A new scam

brighouse55

Thanks to everyone for their comments.
Just to make a few points clear. I never, ever, use a debit card to purchase anything online. I always use a credit card which, as this site oft repeats gives you far better abilities to get your money back should something go wrong. I only use a debit card for local shopping and withdrawing money.
Next point, I take online security very seriously, I have never downloaded an email I didn't recognise, allow an app into my system unless I was sure about it and it came from a reputable source or completed any of those online questionnaires. I have a three tier security system, including a sandbox from my old IT days where anything suspicious goes. The awful thing about this is I used to provide security solutions to companies to prevent this sort of thing happening!
I checked haveibeenpwned and they confirmed no problems.
All the online purchases I make are from reputable websites and mainly Amazon, and I have separate payment methods (never DD or debit card) for each site. I do not give my details willy nilly and over the last decade no more than six sites have had my information - 'cos its valuable and the more people have it the more chance of something like this happening.
After talking to the bank I did deep dives on all my systems using the existing security AND then downloaded two new ones for extra comfort and they all came up crystal clean. So, no trojan horse on my system.
Most of my banking is online these days but any letter I get goes through a shredder before it heads out in the trash. I don't do social media so can't be tracked that way. 
Yes, I should have checked the number and website details but the scammer was so convincing and acted just as my bank do when they contacted me AND they knew bank account details I thought I was fine, until I realised I wasn't. 
I have signed up with a credit agency and will be alerted if any new credit card or loan is made using my details. I am also checking the bank daily for possible payments not made by my wife or I. The real bank (Lloyds) who have been incredibly helpful about all this have also checked every company that holds account information and these are all the usual suspects (power, water, insurance, credit cards etc.) where there is no notification of them being hit by a cyber attack.
As someone pointed out what is the scam here and I think it could be two fold. First as MyRealNameToo pointed out by delaying an action to stop a payment could have meant the scammer got the goods. By sheer good luck I believe that the (I hope) honest seller didn't ship the items as it was discovered within 24 hours. If the items had arrived its quite possible that could have been a key the scammers were waiting for and they would have come back to me with more requests. They must now know I know and the chances are they have sold my details on.
But, if I missing something please do say, how on earth could they have got such private information?            

marcia_

 It's a mystery but the same happened with my debit card but the scam/use of my card was stopped by my bank as being suspicious before I even knew. 

Emmia

brighouse55 said:

Thanks to everyone for their comments.
Just to make a few points clear. I never, ever, use a debit card to purchase anything online. I always use a credit card which, as this site oft repeats gives you far better abilities to get your money back should something go wrong. I only use a debit card for local shopping and withdrawing money.
Next point, I take online security very seriously, I have never downloaded an email I didn't recognise, allow an app into my system unless I was sure about it and it came from a reputable source or completed any of those online questionnaires. I have a three tier security system, including a sandbox from my old IT days where anything suspicious goes. The awful thing about this is I used to provide security solutions to companies to prevent this sort of thing happening!
I checked haveibeenpwned and they confirmed no problems.
All the online purchases I make are from reputable websites and mainly Amazon, and I have separate payment methods (never DD or debit card) for each site. I do not give my details willy nilly and over the last decade no more than six sites have had my information - 'cos its valuable and the more people have it the more chance of something like this happening.
After talking to the bank I did deep dives on all my systems using the existing security AND then downloaded two new ones for extra comfort and they all came up crystal clean. So, no trojan horse on my system.
Most of my banking is online these days but any letter I get goes through a shredder before it heads out in the trash. I don't do social media so can't be tracked that way. 
Yes, I should have checked the number and website details but the scammer was so convincing and acted just as my bank do when they contacted me AND they knew bank account details I thought I was fine, until I realised I wasn't. 
I have signed up with a credit agency and will be alerted if any new credit card or loan is made using my details. I am also checking the bank daily for possible payments not made by my wife or I. The real bank (Lloyds) who have been incredibly helpful about all this have also checked every company that holds account information and these are all the usual suspects (power, water, insurance, credit cards etc.) where there is no notification of them being hit by a cyber attack.
As someone pointed out what is the scam here and I think it could be two fold. First as MyRealNameToo pointed out by delaying an action to stop a payment could have meant the scammer got the goods. By sheer good luck I believe that the (I hope) honest seller didn't ship the items as it was discovered within 24 hours. If the items had arrived its quite possible that could have been a key the scammers were waiting for and they would have come back to me with more requests. They must now know I know and the chances are they have sold my details on.
But, if I missing something please do say, how on earth could they have got such private information?            

Could you try and use paragraphs with spaces it makes your text easier to read. 

There are other ways of getting your card details - you use it for local shopping, so your details could be cloned via that route, perhaps by a dodgy payment terminal or cash machine slot.

