This is a most excellent place for technology news and articles.
When a fraud department calls you, you don't need to provide any more information than your name and yes/no answers. If they are asking for any additional information, tell them that you don't trust their authenticity and that you'll call the number on the credit card. A legitimate agent will politely end the conversation there.
Then you better call that number on the card quickly.
I hadn't given [the scammer] the last four digits of my card.
Wait a sec.
He hadn't asked for the last four digits. He'd asked for the last seven digits. At the time, I'd found that very frustrating, but now – "The first nine digits are the same for every card you issue, right?" I asked the VP.
I'd given him my entire card number.
Huh. I hadn't realized the institution prefix was so long.
Props to him for talking about it. A lot of people get too embarrassed to tell anyone they got scammed. The reality is that phishing works on a ton of people and we should avoid shaming the victims. Everyone's acts like they're a digital security expert until their credit card gets stolen.
Told a family member the same when she almost got tricked by a scammer & called me to see if it was legit. They wouldn't try it if it wasn't convincing enough to catch people in the scam to make it worth their time to do this crime instead of some other.
The real answer here is to have decent digital ID as 2-factor authentication.
This scam would be practically impossible in Sweden with BankID for example.
He gave them his CC number over the phone. How would Sweden's BankID protect against that?
More that you'd never need to provide it, but many transactions will also require 2FA, even by the credit card.
Hold on the scammer could spend 8000 usd without even knowing the card's PIN number?
It's a credit card, they don't typically have pins like debit cards do. They do have a 3 digit CVC code on the back, but 3 digits is pretty easy to get just by brute force guessing.
Three digits is not that easy to get by brute force. It'll be locked for fraud pretty quickly.
However the CVV is usually only required for card-not-present purchases. One way around that is to imprint the number onto their own magstripe card and run it as a card-present transaction.
Never, ever, ever, ever volunteer personal information, for any reason, on a call you did not initiate, with a number you haven't verified from a trusted source, like a brick and mortar branch, or your online banking account.
He said someone in the bank's supply chain was compromised, as they knew a lot of details that should have been known only to the bank. Also that the only information he gave away were the last digits of a card number.
No, he gave away the last seven.
