Above photo: Anuj Shrestha, special to ProPublica.
Scammers have duped consumers out of more than $1 billion by exploiting Walmart’s lax security.
The company has resisted taking responsibility while breaking promises to regulators and skimping on training.
Christy Browne was in a panic. The man on the phone said he was from the FBI. He warned her that drug traffickers had obtained her Social Security number and were using it to launder money. He said the FBI needed money to catch them.
“They told me not to go to local law enforcement,” Browne testified in court recently about the February 2020 call. The police were watching her and considered her a suspect, the man said.
At his direction, Browne, a retired elementary school teacher who lives in upstate New York, bought four $500 Walmart gift cards at her local Walmart. It was 3:15 pm. She took photos of the serial numbers and PINs on the back and texted them to the man on the phone. With that information, the fraudster had access to $2,000.
That was only the first step. The gift card numbers were then sold to Qinbin Chen, a Chinese national living in Virginia. At 5:47 pm, Chen passed the numbers to a co-conspirator waiting near a Walmart in Sterling, Virginia.
Just eight minutes later, at 5:55, the accomplice did something that an ordinary consumer would rarely do, but which is routine for fraudsters: use one gift card to buy another. With the numbers from Browne’s Walmart cards, he purchased Apple, Google Play and other gift cards at the store’s self-checkout kiosk. He sent the serial numbers and PINs for those cards to Chen, who then sold them to a buyer in China. Transferring the money to other companies’ gift cards for use in another country made it impossible for Walmart to figure out where the funds ended up. Browne had no way to recover her $2,000.
She was far from the only victim. Chen oversaw the laundering of some $7 million in fraudulently obtained gift cards, according to the Department of Justice. It was a complex international operation involving hundreds of victims, thousands of gift cards and multiple co-conspirators in the U.S. and China.
Federal prosecutors would give it a simple name: “The Walmart scheme.”
America’s largest retailer has long been a facilitator of fraud on a mass scale, a ProPublica investigation has found. For roughly a decade, Walmart has resisted tougher enforcement while breaking promises to regulators and skimping on employee training, according to more than 50 interviews, internal documents supplied by former industry executives, court filings and other public records.
Scammers dupe a victim, as they did with Browne, and then they exploit Walmart’s lax systems to get paid quickly and easily. That’s been true whether the fraudsters use Walmart gift cards or instruct customers to send funds by electronic money transfer. The company, in the latter instance, is supposed to be on the lookout for fraud and asking questions: Do you know the person you’re sending money to? Is the money transfer related to a telemarketing offer?
Too often, Walmart has failed. More than $1 billion in fraud losses were routed through the company’s financial systems between 2013 and 2022, according to filings by the Federal Trade Commission and court cases analyzed by ProPublica. That has helped fuel a boom in financial chicanery. Americans, many of them elderly, were swindled out of $27 billion between 2013 and 2022, according to the FTC.
Walmart has a financial incentive to avoid cracking down. It makes money each time a Walmart gift card is used and earns a fee when another brand of card is bought. And it receives one commission when a person sends a money transfer and a second when the recipient picks it up. The company’s financial services business generates hundreds of millions in annual profits. (Its filings do not provide specific figures for gift cards and money transfers.)
“They were concerned about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the U.S. Postal Inspection Service who investigated Walmart for years, told ProPublica.
Walmart’s deficiencies have repeatedly attracted government scrutiny. In 2017, the attorneys general of New York and Pennsylvania investigated Walmart over concerns that it was “reaping the benefits” of gift card fraud. The investigation concluded a year later with Walmart promising to restrict or eliminate the use of its gift cards to purchase other gift cards, a favored tactic of fraudsters such as Chen. Instead, the company let the practice continue until 2022 — even after it knew that millions of dollars were being laundered through its stores.
The FTC sued Walmart in 2022, alleging it “turned a blind eye” as criminals took advantage of its money transfer service. Walmart, the FTC claimed, pocketed millions in fees while “letting fraudsters fleece its customers.” Summarizing the FTC’s evidence, a federal judge in the case wrote that “Walmart knew that its services were used by fraudsters” and that the company was repeatedly warned about certain stores where “twenty-five, fifty, or even seventy-five percent of money transfer activity was fraudulent.” Separately, a federal grand jury in Pennsylvania is hearing evidence of possible criminal conduct in Walmart’s money transfer business, according to corporate filings that did not detail the allegations.
