Credit Card Scam Recording — November 6, 2021

Martín Paredes
Published in SysBytes
7 min read · Nov 7, 2021

Here is an example of an attempt to steal credit card details to use for fraudulent purchases. It started with a text message telling us that our credit card was “locked” due to an attempted “fraudulent” use. The text message in this case just said, “your Visa card,” but over the last few days we have received several such text messages with varying messages, such as “your Bank of America credit card,” or “Wells Fargo” card. In all cases, one or two toll-free numbers are provided to call to “unlock” the account. In this example, we received two telephone numbers to call proving that it was a scam.

You can listen to the recording by following the link below:

https://soundcloud.com/elpasonews/recording-of-a-credit-card-fraud-attempt-november-2021?si=6a4e12c8edc24eda9bb41580173a604d

As the reader can tell from the recording, it sounds plausible because of the use of automated attendants. However, if you listen carefully, you will note that the syntax and word usage are a little off, but most people will not recognize it as they go through the motions. The scam works by collecting the information the fraudsters need to misuse the caller’s credit card.

In this case it asked for debit card information because most individuals outside of the United States use debit cards over credit cards. Although the scam is likely targeted at United States users, the use of “debit” card suggests a foreign criminal trying to gain access to the credit card number. Regardless, the scam works on both debit and credit cards.

The first thing it asks for is the full credit card number.

It then asks for another piece of information the scammer or scammers need, the pin number. This is important to note for two reasons. First, it tends to betray the source of the scam as foreign in that most foreign credit cards use pin numbers. The second is that with a pin number, an ATM can be used to get cash from the card. Note the use of the phrase “the same pin you use at the ATM.” It further betrays a foreign source for the scam.

It then asks for “your nine-digit social security number” so that the system can presumably “verify your identity.” Banks do not ask for the full social security number to verify your identity. They just need the last four digits to compare with what they have on file.

However, the request for the social security number suggests that the scammers are targeting U.S. card holders, as U.S. credit cards have fewer fraud protection systems in place to detect fraud, so fraudsters prefer U.S. credit cards.

But readers should note that the fraudsters are also building a fuller financial profile of their target by asking for the full social security number. This will become more evident as more information is requested from you.

Note the “please remain on the line” and what appears to be the call being transferred somewhere else. This is just to give the call more authenticity.

Another automated voice asks for the “three-digit code as it appears on the back of the card”. It is referring to the CVV (card verification value). It is the three digits you are asked for when making online purchases. In my case, I am using fake numbers to enter, more on that in a moment. However, the first number in the credit card number designates the type of card, i.e. American Express (3), Discover (6), Mastercard (5) or Visa (4). I was using a fake American Express but the system was just collecting data, so it did not bother to note that I was entering a fake American Express number and thus only asked for the three-digit CVV instead of the American Express four-digit one found on the front of the card. Although I already knew it was a scam call, this lack of error checking confirmed that it was, indeed, a scam.

It then asked for the expiration date of the card. And then it asked for the zip code. These are common in most credit/debit card-related verifications.

It then asked for the “ten-digit phone number associated with your card.” This is not a normal request for verification at this stage of the process with a legitimate bank-related request, but it shows that the scammers are not only collecting credit card details but are building a financial profile on you to misuse later.

You then get a “your card has been successfully verified” message, apologies, and a statement that you can “use your card as usual.”

As is obvious, the scammer “verified” the card, not for your bank’s purposes but to fraudulently use the card as soon as you hang up the phone. The fraudsters have also built a good financial profile on you with the additional data points they collected from you.

The Financial Profile The Hacker Built

In addition to stealing your credit card details, the fraudsters also built a financial footprint on you. Earlier this year, a 2019 Facebook hack of over 500 million Facebook users was posted online. The significance of the Facebook hack is that it included telephone numbers.

That is why most readers have seen a spike in fraudulent and telemarketer calls to their mobile numbers. But it is also the basis from which fraudsters are building even deeper financial profiles on Americans.

You will note that the scam caller never asked for your name. It didn’t need to because once you provided your telephone number it is easy enough to match it against the Facebook hacked data and gather additional important details, like your name and your gender. With the added details provided to the scammers, they now have a profile on you that includes your social security number, a likely pin number you would use as most individuals recycle their pin numbers and your date of birth.

The profile they can build from this call is enough to steal your identity for financial fraud and for fake identities.

The Numbers I Used

I do not recommend you engage with fraudsters as there are many mistakes that can be made. Additionally, there are legal pitfalls one may encounter. That said, I want to address what I did so readers can understand how I protected our information.

The first and most important thing I did was to use a disposable telephone number from which to call. I did not use the mobile number that the text message arrived at or any other mobile number. This is important because even if you provide a fake telephone number the fraudsters can still identify the number you are using to call them.

The second thing I did was to provide fake answers. But you should be careful here. Do not make up a telephone number with a valid area code, as you could inadvertently provide a working number, and that is not fair to the owner of the telephone number. To make up a fake telephone number, use the area code 555, followed by 555 and then any combination of four digits between 0100 and 0199, for example 555–555–0112. It is important to note that the 555 area code is valid, so make up a number as outlined above.

Some fraudsters are sophisticated enough to employ error checking techniques to stop individuals like me from messing with their fraud. A simple error checking scheme is credit card numbering verifications. Credit card numbers follow a specific numbering system that is easy to verify. For example, the first digit signifies the credit card type, for example all Visa cards start with the number 4.

Programmers have a set of fake credit card numbers they use to test credit verification systems. Here are the ones I tend to use:

American Express: 378282246310005
Discover: 6011000990139424
Mastercard: 5105105105105100
Visa: 4012888888881881
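
The kind of consistency check the recording's system skipped, as an added example that is not from the original article: it applies the first-digit card type rule and the Luhn checksum to the test numbers above, then checks the security code length against the card type. The per-brand card lengths are a simplification assumed here, and the security code "123" is constructed.

```python
# Added example: what a legitimate verification line checks before accepting input.
# first digit -> (brand, card length, security-code length); the lengths are a
# simplification taken from the test numbers listed in the article.
BRANDS = {
    "3": ("American Express", 15, 4),
    "4": ("Visa", 16, 3),
    "5": ("Mastercard", 16, 3),
    "6": ("Discover", 16, 3),
}

def luhn_valid(number: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def check_entry(number: str, code: str) -> list:
    """Return the list of problems a real system would reject the entry for."""
    if not number.isdigit() or not code.isdigit():
        return ["non-digit input"]
    brand = BRANDS.get(number[0])
    if brand is None:
        return ["unknown card type"]
    name, length, code_len = brand
    problems = []
    if len(number) != length:
        problems.append(f"{name} numbers have {length} digits")
    if not luhn_valid(number):
        problems.append("failed Luhn checksum")
    if len(code) != code_len:
        problems.append(f"{name} uses a {code_len}-digit code")
    return problems

if __name__ == "__main__":
    # Test numbers from the article, each paired with a constructed 3-digit code.
    for card in ("378282246310005", "6011000990139424",
                 "5105105105105100", "4012888888881881"):
        print(card, check_entry(card, "123") or "accepted")
```

A system that asks for a three-digit code after an American Express number, as the one in the recording did, is not running even this check.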

For the expiration date just use any valid date in the future.

For the zip code, I used 20535. That zip code happens to include the headquarters for the FBI. Just a little humor on my end and the zip code by itself is not enough to help the fraudsters out too much.

It should be obvious to readers not to use their pin numbers or birthdates.

Protect Yourself

You should note that the text message is not specific about which credit card they are texting you about, even though it may state the bank name of a credit card you have. Most bank communications include at least the last four digits of the credit/debit card in question. A legitimate text message from the bank will have at least those details.

Never provide your full social security number. A legitimate identity verification only needs the last four digits of your social security number to compare against their records.

Although it should not be required, you should always be on the alert for fraudulent text messages asking for identity details.

When in doubt, call the bank directly.

It is important that readers note the part that Facebook plays not only in the increase of fraudulent calls many readers are noting, including attempts at identity theft, but also in providing fraudsters a starting point from which to build a robust financial and identity profile on those who fall for the scam calls. Without the Facebook hacked information, fraudsters would not have the necessary details from which to start a relatively simple automated fraud collecting system to build profiles on millions of Americans who fall for the scam text messages.

Martín Paredes
SysBytes

I am an immigrant. I write about border politics, immigration, US-Mexico geopolitics at elpasonews.org.