*Warning, this is a long one*
This scam is so broad! But I’m going to focus on one particular scam, and this is eliciting your credit card information from you in such a smooth manner it actually seems legit. Let me tell you a story about that time my husband and I almost got big-time scammed… it was in January.
I’m in a store, standing in line to make returns. My phone goes off, I don’t recognize the number, so I bump it to voicemail. They immediately call back. I bump it again. Most people will text or leave a voicemail at this point. They call again. I bump it, then immediately go to my settings and block the caller.
Then the calls start up again on my business line. Whoever this is, they have both of my phone numbers and they aren’t relenting. They repeat the process and I block them once more. I finish my business, then check my phone. Nothing from my husband or anyone I know. If it were an emergency, surely that message would come from someone I know, right? I pop the number into Google and it comes up registered to Barclays Bank, where I have my credit cards. I dial it, and sure enough, Barclays. Weird. Banks never call. I resolve to call them when I’m out of the store, in the event it’s a fraud alert.
10 minutes later, Caleb calls me, but he says “before I patch you in, Barclays is on the other line, our cards have been compromised. The guy I’m speaking with is off. He’s making me feel like I’m the criminal or something. He needs to talk to you, since you’re the primary account holder”.
So in I go, meanwhile trying to open my account on my phone, but I don’t have that login with me. Oh well.
The guy starts in. He’s curt, definitely standoffish. He says our cards have 4 fraudulent charges. “Which card?” I ask, and he recites the first 4 digits. I try to get more clarity, and he’s unable to define if it’s my business card, Caleb’s business card, or our family card.
Weird, again. Most of the time banks will ID your card by the LAST 4 digits.
He prattles on about how he’s going to contest each of these charges, one by one, and he keeps putting us on a dead silent hold. No music. Caleb and I are discussing grocery/dinner plans, because the wait is so long. When the guy comes back on the line, I switch him from speaker to regular call and I miss the charge amount, something to the tune of $7,700. I ask him to repeat it because I didn’t actually catch it. He does, and I write it in my notes app. He then recites the second charge of $12,000+ and goes back on hold.
Now I’m really tipped off, because not only didn’t he ask me to verify any of my account info when he started the call, but I know my credit limit and my current balance. If there are 2 more flagged charges, they’re pushing my limit and I’d have gotten text or email alerts. I’d also JUST used my card at a local shop; surely that charge would have bounced?
We’ve also had our cards compromised abroad and this was NOT the process we went through. Things weren’t adding up.
The guy comes back on the line. He says he’s finishing up fixing the fraudulent charges. He says “don’t log in for 72 hours, your portal is being shut down, you’ll get new logins, while we trace the origin of these charges”. Now I’m super suspicious. Never once has this been part of the process when we’ve had fraudulent charges, and there’s no reason freezing my credit card would invalidate my account logins. They never “trace the origin”, though it sounds very official!
While I’m processing this and the unsettled feeling in my gut continues to build, he says he’s sending me a code, and I need to give it to him. It comes in on my Barclays text thread. It’s the 2 factor authentication code. Hard-pass buddy, I see you, now.
I tell him I’m in a store and it hasn’t come through yet, delaying, as I mute the call and start texting Caleb. “How did you get on the phone with this guy? Did he call you? This isn’t right”
I can hear the guy on speaker badgering me for the code “It sent. What is it?” he keeps repeating urgently, and I keep stalling with excuses, hearing the tension rise in his voice. All of this is just a little off kilter, and I know Caleb was suspicious from the beginning, and so am I.
I don’t like this. As he asks me again, I hang up on the conference call.
He can’t call back in because I’ve already blocked him. Caleb and I call each other and discuss the situation quickly. How did this all happen? Where did this start?
“Barclays” called Caleb while he was driving. They caught him alone and distracted and started right in with the story. They asked if he bought airline tickets, and when he said “no” they went right into the fraud story. Caleb pulled over to discuss the situation with the man on the phone. All of this was taking place before I ever got involved. They asked him for his credit card number and he replied “which card?”, because we have several for different purposes. This tipped the fraudster off that he had a fish on the line with multiple opportunities to win big. As the conversation progressed, it actually got weird.
The guy was so hostile and high pressure that Caleb actually said to him “you’re making me feel like the criminal here” which softened the scammer a little bit, but he persisted. That’s when they got to a point where I was roped into the call.
Now that we were off the call with the creep, we could talk.
Caleb was home, so I had him log into my computer, into the Barclays site, and check our cards for recent activity. None. No pending charges. Nothing. It was all BS.
