A fraudster had convinced Terry they were calling from his bank. They knew his name and address, their phone number even matched the one on the back of his card, and text messages landed in the same chain as older texts from his bank. There was even hold music. Within minutes he’d lost thousands of pounds from several accounts, but couldn’t understand how. It all seemed so real.
Terry is not alone. He was targeted by fraudsters in a scam we know is affecting thousands of people in the UK and beyond. If you have a mobile phone number and an account with a credit or debit card, it could happen to you. We wanted to take a few minutes to make sure you’re up to speed with their methods, so you can confidently steer clear of these fraudsters.
For Terry, and others affected by this scam, it started with a phish.
Step 1: The Setup - How did they know so much about me?
The call itself can only work if the fraudster can share back to you the personal information they stole. Information they get from phishing. Here’s how it typically works:
- An SMS is sent out to hundreds of thousands, if not millions of numbers stating you’ve missed a package delivery, you’ve had a close Covid contact and need to order a PCR test, or anything else demanding your immediate attention.
- On the message, a link provided takes you to a realistic-looking website, mimicking Royal Mail, or the NHS, or a different legitimate organisation.
- If it catches you when you’re half asleep or distracted by work, you might not realise the suspicious web address.
- Believing it to be real, you enter your personal information - name, date of birth, address, phone number, email address etc. Crucially, a small payment request is made. An insignificant amount (typically between £1-2) that means you’re much more likely to pay without thinking. You enter the 16 digit card number, expiry date and CVV.
- It’s not a real payment, despite a screen flashing up that your payment is successful. Now, armed with your complete card details, it’s easy to work out which bank you’re with via a quick search online. They’re now ready to dial your number and start their scam.
Step 2: The Knight in Shining Armour - ‘thank you for protecting me’
Terry said the fact that they knew his name and address, and even stopped a new live transaction for a pizza delivery, made him think they had to be authentic. Worst of all, he remembers thanking the fraudster for protecting his money, especially on a bank holiday.
With the information the fraudster has from the setup, anywhere between one minute and several days later you receive a call from them claiming to be from the bank who issued your card.
Using simple technology known as number spoofing, they disguise their own phone number and display one that’s from that financial provider.
You’re told your card has been compromised, and might be reminded of the initial phishing text - “Did you receive a message about a missed package?” or “There’s a COVID scam message going around - remember that?” You’re then informed about an ongoing fraud attempt by scammers, but by following their instructions, your money will be kept safe.
You may be directed to a website to sign in and ‘check your devices’ or change your password. This will take you to a fake login portal that will steal your details. Only ever log in via our app or at wise.com.
Alternatively….
You’re sometimes told to change your password to a specific one given by them - NEVER do this: passwords should always be secret.
They may also ask you to share the SMS code sent to your phone - this is the 2nd bolt on the door to your account (in addition to your password) and should also never be shared with anyone, including our own team.
- This level of authorisation is designed to show your bank they are dealing with the real you, so it’s harder for your bank to spot fraudulent payments when this is shared.
Remember, the fraudsters have your full card number, expiry date and security code, so if they try to ‘prove’ they’re real, they may even put a transaction through live during the call.
At Wise we do not call you during an ongoing card fraud threat. If we detect fraud, we’ll freeze the card. There’s no time pressure exerted on you from our side.
Once they have access to your account, they can act quickly to steal your balance, meanwhile doing what they can to delay you reporting the crime.
Step 3: Preparing the Getaway - buying time
Terry felt reassured and confident he’d get a call back in a few days with an update. Deleting the app for security reasons, and sitting tight to receive a new password in the post the following week. He didn’t realise this was designed to help the fraudster’s get away.
The call is often ended with methods to prevent you from reporting this to your genuine card provider for as long as possible - so as to give them the most time to successfully get away with your money.
If you’re told to
- Delete your app for security reasons
- Wait for a new PIN through the post
- Not worry about notifications relating to unrecognised transactions
- