My Western Union account was hacked today and money sent to the Philippines

I will pass this on as it was an unnerving experience for Kay and I, although neither of us lost money and we are both safe.

I woke up at six and glanced at my Blackberry and found a string of messages from Western Union all sent in the early hours of this morning:

My password had been changed

I had remitted a sum of money which was stated in pounds and in Pesos in the MTCN advice email but which was idenifiably US$ 500 to Kay in the Philippines and she had picked it up.

I had done so again, a few minutes later, for a total of US$1K .

Panic.

1. Check bank account on line - all normal

2. Phone Kay - is she OK and has she got all her ID? - yes she is and yes she has.

3. Phone Western Union - transactions completed and they can do nothing. Yes the money had been paid to "someone with Kay's name".... in Pasay - at around 2 am UK time - say 0900 Phils time. But she doesn't live in Pasay - she lives in La Mesa, near the Ecopark, on the outskirts of Quezon City, a good two hours from Pasay even on a Sunday morning. The last time I had sent her money the pick up had been in QC of course. Western Unionthen block all credit cards stored with them and block the email address that I have been using. Asked them if either of the cards that i normally use had been used - no, neither of them had been used. The chap in the call centre said that the crooks had probably used someone else's credit card over my WU account - they have accounts of this happening in India, China, Indonesia and the Philippines.

4. Phone Bank fraud dept - check account transactions cleared and pending - all normal.

5. Phone Corina to re-assure her. Understandably she is not too happy at the thought of a criminal impersonating her in a fraud - but she's a grown up. She has witnesses to her whereabouts at 0900 Phils time this morning - her mother, who is staying with her for a visit, and the neighbours, can confirm she was in La Mesa and not in Pasay.

Phew.

Yes, I run antivirus software - Norton 360 - and it had alerted me to a suspicious website but that had been days ago.

So, my guess is - my AOL password and my WU password had been "harvested" along with Corina's name and country of residence, and my AOL account has been used to access my WU account and make a couple of plausible looking transactions, for believeable sums of money, to someone imitating a person whose name was stored on my WU account.

(WU told me that they will only pay in the Philippines to someone producing Government issued photo ID - so either the WU Agent in Pasay was in on the scam or someone faked an ID)

We must conclude that the hackers were either stealing from an account using a stolen credit card or simply laundering money.

If I didn't know Kay as well as I do, I might have suspected her - the Western Union chap, who I think was in India, obviously did, as he told me to report her to the police! But he didn't have a sense of how big Metro Manila is, and how unlikely she was to have been in Pasay at nine in the morning. One does wonder how many innocent people might be victims of such an acusation, following idenity theft.

"Educational!"

Alls well that ends well. I haven't had this happen to me, thankfully. But I have had my debit card stolen in two completely seperate instances. Both people that I knew, ironically. In both cases I was reimbursed by the bank. Both were prosecuted, not by me but by the police.

As Kay remarked, the amount of planning that must have gone into this scam is astonishing. It must surely be a gang, working on a big scale.

I suspect that I must now at least change ALL my passwords.

Is there a practical alternative to Western Union?

I use(d) Moneygram at my nearest post office. I continue to use it out of habit more than anything else. But it has never let me down.

A bank.. Highly recommended.

https://www.bpieuropeplc.com/remittances

Sorry to hear about this and its a real pain having to change all your passwords (and trying to remember them). I use PNB europe to transfer money, I think its nearly instant between PNB accounts but about 3-4 days for other accounts. About £6 up to £1000 but check the website first.

Thanks.

Indeed, my cards were not used (I am usually careful about using a card with a low balance on the Internet, but, unusually, I had been careless and left plenty, overnight, on the card that I normally use for Internet transactions including WU remittances)

According to the WU helpdesk chap, this is something that they are aware of, having had similar cases in India and China and of course Nigeria.

Thus they helped themselves to my identity and to Kay's in order to transfer a thousand US$ from, presumably, a stolen card or cards, to someone in Quezon City. Doing it US$500 at a time looks like an automated programme, doesn't it?

WU were curiously unconcerned about the identity fraud at the Philippines end. Kay does not have a very unusual name but nor is it that common. If WU require a Government issued photo ID to pay out, why did they pay out this time, given that Kay and her ID documents were all on the other side of Manila? Did someone run off a fake photo ID in Kay's name, or did the WU Agent act improperly (indeed, was the Pasay Agent involved in the scam?)

I also noticed the timing - broad daylight in Manila and a plausible time to drop into a WU Agent and pick up a remittance, but the middle of the night here so I would not read the WU confirmation emails until I woke up.

I think you have put your finger on precisely what happened.

I wish the Philippines Congress would do something about Dollar account secrecy, because it just encourages crooks to use the Philippines.

I would be amazed if a Western Union agent in the Philippines insisted the payee produce a government-issued ID. Also WU would have a record of the card used to make the transaction which would, of course, include the card holder's name. As the card was obviously honoured, but not one of those you registered with WU and yet your WU account was used, why didn't their fraud/money laundering checks pick this up?

Kay always uses her voter's ID, but she may be more of a stickler for protcol than some.

Like you I was very surprised that WU's system did not pick up the difference in the card used. Thinking back, the chap said that tere were five cards registered to my account - I was too flustered to pick that up at the time, thinking that perhaps there were some time expired cards still listed, but whilst two were current I doubt if I had registered as many as five cards. I suspect that having hacked my aol.account and trawled it to find my WU account they registered their cards in my name. All now deleted so cannot check.

I suspect that the amounts were set to fly below the radar of a money laundering check programme.

How does that work? Because as soon as they attempt to use one of their cards - which they have now registered in your name - it most definitely should fail the card name-card number check which VISA and Mastercard both do.

When using WU's online service, I have found, quite regularly, that the Verified by Visa system has informed me that my transaction has failed, only to find that in fact it has gone through. Either this system is nowhere near as secure as it ought to be, or WU's system gets round it in some way.

Does Western Union still require you to phone them when placing a transfer order via its website?

My mother-in-law regularly receives money from her OFW sons sent via Western Union and she is able to get the cash simply by giving her name and the MCTN.

No, WU do not require a telephone call. They do require a phone number, which they verify when an account is opened. I am surprised that your mother outlaw can do that, but no doubt she is personally known to the local WU Agent?

Oh really, then their security procedures are somewhat lacking because such transactions would then have required the telephonic security checks and would have failed.

No she's not. She can go into any WU agency here in Davao or Dumajug (Cebu) and collect her cash without showing a thing.