None of this appears to have slowed Walmart’s ambitions to grab an ever-bigger portion of the financial services market. After years of offering gift cards and prepaid cards, money transfers and check cashing, in 2022 Walmart acquired an online banking platform called One, broadening its financial offerings even further.
But as the company seeks to grow, there is reason for caution. Not only is Walmart continuing practices that ease the way for fraudsters, its previous failings go deeper than the government has alleged, ProPublica found. Its long record of spotty training and compliance, and its refusal to take responsibility for the fraud perpetrated using its systems, cast doubt on its ability to run a sprawling financial business, experts and current and former Walmart employees said.
Walmart strenuously defends its anti-fraud efforts. In a statement, the company said its push into financial services has saved customers without traditional bank accounts $6 billion in fees. The company asserted that it has blocked more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from third-party fraudsters,” it said. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”
The company’s legal filings in the FTC case struck a different tone. Walmart is seeking to dismiss the suit, partly on the grounds that it has “no responsibility to protect against the criminal conduct of third parties.” Though fraud is “deeply unfortunate,” Walmart argues, such schemes are “reasonably avoidable by consumers.” The company also asserts that the FTC is exceeding its authority in bringing the action. (The judge upheld the FTC’s authority and allowed the suit to continue. He dismissed a second count, which accused Walmart of violating a rule relating to telemarketing fraud, but permitted the FTC to re-file the claim and address his objections.)
Walmart’s weaknesses provided an opportunity for Chen, whose operation is the largest gift card laundering scheme ever prosecuted by U.S. law enforcement, based on a ProPublica analysis of court records. Including Chen, at least 28 state and federal defendants — almost all from China — have been convicted of using gift cards obtained from fraud victims to transfer tens of millions of dollars through Walmart. It’s likely that many more have avoided detection. One prosecutor called gift card schemes a “worldwide effort to empty the United States of its retirement funds.”
Chen spent five years laundering Walmart gift cards before he was arrested in 2021, according to evidence that would emerge in court. Earlier that year, he complained to an associate that more and more people were competing to resell cards in China, eating into his profits.
So many scammers were flocking to Walmart that he and his team regularly encountered them at self-checkout counters. “All of a sudden, a lot more people started to do it in the past couple of years,” Chen wrote in an online message. “We ran into quite a few at the store, and we even started chatting.”
Store #2038, in the Washington, D.C., suburb of Sterling, Virginia, has much in common with the 4,621 other Walmarts across America. A giant U.S. flag stands out front. Walmart’s yellow “spark” logo marks the hangar-like building. And on a sunny midweek afternoon in late November, the massive parking lot is nearly full, but for a pair of close-in spots reserved for “our law enforcement partners.”
Inside, Walmart shoppers are buffeted by financial promotions. Hundreds of gift cards hang on unattended kiosks near the customer-service counter, where people queue to return broken toasters or exchange pajamas. At the money services desk, where three signs tout Walmart’s recently acquired banking app, you can cash a check, pay a bill, or send and receive money to or from just about anyplace in the world.
It doesn’t look like a hub for fraud. But this was one of the stores frequented by Chen’s crew. Born in Fujian province in southeastern China, Chen dropped out of high school and began working in restaurants at the age of 15. In 2014, when he was 21, he came to the U.S. with his father. In America, he often went by the name Ben Chen and worked in Chinese and sushi restaurants until he found a new way to make money in 2016: gift cards.
In China, gift card trading is a lucrative business. Gamers crave American Google Play, Apple and Steam gift cards because they can use them to purchase credits for games without needing a U.S. credit card. Gift card trading can create “small gold mines” that generate “long-term, stable profits,” according to a post on a Chinese message board.
The lightning-fast model Chen used to launder the money extracted from Browne was typical of such scams. Chen made his profit by purchasing Walmart gift card numbers at a discount from contacts in China. A $100 Walmart gift card obtained from a victim might cost him only $70. He could then use that Walmart card to buy a $100 Apple card, then resell the Apple card at close to its face value, pocketing the difference.
