Scams like These - When to Beware
It’s hard to go a week without hearing about a new scam on the news, but if we’re lucky we don’t usually encounter one ourselves. Recently that changed, as one of our staff members experienced a close call with his credit card. It’s the first time we’d come across a scam like this, which was very brazen. We thought it was worth sharing, as we’re all now being encouraged to use 2-factor authentication more and more, and scammers are clearly adapting.
While at work, our staff member’s mobile phone rang. It was a private number. Normally he’d just ignore private numbers, but this time he picked up. Initially, he thought that was a good decision. On the other end of the phone was a man with a proper-sounding English accent who said he was from Bankwest. Our staff member held a credit card with Bankwest. Not only was the English voice from Bankwest, but it was also from the Bankwest fraud department!
“Oh dear,” he thought.
The English voice asked whether the cardholder had made two transactions: one with a company called “mediamarket” and another with booking.com. Both transactions were in Auckland. Combined, they totalled over $3000.
“No, I haven’t made those transactions.”
“Are you in Auckland at the moment?” The English voice asked.
“Nope. I’m sitting at my desk at work,” he replied.
With confirmation he hadn’t made those transactions, the English voice said he’d have to go ahead and cancel the card because it had been compromised.
“Alright, that’s fine. Best to stop them in their tracks.”
As he was at his desk, he thought it was opportune to log in and see what was happening in internet banking. Upon logging into Bankwest, neither of the supposed transactions was visible. At this point he became wary.
He’d had fraudulent transactions made on an old card a few years back. Those transactions were all visible in his internet banking.
“Ok, I’m going to send you a code to your phone to confirm we’re cancelling your card,” the English voice said.
“Sure, go ahead.”
When the code came through it read:
“Never share this code with anyone, including Bankwest. Your code to authorise a card purchase of AUD 2225.90 at mediamarkt.ch is 359966.”
(Don’t worry, it can’t be used now.)
“Has the code arrived sir?” asked the English voice.
“Yeah, um, if this is to cancel my card, why does the message say it’s to authorise a purchase for one of the transactions you’ve just told me is a fraudulent charge?” he asked.
“Sir, can you read me the code please?” the English voice asked.
“I think I better hang up and call Bankwest to be sure,” he responded.
That prompted some panic on the other end of the line: “Sir, please, please, please!”
Upon hearing such desperation, he knew it was a scam. He hung up and immediately called Bankwest. After going through verification and confirming he hadn’t given the English voice any additional information, the Bankwest rep said whoever was behind this had earlier made two zero-dollar transactions with Google and Microsoft. Those wouldn’t be visible in his internet banking.
The zero-dollar transactions confirmed the card was working. Even with his name, card number, and phone number, the scammers would still need the SMS code to authorise any overseas transactions. That’s why he received the call. They’d likely readied the transaction and clicked purchase when they told him they were sending an SMS code to cancel the card.
With the fraud averted, the real Bankwest rep cancelled the card and reissued a new one. A minor inconvenience, but after it was all done, he considered how it could have easily gone wrong.
Firstly, he wasn’t expecting the call. When you hear it’s the fraud department on the phone, he said, the initial reaction is minor shock, but you quickly feel relieved and compliant with the person who says they’re going to help you. The English accent seemed reassuring, as often frauds are attempted in a heavy foreign accent. It was only when he thought to log into his internet banking during the call that things didn’t seem to line up. Where were these supposed transactions?
The game was up when the SMS came through and he saw the transaction listed, but he did think that, had he been a little more compliant and less engaged, allowing himself to be talked through the process, he could have been fleeced. Had he not logged into his internet banking and seen there were no transactions, he wouldn’t have been as alert. When the SMS arrived, his suspicions meant he didn’t look at the authorisation code, but immediately noted the message was asking to authorise a transaction.
However, he did note something he missed in the moment, and only saw it when he walked back through what happened: the first line of the message, “Never share this code with anyone, including Bankwest.” Had he skimmed the SMS to simply look for the code, the money would have been gone. Banks are unwilling to reimburse customers if they’ve unwittingly handed over any information that’s furthered the scam.
The lesson from this story is to never feel pressured to act, and not to give people any additional details. If you don’t recognise the number calling, or the number isn’t identified, always remain cautious. Remember, when you call the bank, they must ID you, but if someone calls you, there’s no way for you to ID them. They’ll have all manner of prepared lines in an attempt to keep you on the phone so they can talk you around.
The best thing anyone can do if they receive a call claiming it’s from their bank, and there’s no way to verify it, is to thank them for the call and tell them you’ll be hanging up and calling back via the official bank phone number just to be safe.
Go directly to the bank’s website and call the main number listed. You may have to wait and listen to some elevator music for a few minutes (or longer), but that’s a good indication you’re talking with a legitimate bank: you’re forced to wait a while before you can talk to anyone!