I'm the target of debit card fraud/scam

Factual Questions
1

About three weeks ago I discovered an unauthorized charge on my debit card. Someone had made some purchases of $10 and $35 out in California (I’m in Las Vegas and hadn’t travelled at all). These were obviously fraudulent, so I called up my bank, reported the charges, cancelled the card, and got a new one sent out. I figured I must’ve been the victim of a card skimmer.

So the new card arrives a week later, with a new credit card number. Since then I’ve been in physical possession of the card 100% of the time (took it out of the mail from the bank), never used it online or put the number on any computer. I’ve only used it to fill up at a gas station I’ve never been to, go to the grocery store, withdrew some cash from an ATM at my bank, and used it at a few restaurants and fast food places.

But Saturday I got a small charge on the card - this time from about 80 miles away rather than in California. But the bank instantly detected something fishy, sent me a warning, and put the card on hold.

Both cards were used in three places. A grocery store, a fast food restaurant, and a bank ATM at a BoA branch. The last time the first card was used at the grocery store was 1/26, and the new card 2/15. For the fast food, it was 12/19 and 2/16. For the bank ATM, it was 10/17/16 and 2/06 (used to activate the new card).

The fraudulent charges on the first card occured on 1/30, and on the second 2/18. This lines up most closely with the grocery store, which involved visits on 1/26 ad 2/15. Which means that the fraud charges followed the grocery store visits by 4 and 3 days. The other places in common are still possible, but they would’ve had to have sat on the number for longer and had a skimming operation running for a longer period.

I thought the first time that maybe I’d had my card read and duplicated from a skimmer. But then… that couldn’t stay in operation over three weeks, right? Let’s say they stole a few hundred debit cards from the skimmer there - Visa or Mastercard or the banks would look at the fraud reports and say “huh, 200 different people reporting fraud made credit card purchases at this grocery store recently” and get that shut down, right? So how could one skimmer operate for the 3 weeks between visits?

If they’re not skimmed, how could they be getting my CC info when I’ve never put the second one online and always had possession of it?

The plot thickens: I got a call today with a recorded message claiming they were from bank of america (the correct issuer). Very official sounding, claimed to be from the department of debit customer protection, using my real name, referencing the last 4 digits of the debit card, telling me to call them back and use a certain claim number to talk to a representative.

I noticed that the number they gave me to call was different than the one the BoA website had said to call, so I googled it. The voicemail message wanted me to call 877-248-6276. A bunch of sites dedicated to scam warnings like this one indicated that it’s a known scam from people posing as BoA, trying to get people to give them their DoB, SSN, etc. in order to complete full identity theft. The number they called from matched the other descriptions too - 315-724-4022.

But here’s the thing. They know my debit card number and name from having stolen/duplicated the card. I get that. But how would they get my phone number to leave this message? And in fact, if I recall correctly, the phone number they called isn’t even the phone number I have on file with Bank of America itself, although I may be incorrect on that point.

So it has to be more sophisticated than simply using a skimmer if they know my phone number, right? And how likely is it that I’d be skimmed twice in the same place over a period of weeks? I’m at a loss to understand what’s going on here. I’ll call the bank security department tomorrow, but I’d like to have an understanding of what might’ve gone wrong first.

2

Just call the 1-800 number provided on the back of your card instead of the 1-877 number. It’s confusing that the fraud departments of banks give out an alternative number to call when they give out these “Possible Fraud” messages to their customers.

As for why your card is being skimmed, maybe look into RFID blocking/protection for your card when its in your wallet/pocket?

3

They didn’t shutdown your credit card just because it was skimmed or used in the periods the skimmer was used ?

  1. they didnt know yours was skimmed for sure… the skimmer might have worded there only weekends or something.
    But also because its the banks who look at fraud on debit cards, and the banks run their eftpos terminals… So while the bank who provided that grocery stores might have had a good idea about many cards being skimmed, they might only act to rectify the issue on the cards linked to their own bank accounts.
    Also, the small purchases you quote might be totally unprofitable to the skimmer.
    The skimmers main aim may be to engineer people to respond to the fake message and thus let the skimmer then engage in identity theft and get to real cash , big value cash…$$$$

What if the bank transfer scammers were operating in Las Vegas to do the skimming with the aim of getting into the news and the rumour mill and grapevine (word of mouth…) that the cards in Las Vegas are being skimmed… and then they send/left that scam message to everyone in your area of Las Vegas they can … so as to have worried people respond in a panic, believing that they had to… I think the “you have been skimmed, please call” fake number scam is just spammed out to a lot of people to get a few responses… thats why they use an autodialer thingy !

