Millions of Americans now filing for unemployment will receive benefits via a prepaid card issued by U.S. Bank, a Minnesota-based financial institution that handles unemployment payments for more than a dozen U.S. states. Some of these unemployment applications will trigger an automatic letter from U.S. Bank to the applicant. The letters are intended to prevent identity theft, but many people are mistaking these vague missives for a notification that someone has hijacked their identity.
So far this month, two KrebsOnSecurity readers have forwarded scans of form letters they received via snail mail that mentioned an address change associated with some type of payment card, but which specified neither the entity that issued the card nor any useful information about the card itself.
Searching for snippets of text from the letter online revealed pages of complaints from consumers who appear confused about the source and reason for the letter, with most dismissing it as either a scam or considering it a notice of attempted identity theft. Here’s what’s the letter looks like:
My first thought when a reader shared a copy of the letter was that he recently had been the victim of identity theft. It took a fair amount of digging online to discover that the nebulously named “Cardholder Services” address in Florida referenced at the top of the letter is an address exclusively used by U.S. Bank.
That digging indicated U.S. Bank currently manages the disbursement of funds for unemployment programs in at least 17 states, including Arkansas, Colorado, Delaware, Idaho, Louisiana, Maine, Minnesota, Nebraska, North Dakota, Ohio, Oregon, Pennsylvania, South Dakota, Texas, Utah, Wisconsin, and Wyoming. The funds are distributed through a prepaid debit card called ReliaCard.
To make matters more confusing, the flood of new unemployment applications from people out of work thanks to the COVID-19 pandemic reportedly has overwhelmed U.S. Bank’s system, meaning that many people receiving these letters haven’t yet gotten their ReliaCard and thus lack any frame of reference for having applied for a new payment card.
Reached for comment about the unhelpful letters, U.S. Bank said it automatically mails them to current and former ReliaCard customers when changes in its system are triggered by a customer – including small tweaks to an address — such as changing “Street” to “St.”
“This can include letters to people who formerly had a ReliaCard account, but whose accounts are now inactive,” the company said in a statement shared with KrebsOnSecurity. “If someone files for unemployment and had a ReliaCard in years past for another claim, we can work with the state to activate that card so the cardholder can use it again.”
U.S. Bank said the letters are designed to confirm with the cardholder that the address change is valid and to combat identity theft. But clearly, for many recipients they are having the opposite effect.
“We encourage any cardholders who have questions about the letters to call the number listed on the back of their cards (or 855-282-6161),” the company said.
That’s nice to know, because it’s not obvious from reading the letter which card is being referenced. U.S. Bank said it would take my feedback under advisement, but that the letters were intended to be generic in nature to protect cardholder privacy.
“We are always seeking to improve our programs, so thank you for bringing this to our attention,” the company said. “Our teams are looking at ways to provide more specific information in our communications with cardholders.”
I wouldn’t trust something called a “ReliaCard” ,
sounds like a security nightmare to me.
So does “Cardholder Services”. 🙁
If anybody but you had posted this I would think the article was just more urban legend sensationalism. However, Brian, I know you research everything thoroughly and I appreciate the great work you do for us.
so what is the issue itself? nothing, right? does this warrant a Krebs article? this is a good practice that consumers being confused isn’t a story?
It’s a good practice to send a letter warning of an address change for a payment card without offering even the slightest bit of information about who sent the letter or to what payment card the letter is referring? Or any information about how to get more information about the reason for the letter?
I find it hard to be critical of private and state agencies trying to deal safely and quickly to address payments to millions of US citizens now out of work. Of course there are going to be missteps. I would rather be spending time trying to share intelligence on the criminal and state run activities taking advantage of the COVID pandemic versus a process issue with change in address notification.
Because these vaguely written and mishandled notifications create a burden on everyone – people receiving those funds and security professionals trying to combat rampant scam. And yes, absolutely, such reporting is necessary. The main purpose is to whip that bank into shape to actually learn the lesson and change their practice. Otherwise they will do nothing.
Spend your time as you please. How it this article stopping you?
