Robocall phishing credit card scam

(Variations on this scam have probably been posted but this was so clever and dangerous, I will post again)

Last weekend, I got a landline call from a credit card company that went to the answering machine. It was a voice-synthesized robocall from my credit card company's fraud department. They had my name, address and last four of the card number. They told me charges had been declined and requested an immediate callback to an 800 number.

Being cautious, I checked online and saw no new charges. I then called the number on the back of the card and asked for the fraud department. They told me that they had no record of attempted fraud or declined charges.

The rep suggested that he call the 800 number while I listened in. As the automated call started he said “Boy, that sounds like our automated menu system”.

He then keyed in garbage responses to automated prompts asking me to confirm my ownership of the card by verifying:

  1. Full card number
  2. Security code from card
  3. Last four of my SS#
  4. My mother’s maiden name

It all sounded so authentic… Had I taken the call, I might have started answering the questions. Even just one answer would have left me screwed…

NEVER respond to “Fraud Department calls” - ALWAYS hang up and call the number on the back of your card!

And yet, the number of times genuine contact violates these principles is astonishing.

Pretty much every electronic bill or financial statement that I get by email invites me to click on a link in the email, taking me to a page to enter my credentials to get into my account.

Half the time I receive a phone call from a financial institution or a medical insurer/provider I am asked to provide confidential identifying information.
“No, you called me. I don’t know who you are.”
“Um, data protection requires us to identify you.”
“Okay, I’ll call you back through the main number that I know. What’s your extension?”
“I work in a different place, we can’t take incoming calls.”

Until companies making genuine phone calls or sending genuine emails get some basic common sense about security, they should be held 100% liable for losses due to phishing.

On the rare occasion that I’ve gotten an email from the cc office, the instructions were invariably to call the number on the back of the card. And I will never click a link in an email without verifying with the sender that he actually sent it. And if the sender is unknown to me, I will never click on a link. Period.

There was an interesting article about that backfiring in England: basically, after using his card at an ATM with a sketchy guy hanging around, a man gets a call saying there is possible fraud and that he should call the number on the back of his card ASAP. He hangs up, calls the number, they ask him a bunch of questions and request that he mail his card back to them. Turns out, English landlines don’t (or didn’t at the time) properly hang up until both parties hang up. The scammers just stayed on the line, changed people and waited for him to “call”.

If there were a bigger word than EXACTLY!! I would use it. I could not have put this better.

j

The connection won’t be broken until the calling party’s phone transmits CSC [Calling Subscriber Cleardown] signal. It will be broken a set time after the called party clears down, or else the line would be permanently busied out. This default time has now been shortened.
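The cleardown behaviour described in the last two posts, as an added simulation that is not part of this thread. It models one subscriber line on an exchange: the called party going on-hook only starts a hold timer, and the line is released either when the calling party sends cleardown (CSC, as the post calls it) or when that timer expires. All timings (the hold timeout, when the victim hangs up and calls back) are assumed values chosen to show the mechanism, not real exchange settings; the function and class names are likewise invented for the example.

```python
"""Simulation of the 'hold after called party clears' behaviour.

Added example, not from the original posts. The timings are assumed values,
not real exchange defaults. Model: after the *called* party goes on-hook the
exchange keeps the call up until the *calling* party sends cleardown (CSC)
or a hold timer expires. If the called party lifts the handset again before
that, they are still talking to the original caller, not to a fresh line.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Exchange:
    """Minimal model of one subscriber line (hypothetical, for illustration)."""
    hold_timeout: float                 # seconds the call is held after called party clears (assumed)
    state: str = "idle"                 # idle | connected | held | dialling
    caller_on_line: bool = False        # is the calling party (the scammer) still off-hook?
    called_cleared_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def _expire_hold(self, now: float) -> None:
        # The timer is what finally frees the line if the caller never clears down.
        if self.state == "held" and now >= self.called_cleared_at + self.hold_timeout:
            self.state = "idle"
            self.caller_on_line = False
            self.log.append(f"{now:6.1f}s hold timer expired, line released")

    def incoming_call_answered(self, now: float) -> None:
        self.state = "connected"
        self.caller_on_line = True
        self.log.append(f"{now:6.1f}s called party answers the incoming call")

    def called_party_hangs_up(self, now: float) -> None:
        # Called party on-hook does NOT release the call; it only starts the hold timer.
        self._expire_hold(now)
        if self.state == "connected":
            self.state = "held"
            self.called_cleared_at = now
            self.log.append(f"{now:6.1f}s called party on-hook, call held ({self.hold_timeout}s timer)")

    def calling_party_clears(self, now: float) -> None:
        # Cleardown from the calling party releases the line immediately.
        self._expire_hold(now)
        if self.state in ("connected", "held"):
            self.state = "idle"
            self.caller_on_line = False
            self.log.append(f"{now:6.1f}s calling party sends cleardown, line released")

    def called_party_lifts_handset(self, now: float) -> str:
        """Who the called party reaches when they go off-hook again to 'call back'."""
        self._expire_hold(now)
        if self.state == "held" and self.caller_on_line:
            self.state = "connected"
            self.log.append(f"{now:6.1f}s off-hook: still connected to the ORIGINAL caller")
            return "original_caller"
        self.state = "dialling"
        self.log.append(f"{now:6.1f}s off-hook: real dial tone, fresh call")
        return "dial_tone"


def simulate(hold_timeout: float, callback_delay: float,
             caller_clears_at: Optional[float] = None) -> Tuple[str, List[str]]:
    """Scammer's call is answered at t=0, victim hangs up at t=10 (assumed) and
    lifts the handset again callback_delay seconds later. If caller_clears_at is
    given, the scammer sends cleardown at that time instead of waiting."""
    ex = Exchange(hold_timeout=hold_timeout)
    ex.incoming_call_answered(0.0)
    ex.called_party_hangs_up(10.0)
    callback_at = 10.0 + callback_delay
    if caller_clears_at is not None and caller_clears_at < callback_at:
        ex.calling_party_clears(caller_clears_at)
    who = ex.called_party_lifts_handset(callback_at)
    return who, ex.log


if __name__ == "__main__":
    # Long hold timer: the "call back" 30 s later lands on the scammer.
    # Short hold timer: the line has already been released, so the victim gets a real dial tone.
    for hold, delay in ((120.0, 30.0), (2.0, 30.0)):
        who, log = simulate(hold, delay)
        print(f"hold_timeout={hold}s, callback after {delay}s -> victim reaches: {who}")
        for entry in log:
            print("   ", entry)
```

The two runs in the main block contrast a long hold timer with a short one: with the long timer the victim's "callback" never leaves the original call, which is the trick the article described; with the short timer (or if the caller sends cleardown first) the line is released and the victim gets a genuine dial tone.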