For years, the scam paid off. At the time of his arrest, Chen had $304,033.99 in one bank account and $278,602.69 in another, according to one court filing.
Chen seemed to enjoy taking chances. “Let me say it plainly,” he messaged one associate. “Buying this stuff has the risk of being arrested.” Chen lied to his then-girlfriend to convince her to let him move money through her U.S. bank account, she later testified. He instructed one of his runners to give police a fake phone number, and furnished another with receipts to deceive officers who might request proof of a gift card purchase, according to court exhibits.
And he could be threatening. Once, a former runner used Chen’s name to set up a Sam’s Club membership. Chen was incensed, court records show. He told the man over WeChat to meet him at a Chinese restaurant in Virginia. Noting that he knew the man’s license plate number, he said, “You will die very painfully.”
Starting in 1999, Walmart made four unsuccessful bids to enter the banking business. Such services would give customers yet another reason to visit Walmart stores, and owning its own bank would save Walmart millions in transaction fees. But Walmart faced resistance from regulators, protests from lawmakers and an outcry from community banks fearful that Walmart would wipe them out.
The company responded to these setbacks by launching a variety of financial offerings that didn’t require a bank charter, including check cashing, electronic bill payments, money orders, and branded debit and credit cards. In each case, Walmart undercut typical industry fees, saving its customers money.
Its largest financial venture, launched in 2002, was in money transfers. The company partnered with MoneyGram, which, like Western Union, has long been in the business of transferring funds. Walmart employees would serve customers, then transmit the money through MoneyGram’s electronic network.
The money transfer industry was, and is, massive, running into the hundreds of billions of dollars globally. It was also awash in swindles. Scammers had long loved money transfers for the same reason customers did: They made it easy to move cash rapidly across the world. Plus, they were hard to trace. The problems were so pervasive that a federal fraud investigation would force MoneyGram to terminate its partnerships with hundreds of non-Walmart retail outlets in the U.S. and Canada in 2009.
In the aftermath of this crackdown, federal officials warned Walmart that fraudsters were using its stores to send and receive money transfers. Walmart assured the officials that it already had a “comprehensive” anti-fraud program and would bolster its efforts by training employees to identify suspicious transactions and providing warning signs and brochures in its stores. But those claims, according to the FTC, “turned out to be false.”
Fraud soared. Walmart outlets at one point accounted for the top 20 locations for fraud nationally among chains that partnered with MoneyGram, according to internal documents. In a single week in March 2017, consumers claiming they’d been duped into a money transfer filed 610 complaints about Walmart, according to documents obtained by ProPublica. CVS ranked second, with 47. Site inspections routinely found that Walmart staff lacked anti-fraud training and that employees failed to ask screening questions.
At the time, MoneyGram was bound by agreements with the FTC and Department of Justice that required it to police any lapses it detected among its partners. An independent monitor appointed as part of one of those agreements wrote that “Walmart has weaknesses in its compliance program.”
But Walmart resisted MoneyGram’s attempts to fight fraud. “Walmart pushed back more than any [outlet] I’ve ever seen,” said Alicea, the former fraud team leader for the postal inspector’s office in Harrisburg, Pennsylvania, who investigated MoneyGram and Walmart.
MoneyGram’s agreements with the government also required that it quickly suspend or terminate transfers at any partner that exceeded fraud-complaint limits. Yet until May 2017, 15 years into their partnership, MoneyGram hadn’t suspended a single Walmart store, according to the FTC. MoneyGram’s inaction helped prompt additional penalties from the FTC and the Justice Department.
Walmart officials insisted that shutting down transfers wasn’t “customer-friendly,” Alicea said. The company said it could address the problem with training. Walmart also routinely blamed MoneyGram, even though Walmart shared responsibility for compliance and its employees processed the transfers, Alicea said. “They have the face-to-face contact with the customer. MoneyGram doesn’t,” he said. “Someone’s going in there with a walker and $5,000 and sending the money to Nigeria? Come on.”