EDD in CA uses BOA debit cards. I received a similar message via email that my address and phone number had been changed and to contact them if I didn’t authorize it (which at this time is next to impossible). I immediately went on both sites to make sure nothing had changed which it hadn’t. But I didn’t need this type of stress. Thanks for the article.
Let’s not forget that “Rachel from Cardholder Services” is a very commonly used telemarketing scam. So much so that “Cardholder Services” itself is now associated with fraud.
I think the reason for the letter needs to be better spelled out. Like a git code commit that shows what was the information before and after. If that’s not available, something more specific like you had an old expired card on file that is not activated. It is better to not require further inquiry or communication that that will:
1) add to customer service load which smart communication can prevent
2) adding a way to ask for more clarification, invite scammers to intercept the phone call, e-mail, web form, to get more details. Say you have identity theft scam going and need to update contact info so you can run a scam up to date. Having a contact point on the letter just invites more fraud.
My husband received this letter.
So glad to know he wasn’t the only target, yet sorry for anyone who underwent the stress of receiving one.
So…. what is the outcome? Do we just ignore it?
Or….Do we write a letter to the ‘company’ using the PO Box #.
Would really like to know what everyone else did or is doing.
Thanks in advance.
I just got the letter. What I should do?
They are intentionally hiding their identity. I can only speculate on why. When questioned, the responses seem questionable. It makes one think something is up.
My health insurance company outsourced to an outfit calling themselves “spending account processing” for the healthcare reimbursement account. They had an address in the same city as the health insurance company, but they are also now using a Florida address. I receive most communications “paperless” and the emails become very suspicious looking. They are addressed from “noreply@spendingaccountprocessing.com” the body text begins “Dear Member,” finishing with a salutation of “Sincerely, Your Member Advocate Team”. At the top here is a logo image of the health insurance company I do not see in plain text or simplified HTML or protected HTML. The logo is hosted at https://atqaeastsqldiags.blob.core.windows.net and a filename with the company’s initials visible in the raw email text. Only at the very end of the email do you see mention of the health insurance company in their standard text block with another image hosted at a different server.
One time there was a claim adjustment resulting in an overpayment I had to return. That letter stated I was to make the check out to “Spending Account Cashier” addressed to “Cashier”. It was signed “Collections Department” and to contact “Customer Service Advocate” with any questions.
I almost sounds like a comedy skit.
Big bureaucracies, big mistakes.
…and people ask me why as a Veteran I don’t take up any of the VA benefits. Government systems and processes are embarrassingly behind the times. States and cities are just beginning to understand what spearphishing is while those in the private sectors have been bombarded with anti-phishing training monthly. With the news outlets hyping another half year of recession and unemployment, of course everyone is going to laser focus on personal P&L. Generic, cost saving correspondence reads exactly like spam, junk mail, and fraud.
exactly!
Cardholder Services…. How many of the SPAM calls you receive start out with “Hi, this is Lisa from Cardholder (or Cardmember) Services…”
Exactly!
Exactly!
“Cardholder services” is what the return address is on statements from every credit union I’m in. Does this mean that US Bank processes the statements for credit unions in Texas and Maryland?
Not all of the credit unions, because they are each independently (member) owned and operated. But, U.S. bank owns a company called Elan which other financial institutions can contract to in order to outsource their credit card handling and possibly offer more attractive rates and card benefits to their members than if they did the work in house.
Could be, mark. Or it could be they’re using some other outsourcing provider who also uses that same generic phrase for the same reasons. Or they do it inhouse using the same nomenclature. One reason for keeping it so generic is they can change the back end processing easily. So today it might be in house, tomorrow management decides to outsource and cut staff and customers never know the difference, except maybe quality of service erodes but these days who expects good customer service anyway?
Thanks for this article, Brian, and for all the digging you had to do in order to find out what was behind these letters. I noticed that in the body of the letter, it refers to Cardholder Services and Cardholder Service. Inconsistency in referencing their own company name is a red flag for a scam. Telling you to call the number on the back of a card without indicating which card doesn’t seem like very efficient phishing, so maybe not a scam. Now what? Call the customer support number on the back of every card I have and sit through the long “hold” times? That sounds like fun. (“Hi. I’m calling to see if you sent me a letter.”) Maybe just add it to the list of things I’m already stressed out about?
