Short version of my story: May 8th, I bought 3 $500 Paypal My Cash prepaid reloadable cards from Walgreens store #5106 in Grayslake, IL. I took them home and essentially left them alone; I was in no need/rush to load them to my account and was rather busy with work and travel at the time.
July 8th I went to reload one. You scratch off the back, reveal a PIN, then load to an account. These can only be loaded to Paypal accounts – so in theory the money is quite easy to track. Tried this… found the money to be gone! Called up the number on the back of the cards. They are not operated by Paypal but by a company called InComm aka Interactive Communications. Calling Paypal will generally get you routed back to Paypal. The woman on the phone basically said it was IMPOSSIBLE for someone to load any money unless I had given them the PIN (silly and not true, see further explanation below.) I scratched off a 2nd card at this time – with them on the phone – the money was gone as well. Of course it was supposedly my fault, per the rep.
I will sum up my phone experience here for anyone who may go through this: you can only get to 2 types of people at the number on the cards – 855 721 5035 – first line customer service and their managers. They are rather well trained at giving you very little info. Dates money was taken out of my cards? I still don’t know. Most are unhelpful and just trying to get you off the phone. I did run into one southern sounding guy who couldn’t help but sympathized and was actually cool. He provided me the corporate number – 770 240 6100 – to their headquarters in Georgia. From here you might be able to get to a legal department, you can definitely get to a fraud department.
On the first line customer service number you will basically go through a loop of options but they are basically this. They will ask you for pictures of your id and the cards and to fill out a form. This opens a ticket in a jira tracking system for identification. They said they would call me back, although I had to call in for an update. They basically did nothing but say the money was gone and that I needed to open a police report. At this point the only thing they will do is work with the police if you do open a police report. The officer is the only one they will speak with about the case. I was still busy, and my officer was retiring – so fast forward to now and it’s December and I haven’t had much progress down this path. InComm appears to have sent him some info about the Paypal accounts my money was sent to via e-mail, although he retired and did not leave any notes about what is going on with the case. I essentially have to open up a new report at this point.
The problem with this avenue is that it is very very likely the Paypal accounts the money was sent to were password compromised. I was able to speak to someone in the corporate fraud office about this, and they noted the money went to many accounts and that it was no longer there. This (finally) useful information was provided from the corporate fraud department after I provided my jira case number. To sum this up though: the odds of getting your money back by actually tracking down the person that took it is quite small. It’s gone through a web of layers and transfer and is maybe in Nigeria by now. It’s highly unlikely that it went to the person that owns a Paypal account that was sent the money, and the money was likely not sent as $500 to one account but $50 to ten accounts.
The fraud department would not help me because they believe I was scammed – it was my own doing, that I simply won’t admit to them that I was duped and gave out my PIN. They decide this based essentially solely on the fact that the money went to many other accounts. My guess is it all went rapidly as well. If this is something they consider suspicious activity, then how do they know whether it was by some kind of fraud or by a scam? Why assume it is one vs. the latter? Easy, if it is fraud they could be held accountable in some way, while if scam they can just blame cardholders and avoid paying out, absolving themselves of responsibility.
I would bet that this is atypical and suspicious behavior indeed – given that the primary usage of these is likely loading the entire amount to someone’s account. If this behavior is suspicious and a likely indicator of a problem, why do they continue to allow the funds to move at all? It would seem a reasonable precaution would be to freeze the funds for the card and recipients, and give the user a message on their next attempted load that they need to call in and verify some information on the card.
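The precaution described above, as an added example (not part of the original post and not InComm's code): a fan-out rule that freezes a card once its value starts going to more than a set number of accounts within a short window, holds the recipients, and answers later load attempts with a call-in-to-verify response. The thresholds, names and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds, chosen for illustration only.
MAX_RECIPIENTS = 2             # distinct accounts one card may fund per window
WINDOW = timedelta(hours=24)

@dataclass
class Card:
    balance: int                               # dollars remaining on the card
    frozen: bool = False
    loads: list = field(default_factory=list)  # (time, account, amount)

class LoadMonitor:
    def __init__(self):
        self.cards = {}
        self.held_accounts = set()   # recipients whose funds are put on hold

    def activate(self, card_id, amount):
        self.cards[card_id] = Card(balance=amount)

    def request_load(self, card_id, account, amount, when):
        card = self.cards[card_id]
        if card.frozen:
            return "REJECT_CALL_TO_VERIFY"   # holder must call in and verify
        if amount > card.balance:
            return "REJECT_INSUFFICIENT"
        recipients = {a for t, a, _ in card.loads if when - t <= WINDOW}
        recipients.add(account)
        if len(recipients) > MAX_RECIPIENTS:
            # Fan-out: freeze what is left and hold every recent recipient.
            card.frozen = True
            self.held_accounts |= recipients
            return "FROZEN"
        card.balance -= amount
        card.loads.append((when, account, amount))
        return "OK"

def run_sample():
    """Replay constructed events: one normal card, one drained in $50 slices."""
    m = LoadMonitor()
    m.activate("card-normal", 500)
    m.activate("card-drained", 500)
    t0 = datetime(2015, 7, 1, 12, 0)
    out = [m.request_load("card-normal", "owner", 500, t0)]
    for i in range(4):
        out.append(m.request_load("card-drained", f"acct-{i}", 50,
                                  t0 + timedelta(minutes=i)))
    return out, m.cards["card-drained"].balance, sorted(m.held_accounts)
```

With these sample events the normal full-value load goes through, while the third distinct recipient of the second card trips the freeze with $400 still on the card.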
So let us go over some elements of this transaction.
InComm absolves themselves of responsibility by saying there was suspicious activity, and all suspicious activity is by duped people who were scammed. They also say it’s just outright impossible for someone to load money without having this card in their possession or a cardholder providing the ID. What’s wrong with this?
- It’s unreasonable to state every person who has had missing money from this card is a victim of a scam, or that simply because they think it was a scam, the cardholder was duped. There’s no proof whatsoever of this, and they are simply taking this position to avoid paying the cardholder their funds back, or improving their fraud detection and handling procedures of their product. Ultimately I believe this would be taken to a judge to decide, and I would suspect many would fall on the side of consumer protection vs. a company with millions in revenue.
- The card process seems poor in that it only requires the scratch off PIN. If someone got super lucky and guessed the PIN, they could take money. A likely more secure system would be that as seen on something like Starbucks cards – to load their gift cards, both the card number and scratch off PIN are required.
- It’s possible someone could reverse engineer the card algorithm that creates the PINs.
- It’s possible someone who has access to the computer code that generates the PINs shared it.
- It’s possible that someone who works where the cards are manufactured had access to record the PINs before application of the scratch off, or was able to scratch the material off and re-apply it before shipment.
- It’s possible that someone from the public or employed at my store scratched off the material, copied down the PIN, and found a way to apply new scratch off material.
- It’s possible that the PIN was sniffed off the computer network for Walgreens, or InComm, or something during the activation page.
Although it was most likely a low sophistication non-technical hack – it’s possible that the thief got the PIN any number of the above ways, without the cardholder being duped into providing it. If anyone ever claims InComm is magically unhackable and that could never happen either, hey, just point them to this story from last year, where hackers manipulated their system and ran off with over 11 million dollars!
I personally have an accessible history of use of these cards, and the only thing I ever do is load the $500 straight into my account. I am also young(ish) at 36, have a degree in computer science, career in IT, work at a major US bank, have been a power seller multiple times over with thousands of feedback entries on eBay – hardly the profile of someone that sounds like they are going to be falling for a scam and be duped into providing their PIN.
What Can Be Done?
I’m just beginning to explore options and here is where my research stands as of 12/7/15. The below simply addresses getting your money back and does not pursue the prosecution of the thief or attempt to do so, something I would consider wholly separate at this point.
Contact Your State’s Attorney General – It seems they often have a consumer protection division. I am in IL; as of this writing the website I’m looking at is here. I will be sending my form in soon; this could range from resolving the issue to getting some advice to finding out they are backlogged. I’ll update this post with more info as I encounter it.
Write a Demand Letter – This is a letter that you can write or have an attorney write for you. You basically lay out your demands and what you will do if they are not met. Make me whole or I will go to the BBB, the news, take you to court, steal your ice cream, etc. It needs to get to a decision maker. I suppose you could make a few copies and mail them to all sorts of departments and people. If you send stuff via USPS you can do so via registered mail or with certificates of delivery and delivery signature confirmation as well. I suppose that won’t necessarily mean the CEO is signing for it but you’ll have clear proof someone at corporate signed for the piece of mail you addressed to the CEO.
As far as I can tell, InComm is about a 2000 employee company. Per their about page, if you want to send some notes to specific people, you can try
Brooks Smith, CEO
Per this rather lame CEO move, it seems his e-mail address may be email@example.com. Although no surprise if it’s changed now after this note went public, it may be possible to reach some of the others below via first letter + last name @incomm.com though. Note it’s generally common for full email addresses to be limited at 8 characters following this convention too, who knows.
Phil Graves, President
I found Phil on LinkedIn here.
If you have an upgraded LinkedIn account you can mail people directly even if you’re not connected, I believe. If you haven’t upgraded ever (or maybe even just the last year) you can sign up for this for free for a month as well.
I’ll leave it to you to track the others down via LinkedIn, Facebook, or other social media; it is likely many are in the Atlanta area.
Scott Meyerhoff, COO and CFO
Brian Parlotto, EVP
Greg Casagrande, CTO
Michael D. Gruenhut, General Counsel
Julia K. Norris, VP and Deputy General Counsel
Feel free to link them this blog entry as well.
Sue in Small Claims Court – I believe you must sue in a state where InComm has some kind of physical address. Headquarters is in GA, although they also have job location search available in: AR, CO, FL, MN, and TX. Small claims is good for up to $5000 generally although varies state to state. My understanding is the statute of limitations is 2 years from the most recent contact/attempt to resolve a dispute. So it seems if one keeps in perpetual contact it will not expire. My understanding is also that some states allow lawyers in small claims, some do not. If they do not, then a representative from the company will be sent. Check your state. I believe your own state’s attorney general should be able to advise where to sue as well and if suing in your own state is a possibility, as after all, some business was done there (card purchase.)
In small claims, you are pleading your case to the judge to recover your funds. I believe you can sue for the amount to make you whole, and I believe you can ask for any amount you want – including the effort to chase down this money. So taking off work and traveling to the other state as well. Maybe you get it, maybe you don’t. Be ready with dates, numbers and facts. My understanding is the next element I’ll refer to below is not enforceable but personally I would refer to it in court. Your intent is to prove that InComm has been negligent in the handling and protection of your funds.
Sue in Federal District Court – I believe InComm to be in violation of Regulation E, the Electronic Fund Transfer Act. This is a federal regulation which is why it cannot be enforced in the above mentioned state small claims court. I believe Regulation E applies to InComm Paypal My Cash prepaid reloadable cards.
The table on page 13 describes consumer liability depending on the situation and dates – I believe there to be $0 I am liable for in my own case.
Per page 14 on error resolution I believe InComm failed to make me whole within the specified timeline.
Per page 38, failure to comply also carries a civil liability of $100-$1000 per “individual action.” They may be liable in criminal court for even more. I’m not sure what each individual action refers to in this case; I have 3 cards and 2 jira cases with InComm. In any case it seems a minimum of $100-$1000 for your trouble on top of being made whole.
The good news with this option is that the regulation is enforceable by a judge, and you can stay home in your state and sue in federal court. The bad news is you are probably going to need a lawyer, and lawyers are expensive. You can only sue for lawyer fees if the statute allows it – I’m not one but it doesn’t seem that this one does in my naive reading of it. You could try representing yourself, although it looks pretty hard.
Can you and I both hire the same lawyer and represent both of us in one case? I’m not sure on that one. Certainly with a class action lawsuit, although we may be a lot less likely to be made whole ourselves at that point. Lawyers get a ton of that money. Then again, if it comes down to this as a last ditch effort, great, what do I care? If my choice is between receiving nothing, or receiving 50 cents and watching InComm get fined millions of dollars, I’ll still feel a lot better about the latter.
Nonetheless, I do find people who have had similar experiences to me. Contact me if you’d like to be listed. Some complaints:
The list I’ll keep track of here of people who contact me:
| Name | Purchase Date | Attempted Use Date | Amount | State |
|------|---------------|--------------------|--------|-------|