Beware of Fraudulent Charge Messages

Be careful of emails, SMS messages, or calls claiming to be from your bank about your card being used fraudulently. If this ever happens, hang up and call the phone number on the back of your card.

This is a very common sort of social engineering fraud. Do not get scammed like TV host Andy Cohen did. 

It begins this way. A potential victim receives a call, email, or SMS message "proactively" alerting them that their bank or credit card has been used fraudulently. The caller or message may already know the name of the bank behind the card, your name, your address, your account number, and whether or not you have a spouse. They often have this type of information, but they may instead open with very generic claims, like "We are calling on behalf of VISA!" or "We are reaching out on behalf of your bank!"

They will claim they noticed potentially fraudulent charges on your card and ask whether you made them. You will say, "No." Then they will claim they are protecting you and need you to verify some information. They will ask for details such as your credit card number, expiration date, three- or four-digit security code, your mailing address, your online login name, and your password. If you decline to give your password, they may send you a "verification code" and ask you to read it back to them. If you give them this information, they will steal money from your account.

Let me give you some examples.

I was called a few years ago. The caller said they were calling on behalf of my bank's credit card fraud department. They knew my name and asked if I had purchased two tickets from Dallas, TX to Nigeria that morning. I had not and told them so. They then explained that they had thought that was the case, that they had noticed the fraudulent transactions and stopped them, and that they had called me to verify. They told me that my credit card was likely being used fraudulently. At this point, I did not suspect that I was dealing with scammers. My credit card gets compromised about every two years, sometimes more frequently, so these sorts of calls are not unexpected or a surprise.

The caller told me that I was a very important person to the bank and that they had canceled the card and would have two new cards, one for me, one for my wife, sent via FedEx overnight. They then again thanked me for my membership and patience. They said they had noticed another $55,000 in transactions and needed me to verify what was and was not fraudulent so they would know who to pay.

They said for verification purposes I needed to give them my login name, which I did. They asked for my password. At this point I got a little suspicious and told them I would never give my password to anyone over the phone. They thanked me for being so security-conscious and said they would send a code to my phone via SMS that I would have to repeat to them as an alternative confirmation.

At this point, I was getting a little more suspicious, so I decided to go into my bank account. I was on my computer when they called, and it literally took me five seconds to do it. As I told the caller I was logging into my account, they told me to stop and that doing so would cause me to lose more money. At that point, I knew it was likely a bogus caller and when my bank account appeared, there were no erroneous charges. There was no $55,000 in additional charges to clear up. Had I given them my password or the PIN they had sent me, it would have been at that point that I would have been robbed. I hung up.

The PIN they sent me was not a verification PIN. It was a password-reset code. They went to my bank account, told the password-reset feature that I had lost my password, and the bank’s account recovery feature did the rest. 

I called my bank using the number on the back of my credit card. They confirmed that there was no fraud on my card. 

Fast forward to a few weeks ago. I was sitting at home working while my wife was shopping for Christmas. I received an SMS alert that my card had been declined for an $885 purchase at Walmart.com. We never shop at Walmart.com. Before I could do anything, I received an alert that there had been a declined transaction at my nearby grocery store. My wife had not said she was going there, but she often shops there. My wife called a minute later to say our card had been declined and she had to use another card (one we do not like to use).

Just then I received another SMS message telling me that fraudulent activity had been noticed on my card and to call a particular number. I followed the instructions. The woman on the phone asked me some verifying questions, but not my password, and she did not send me a PIN. After getting into my account, she told me about some fraudulent transactions and asked me to verify some other, legitimate transactions. She knew the amounts and vendors. After a few minutes, she told me that they would investigate the case and send me and my wife new cards in two days. She then hung up.

By the time my wife got home, I realized that there was a chance I had just been taken by a fraudulent caller. I could not believe I had possibly been tricked. But the SMS fraud alerts were unexpected and came from an unknown phone number. And I had just blindly called the number the SMS message told me to call. I panicked. I called the number on the back of my card. Sadly, it took over 30 minutes of holding and arguing with the person who answered my call to confirm that my card had been used fraudulently, but only at Walmart.com, and that I was being issued new cards. There were no other fraudulent charges on my card. Whew!

I sat stunned for a few minutes about how close the previous fraudulent call and the real call had been. The differences were subtle and minor. On the real call, the person answering never asked for my password or a PIN, but she did ask for lots of other information, such as my name, address, and the last four digits of my Social Security number (which would be very helpful to a fraudster if they got it). The person on the real call knew my real transactions, so they did have access to my real account.

But I have to tell you: the fake and real support calls were so close to each other that I was shaking a bit afterward, even though I did nothing wrong either time. But I absolutely need to slow down and do things differently next time. I fight social engineering and phishing full time, and even I was almost scammed (the first time). Lots of very smart and knowledgeable people have been scammed by fraudulent credit card support calls. What can a person do?

Solutions

Whenever anyone or any message tells you that your card has possibly been used fraudulently, hang up the call or ignore the message, and call the phone number on the back of your card. I have found one card that does not have a phone number on it. In that case, take the number from your statement or from the bank's official website, not from the message that alerted you, and not from the first search result or ad you see, since scammers plant fake support numbers there too.

Educate everyone you care about with the same information. Tell them about this type of fraud and how to confirm whether the reported credit card fraud is real or just a fake story meant to lead them into a brand-new fraud scenario. Details matter.

If anyone asks for your password over the phone or in a message, it is likely fraudulent. While this used to be a common legitimate request years ago, it is not anymore (for anti-fraud reasons). If any service asks for your password in a call or message, do not give it! If a service asks you to read back a PIN they have sent you, beware. I still do see legitimate services that send and ask for PINs. But consider the scenario and do it with care. Read the whole text message before you repeat anything from it: a code sent for a password reset or a login is usually labeled as such, and that label tells you what the caller is really trying to do with it. Ask yourself how you know for sure that the person who sent you the message or has called you is really who they say they are.

Sometimes I ask the person calling me if I can call a known good telephone number for their company and be transferred to them. Sometimes I can. Sometimes I cannot. I trust people more when I can call their main company phone number and get passed over to them.

When in doubt about a caller, chicken out. Just stop communicating with them, hang up, and call the company on a legitimate, known phone number. The world is full of scammers. Protect your interests. 

Use phishing-resistant MFA when you can to protect valuable accounts, systems, and information. You do not always get a choice about what type of MFA your bank or credit card company uses, but when you do have a choice, pick a phishing-resistant option (for example, FIDO2/WebAuthn security keys or passkeys, which tie the login to the real website so that a code or approval relayed to a scammer is useless to them). Unsure what that means? Look here.
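The "verification PIN" in the first story and the phishing-resistant MFA recommended here differ in one property: a six-digit code is a bearer secret that works for whoever holds it, while an origin-bound assertion only verifies against the site it was made for. The following toy model, added here as an example and not code from this post or from any bank, plays out both scams against a pretend back end. The bank, its hostname `bank.example`, the look-alike `bank-secure.example`, and the customer are all invented; an HMAC over (origin, challenge) stands in for the WebAuthn public-key signature so the example runs on the standard library alone.

```python
# Added example: why a relayed SMS reset code succeeds for a scammer while a
# relayed origin-bound (WebAuthn-style) assertion fails. Toy code only; the
# bank, hostnames, customer, and HMAC "signature" are illustrative assumptions.
import hashlib
import hmac
import secrets


class ToyBank:
    """Minimal stand-in for a bank's account-recovery and login back end."""

    RP_ID = "bank.example"  # assumed hostname of the real banking site

    def __init__(self):
        self.passwords = {"customer": "correct horse"}
        self.pending_reset = {}      # username -> outstanding 6-digit code
        self.pending_challenge = {}  # username -> outstanding login challenge
        # Secret shared between the customer's authenticator and the bank.
        # A real authenticator holds a private key and the bank a public key;
        # HMAC stands in for that signature here (simplification).
        self.authenticator_keys = {"customer": secrets.token_bytes(32)}

    # ---- Flow 1: SMS password-reset code, a bearer secret ----
    def request_password_reset(self, username):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_reset[username] = code
        # This is the text that lands on the customer's phone. The label is
        # the only clue about what the code actually authorises.
        return f"Your {self.RP_ID} PASSWORD RESET code is {code}. Never share it."

    def reset_password(self, username, code, new_password):
        expected = self.pending_reset.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        self.passwords[username] = new_password
        return True

    # ---- Flow 2: origin-bound assertion, phishing-resistant ----
    def issue_challenge(self, username):
        challenge = secrets.token_hex(16)
        self.pending_challenge[username] = challenge
        return challenge

    def verify_assertion(self, username, assertion):
        challenge = self.pending_challenge.pop(username, None)
        key = self.authenticator_keys.get(username)
        if challenge is None or key is None:
            return False
        # The bank only ever checks a signature over its own RP_ID, so an
        # assertion made for any other origin can never match.
        expected = toy_sign(key, challenge, self.RP_ID)
        return hmac.compare_digest(expected, assertion)


def toy_sign(key, challenge, origin):
    """Stand-in for an authenticator signing (origin, challenge)."""
    return hmac.new(key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


def extract_code(sms_text):
    """What a victim does when told 'just read me the number': pull the digits."""
    return "".join(ch for ch in sms_text if ch.isdigit())[-6:]


def scam_with_reset_code(bank):
    """Attacker on the phone triggers a reset; victim relays the code. Returns True if the takeover worked."""
    sms = bank.request_password_reset("customer")   # attacker clicks 'forgot password'
    relayed = extract_code(sms)                     # victim reads the digits aloud
    return bank.reset_password("customer", relayed, "attacker-chosen")


def scam_with_origin_bound_key(bank, phishing_origin="bank-secure.example"):
    """Attacker relays a real challenge through a look-alike site. Returns True only if the bank accepts it."""
    challenge = bank.issue_challenge("customer")
    key = bank.authenticator_keys["customer"]
    # The victim's authenticator signs the origin it is really talking to.
    assertion = toy_sign(key, challenge, phishing_origin)
    return bank.verify_assertion("customer", assertion)


def legitimate_origin_bound_login(bank):
    """Same flow, but the customer is on the real site."""
    challenge = bank.issue_challenge("customer")
    key = bank.authenticator_keys["customer"]
    assertion = toy_sign(key, challenge, ToyBank.RP_ID)
    return bank.verify_assertion("customer", assertion)


if __name__ == "__main__":
    bank = ToyBank()
    print("reset-code relay succeeded:", scam_with_reset_code(bank))          # True
    print("relayed assertion accepted:", scam_with_origin_bound_key(bank))    # False
    print("legitimate login accepted:", legitimate_origin_bound_login(bank))  # True
```

Note that `request_password_reset` hands back the full SMS text, not just the digits: the customer who reads the label before reading the number learns that they are being asked to approve a password reset they never requested, which is the practical check this section is recommending.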

Be careful about using debit or direct-account cards, where fraud takes money straight out of your checking or savings account. Instead, use credit cards or other cards where you carry a balance that you pay later, so that if anything is stolen, it is the card issuer's money in dispute and your real money is not affected right away.

For online purchases, consider using PayPal or other similar services that are not directly connected to your bank account and who offer good anti-fraud benefits.

Lastly, just be aware that you really do not know who is calling or messaging you. It might be the legitimate person or business, but it might not be. You cannot trust phone numbers (for calls you receive). You cannot trust email addresses (for emails you receive). Heck, in these days of AI and deepfake technology, you cannot even trust that the voice you recognize on the other end of the phone is real. Be a forever skeptic about any unexpected call or message asking you to do something that would hurt you if the request turned out to be malicious.

I am well trained, knowledgeable about social engineering and phishing, and I almost became a victim. But I did not. My training and awareness won. Be more like me and less like Andy Cohen.
