Falling for a Phishing Scam

The day I broke my own rule...

I hate writing this article. I’ve been looking out for phishing scams and avoiding them for years. But, as I said in my last article on identifying scams, the scammers are getting better. Hopefully, recounting my experience will help others avoid it.

It began with a direct-dialed call late in the afternoon; I’m sure it was dialed because my robocall blocker works well. The screen said “Internal Fraud,” which sounded official even though there was no corporate name attached. So I answered it.

The person on the other end identified himself as working fraud cases for both Citi and Chase and quickly said there had been a $212 charge from Walmart on my Citi card—had I made this charge? Obviously, I had not and this was all done so quickly and smoothly that I left behind any concern over the ID of the call and the fact that two banks were supposedly involved.

Remember that Caller IDs can be faked and don’t trust them. I was later assured by security people at both Citi and Chase that one bank never made calls in association with another. Did the caller know I had accounts with both Citi and Chase? It certainly felt like it, but it’s also possible that they were playing probabilities by naming the two credit card operations with the largest market shares.

The caller asked me to name recent transactions on my Citi account and did a good job of appearing to confirm them. He also warned me about using my credit card at outdoor gas pumps—the risk of skimmers stealing card data. Warning about scammers—how better to engender trust? Then he said he would immediately cancel my Citi card and provide a year of credit monitoring. He also gave me a case number to use for “future reference.”

There was no suspicious activity on my Chase account. He then asked if I had any other Master Cards or Visas and I gave up my Bank of America account. He did an excellent job of seeming to be able to locate that account and verifying that there was no suspicious activity there.

Somewhere along the line I know I gave one entire credit card number because he was “having trouble seeing the account.” I did the same with my Social Security number, which was really stupid.

He asked to verify the source of my payments and I gave the name of my bank. At that point I finally came to my senses and told him I would give no more information of any kind. He thanked me politely and hung up, a clear sign of being trained not to waste time.

At that point I was suspicious, but not panicked. I did check all three of my credit card accounts and nothing looked strange, so I left any other inquiries until the next morning. Then it took me only moments to find out that no suspicious transactions had been made on my Citi account and that it had not been cancelled. At that point I could not doubt that I had fallen for a scam.

Looking back, there are many things that should have alerted me more quickly, but the caller was so skilled it all seemed reasonable at the time. Therein lies the huge danger.

I immediately cancelled all 3 credit cards and got a lot of sympathy from the security people, two of whom described similar calls. I’ve spent a lot of time putting on credit freezes at all three bureaus and the National Consumer Telecomm and Utilities exchange, which is used by some firms instead of the three credit reporting agencies. Be sure you get the confirmations of the freezes.

I reported the incident to the FTC although I doubt I had any information that would make it useful to them. I filed a police report which is a good way to document the theft of SSN. Otherwise, it’s pretty much “wait until you see some evidence it has been used.” My password manager has an alert if my SSN shows up on the dark web, but there is nothing that can be done about it.

If I had obeyed my own rule, I never would have wasted the time and experienced the frustrations in getting some of this done. Rule: never give any information to anyone who calls, emails, messages, or writes to you about a financial account, including the IRS. Immediately contact the business or government agency directly to see if there is a problem.

Please join me in adopting that rule and vowing never to disregard it!

CapeCodToday.com welcomes thoughtful comments and the varied opinions of our readers. We are in no way obligated to post or allow comments that our moderators deem inappropriate. We reserve the right to delete comments we perceive as profane, vulgar, threatening, offensive, racially-biased, homophobic, slanderous, hateful or just plain rude. Commenters may not attack or insult other commenters, readers or writers. Commenters who persist in posting inappropriate comments will be banned from commenting on CapeCodToday.com.