that booked through sites like Booking.com.
I called the manager of the hotel and told him there was reason to believe that one of his employees was trying to commit credit card fraud, and that the card numbers could belong to their guests.
I gave him the names of the people who owned the cards Scooter tried to pay with, and to no surprise, both had stayed at the hotel. I told him it was Scooter, and the manager just exploded in anger. Not 100% sure what he said because he was screaming so loud, but I think Scooter wasn’t a normal employee.
He worked there through some kind of government training program or something. After talking to the manager, I called both Visa and MasterCard international and told them about Scooter’s little business venture. Apparently, it’s pretty easy to check if there are more cards that have been involved.
The authorities also called me later to get a statement regarding the whole situation, so I know that the manager reported it. Not sure what happened to Scooter, but according to his Facebook profile, he no longer works at the hotel.