That’s clever, but the card number was wrong. So it isn’t that?
This is phishing - A bank isn’t going to send you a text to cancel your card for that purchase. Or, at the very least, they won’t put ‘cancel’ into a text asking you to validate a transaction. Can almost guarantee you did not just send a new card out to a fraudster. But you might start getting calls from them where, in order to issue the “new card” they pressure you into giving PII (personal info).
Just block the number and move on, and don’t answer calls for numbers you don’t know.
A couple of things.
-
This is how BoA typically contacts customers about suspicious charges (if those customers have opted in for text alerts). If you reply YES, nothing else happens typically. You’ve just authorized the charge to go through.
-
If you reply “NO”, you have to call BoA’s 800 number, and they go through a list of 3-7 recent charges. They typically go through as many as needed, to determine which was the last valid charge. No one else but BoA would have access to these charges, because eventually they’ll get to a real charge…and then they’ll typically do 1 or 2 more “real” charges to make sure.
-
Then after a “NO” and going through that series of charges, they cancel your card, and send you a new one.
What happens then, I’m not sure of, because I have a BoA branch a block away, and I’m usually there the next day to get a temp card and to ensure that everything’s on the up and up.
Oh, and you’ll get an email concurrent from BoA as well as the text on suspicious charges. You can ignore the text if you like and read the email instead and then log into your account normally and deal with any bogus-ness there.
You got it - working for one of the other big 4 banks in the fraud and money laundering space, you hit the protocol - the message would never begin with “we will cancel your card based on just this one transaction and no other verification “.
If you want to play these extra safe, as mentioned above if you get a purported fraud message via text or email, just call the number on the back of your debit/credit card.
Yeah, they won’t tell you they’ll cancel your card up front, I don’t think, but they will absolutely cancel it once you answer “NO”.
This has been my experience with Chase as well.
Scammers will get credit using a fake or phished phone number ( that happens to be someone else’s ) with a valid address, often a PO Box that they have access to. They use the card on line and rack up changes to the card limit. Then they use the card in a manner for which the charges are backed checked. When the number is texted for verification and the person replies “no” saying they didn’t make those charges, the automatic response is for the CC company to send a new card to the address on file. Its an easy scam with little to no actual contact with a person. Wash, rinse, repeat until the CC company catches on and pulls the plug.
You cannot:
- Get a credit card to a PO Box.
- Get a credit card without a name, address, SSN, and DOB that all match and can be verified. Physical addresses are required. A bank account is typically also needed in the verification that is also tied to the same address, SSN, and DOB.
All that stuff has been leaked multiple times for everybody.
The only effective protection is to freeze your credit.
And in the US, sign up for a PIN with the IRS to protect against tax refund fraud.
This still doesn’t make any sense to me. The scammer already has the credit card. Why would they use Jeff’s phone number? Why not use their own number? They’re already using their own address, apparently. And it doesn’t matter if Jeff replies “Yes” or “No”. If he replies Yes, the scammer goes on using the stolen credit card, if he replies “No” they just get sent a new card. It certainly doesn’t seem Jeff’s being scammed in any way, he’s just unlucky they randomly used his phone number.
This would be great in an ideal world, but the weakest link is a bank or cc company that does not have the systems or controls to validate this information properly (the information you provide is to pass the identity verification “CIP” program every financial institution must have).
It is beyond easy for fraudsters to have those four pieces of information and use it to open an account online (who would ever go into a branch anymore to open an account?). No face-to-face verification, and again if a bank has a weak verification system, the fraudsters will find it an exploit it to high heaven. The easiest hole at the moment is if address in not verified properly - yes, regulations prevent using a PO Box, and those are easy to filter, but go search for re-shippers, UPS stores, and virtual offices. Trivial to get a card sent to those addresses, unfortunately, if the bank in question does not have more sophisticated address verification (identifying non-residential addresses and more importantly, using address correlation that looks at the person applying and data that shows strong connection to the address they entered).
The number of accounts being opened on a daily basis from stolen identity information and doing this is quite amazing. What is interesting is how often it is not to simply open a credit card and run up a bunch of charges - it is people opening bank accounts to run stolen funds or funds derived from fraud through a “clean” account.
If you really want to go down a rabbit hole, go see if someone tried to use your name to apply for Covid unemployment benefits. This is going to shock you, but almost no state unemployment departments have the tools to do even basic checks on who was applying - that money flew out the door. I even recently stayed at an AirBnB where the mail that came had about ten different names on state unemployment dept envelopes; someone figured out that address was an AirBnB rental and figured out the owners clearly don’t get their mail, or don’t care.
TLDR - do what stusser said and you don’t really have to over-worry about this stuff, but it is fascinating (to me) the myriad ways and reasons people move bad money around the system.
My best guess in Jeff’s case is that the fraudsters use that text message to get a response, so they can focus on people who they can talk to (there is only so much time in the day, even for fraudsters, so they use that text to identify higher likelihoods of success for the next part, rather than calling everybody on their list). I think Jeff mentioned that he called his bank and they noted it was phishing - in other words, the scammer did not have the card and that charge was entirely made up.
