To ease the pain caused by high gas prices, the state of California has sent out a $200-$1,050 mid-range tax refund to eligible households.
Unfortunately, part of this sum fell into the hands of thieves.
The thefts targeted Californians who received their grants in the form of a prepaid debit card distributed by Money Network, a contractor for the state franchise tax agency. An unknown number of residents have reported that their card’s account was emptied by scammers after they started using it.
According to KGO, ABC TV’s San Francisco affiliate, some Californians said the money was taken from them even before they activated the card. And many of the victims who tried to reach out to Money Network for help didn’t get through, KGO reported.
Money Network did not respond to a request for comment from The Times.
Andrew LePage, a spokesman for the Franchise Tax Board, said the board was aware that some recipients had filed fraud cases with Money Network, adding: “Under the terms of FTB’s agreement with Money Network, it is expected that the MCTR Debit card program runs with less than a 1% fraud rate and currently Money Network reports that the rate is well below that level.”
However, with more than 9 million cards dealt, only 0.5% would still be a large number of casualties – 45,000, representing potential losses of $9 million to more than $47 million.
“Given the size of the MCTR program, we anticipated the possibility of fraud,” LePage said. “FTB and Money Network take all fraud claims seriously and will investigate each reported claim on an individual basis. We will ensure recipients receive the payments they are entitled to.”
Here are some tips for protecting the money the state has sent you and what to do if you think you’ve been a victim of scammers.
Why are prepaid cards vulnerable?
At least some of the Money Network cards have come without a security chip, which would make it harder to steal the information stored on the card, such as the recipient’s name, account number, expiration date, and the three-digit security code on the back. As a result, these cards are more susceptible to a technique called “skimming”.
To use one of these cards at a retailer or restaurant, you must swipe the magnetic stripe through a card reader and then either enter your PIN into the reader or sign a copy of the receipt. However, some card readers have been modified by thieves with a “skimmer” that collects the information on the magnetic stripe. The thieves then use this information to use the card to shop online, where no PIN or signature is required, depleting the balance.
In some cases, thieves have also hidden a pinhole camera to record the PINs entered into the keyboard, which accompany the magnetic stripe information captured by the skimmer.
“The whole secret of the prepaid debit card,” said author and cybersecurity expert Adam Levin, “is that whoever owns it is the holder.”
In other words, the card is designed to behave like cash that can be passed from person to person. And having the information from the magnetic stripe is akin to holding the card, at least for transactions that don’t require the card to be present.
This problem isn’t unique to tax refunds — skimming and other forms of fraud are potential problems for any prepaid card. For example, in 2021, CBS News reported that skimming devices used by thieves who appeared to be targeting unemployment benefit debit cards were found at five ATMs near Thousand Oaks.
If you have a card with a security chip, you can make purchases simply by tapping them on a card reader equipped to do so. But these cards also come with magnetic strips, as some businesses — for example, gas stations with older pumps that have built-in card readers — still rely on the strips to complete transactions. So you may also be prone to skimming.
And Levin found that both card types are equally susceptible to e-skimming. This is what happens when hackers load malicious software onto a retailer’s website to collect credit card information entered by shoppers. Unfortunately, he said, “there’s absolutely no way for consumers to know it’s happening.” They won’t find out until their accounts are tapped by thieves.
Money Network and the FTB are not revealing how scammers were able to hijack some Californians’ refund cards, and there could be explanations other than the skimming. For example, Levin said, card recipients’ computers could have been infected with malware that recorded them entering their card information during an online purchase.
“They have a number of extremely sophisticated rings” that dupe the public, he said, including state-sponsored rings in North Korea and other countries. These groups are constantly attempting to obtain information, whether through hacking or tricks that they can use to bleed funds from their victims’ accounts.
Additionally, Levin noted that data breaches like the massive one at credit bureau Equifax in 2017 have left vast amounts of sensitive personal information available online, leaving millions of people vulnerable to identity theft. “We live in a time where we are incredibly vulnerable,” he said.
And if some people’s cards really got drained before they activated, that’s not a skimming issue. Instead, Levin said, it suggests that thieves somehow gained access to vital account information before the cards were mailed.
How to protect yourself from fraud
The easiest way would have been to sign up for a direct deposit with the FTB so your mid-range tax refund could have gone straight into your bank account. About 7 million people received their money this way, compared to 9.1 million who were issued debit cards, according to the board.
But for people who already have cards, as well as the relatively small number who are yet to receive them, there are a few things you can do to reduce your risk:
- Transfer all the money on your debit card to your bank account if you have one. You can do this for free through mctrpayment.com, through the Money Network mobile phone app, or by calling (800) 240-0223. Money Network outlines the steps on its FAQ page.
- Download the Money Network mobile app and sign up for transaction alerts. This is a quick way to find out if someone is using your card without your permission. You can block the card with the app to prevent funds from being withdrawn if you suspect a problem or know you won’t be using it for a while. The Money Network also suggests verifying transactions and regularly checking your balance through the app.
- Follow FBI advice on avoiding skimming. This includes not using ATMs or card readers that have loose, crooked, damaged, or scratched parts (which could be a sign of a skimmer); sticking to ATMs in well-lit indoor locations; covering the keyboard when entering the PIN; and be extra careful in tourist areas, which are often targeted by criminals.
- Ignore text messages, emails, or calls that ask you to “activate” or “reactivate” your prepaid card. According to the attorney general’s office, “the FTB will not contact you via text message, email or phone. Do not give out personally identifiable information to anyone who contacts you in this way, even if they claim to be in the government.” Also, don’t be fooled by authentic-looking emails, texts, or phone numbers, all of these things can being faked by scammers.
- As the FTB says, don’t give out your card details unless you’re talking directly to Money Network or your bank, or buying from a trusted seller. And remember, neither your bank nor the Money Network will ever ask for your account password, card PIN, or full social security number.
When thieves steal your prepaid card account
By law, you are entitled to a refund for unauthorized charges made to your card.
The FTB and Money Network say you should call Money Network immediately at (800) 240-0223 if you suspect your card has been used without your authorization. Be forewarned though: FTB says the phone line is only manned Monday through Friday, 8am to 5pm.
You have to work your way through a series of automated scripts and responses to get where you need to go. When prompted, press 1 to access Customer Service, then enter your card number. After that, you need to press 2 to go to the main menu and then press 6 to dispute the unauthorized charges.
LePage said the FTB and Money Network are “jointly involved in investigating potential fraud to ensure taxpayers are protected and receiving the funds to which they are entitled.” But you’ll have to wait until you’re well – according to the FTB, it can take 45 to 90 days to resolve fraud claims.
About the Times Utility Journalism Team
This article is from the Times’ Utility Journalism team. Our mission is to be essential to the lives of people in Southern California by publishing information that solves problems, answers questions, and aids in decision making. We serve audiences in and around Los Angeles—including current Times subscribers and diverse communities whose needs have not been met by our coverage in the past.
How can we be useful to you and your community? Email Utility (at) latimes.com or one of our journalists: Matt Ballinger, Jon Healey, Ada Tseng, Jessica Roy and Karen Garcia.