The skimmer never got the link between your phone number and your card… they did skim your card, and used it, but they just called your number in a mass calling of people in your area of las vegas.
(its possible that there is a link and they actually got your number because you provided it to the bank… and the bank’s website leaked… eg call centres in India are given access to the list of complaints… and then numbers are then leaked to the scammers, who did the skimming to cause a rush of panicked responders… )

4

Doesn’t sound like you are financially at a loss for any of the transactions. Let BOA fraud dept. take care of it. That’s why you pay them fees, give them the float on your balances, etc. Unless you are just curious and some part of you wants to be Sherlock and figure it out, I wouldn’t worry about it. Get a new card…again…and go on with life. You are not unique. Thousands of people are targeted for scams.

5

Sister had credit card issues on 2 different accounts within weeks of each other… but doubts problem was a skimmer. She got a statement from one and noticed a purchase she didn’t recognize. The card rarely had a balance or more than $50 and this was maybe $250… I don’t remember exactly how much. Purchase was from a store she did not shop at… in person or online. She called CC company and they immediately cancelled and reissued a new card. Within a few days of that incident, she actually go a call from her bank asking about a purchase? Seems there’s some sort of cap that often doesn’t raise suspicion… if it goes unnoticed, oh well!?! That car was cancelled and reissued. She suspects someone got number at one of the places she was doing online purchases of pet meds?

Not a CC issue, but I get robo calls at least 1-2 times a day from someone claiming to be able to reduce my electric bill significantly. They leave a robo message, which I never listen to, I’m imagine it’s someone trying to sell some solar panel system?? If I’m near the phone when I hear the message going, I look at where it’s coming from… and from all over the US or “unknown”… never seems to be the same place more than once?!?

6

Gas stations are where a lot of skimming goes on. Did you pay at the pump? Crooks will open the pump and put a skimmer inside the machine. I imagine they like pumps because they can tamper with them in the middle of the night when no one is around.

I’m not sure exactly how they got your name, but that may have also come from the skimmer. I don’t think your name is on the stripe. Often on your receipts you’ll see your name when you pay by CC, so somehow in the communication with the CC company they get your name. Maybe the scammers have devices which can get your name when the pump communicates with the CC company.

Once they have your name, it’s a matter of searching public records for your number. If there are multiple people with your name, they may have called them all with a similar message.

7

Skimmers are not the only way to steal credit card data.

In the massive Michael’s case, it turned out that the card readers the chain installed in their stores were programmed to store the data and forward it to the thieves. In the massive Target case, apparently the data was being stolen from one of their backend systems. In both cases, the thefts went on for months before anyone could figure out what was going on.

A skimmer is nice (for the thief), but it can only get a few hundred (maybe a few thousand if the thief is lucky) cards. The real hacks grab card numbers by the millions (3 million at Michael’s, 70 million at Target).

And data can be stolen from the banks and card processors themselves. These type of thefts get less publicity because they are handled internally. One of the biggest data breeches was at Heartland Payment Systems, a processor for thousands of merchants. Someone planted malware in the their systems that stole credit card data.

If you think that skimmers are all there are to worry about, you are missing the big picture.

8

In the United States, at least, it is.

9

I’m guessing they called a cell number? If you have a landline, you’re in the phone book, naturally. If not, and they have your name, they could still possiblyl get your number from someplace like spokeo.com. Or in some cases they can find it by Google dorking. Say you’re in a a church or social group, and you give your number for some reason. Like you’re the contact for people who want to sign their kids up for soccer or whatever. The group puts that in a bulletin that ends up online… Credit card crooks make their living at this. A little poking around is worth the effort.

10

Make an Excel sheet, & list all the places you bought things with Card A.
Add a second row, with Card B.
Find the overlap.