This goes beyond consumers being confused. This was a big fail, and it obviously created a lot of distress to people who are already distressed at being unemployed. Brian, thank you for posting this, and thank you for letting U.S. Bank know precisely how they created a public relations nightmare.
In keeping with the rigor that went into designing these processes from soup to nuts — and many of the designers were nuts — they may as well have called it the MurphysLawCard.
I recognize CardHolder Services as the dba name of what had been Elan Financial Services, Inc., a USBank (formerly Firstar nee First Wisconsin National Bank) subsidiary. They are a credit and debit card processing company, used not only by USBank but also Fidelity and others. Undoubtedly Elan’s “householding” of Customer Information Files across multiple client subsytems noted differences between identical dafa elements and generated these ‘exception reports’.
Their effort at “white label” (ie generic) identity in their correspondence undoubtedly helps keep their paper and IT processing costs down, but have high collatoral costs in terms of creating trust in the age of ID theft etc.
It seems that Financial Institutions (including insurers as well) have yet to fully grasp the idea that authentication is a two-way street. Customers need to authenticate companies as much as companies need to authenticate customers. Maybe we consumers need to have the companies tell us THEIR PIN or favorite color (which had been previousy established as their Safe Word) before we can trust their communications.
That is one of the most spot-on ideas I’ve seen in a long time.
It really is a two-way street. And may I add, a second or third factor for verification (at least as an option) would also be nice.
But at least a PIN from them is a move in the right direction.
Thanks Doug!
Before I log into my banks online portal, to check the balance & transaction history for my debit card, their website will display a unique image & a custom phrase. The image was chosen from a large selection of images that are kept in a secured database that can only pull one image at a time, and only during initial account setup over a fully encrypted connection. The phrase was written by me during the setup. Both of these items are to ensure that the website my browser is loading, is actually the legitimate one no matter where I log in from, or on what platform. I must first enter my email address, and nothing else in order to display these two items & before entering a password. I also have one of three pre-selected challenge questions. The answer to each of those I treated as a randomly created passphrase that only dimly have anything to do with the question. If I get any challenge question other than the three I chose, or do not see the correct image or passphrase, then I’ll log the connection details. Maybe save the website to a thumbdrive & directly phone my bank about it with a number that I keep in my phones contact list
Another reasonable idea would be when someone applies for Unemployment and it’s expected they will get a debit card, for the state’s website to display information regarding that card, i.e., “You will receive a ReliaCard that is administered by CardHolder Services at address and phone number”.
That would set expectations on the recipient’s end, and hopefully if they get a generic letter, they’ll remember what they saw on the state website and won’t freak out.
In the state where I am, it’s also possible to have UI money deposited into a bank account as well as a debit card.
I’ll take the debit card.
I don’t need an unaccountable entity ACHing cash into and out of my checking account.
Most debit card UI payments can be cash-advanced from the card directly into your checking account by your bank at the drive thru (not ATM) without incurring fees.
Of course U.S. Stupid Bank is not the only bank that sends out these same useless letters from “Cardholder Services” at depositor’s expense (one reason you only get .005% interest on savings. I have gotten similar useless no info letters from my bank’s Cardholder Services and they don’t have anything to do with unemployment compensation.
Thats funny but true.
Thats funny.
Malware and installed programs can configure system settings resulting in problems in the performance of the system. Windows Repair Software sets your system settings to default and protects from different harmful malware. The program has a simple user interface which makes it easy to use.
That’s funny! but doesn’t look like a scam.
I have to wonder how many of those letters are really being triggered by fraudsters trying to take advantage of the surge in unemployment benefits by hijacking accounts?
In other words, how many are true positives not false positives for attempted identity theft?
My gut feeling is, probably more than US Bank would want to admit.
I just recive the letter so is this a scam or what?
What should I do?
My address is still the same hope this is not scam