Scammers are calling unsuspecting consumers on the telephone to steal credit card numbers. If you get such a call, just hang up and do not engage.
Cyber-criminals employ various tools and techniques to launch their scams, including malware, hacked websites, and bots. They also like social engineering, because it is so effective. When you get an email from a friend stranded in a foreign country needing some money to get home, your first instinct is to help. When you are surfing the Web and you suddenly see a pop-up window telling you your computer has been infected, you get nervous at the prospect of losing all your important files. And when someone calls your phone claiming you—or your loved ones—are about to be arrested because of overdue taxes, it's hard not to panic.
Let's face it, fear sells.
"Probably the best way to react is to relax first. High pressure situations are exactly how social engineers get you to react too quickly," Robert Hansen, head of WhiteHat Labs at WhiteHat Security, told SecurityWatch in an earlier conversation about phishing scams.
Give Me Your Card Number
In this scam, I received a call over the weekend on my cell phone informing me my prepaid MasterCard had been suspended due to fraud. I pressed "1 to unlock the card," and was told to enter my 16-digit card number. Sadly, I didn't have a spare prepaid MasterCard (I keep a few on hand for testing purposes) handy, so I couldn't continue. It was pretty clear by this point that this was a scam, since I don't have a prepaid MasterCard.
A less paranoid—and more trusting consumer—may have thought, oh, maybe the caller means my regular MasterCard. Here is a tip: If an automated system calls asking for your card information, it's probably a scam. Don't disclose card numbers or other account information during these types of calls.
I got another call this morning, at way-too-early 6 AM, where a computerized voice said, "This is an official notification from NetSpend. Your prepaid MasterCard has been locked due to suspicious activity. Press one to unlock it." I still didn't have a test card, so when I got to the point where it needed my card number, I pressed 0 and a few other keys to see if I could get a human on the line. The call didn't sound like a recorded message, but rather that the caller was using text-to-speech software.
Another tip: if you don't have a prepaid card, don't put in your debit card info. If you never use your debit card and get a call about a problem with the card, be skeptical. Even if you do use the card, hang up and just call the financial institution directly.
No human operator ever answered, so I hung up. I went out and got a card this afternoon, to be ready for the next call. I am actually looking forward to this.
How the Scam Works
A quick search on ripoff.com, bbb.org, and other consumer advocacy sites show a handful of complaints from earlier this month from users who received similar calls. The format of the call differs slightly, and the bank name changes, but in general the recipient is directed to "press 1" to fix the issues with their card, and then to hand over information such as the card number and PIN, and sometimes even the expiration date and security code.
Scammers are calling to get your card information and PIN so they can withdraw money from the account. The proper response is to hang up, call the bank or financial institution directly, and verify their information is secure.
My caller ID showed the call from 10000000000, which would indicate the caller was spoofing a call over VoIP. According to forum postings on 800notes.com, the scam uses a variety of numbers, with area codes such as 223 and 323. It's not clear how the caller got my number. It could have been random, or it could have been bought off mailing lists or hacked from a database.
Protect your information. If you get a call asking you to enter your card number—no matter what the reason is—just hang up and call your bank directly. Don't finance the criminal's shopping spree.