Fundamentally the only way of preventing people getting your bank / card details is never to use your bank account or card - but that's not especially realistic.

Grumpy_chap

MyRealNameToo said:

The only really unusual feature in this all is that they had the last 4 digits of your card number AND part of your account number... I can think of very few sources that would have both for me. 

Well, if they somehow got an image of the debit card.
My debit card (and I assume most debit cards) has the card number plus the account sort code and account number displayed

noitsnotme

Emmia said:

brighouse55 said:

Thanks to everyone for their comments.
Just to make a few points clear. I never, ever, use a debit card to purchase anything online. I always use a credit card which, as this site oft repeats gives you far better abilities to get your money back should something go wrong. I only use a debit card for local shopping and withdrawing money.
Next point, I take online security very seriously, I have never downloaded an email I didn't recognise, allow an app into my system unless I was sure about it and it came from a reputable source or completed any of those online questionnaires. I have a three tier security system, including a sandbox from my old IT days where anything suspicious goes. The awful thing about this is I used to provide security solutions to companies to prevent this sort of thing happening!
I checked haveibeenpwned and they confirmed no problems.
All the online purchases I make are from reputable websites and mainly Amazon, and I have separate payment methods (never DD or debit card) for each site. I do not give my details willy nilly and over the last decade no more than six sites have had my information - 'cos its valuable and the more people have it the more chance of something like this happening.
After talking to the bank I did deep dives on all my systems using the existing security AND then downloaded two new ones for extra comfort and they all came up crystal clean. So, no trojan horse on my system.
Most of my banking is online these days but any letter I get goes through a shredder before it heads out in the trash. I don't do social media so can't be tracked that way. 
Yes, I should have checked the number and website details but the scammer was so convincing and acted just as my bank do when they contacted me AND they knew bank account details I thought I was fine, until I realised I wasn't. 
I have signed up with a credit agency and will be alerted if any new credit card or loan is made using my details. I am also checking the bank daily for possible payments not made by my wife or I. The real bank (Lloyds) who have been incredibly helpful about all this have also checked every company that holds account information and these are all the usual suspects (power, water, insurance, credit cards etc.) where there is no notification of them being hit by a cyber attack.
As someone pointed out what is the scam here and I think it could be two fold. First as MyRealNameToo pointed out by delaying an action to stop a payment could have meant the scammer got the goods. By sheer good luck I believe that the (I hope) honest seller didn't ship the items as it was discovered within 24 hours. If the items had arrived its quite possible that could have been a key the scammers were waiting for and they would have come back to me with more requests. They must now know I know and the chances are they have sold my details on.
But, if I missing something please do say, how on earth could they have got such private information?            

Fundamentally the only way of preventing people getting your bank / card details is never to use your bank account or card - but that's not especially realistic.

There have been a couple of threads on here from people who experienced fraudulent use of a card that they never used anywhere or even left the house after being received.  The general consensus was card details were ‘discovered’ by a brute force attack, if I recall correctly.

mta999

I also couldn't see the scam until I realized that there is the eBay transaction shown as pending

if they hadn't called and if you'd looked at your bank account you'd have seen it and called the bank to stop it

since the 'bank' called you and said they would already stop it, you probably would just have let it ride and not contacted thr bank to stop it

It's quite a clever scam !

JadedAngel88

I don't know if I'm fortunate or something but in my 53 years of life and 47 years of having a bank account I have never had a call from a bank. Not one. 

powerful_Rogue

brighouse55 said:

I never, ever, use a debit card to purchase anything online. I always use a credit card which, as this site oft repeats gives you far better abilities to get your money back should something go wrong. I only use a debit card for local shopping and withdrawing money. 

Only if the purchase is over £100. Anything less then that and you have the same protection whether it be credit card or debit card.

Silvertabby

Had an initially plausible call recently.  Said he was calling re my M&S credit card, as they had noticed a couple of 'suspicious' transactions...had I spent £99 in TK Max recently?  No, I hadn't.  Had I lost my card?  No, I hadn't.

He kept saying that he wasn't going to ask me for any passwords or pin numbers, and that he was just trying to keep my money safe....  So far, so much like a genuine call with Barclaycard a few years ago.  But there was just something about him that had my BS antenna twitching....

Then he blew it by asking me to log on to my M&S banking app.  Immediately told him that I would have to call him back on that, and something in my tone of voice (Mr S said I had switched to my bossy WRAF mode) made him hang up on me as a lost cause.

Yes, very much aware that if I had logged on to the M&S banking app (which I don't have) the next stage would have been to grant him remote access.

Went through all the normal checking procedures and everything was fine.  Can only guess that he got my name, home phone number and the fact that I was a M&S cardholder from one of the on-line shops I've used in the past.