If your bank calls you, even if the phone number is legit, don’t verify ANYTHING, call them back first
This may also get posted in /r/tifu as well … ’cause I’m a dummy.
Got a call today from my bank (caller ID confirmed) saying they’d seen fraud on my ATM card (telling me the last 4 digits of my ATM card) at a Walmart in Florida.
I live in Colorado. Of course that wouldn’t be me, and yes I do have the ATM card in my possession. They never asked for the full card number.
While they put me on a brief hold to verify something, I did a reverse lookup on the phone number; it DID match my bank. They sent me an SMS code to verify over the phone, and the shortcode of the sending number ALSO matched my bank’s SMS shortcode.
Figured everything was legit, gave them my home address to ship me my new card. They put me back on hold “to talk to a manager” to waive an additional fee to expedite sending the card.
But it was NOT my bank.
While they put me on that second hold they withdrew almost $1,000 in small increments at an ATM in California. (again, I live in Colorado)
I hung up, *I* called my bank, they verified they did NOT call me, had no record of possible fraud in Florida but that the six ATM withdrawals in California DID flag as fraud.
I happened to record the phone call of the “bank” calling me, so I’m sending the phone recordings to my *actual* bank.
Meanwhile I have to wait 10 days to get the $1,000 back. Yay.
Thank goodness for things like an emergency fund, so the lack of the cash doesn’t hurt, but still a major nuisance.
Quick edit: Thanks for the incoming messages about this and the genuine support. Many have had similar experiences, and I posted this as a reminder to all that you should always call your bank yourself to verify anything, never verify anything on an incoming call.
EDIT for clarification from several comment conversations:
Here’s what likely happened: they spoofed my bank’s phone number and asked me where I wanted the new ATM card shipped, thus I verified my mailing address. They followed my bank’s verification playbook and said they were sending me a verification code via SMS, which I then relayed. What was very likely happening on another phone line was they were social-engineering my bank, pretending to be me, verified my mailing address, verified the SMS code which I relayed to them, and likely changed my ATM card PIN so they could withdraw cash. Even down to my bank charging a fee for rushing a new card and waiving the fee in case of fraud. This was a VERY clever social engineering feat.
ALSO an important note: there are tons of apps out there which can record phone calls, but the legality of this depends on where you live AND the location where the person/business on the other end of the call is located. One comment has a link to a lawsuit where the second party was NOT in a one-party-consent state, which makes recording a phone call illegal. Always tell your caller that you’re recording the call. I miss being on Google Voice that could play a message that you were recording the call etc.
Friendly reminder of the day (besides drink more water, go out and enjoy some sunshine, and be nice to one another)
If someone calls, claiming to be your bank, never verify any information even if everything like phone numbers and SMS seem to match. Thank them for the alert, and tell them that you’ll call THEM right back. Do not provide any information to them!