MoneyGram was afraid to alienate Walmart, three former MoneyGram officials said. “You don’t shut down one store and make Walmart angry,” said Mark Shaffer, who worked at Walmart for 27 years before joining MoneyGram to help manage its relationship with the retailer. “They [might] say, ‘Fine, you’re out of all 3,000!’” (MoneyGram was released from its FTC and Justice Department compliance agreements in 2021. A spokesperson for the company said it has “invested more than $800 million to enhance its compliance program and doubled the size of its compliance team,” and now has “record-low consumer fraud complaints.”)
Even as Walmart dragged its heels on combating fraud in its partnership with MoneyGram, the company took a major step that effectively loosened security. Walmart launched a second money-transfer service, Walmart2Walmart, a discount operation that allowed people to send money between Walmart stores. If fraudsters seeking to transfer money through MoneyGram at a Walmart store were stymied by security, they could simply try again using Walmart2Walmart, or vice versa.
Scammers immediately abused the popular service, causing an explosion in money transfers by victims of fraud, according to former executives and testimony from law enforcement. “There were a whole bunch of transactions that should have been looked into that weren’t,” former Walmart business development director Axel Wulff, who helped create Walmart2Walmart, said in an interview. “We simply didn’t have the resources to follow up on everything.”
Ria, the company that provides the electronic backbone of Walmart2Walmart, acknowledged the service’s struggles. “Unfortunately,” Ria noted in a statement, Walmart2Walmart was “exploited by fraudsters, who are always looking for new alternatives to facilitate their fraud schemes.” In response, Ria restricted or suspended transactions at high-fraud Walmart stores and worked with Walmart to establish systemwide controls. Ria “prevented significantly more fraud attempts than those that were completed,” it said.
In its own statement to ProPublica, Walmart asserted that it has stopped “hundreds of thousands of suspicious money transfer transactions” and that “fewer than 2 out of every 10,000 money transfers at Walmart were reported as even possibly fraudulent in 2021.”
Walmart was more combative in its pleadings in the FTC case, denying any obligation to act on “alleged” red flags. “No law prohibits consumers from sending multiple money transfers or from using out-of-state IDs, and Walmart has no grounds to scrutinize customers who do so,” it wrote. The company rejected the idea that it should “interrogate” customers sending money to “certain countries” based on “stereotypes that an entire ‘countr[y]’ presents a ‘high-risk’ of ‘fraud.’”
It was unfair, Walmart said, to punish the company for “not second-guessing customers and blocking transfers they have freely chosen to undertake.” But standard industry agreements and federal regulations require precisely that.
As the FTC and DOJ began cracking down on money transfers and MoneyGram responded in 2017 by suspending transfers at some Walmarts, scammers started favoring another tactic: telling victims to buy gift cards.
Complaints about gift card purchases at Walmart flooded the offices of state attorneys general. As part of the joint investigation launched in 2017 with New York’s attorney general, Pennsylvania officials pressed Walmart to compensate “victims who were never questioned or warned of the potential for a scam by Walmart clerks or managers.” The attorneys general also looked at Target and Best Buy.
Walmart representatives met with lawyers from the two states. According to meeting notes obtained through a records request, Walmart again invoked its customer-service argument: “Walmart not sure they want employees to refuse transactions … against the ethos of making customers happy,” the notes said.
On Nov. 20, 2018, New York and Pennsylvania announced that Walmart, Target and Best Buy agreed to make “significant” changes to their gift card policies. They included lowering the amount of money that could be loaded onto a card to $500, limiting the number and total value of gift cards that could be purchased at one time, and improving employee training.
The retailers also said they would restrict or eliminate the use of a gift card to purchase other gift cards. That should have been the death knell for the laundering method used by Chen and others. Best Buy and Target soon implemented a ban on gift-card-for-gift-card purchases.
Walmart said it would do the same, but then let the laundering continue for nearly four more years.
The company decided against imposing a ban, according to Fred Helm, who worked for Walmart’s global investigations unit. “That was a big conversation,” Helm told ProPublica. “The Walmart business side makes that call, not the legal side. I think it was probably just a case of ‘business wins the day.’”
Walmart’s statement to ProPublica did not address questions about its agreement with New York and Pennsylvania. The company pointed to an FTC report that showed fraud losses were considerably higher for Target cards than Walmart cards in the first nine months of 2021. (The FTC’s method didn’t take into account gift-card-for-gift-card purchases, which Target had banned, but which were still allowed at Walmart. The FTC has not run a similar calculation for other years.)
