Here’s an elaborate scam I’ve seen reported a few times in the UK in the past few months. (Some of these wrinkles would actually work in the US, but Chip and PIN is much less used there, which may account for the lack of exactly corresponding reports there.)  I was actually holding back on blogging about it as I’ve been unable to confirm some of the details, but some fraud along these lines certainly seems to be taking place.

(There are other scams and malware delivery messages that could be described as courier scams - for instance, those where a malicious attachment is passed off as information about a delivery that a courier is unable to deliver - but that's a whole different kettle of phish/vish.)

The essence of the scam as it has been reported is this: the scammer calls you posing as the anti-fraud department of your bank (or as a police officer) and tells you that suspicious activity has been detected on your bank card. It’s not that unusual for your bank to ring out of the blue to ask you to verify a transaction, but what (reportedly) happens next is quite different.

It's not me, it's you

If your bank (or anyone else ‘official’) does ring you unexpectedly, you should bear in mind that it’s more important for you to be able to verify their identity than vice versa.

After all, they have your telephone number. The reports say that sometimes the scammer pre-empts that thought by suggesting that you ring the number on the back of your bank card to confirm, but that they don’t put the phone down at their end, so that you’re still connected to the number that they called from. (This allows time for transferring legitimate calls between extensions, for instance.)

I guess that the victims don’t insist that the caller puts the phone down, wait for the dial tone, realize that they’re not actually able to call out, or worry about not getting a ringing tone before they hear someone speaking on the ‘new’ number. On the other hand, I can think of at least one technically unsophisticated way round that, so if you’re feeling really paranoid, you could ring a completely unconnected number and see if you get a response from ‘your bank’ or ‘PC 49’ rather than the real holder of that number. In fact, the line shouldn’t remain open indefinitely if only one party hangs up, and in any case the scammer will not want to tie his phone up longer than he needs to: things to do, other people to scam… It might, however, take several minutes for the line to clear automatically; I’ve seen estimates for how long it takes ranging from five to 12 minutes. If you’re checking a number someone’s given you like this, it’s worth using a different line (if available) or a mobile phone.

According to a NatWest description of this scam, the scammer may give you a different number. Of course, if someone just says ‘ring the following number’ they could be directing you absolutely anywhere. If they suggest ringing a verifiable number, however, clearly they could be using the same technique for keeping the line open. In this instance of a different scam, all the scammer needs to do is stay on the line to convince the victim that his phone has been temporarily disconnected.

PINs and needles

The scammer may ask you for full details of your account and ask you to enter your PIN.

First of all, the bank doesn’t need full details in order to verify who you are. Any bank worth your custom may well ask for something like the 2nd, 4th and last letters of your ‘special word’, and slightly dubious old favourites like your mother’s maiden name, and even the last four digits of your card number, and all that has some potential value to a scammer, if combined with information gleaned in other ways. But your bank already knows your account details, and doesn’t need info like the card security code (the magic three digits on the back of the card) in this context. The only reason anyone would ask you for all that information is for fraudulent purposes. We’ll get back to that in a minute. 

As for keying in your PIN, there is no legitimate reason why your bank should ask for it. They already have access to that information, and they certainly don’t need it to cancel the card or to activate the new one: the point is that if you do key it in, the scammer can see what it is on his own phone display. (If they were sure your card had been used illegitimately, they’d almost certainly have cancelled or blocked it before they even talked to you.)

Your account number tells them which bank you’re with, even if you haven’t told them already. Did they tell you which bank they were from at the beginning of the call, or did you assume that they were genuine and let slip the information as the call proceeded? Unfortunately, there are quite a few other ways in which they might have already known which company you bank with or whether you have an XYZ credit card. However, it’s more common for scam calls to be made more or less randomly, with the scammer relying on getting the information he needs from you and the telephone directory.

Sending the lads round

The next stage, according to the alerts I’ve seen, is that the scammer tells you he will come round or send a courier to collect your ‘compromised’ card. This is a dead giveaway: it would be a very expensive way for a bank to deal with a compromise, since they could simply cancel your card without needing any information from you. They might, of course, want you to return it by post. If they send you a new card, they might want you to verify it by phone.

The chances of their coming round personally or sending a courier to take the old card and give you a new one are tiny. That’s a very expensive way of doing business, and frankly, I suspect that most banks don’t care about most of their customers enough to give you such instant service. Actually, I’m surprised that it’s economical for scammers to pay for a courier, but apparently it is. I suppose if he gets to that point, he’s reasonably sure he’s going to get the card. It seems to be carried out exclusively by people who are geographically (fairly) close to the victim: this probably works well for the scammer, since many people are nowadays less likely to believe everything they’re told by someone with a ‘foreign’ accent, due to the prevalence of West African and Indian telephone (and other) scams.

All cut up about it

A variation I’ve seen reported here is that the scammer advises you to cut up the card before you hand it over, but subsequently tapes it back together to use in an ATM. I’m not sure how reliably a sellotaped bank card works in an ATM (certainly if it’s been cut into several pieces, as it should be if you want to render it unusable), but it could certainly be used to get or confirm information about the card that hadn’t already been captured over the phone, and that information could then be used to clone the card or to use it over the internet or in some other form of “Card Not Present” (CNP) fraud.

So here’s a possible reason why they might want all that information about your account even though they’ll get most of it anyway once you hand over the card: it’s really not difficult to take a bank card blank and add all the information that you have given them so that it looks like a genuine replacement card. Of course, it won’t actually work. Even if the scammer is able to clone your card accurately from the information you give him, he certainly doesn’t want you to have access to the account he’s about to plunder.

Variations on a rip-off

An alert from the Metropolitan Police (London’s ‘Met’) reports some variations:

  • The scammer wants you to withdraw lots of money from your bank and take it home as part of a ‘police investigation’, perhaps into a corrupt employee. At some point they will want to take the money off you so as to put it back into the banking system, which may well be the case, but it will be the scammer’s account that it goes into, not yours, and they certainly won’t have marked the bank notes. Helping a police investigation is the last thing they’re thinking about.
  • Another variation is to ask you to purchase ‘an expensive watch or other expensive items’ and hand that/those over. I’m not sure how that works, but no doubt there is some convincing reason presented by the scammer.

Points to remember

  • Banks don’t usually do home visits.
  • A compromised bank card can simply be cancelled: the bank probably doesn’t need it at all, and certainly won’t treat collecting it as a matter of urgency.
  • Your bank doesn’t need all your account data to authenticate your identity, and won’t ask for your PIN. Banks use different authentication criteria for internet banking, telephone banking, ATM access and counter transactions.
  • The police don’t offer a card replacement service, and they aren’t likely to ask you to help with an undercover operation. They won’t ask for your PIN either.
  • Legitimate, honest couriers and taxi services can be used for dishonest purposes.
  • When you put your phone down, it doesn’t mean the line is immediately cleared. This may be changed at some point because of the ways in which this feature can be misused, but the system does have legitimate advantages: for instance, if the phone is put down on a 999 call, it allows the operator to trace the call (for instance, where the caller has disconnected under duress). I can’t say if the same is true with 911 calls.

The scam has been referred to by some resources as a vishing scam, which is fair enough. However, it’s only one type of vishing (Voice over IP or VoIP phishing), not an alternative term. Sometimes a phishing message will include a number to call rather than a web link, and of course that’s no more to be trusted than an unsolicited URL.

My thanks to Martin Overton, Richard Clayton and the Anti-Phishing Working Group for help in researching this issue.

David Harley
ESET Senior Research Fellow

Some other resources (including some already included in the text):