Recently, the number of reports of unauthorised debits from credit cards has been steadily increasing. The scam behind them uses the so-called vishing method, a phishing attack carried out through a telephone call.
The scam is old and widely known, but the way it is carried out is very clever. It is credible because no credit card details are requested: the cybercriminal already has them, most likely from an earlier successful phishing attack.
How the scam works
The victim receives a phone call from someone posing as an operator at their bank or credit card issuer. The criminal tells the ‘customer’ about anomalies on their current account, such as suspicious movements of money. The alarmed customer does not hesitate to cooperate in activating the ‘necessary security measures’. These measures turn out to be the Trojan horse that lets the criminals withdraw money from the account.
Remember that the fake operator knows the card number, the expiry date, and the CVV.
The fake operator, who is extremely polite but at the same time very alarmed about the alleged vulnerability of your account to external attacks, will ask you to read out a ‘confirmation code’ that arrives by text message at that very moment. This code does not protect your account: it authorises the cybercriminal to take a certain amount of money from it.
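The mechanism described above, modelled from the card issuer's side as an added example (not code from the original article or from any real bank): the one-time code is generated for one specific pending payment, the SMS spells out what that code authorises, and whoever supplies the code gets the payment approved, so the issuer cannot tell that the cardholder read it out to a caller. The class name, message wording, merchant and amount are constructed assumptions.

```python
import hmac
import re
import secrets
import time


class Issuer:
    """Toy card issuer (constructed): every one-time code is bound to exactly
    one pending payment, and the SMS tells the cardholder what it authorises."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self.pending = {}     # reference -> pending payment
        self.sms_outbox = []  # messages delivered to the real cardholder

    def request_payment(self, card_last4, merchant, amount_eur):
        """A payment is submitted with card data (by the cardholder, or by someone
        who stole the data); the issuer challenges the cardholder by SMS."""
        otp = f"{secrets.randbelow(10**6):06d}"
        ref = secrets.token_hex(4)
        self.pending[ref] = {"otp": otp, "expires": time.time() + self.ttl, "used": False}
        # The message spells out what the code authorises: it is not a security check.
        self.sms_outbox.append(
            f"Code {otp} authorises a payment of EUR {amount_eur:.2f} to {merchant} "
            f"with card ending {card_last4}. Our staff will never ask for this code.")
        return ref

    def confirm(self, ref, otp):
        """Whoever supplies the right code gets the payment approved; the issuer
        cannot tell whether the cardholder typed it or read it out to a caller."""
        pp = self.pending.get(ref)
        if pp is None or pp["used"] or time.time() > pp["expires"]:
            return False
        if not hmac.compare_digest(pp["otp"], otp):
            return False
        pp["used"] = True  # single use: a replayed code is rejected
        return True


SMS_RE = re.compile(r"Code (\d{6}) authorises a payment of EUR ([\d.]+) to (.+?) with card")


def what_the_code_authorises(sms):
    """What a cardholder should read before repeating any code to a caller."""
    m = SMS_RE.search(sms)
    if not m:
        return {}
    return {"code": m.group(1), "amount_eur": float(m.group(2)), "merchant": m.group(3)}
```

Calling `confirm` with the code taken from `sms_outbox` succeeds no matter who supplies it, which is exactly why the ‘operator’ asks you to read it out; the amount and merchant in the message are the cue that it is a payment authorisation, not a security measure.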
Step 1: Acquiring sensitive information
But how can the cybercriminal already have your credit card details if the card is still in your wallet?
The data may have been stolen in an earlier phishing attack that you never noticed. That attack may have installed malware on your devices, which has been silently listening, waiting to record your sensitive data at the first opportunity.
This is precisely what makes the criminals' strategy work: because you have not lost your card and it is safe in your wallet, you assume that no one but the bank or the credit card issuer could have your data.
How to protect yourself
The postal police always recommend that you never give out your bank details over the phone, let alone via social networks or e-mail.
If you receive such calls, the advice is:
- Do not panic. Listen carefully, take your time and try to end the call, then verify the claims yourself by calling the toll-free number of your bank or credit card issuer.
- Never give out any personal or banking details unless you are absolutely sure you are speaking to your bank or a genuine operator.
- Most importantly, be extremely careful about clicking on unverified links or opening attachments… malware is silent!