Chen had already made Walmart his focus before the 2018 agreement. The company’s decision not to bar card-for-card purchasing enabled him to expand his business. He recruited runners by placing ads on WeChat, a Chinese social network, and on a Chinese-language site focused on the D.C. area, according to trial evidence.
In 2019, Chen connected with Jin Hong, a Virginia native, and offered him a 3% commission on the dollar amount of Walmart gift cards he laundered. He could earn $300 a day by moving $10,000 in cards.
“Easy to do [USD] 2,000 in a single store,” Chen said, according to WeChat messages translated by the FBI. He added: “Working hours are from 11 to 6. [You] may leave early if there is no order.”
“I don’t mind giving it a shot!” Hong said.
Chen sent him a list of Walmarts and Sam’s Clubs. “These are the ones where are relatively easy to make the purchase,” Chen said. Hong started the next day and worked for Chen for six months. Hong would later plead guilty to one count of conspiracy to commit wire fraud and agreed to cooperate with the government.
“You would sit in a Walmart parking lot from 11:00 to 6:00, five days a week, redeeming gift cards, correct?” a prosecutor asked.
“Correct,” Hong said. It was Hong who waited in the Walmart parking lot before converting the gift cards that Christy Browne was tricked into buying.
Reached by phone, he declined to comment.
Chen had two rules for his runners: Move fast and use the self-checkout kiosk. Speed ensured a victim couldn’t reclaim their funds before a runner could launder the Walmart gift card. Self-checkouts were key because they operate with little oversight.
But even if Walmart employees had noticed Chen or one of his minions, they weren’t properly trained to identify and stop financial misbehavior. With Walmart’s high turnover, many workers lacked experience, and they were under pressure to make quick sales to keep checkout lines short. A former manager who spent a decade working at Walmart said it was “very rare” for associates to ask questions to determine whether customers might be involved in, or a victim of, fraud. Federal regulations require such questions for money transfers but not gift cards.
Today, Walmart cashiers handling gift cards, prepaid cards and money transfers are supposed to complete anti-money-laundering and anti-fraud training through computer-based courses. They consist of videos and multiple-choice quizzes. Associates must score 100% before being allowed to work the register.
A current Walmart employee with six years’ experience in the MoneyCenter, a financial services section offered in some Walmart stores, said that the training videos include obsolete technology and don’t cover all of Walmart’s financial products. “I think the training could be a heck of a lot better than it is. They’re not current to what we’re doing.”
Walmart said that associates “are part of a large team dedicated to fighting fraud. Walmart trains hundreds of thousands of associates annually.” It said employees handling money transfers receive additional training, including “job aids, manuals and infographics” and “daily knowledge checks at the register.”
ProPublica readily found copies of Walmart’s current “advanced” anti-money-laundering and anti-fraud quiz online, complete with answers. They were posted by Walmart associates who said they shared them to help colleagues pass the quiz.
ProPublica showed a copy to Christian Hunt, a former head of compliance at UBS Asset Management and the author of “Humanizing Rules: Bringing Behavioural Science to Ethics and Compliance.” Hunt said Walmart’s test is riddled with “lazy, pointless” questions that don’t help employees identify or prevent fraud. “It allows you to say you have tested them,” he said. “It does not allow you to say they genuinely understand this.”
The test’s first question is, “Which of the following is the process of collecting basic information about a customer regarding their identity?” The answer is “Know Your Customer.” Hunt said Walmart cashiers don’t need to know the phrase; they need to understand what information to collect and why.
Walmart cashiers and managers said they are responsible for enforcing a limit of four $500 gift cards per purchase (as laid out in the agreement with New York and Pennsylvania). But, according to police reports and a current Walmart associate, employees often ignore the limit.
Walmart seems to have had more success in staving off fraud when it relies on technology. The company employs analytics and artificial intelligence, and Helm’s team developed a system called Redemption that can automatically freeze the balance of a gift card if it exhibits activity consistent with fraud.
In 2022, Walmart turned over to the Secret Service roughly $4 million that it had frozen using the Redemption system. The funds, which were seized from gift cards loaded in July 2017, are being refunded to people who purchased the original gift cards.
