New Scam: Bank’s ‘fraud dept’ calls about your card being used somewhere

Don’t give out your PIN over the phone

Joshua Dance
Sep 21, 2018

Saw this on Twitter, decided to post about it. See if you can catch what is wrong, and what tipped off Cabel in the story.

Short version: Never give your PIN out over the phone. If you are buying something over the phone and they need the CVV code, make sure YOU CALLED THEM.

Never give out ANY info if your bank ‘calls you’. A real bank may call to ask whether a transaction was yours, but it will never ask you for your PIN or CVV. If you get a call like that, hang up and call the number printed on the back of your card, not a number the caller gives you. Now for the scam story.

Cabel gets a phone call…

Never give your PIN out over the phone.

Exception: Sometimes you will have a ‘telephone PIN’ that you set up in advance to identify yourself when you call your bank. This is not the same thing as the PIN you use with your debit card. Don’t confuse the two, and even the telephone PIN is only for calls you place yourself.

Stay safe friends.

Update: How it works

Step 1: Scammers run 5,000 phone numbers through the Twilio Lookup API to get names and addresses. Twilio is an internet phone company with an awesome product, but here it is being used by the scammers for nefarious purposes.

Step 2: Scammers google the names and addresses and pick the people they think have enough money to be worth stealing from.

Step 3: Scammers buy the Social Security Numbers of their targets. Unfortunately this is pretty easy on the various black markets.

Step 4: Scammers call all the major banks pretending to be the target and trying to look up their account. The scammers don’t know which bank you use, so they call them all until they find the right one. The bank asks for verification before giving out account numbers or other info, usually name, address, and Social Security number, all of which the scammers now have. Once they find your bank, they have your account number, your address, your SSN, etc. Now they call you.

Step 5: Scammers call you pretending to be your bank, and because they know which bank you actually use, that increases trust. They spoof the caller ID so the call looks like it is coming from the bank; spoofing a number is unfortunately pretty easy to do, so the number on your screen proves nothing. They know the last 4 digits of your SSN, which they bought, which increases trust. And they are ‘trying to help you protect your money’, which increases trust.

Step 6: They ask for your CVV code to ‘verify’ the card. You give them this info because you are protecting your money, and having given up one thing you are now more likely to give them more, the foot-in-the-door effect.

Step 7: They ask you to enter a ‘new PIN’. They don’t care what it is, but it increases trust because you feel like you are fixing the problem, and every extra step you complete makes you more likely to hand over the one thing they really care about: your current PIN.

Step 8: Then they ask you to verify your current PIN. If you do, they have everything they need.

Step 9: They write the card details they got from your bank onto a blank card with a magnetic stripe encoder (you can get one for around $75 on eBay), and with the PIN you gave them they can drain your bank account at any ATM.

Stay safe!
