When you open a bank account, you put your faith and trust in your financial institution.  Choosing a financial institution involves many moving parts, from rational issues such as the perks of a chequing account, interest rates, credit cards, mortgages, mobile banking apps, personal loans.  And then there are the more personal issues, such as convenience, or what we think of the fit. In my case, I also consider whether or not I can access my money via an ATM in another country, and whether or not my bank can process cheques in Canadian funds, as I live in the United States.

Our relationships with our financial institutions are, by their very nature, intimate.  We trust our financial institutions with the most sensitive of our financial and personal data, after all, in this digital age, all of our purchases are listed right there on the website when we log in.  My bank can see I spent $14.42 at Whole Foods last Friday.  This is perhaps our most intimate and delicate relationship outside of family and friends.

Financial institutions have, therefore, an obligation to their customers/clients to safeguard those financial details.  They have an obligation, and a legal one, to do their utmost to ensure our money is safe with them.  And we trust that our financial institution will recognize fraud when it happens and be proactive.  And we expect our financial institutions to respond when we, the customer/client, report fraud.

This is what happened to me on 30 September last year.  My debit card was cloned, apparently (my bank has never been clear on what happened), and two fraudulent transactions were made on my account.  The first, in the amount of $150, was at some merchant I’d never heard of.  The second one, carried out within seconds of the first, was at DSW.com (Designer Shoe Warehouse), in the amount of $184.92.  This was not the first time this had happened to me.  When I lived in Canada, my bank card was cloned at a Royal Bank ATM on the West Island of Montréal sometime in 2009.  And then it happened again three weeks later, at a Banque Nationale ATM this time.  In both instances back home in Canada, my bank, the Caisse Populaire Desjardins (the oldest credit union in the world) caught the cloning.

This time, it was not my bank that caught it, however, it was me.

And so, late afternoon on 30 September, I called my bank.  The agent I spoke to immediately cancelled my debit/credit card, issued a new one, and promised me that my money would be returned to my account immediately.  By the time I went to bed a few hours later, the $150 transaction had been reversed and was back in my account.

That $184.92 one, though, was not.  See, I was victim to a common scam, where fraudsters make a purchase with cloned card, and use your address to send the package there, with the hopes that they will intercept it before you get it, or pick it up posing as UPS/FedEx/USPS when you try to return it. This is apparently called a ‘card-not-present‘ scam, which involves cloned/copied cards.

But, my bank?  Nah, they didn’t catch this.  When the money was not back in my account within 10 days, I called back, and was referred to this outfit in Sioux City, Iowa, the Bankcard Services Prepaid Debit Disputes.  I was connected directly from my bank to the fine people in Sioux City (or wherever they had their call centre, the Deep South accents of the people I interacted with suggest they weren’t in Sioux City).  The woman took the details down and three days later, I had a letter from them with documentation I was to sign, stating that I had not made the purchase.  I signed it.  By signing it, I took it to mean that I was affixing my signature of a legal document, therefore, I was, by signing the form, indicating that the events were as I described them, to the best of my knowledge.  And, quite simply, I did not make the purchase at DSW.com.  At the same time, in this letter, Sioux City told me they were ‘provisionally’ refunding my money, pending an investigation.  But, as I did not make the purchase, obviously, and as a reasonably competent adult, I presumed that was the end of that.

It wasn’t.  Despite the fact it took me all of .44 seconds to return 162 million hits on a search on this kind of fraud just now (and about the same when I first searched it after a friend told me about this scam after it happened to me).  In November, I received another letter from Sioux City, which said they denied my claim because I made the purchase myself.  When I called to protest, the very bored, uninterested agent was not having it, and she hung up on me.  So I called my bank.  The agent I spoke to promised me he’d get to the bottom of this. But he didn’t.

By December, I hadn’t heard anything, so I contacted the Consumer Protection Branch of the Attorney General’s Office of Massachusetts to report the fraud and have them intervene.  Within about a week, by the end of December, around the holidays, the money was back in my account.  And so I thought this had ended well.

Until this week, when the money was taken out of my account, again, without warning.  No one at the bank informed me this was another provisional deposit.  The woman who, I suppose, was supposed, and I played phone tag, but she didn’t call me back after the last voice mail I left her on 3 January.  I also received nothing in the mail.

And so I called the Consumer Protection Branch again.  The woman I was dealing with there, Janice, called my bank and she, myself, and Gloria, from State Farm Bank, had a conference call.  Gloria informed us that an investigation by their fraud department determined that I had made the order myself as it was sent to my house.  Janice immediately cut in and told her that I was the victim of a scam that was clearly and easily searchable on Google.  Gloria was surprised, and immediately got defensive, stating that she could not know what the fraud department of the bank she works for does or does not know.

Now, surely, it is the job of the fraud detection people of your bank to know about the common frauds at any given time.  It’s really not that hard.  This one is a common fraud.  Again, .44 seconds, 162 million hits.  As far as I’m concerned, it is inexcusable that neither the Bankcard Services Prepaid Debit Disputes people. nor my bank’s fraud department, could catch this.  This is their job.  In fact, the sole purposes of the people in Sioux City is to monitor for fraud activity on bank and credit card accounts, and then to investigate.  Nothing more, nothing less.  When I called my bank in November, the agent who promised to get to the bottom of this (but never did), told me that, from the notes on my account, it was the people in Sioux City who noticed the fraud in the first place, before me.  Of course, it’s not like they notified me or anything.

And so, following this most recent conference call between the AG Office, the bank and I, Gloria, promised to get back to me by the end of next week.  I am not holding my breath.

My trust has been violated.  My card was cloned, and money was stolen from me.  And my bank, whose job it is to protect against such things, does not believe. me.  So I am out $184.92, which is a not inconsiderable sum of money.  The money matters to me, to be sure, but the feeling of being violated by my bank is of greater concern.  I don’t trust institutions as it is, and this simply confirms my worst fears.

And worse, there isn’t really anything I can do.  I can’t very well take State Farm Bank to court for the amount.  I cannot file a criminal complaint, as, according to both the bank and the AG Office, no crime beyond the original fraud has been perpetrated upon me.  All I can do is speak my truth to power, hence this article.

And more to the point, if it happened to me, it could happen to you.  When I originally posted this story on Facebook, back in November, a few of my friends let me know this had happened to them, in both Canada and the US.  It was a lawyer friend of mine back in Montréal who told me that this was the scam.  In other words, this is a pretty common scam.  And, frankly, it is easy to clone a debit or credit card.  And, as the Washington Post article I linked to above notes, there was, in early September, a Facebook group where criminals could purchase debit and credit cards from the ones who cloned them.  Right there, out in the open.  And they were selling for as little as $4.   When the Post contacted Facebook, the group was shut down, in early September.  But, given the timing, I would not be surprised to learn this is what happened to me.

When this happened to me back in the day in Montréal, Caisse Desjardins, knew exactly what happened. The Caisse knew exactly where my card had been cloned, it caught the fraudulent transactions, and it refunded me the amount stolen from me within 36 hours.  That is the correct procedure. Of course, that might also have something to do with stronger consumer protection banking laws in Canada versus the United States.  On the upside, I do live in Massachusetts, which itself has a strong consumer protection legal régime.

Oh, and, of course, all of this is taking up my time.  A fair amount of it.  I am spending my time attempting to prove to State Farm Bank that I am the victim of a crime here.  How messed up is that?