“The secret sauce is miles per hour — the speed that the money is moving between the reload [of a gift card] and redemption,” Helm said. The system could, for example, detect if someone had bought gift cards in Pennsylvania and the same cards were being redeemed in Texas soon after. “We may have the disease of being so large, and things fall through the cracks, but this was one hell of an effort,” Helm said.
Still, Redemption captures only a small fraction of the fraud. And Walmart has not returned any money that was frozen on cards since 2017. Walmart declined to comment on the lag or to reveal how much money it has seized in total.
The flimflams continue, even in Walmart’s home state of Arkansas. In March 2022, a 39-year-old man with autism and what his mother described as “a mental impairment” began an online romance with someone he believed was WWE wrestling star Bianca Belair. Following the impersonator’s instructions, he used a credit card he’d obtained at the direction of the scammer to purchase $7,500 in Apple gift cards at a Walmart in Hot Springs, Arkansas. His mother filed a complaint with the Arkansas attorney general, asking how Walmart could permit such a suspicious transaction without asking questions. As she put it, “I’m a pissed off angry mom.”
A few months later, an 82-year-old woman ensnared in a fraud scheme purchased $14,000 worth of Walmart gift cards at two stores in Rogers, Arkansas. According to her son, employees didn’t ask anti-fraud questions and failed to enforce the gift card limits. She never got her money back. The woman had worked for many years in a warehouse — at Walmart.
Gift card fraud is increasingly taking a different form: balance theft. A scammer grabs Walmart gift cards and takes them to a private spot, such as a bathroom stall. The criminal peels off the protective tape covering the PIN and photographs it and the card’s serial number. They reapply security tape and put the cards back on display, hoping a customer will pick one up.
As soon as a customer activates a card and loads money onto it, the crook (who uses the PIN and serial number to monitor the card’s balance on Walmart’s website) spends the money. When people go to use the card, they discover it has a balance of zero.
Walmart could thwart balance theft by wrapping its gift cards in secure packaging, as other retailers do, and by keeping them in a secure location. Walmart already puts items such as video games, nicotine gum and replacement bulbs for car headlights behind lock and key.
Walmart gift cards are “just sitting on the shelf like an open deck of cards,” noted Craig Heidemann, an attorney who filed a class-action against Walmart in 2018 over its alleged failure to protect gift card buyers. (Heidemann’s suit was dismissed in 2022 and he wouldn’t comment on whether he’d reached a settlement.)
The difference between Walmart and other brands was evident in November at the Virginia store formerly targeted by Chen. Among dozens of varieties of gift cards, only the Walmart-branded ones lacked protective packaging.
In September, Qinbin Chen went on trial. Six of his confederates had already pleaded guilty to criminal charges. Now the diminutive Chen sat at the defense table, with a Mandarin translator, to answer to eight counts of money laundering, conspiracy, access device fraud and aggravated identity theft.
The pretrial period had been contentious. Chen was chronically dissatisfied with his lawyers, most of whom were court-appointed. As the trial began, he was on his sixth attorney.
The trial lasted three days. Prosecutors used testimony from co-conspirators and messages obtained from Chen’s phone to portray him as a driven criminal. The government called him the “quarterback for a criminal organization that obtained, used, transferred, and laundered” Walmart gift cards with millions of dollars of value. Chen’s lawyer countered that his client ran a legitimate gift card business and that the government failed to show Chen knew the Walmart cards came from fraud victims.
On Sept. 14, after less than three hours of deliberation, the jury convicted Chen on all eight charges. He faces between two and 20 years in prison and is expected to be sentenced in February.
In late November, Chen sent a letter to the trial judge, outlining multiple grievances. Printing by hand on yellow lined paper, Chen complained that he was “treated in an Incorrect and careless way. It’s led me lose my trial. … I really need my retrial with different lawyer.” (By Dec. 13, a seventh attorney was representing him. That lawyer did not respond to requests for comment.)
For her part, Browne, the retired teacher who lost $2,000, is still grappling with what happened to her. Even before being defrauded, she didn’t use credit cards or digital payments due to security and privacy concerns. Now she’s scared to answer her phone.
She told ProPublica: “There isn’t anything I trust any more.”