A clever scam involving your credit or debit card's CVC

Last week, I had a remote appointment with a client who had very recently suffered the trauma of being scammed.

What was different about this client in comparison to many victims I see is that she was young and quite tech-savvy, and she had done lots of on-the job-training about scam detection.

So she really was so shocked that she had been caught out, and wanted to discuss how she could better protect herself in future.

Unfortunately, she fell for the scam because

• The scam was very clever, using a credit card feature that many people are not aware of.
• The scammer gained her trust (initially, at least).
• She was tired and rushed - being the mother of a baby and toddler.
• The caller used ‘false urgency’ to persuade her to act quickly if she wanted to avoid losing large amounts of money.

How did this scam work?

It was a phone call, where the caller said they were from her bank - advising that her credit card had been compromised, and they were detecting fraudulent transactions. So she/they needed to act quickly to prevent further loss.

They gained her trust by telling her that, as a bank, they would not ask her for any personal details. Instead, they asked her to open her banking app. That certainly sounded like something the bank would ask.

They told her that the scammers had changed her credit card’s CVC, and that she could verify this herself by going to the Card option in the banking app, and viewing the card details.

She did this on her iPhone, and it showed her that the CVC was, as the scammer warned, different to her physical card’s CVC number. So she was very concerned. (I must say that I didn't know that they can be different, so this bit might have fooled me too.)

It was then the next part that she can’t believe she fell for.

The scammer said he needed remote access to her iPhone to assist from this point. She knows that this is the point at which she should have realised it was a scam and hung up.

He told her to download a remote support app, called Zoho Assist - a common remote support tool used in technology support.

He then walked her through the process of connecting with him and got her to share her iPhone screen - thereby allowing him to view the banking app, which was still showing the Card Details screen that he has previously asked her to check.

She then saw verification code (NetCode) notifications appearing in quick succession, providing two-factor-authentication codes for approving new payments.

The scammer told her this was proof that the scammers were currently actively using her stolen details while he was solving her problem, so she needed to stay on the line while he secured her account. In reality, he was the initiating payments and could also see those NetCode codes, allowing him to verify these fraudulent payments.

The scammer was getting quite agitated that the remote session froze on occasion, or that the screen went to sleep. He just wanted to keep her on the line for as long as possible with the screen active, to put through as many transactions as possible. It was this agitation that finally set off the victim's alarm bells.

She terminated the call, contacted her bank, removed the remote support app and reset her phone to factory settings as a precaution.

Fortunately, only some of the approx. $10,000 worth of transactions went through successfully, but she still lost over $2000. She knows that it could have been far, far worse.

Of course, this client knows that if her card ever appears to be compromised, there is the option to Lock Card Temporarily in here banking app. She knows that she should have done that, then hung up and contacted the bank to check about her card.

She knows she could have Googled to find out whether the CVC can be different in the app to that on the card. This is what such a search would have shown:

"If you have an eligible CommBank debit card, your digital card will have a unique CVC that is different to what is shown on your physical card for security purposes. While your physical card is in the mail, you can use your digital debit card CVC. After you’ve activated your physical card, either CVC can be used to make online or recurring purchases and set up digital wallets."

Unfortunately, very few people are able to think clearly when in panic mode, being pushed to act quickly - especially when under the threat of losing large amounts of money. The scammers know this.

Some good advice on scams

A couple of days after hearing this client's story, I received an email from my energy company, with some really good advice on scams, and particularly relevant in the above case. I have included this advice below, tweaked to remove the company-specific references and adding a couple more.

The scammers may sound legitimate - but don't be afraid to hang up
There have been several large scale data breaches recently, where the scammers may have already obtained information about you illegally. They may already have access to some information like your full name, date of birth, address etc. that will make them seem legitimate. Don’t be afraid to hang up and call the business/organisation on their published contact number.

Those who call you will never ask you to download an app or click a link to receive a refund
If you are owed a refund, the business involved will never ask you to click a link to receive the refund. And any caller who asks you to allow remote access to any of your devices is likely to be a scammer.  Of course, exceptions apply in cases where the caller is responding to a request from you for support - but even then, it is essential to be absolutely sure that the site you used to request support was authentic. Many victims of scams have Googled a support site and inadvertently chosen a fraudulent site, hosted by scammers. 

Be wary of false urgency
Scammers may try to create a sense of urgency to persuade you to do what they’re asking. Be wary any time someone tries to convince you that you must act now.

Co-incidence can catch you out
So often, a scammer is successful because of co-incidence. For example, your internet has been mis-behaving and you get a call from someone who says they are from NBN, telling you there is a problem with your internet. Or you have just purchased something online and you get a call or text saying that you just purchased a computer using Amazon. Always stop, think, check and double-check. Assume it is a scam until proven otherwise.

Only trust specific emails and websites 
One of the first indications of a scam is an email address or website that is not the official email address or website of the business or organisation that supposedly sending the email. Make sure you check this on every email. Even if it looks legitimate, be aware that email addresses by be 'spoofed' - ie. the scammer can make it look like the email has come from a legitimate source, or may have a slight spelling error in the 

Create strong and unique passwords
Avoid using easily guessable information like birthdays or pet names and use unique, complex passwords for each of your online accounts. Wherever possible, set up Multi-factor Authentication

Do not click on links or attachments
Avoid clicking on links or attachments in suspicious communications, and never enter your personal information or financial information in response to unsolicited messages.

Keep your software updated
This includes your operating system, web browser, and antivirus software.

Need advice or support?

In the hour-long appointment, we covered lots of things that this client can do to prevent being caught out in future and make sure her online world is as secure as possible. 

If you too need support or advice in relation to scams and security - or on any other technology topic - make an appointment with iTandCoffee.

And if you are a member of the iTandCoffee Club and you need advice about a suspicious email or text, forward it to [email protected] and we will let you know if it looks legitimate or is a scam. (Texts can be sent as screenshots.)

Not yet a member of the iTandCoffee Club? Here's where to learn more and join.