Scam call - they knew all about me

TVR450

Ah, interesting they only ever quoted be the last 4 digits of the card number.

DullGreyGuy

TVR450 said:

Ah, interesting they only ever quoted be the last 4 digits of the card number.

So they tricked you into thinking they had the whole number but only actually had the last 4 digits which they could get by going bin diving. Some card receipts even have the cardholders name on them, as long as it isn't A.Smith a bit of detective work and assuming the person lives relatively local to where the receipt was found and it wouldn't be hard to make that call to you; people post far too much on social media etc!

jimjames

TVR450 said:

Ah, interesting they only ever quoted be the last 4 digits of the card number.

The most commonly stored part of the card data, points back to retailer breach again

TVR450

Ah, interesting, he only ever mentioned the last 4 card digits.

TVR450

AmityNeon said:

TVR450 said:

Yes, ok, the only part they did not manage was to convince my phone provider to send them a new SIM, then they could have received the OTP themselves.  I guess they did not manage to work out who my phone provider was or my security is good enough on my phone account.

How do you know they attempted to take over your mobile number?

I don't to be honest.  That was just speculation that the scam would have worked if they had taken over my mobile phone account.

AmityNeon

DullGreyGuy said:

TVR450 said:

Ah, interesting they only ever quoted be the last 4 digits of the card number.

So they tricked you into thinking they had the whole number but only actually had the last 4 digits which they could get by going bin diving. Some card receipts even have the cardholders name on them, as long as it isn't A.Smith a bit of detective work and assuming the person lives relatively local to where the receipt was found and it wouldn't be hard to make that call to you; people post far too much on social media etc!

How did the scammers initiate the Santander OTP for a £1,500 transaction? I doubt a phishing text would make it so blatantly obvious that it was for a high-value transaction completely unrelated to the phone conversation.

AmityNeon

TVR450 said:

AmityNeon said:

TVR450 said:

Yes, ok, the only part they did not manage was to convince my phone provider to send them a new SIM, then they could have received the OTP themselves.  I guess they did not manage to work out who my phone provider was or my security is good enough on my phone account.

How do you know they attempted to take over your mobile number?

I don't to be honest. That was just speculation that the scam would have worked if they had taken over my mobile phone account.

Indeed it could have. I recommend a second mobile phone number that's strictly reserved for banking and 2FA, and never revealed to any contact. Modern phones can support Dual SIM Dual (Standby/Active) and PAYG SIMs are very cheap to maintain connectivity. Whilst it won't stop rogue employees, at least your mobile number that's likely been uploaded by your contacts to countless databases won't be associated with your banking.

flaneurs_lobster

AmityNeon said:

DullGreyGuy said:

TVR450 said:

Ah, interesting they only ever quoted be the last 4 digits of the card number.

So they tricked you into thinking they had the whole number but only actually had the last 4 digits which they could get by going bin diving. Some card receipts even have the cardholders name on them, as long as it isn't A.Smith a bit of detective work and assuming the person lives relatively local to where the receipt was found and it wouldn't be hard to make that call to you; people post far too much on social media etc!

How did the scammers initiate the Santander OTP for a £1,500 transaction? I doubt a phishing text would make it so blatantly obvious that it was for a high-value transaction completely unrelated to the phone conversation.

Don't think OP has confirmed but if scammers had acquired full card details from OP (having been given last 4 digits) then that would be used on online site to initiate purchase of shiny thing, triggering Santander to send OTP which scammers want read out to them. 

AmityNeon

flaneurs_lobster said:

AmityNeon said:

DullGreyGuy said:

TVR450 said:

Ah, interesting they only ever quoted be the last 4 digits of the card number.

So they tricked you into thinking they had the whole number but only actually had the last 4 digits which they could get by going bin diving. Some card receipts even have the cardholders name on them, as long as it isn't A.Smith a bit of detective work and assuming the person lives relatively local to where the receipt was found and it wouldn't be hard to make that call to you; people post far too much on social media etc!

How did the scammers initiate the Santander OTP for a £1,500 transaction? I doubt a phishing text would make it so blatantly obvious that it was for a high-value transaction completely unrelated to the phone conversation.

Don't think OP has confirmed but if scammers had acquired full card details from OP (having been given last 4 digits) then that would be used on online site to initiate purchase of shiny thing, triggering Santander to send OTP which scammers want read out to them.

The quoted line of conversation was along the assumption that the OP was tricked into thinking the scammers had the whole card number but only actually had the last 4 digits; hence the question.

PRAISETHESUN

AmityNeon said:

TVR450 said:

AmityNeon said:

TVR450 said:

Yes, ok, the only part they did not manage was to convince my phone provider to send them a new SIM, then they could have received the OTP themselves.  I guess they did not manage to work out who my phone provider was or my security is good enough on my phone account.

How do you know they attempted to take over your mobile number?

I don't to be honest. That was just speculation that the scam would have worked if they had taken over my mobile phone account.

Indeed it could have. I recommend a second mobile phone number that's strictly reserved for banking and 2FA, and never revealed to any contact. Modern phones can support Dual SIM Dual (Standby/Active) and PAYG SIMs are very cheap to maintain connectivity. Whilst it won't stop rogue employees, at least your mobile number that's likely been uploaded by your contacts to countless databases won't be associated with your banking.

I'd also recommend setting up/changing the default SIM PIN to protect against SIM swapping attempts. It's not foolproof, but it slows things down if it gets to the point of a scammer actually managing to hijack your SIM.