One of those places is the issue.
Discuss thins with cops/card companies.

11

Or just let the card company handle it. The cards are from the same issuer, and their fraud department probably can run a database query to get that info.

Unless you really like filling out spreadsheets, in which case go wild! :smiley:

12

Or just use your credit card or cash. I only use my debit card to get cash from my bank’s ATM and nowhere else.

13

Bingo!

14

…and honestly, the card issuer isn’t going to worry about it either. They’ll cancel the card, reissue a new one, charge back the transactions to the merchant if possible, or just eat the loss. It is a built-in cost of their business. They’re not going to expend resources and money to investigate this type of thing at the local store level. There are far too many of these fraudulent transactions for them to be able to do so.

15

Right. I had something similar happen to me. My card was used fraudulently, they issued a new one, and within a month it also had fraud. I compared charges and the ones in common were a gas station and parking meter. I told the CC and they didn’t care at all. I guess it’s just part of business for them.

The CC companies should be able to figure this out themselves. Visa/MC has all the transaction data for millions of cards. They should be able to compare all the cards with fraud to get an idea of which specific scanners are compromised.

16

OP probably got skimmed at the gas station. They sell 3d printed parts on AliExpress that are indistinguishable from many common ATM or gas station card readers. Its trivial to purchase the card reading hardware, and the latest ones have Bluetooth capability so the scammer just drives up and downloads the stolen info. As far as detection is concerned (LOL), most police forces are decades behind in terms of technology and know-how.

BTW, debit cards have significantly weaker fraud protection than credit cards. Might be time to get a credit card.

17

You might consider changing banks. Years ago I had 8 straight months of this kind of problem, with new VISA cards, checking accounts, savings accounts, replaced over and over. Didn’t stop until I left that bank and went to another.

Also, consider keeping accounts at multiple banks, with checking and debit cards and automatic payroll deposit, and maintain fairly big balances in each. That way, when one gets disabled by fraud, you have others already in place to rely on. I keep 3 for this reason, and when I was hit again a couple years ago I briefly got down to only 1 that was still working.

18

Sorry, SenorBeef. It sucks. Our credit cards seem to get shut down semi-regularly over theft (even though we have never lost our actual cards), so much that we’re used to it and switch to another credit card whenever the first one is compromised.

We’ve started getting a wad of cash every month and paying for restaurant meals and other smaller stuff in cash and that seems to have cut down on it. I guess anyone working those jobs would have access to a lot of your info. if you pay by credit card. Online, I use PayPal whenever possible.

I don’t even use a debit card because I’m afraid then any loss might not be covered the way it is with credit cards.

I do wish that when they catch people, they’d inform the ones they stole from who did it (they refuse to tell. I tried). For one thing, it would help immensely to know, if the problem was coming from one particular place or something. For another thing, it would not hurt thieves to be made to worry a little bit that they might get something back, you know? I feel like they protect thieves by withholding that knowledge and that if someone is caught stealing from you, you have a right to know who did it. After all, they certainly get to know who you are!

It is super sucky!

19

I’ve had my credit cards compromised 3 or 4 times over a decade or so. The last time was about a year and a half ago. Since then I have apps for each of my credit card issuers on my phone, and I have them set so they let me know every time my credit card has a charge on it. The notification pops up almost immediately after a charge is made, generally when I’m still standing at a register. That way I don’t have to wait for a statement or check my account online to look for fraudulent charges, and if one pops up, I can cancel the card immediately.

There’s an interesting video showing a card skimmer attached to an ATM being removed by police here (I’m pretty sure you have to log into Facebook to view):

And a news report about these skimmers here:

20

This is the way to go. Although I don’t even use the debit card anymore at all; it stays locked in my safe ever since someone planted a skimmer on my bank’s drive-up ATM. When I need cash, I just go inside and make a withdrawal, which comes with the added bonus of being able to get money in denominations other than $20 (also, the teller is kind of cute ;)). I also like being on a first-name basis with the folks tasked with watching over my money.

I keep a credit card for emergencies, but do all of my regular shopping with cash. I’m old-fashioned that way, I guess, but it works for me.