About three weeks ago I discovered an unauthorized charge on my debit card. Someone had made some purchases of $10 and $35 out in California (I’m in Las Vegas and hadn’t travelled at all). These were obviously fraudulent, so I called up my bank, reported the charges, cancelled the card, and got a new one sent out. I figured I must’ve been the victim of a card skimmer.
So the new card arrives a week later, with a new credit card number. Since then I’ve been in physical possession of the card 100% of the time (took it out of the mail from the bank), never used it online or put the number on any computer. I’ve only used it to fill up at a gas station I’ve never been to, go to the grocery store, withdrew some cash from an ATM at my bank, and used it at a few restaurants and fast food places.
But Saturday I got a small charge on the card - this time from about 80 miles away rather than in California. But the bank instantly detected something fishy, sent me a warning, and put the card on hold.
Both cards were used in three places. A grocery store, a fast food restaurant, and a bank ATM at a BoA branch. The last time the first card was used at the grocery store was 1/26, and the new card 2/15. For the fast food, it was 12/19 and 2/16. For the bank ATM, it was 10/17/16 and 2/06 (used to activate the new card).
The fraudulent charges on the first card occured on 1/30, and on the second 2/18. This lines up most closely with the grocery store, which involved visits on 1/26 ad 2/15. Which means that the fraud charges followed the grocery store visits by 4 and 3 days. The other places in common are still possible, but they would’ve had to have sat on the number for longer and had a skimming operation running for a longer period.
I thought the first time that maybe I’d had my card read and duplicated from a skimmer. But then… that couldn’t stay in operation over three weeks, right? Let’s say they stole a few hundred debit cards from the skimmer there - Visa or Mastercard or the banks would look at the fraud reports and say “huh, 200 different people reporting fraud made credit card purchases at this grocery store recently” and get that shut down, right? So how could one skimmer operate for the 3 weeks between visits?
If they’re not skimmed, how could they be getting my CC info when I’ve never put the second one online and always had possession of it?
The plot thickens: I got a call today with a recorded message claiming they were from bank of america (the correct issuer). Very official sounding, claimed to be from the department of debit customer protection, using my real name, referencing the last 4 digits of the debit card, telling me to call them back and use a certain claim number to talk to a representative.
I noticed that the number they gave me to call was different than the one the BoA website had said to call, so I googled it. The voicemail message wanted me to call 877-248-6276. A bunch of sites dedicated to scam warnings like this one indicated that it’s a known scam from people posing as BoA, trying to get people to give them their DoB, SSN, etc. in order to complete full identity theft. The number they called from matched the other descriptions too - 315-724-4022.
But here’s the thing. They know my debit card number and name from having stolen/duplicated the card. I get that. But how would they get my phone number to leave this message? And in fact, if I recall correctly, the phone number they called isn’t even the phone number I have on file with Bank of America itself, although I may be incorrect on that point.
So it has to be more sophisticated than simply using a skimmer if they know my phone number, right? And how likely is it that I’d be skimmed twice in the same place over a period of weeks? I’m at a loss to understand what’s going on here. I’ll call the bank security department tomorrow, but I’d like to have an understanding of what might’ve gone wrong first.