I recently read about an innovative telephone call scam.
A scammer rings the mark and asks for her credit card details. If the mark refuses, the scammer tells her to hang up the phone, then dial 999 and ask for "Sergeant Scammer of the Fraud Squad".
The mark does so, and is connected to what she assumes is the emergency services. However, because the scammer hasn't hung up at their end, the original call is still active. So the mark isn't speaking to 999, but to the scammer.
Pretty devious. Luckily, it can't work on a mobile, where hanging up ends the call at both ends. But it got me thinking - how could you get someone to give you credit card details over the phone? I'm inspired by both Bruce Schneier's "Movie Plot Threat" competitions and Kevin Mitnick's work on Social Engineering.
Trying to think like "the enemy" is a crucial part of understanding how nefarious people can exploit a situation. I think it should be considered the seventh "thinking hat".
I want the victim to willingly give me her credit card details. I do not want her to be suspicious or report my activity to the police.
- The victim receives a text on her phone.
"Your Barclays credit card (starting 4304) was recently used to buy £2,103.54 worth of goods in China. If you wish to dispute this transaction, please call 0113 496 0123."
- The victim checks her BarclayCard - it does start 4304. Damn! She rings the number.
- "Welcome to the BarclayCard fraud line," says the voice at the other end.
- "To protect your security, please type in your sixteen digit card number," says the automated voice. So that's what the victim does.
- ... after typing in several more details, the victim finally gets through to the scammer.
- At this point, the scammer can attempt to get more information - such as home address - or simply assure the victim that the fraud has been reported.
- "Unfortunately," the fraudster says, "the £2,103.54 will show up on your July statement. But you will see the refund on the August statement."
There are a number of factors which go into making this a potentially successful scam.
- People are quite used to receiving texts from their card issuer.
- It's quite common to be asked to confirm a suspicious transaction.
- Credit card numbers have a predictable start sequence: the first few digits identify the card scheme and issuer, not the cardholder. That's why credit card receipts often show you only the last few digits. This tricks the victim into thinking that the scammer knows two crucial pieces of information; the credit card issuer and the credit card number.
- We're trained not to give details to strangers who ring us up. By contrast, we're expected to give details to people when we ring them!
- You can't argue or otherwise interrogate an IVR. You either have to give that disembodied voice your details or hang up.
- Again, we're quite used to typing in our credit card details and then pressing the hash key!
- If we do get through to a real person, the standard Social Engineering tricks all apply. Only, in this case, not only is the victim worried about the potential fraud, she has also primed herself into thinking she's speaking with her credit card provider.
- At this point, the scammer knows that they can use the card for a fraudulent purchase and the victim won't report it! It will only be after two statements have been received that the victim will notice that she hasn't been refunded.
Now, this fraud isn't without issue. The most notable being that you do not know who has a credit card issued by a specific provider. The scammer would either need some third party intelligence that their victims all use HSBC, or they could just go on a phishing expedition. Spam a few thousand numbers and there are bound to be a few which have the card which is being targeted.
They can even automate the sending of the text messages, and have the IVR play back a different greeting depending on who is calling in - "Welcome to HSBC", "Welcome to American Express", etc.
There are three main strategies for defending against this scam - and they all boil down to trust.
Save your credit card provider's phone number in your address book. That is the only number you should ring. If someone rings you - tell them that you will take their name and call them back on the official number. If you receive a text - call the official number to check it is legitimate.
The first few numbers of your credit card are fairly generic. Trusting someone who guesses your Visa Electron starts with "4197" is like trusting a psychic who says "You were a bit of a handful growing up, especially in your teens." It's such general information as to be worthless.
I sometimes act deviously. When asked to give my address, I'll give an incorrect house number or post code. If the person at the other end doesn't pick up on the mistake, I assume I'm talking to a scammer. Similarly, you don't have to trust interactive menus. You can input incorrect information, and see if it is accepted without complaint - a strong sign of a scam, since a genuine issuer's system will at least check that a card number is well-formed before accepting it, whereas a scammer's menu is only recording keypresses. Or see if it gets you through to a human.
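The two points above can be made concrete. The following is an added example, not code from the original post: it shows why the first digits of a card number are generic (they map to a public scheme prefix, nothing more), and how to build a "probe" number that shares the victim's card's digits but has a deliberately wrong check digit. The assumption, labelled in the code, is that a genuine issuer's IVR validates the card number at least as far as its Luhn check digit, while a scam IVR that is merely harvesting keypresses accepts anything. The card numbers used are constructed for the example and belong to no real card.

```python
"""Added example (not from the original post): why a card's leading digits are
generic, and how to probe a supposed 'fraud line' IVR with a deliberately
invalid card number.

Assumption: a genuine issuer's IVR validates the card number at least as far as
the Luhn check digit (ISO/IEC 7812-1), whereas a scam IVR that is merely
harvesting keypresses accepts anything. The card numbers here are constructed
for the example and belong to no real card; the scheme prefixes are the public
ones (Visa 4, Mastercard 51-55 and 2221-2720, American Express 34/37).
"""

# Constructed sample: a well-formed number sharing the '4304' start from the post.
SAMPLE_PAN = "4304 1111 2222 3332"


def _digits(pan: str) -> str:
    """Strip spaces/dashes so '4304 1111 ...' and '43041111...' are treated alike."""
    return "".join(c for c in pan if c.isdigit())


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    # Walk from the right; the digit nearest the (future) check digit is doubled.
    for i, ch in enumerate(reversed(_digits(body))):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    d = _digits(pan)
    return len(d) >= 12 and luhn_check_digit(d[:-1]) == int(d[-1])


def scheme_from_prefix(pan: str) -> str:
    """Card scheme implied by the leading digits. These ranges are public,
    which is the point: knowing a card 'starts 4304' is knowing it is a Visa."""
    d = _digits(pan)
    if len(d) < 4:
        return "unknown"
    two, four = int(d[:2]), int(d[:4])
    if d[0] == "4":
        return "Visa"
    if two in (34, 37):
        return "American Express"
    if 51 <= two <= 55 or 2221 <= four <= 2720:
        return "Mastercard"
    return "unknown"


def make_probe(real_pan: str) -> str:
    """A number identical to the real card except for a wrong check digit.
    Nothing a genuine system should accept; nothing a harvester would notice."""
    d = _digits(real_pan)
    body = d[:-1]
    wrong = (luhn_check_digit(body) + 1) % 10
    return body + str(wrong)


def ivr_accepts(pan: str, genuine: bool) -> bool:
    """Model of the two IVRs (assumption, see module docstring). The genuine
    one insists on a well-formed PAN; the scam one only wants 15-16 digits."""
    d = _digits(pan)
    if genuine:
        return 15 <= len(d) <= 16 and luhn_valid(d)
    return 15 <= len(d) <= 16


def probe_report(real_pan: str) -> dict:
    """The advice in practice: the same bad number is rejected by the genuine
    line and swallowed by the scam line."""
    probe = make_probe(real_pan)
    return {
        "scheme": scheme_from_prefix(real_pan),
        "probe": probe,
        "probe_is_well_formed": luhn_valid(probe),
        "genuine_ivr_accepts": ivr_accepts(probe, genuine=True),
        "scam_ivr_accepts": ivr_accepts(probe, genuine=False),
    }


if __name__ == "__main__":
    for key, value in probe_report(SAMPLE_PAN).items():
        print(f"{key}: {value}")
```

The probe is safe to type into a real issuer's line: it is not anybody's card number, and a system that checks its input will simply ask you to try again. A menu that thanks you and moves on has told you something useful.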
One hurdle is targeting enough people who have the "correct" credit card. The scam would work without the credit card info, but may be less effective.
The cost of sending out the texts is also a constraint, although text bundles are relatively cheap now.
Shutting down the numbers - or tracing them - is perhaps the biggest issue. Buying a disposable pre-pay SIM is virtually anonymous. A landline number is probably fairly easy to trace - assuming the police have the time and staffing levels to investigate such a scam.
And that may be the deciding issue. If someone reports a suspicious text to the police or their credit card provider, how quickly can the number be shut down? If the scammer is sending out hundreds of fraudulent SMS an hour, it would only take a few responses to make the scheme worthwhile.
Naturally, you should not attempt this. The penalties for credit card fraud are very serious. This is intended as a thought experiment.
If you want people to willingly give up their credit card information - take a look at the morons on Twitter posting photos of their cards!