This guy had all our phone numbers, the first couple digits of our card, and through strategic conversations learned we had more cards with Barclays and tried to weasel the info out of us. He “confirmed” our DOBs and the last 4 of our socials. All this info is relatively easy to get if you know where to look. The recent nationwide hack of all American SSNs didn’t help, but we’ve locked down our credit at all 3 bureaus, offering some measure of security. By pretending to be our credit card company, he could have gotten enough info to legitimately use our cards, without having to open ANY lines of credit. So this is their work-around.
I called Barclays on the way home and confirmed it was all a scam. We added additional fraud alerts to our accounts, and verified their notification process with them. They were kind as could be (and had lovely hold music).
When I got home, we debriefed and this is what we took away as warning signs:
1) Barclays (and most institutions) will never call. They will text/email fraud alerts and ask you to verify the charge
2) They aren’t hostile, or high pressure. Every time I call, they are gracious and polite
3) Which leads me to the next point – you know how your businesses treat you. The guy who called us did not treat us the way every other interaction with Barclays has gone. That was one of my first red flags.
4) The scammer didn’t confirm my account info when patching me into the call, and they ALWAYS confirm, ad nauseam. In fact, they won’t discuss the account with the secondary account holder UNLESS they confirm with the primary first, and I’m the primary account holder. Again, knowing how your institutions do business is so important!
5) The scammer rattled off the FIRST 4 of the card. Who does that?? Someone who knows what you don’t – that those numbers identify the BANK, not the consumer. Visa, MasterCard, Discover, Amex… they all have their own unique identifiers.
6) The 72 hour “don’t log in” thing was weird, and made no sense. Again, we’ve been abroad when these cards got hacked, and they just cancel the card, not your login. Perhaps this is a ploy to ensure the charges age past the cancellation window?
7) And this one I wouldn’t have picked up on. When I asked the scammer to read back the charge amount, because I missed it, Caleb believed he actually provided a slightly different number. In hindsight, a good tactic to catch a liar!
8) The scammer got high-pressure and rude with the security code and my delaying. He was SOOOO close! So close to getting into our accounts.
9) Never, ever, EVER share your 2-factor authentication code with anyone. Especially when it’s your banking info. Your bank has your info, they don’t need that code, that’s for you.
I included my text history with Barclays and you can see how it changes with each method of access I was using. Note the very last one, which matches this incident. “Only share this code if you contacted us directly”.
Moral of the story – when your spidey senses are going off, trust them. It was a lot of little things that added up. Caleb and I both work in fields where fraud is HUGE business, and we nearly fell into the trap. You hear these stories and go “how can people be so stupid?”
But it’s not stupidity. It’s excellent communication and playing into fear that makes these people successful. They are professional predators. When you hear 2 of the 4 charges on your card are almost $20,000, your brain goes into “oh shit” mode. They know this, and they prey on you.
How do you avoid this?
- First, know that your bank will never call you (unless you initiated a call which got disconnected).
- If you ever get a random call from your bank or credit card, hang up and call them on their official number. Ask the rep if someone from their organization called you.
- Make sure your credit is locked down. It is 100% FREE to freeze your credit with the 3 major bureaus: Experian, Equifax, and TransUnion. (Find the “How to” here)
- Trust your gut. If the person you’re talking with is even the slightest bit “off”, trust your gut. The more I interact with these people, the more often I see them crack. They get frustrated, rude, and even threatening when you’re not complying. Your bank will NEVER treat you like this.
- Lastly, and I swear by this one. USE A PASSWORD MANAGER (not the Apple or Google keychain). To trigger my 2-factor authentication he had to have my username and password. Sure enough, when I looked at my manager, it was one of my older passwords. I immediately updated it to an alpha-numeric gobbledegook that the manager remembers for me, for ultra secure passwords. It’s so complicated I don’t have a chance at remembering it. I only need to remember my master PW.
- Even if you use a password manager, make sure each website login is unique. Do not repeat passwords. All it takes is one data breach and all your information can be vulnerable.
- In my previous life, I worked for a Data Privacy not-for-profit. The manager they approved for our use, due to its security, is called LastPass. They offer free and paid versions.
If you accidentally fall into this trap, do not hide. It is NOT your fault.
Get into action. Call your bank or credit card companies and report the incident immediately. This is time sensitive. You want to lock down your card before they can do any real damage with it. This is especially important if it was a debit card, because they often have less protection.
Have a story to share? Send it along and we can include it in this series!
Until next time, be safe.