Once a response is received (it honestly doesn’t matter if you answer yes or no to the text), they will come calling claiming to be the bank or cc company, and try to either get your personal information, or try to get money (or gift cards, if they are unsophisticated) by claiming that you have to pay some sort of fee to get a new card issued.
At this point, it is a violation of the Patriot Act to process and deliver a credit card to a PO Box in the US. If you know of credit card issuers extending credit in USD to PO Boxes, I’d love to see that evidence/citation. Extending USD credit without address verification is a good way to get your financial institution fined into 6 or 7 figures for issuing a handful of $300 credit cards.
Yes, it serves the same purpose as an email. Throw a wide net, see who responds, follow up to see if you can land a fish.
But there is no way by the simple act of responding “YES” or “NO” to a text by a phisher that your credit can be impacted, or that a credit card on your identity can be fraudulently issued in and of itself as asserted up-thread.
As a best practice, if you think any message – email, text, or phone – is even remotely suspicious, always call/visit/login to your bank directly and not through any provided links. If your bank legitimately needed to talk to you urgently about account activity, those flags will pop in those situations to be dealt with.
I always assume everybody is trying to scam me in every case, every eventuality, and thus I have never gotten scammed. I also go out of my way to protect myself. You should all do that too.
Yeah, that makes the most sense. Seems inefficient, but then I guess most spam is. Also, we haven’t heard that Jeff got a follow-up call, but maybe they only follow up a fraction of the responses.
Also, I did work on credit card encryption software for seven years, so I do know something about this area. What I know is that scammers come up with all kinds of crazy schemes, and they think of things I would never think of. So yeah, freeze your credit :)
If your credit isn’t frozen, the only reason nobody got a credit card in your name is that you got lucky-- your name wasn’t picked out of the hat only because it’s an extremely large hat containing everybody’s names.
Agreed - that has been a violation since the creation of the Patriot Act, but I didn’t say USPS PO Boxes were the issue; I said re-shippers, mail drops and virtual offices are. Those, funnily enough, do not usually show up with the handy “PO Box 12345” that a bank’s system is going to be on the lookout for - they show up as a street address, sometimes with a suite or office number attached. Like all things, some places do identity verification better than others, and the CIP regulation gives wide berth as how a bank can do it.
To the people who are telling me I am wrong. I got this information direct from the FBI when I had fraud issues. People can and do get credit cards with minimal information. There are ways to shunt mail from fake addresses to PO boxes as well. All of this is possible and it does happen. I am just trying to relay information, I didnt expect the Spanish Inquisition.
A couple of weeks ago, on a Saturday morning, I got a random email from a company I’d never heard of telling my my debit card with [name of my bank] had suspicious activity, noting a transaction that I did not do, and had an 800 number for me to call. Now, I worked in banking for 15 years or so, in both information security and regulatory compliance, so I’m suspicious of everything. However, my bank is a smaller, regional bank, not a nationwide mega-bank, and I knew from my experience working for a small community bank that the smaller banks outsource their fraud detection systems (as did the bank I worked for). But I still wanted evidence that this email was legit.
As I started to google the phone number the email wanted me to call (usually the first thing I do with all unknown numbers), my phone started to ring… it was a call from that very number. Huh. I answered it and it was a robot basically telling me everything that was in the email, with prompts to “press 1 if this transaction is authorized, 2 if it is not.” I made the decision to go ahead and press “2”, at which point the system wanted to transfer me to a person so I hung up… I wasn’t yet prepared to believe this was legit.
I continue my googling for the phone number, and while I’m tapping away at my PC, I get a text… yes, ostensibly from my bank, telling me about the fraud, and telling me to reply “YES” or “NO” accordingly. I ignore it for the moment, and find the google results for the phone number are half people saying it’s a scam, but the other half… are all references on webpages of assorted community banks across the country, describing their fraud detection services.
At this point I’m fairly confident that this is all legit, but even so, I’m unable to find anything on my actual bank’s website confirming that they use this company for fraud monitoring, so since it’s Saturday morning, and my local branch is open until noon, I decide to call them directly.
After finally talking to someone at my local branch, they confirm that yes, the number was legit, the email that I received was legit (she read back to me the address that the email would have come from) and that yes, I should call the number and they will sort it all out (canceling the charge, freezing the card and issuing me a new one). I finished the call by suggesting that she let the folks who are in charge of the website know that it might be a good idea to have this information (the name and phone numbers that customers might receive messages from regarding fraud) so customers can reassure themselves that these unknown contacts are actually legitimate. She agreed and said she would pass it on (hopefully she does).
I haven’t used my debit card since the start of the pandemic, and it’s been in my possession the whole time, so I assume it was out there from some previous security breach at some retailer I probably used in the past. But according to the fraudulent charge, apparently someone in Canada was trying to buy sex toys with it. :/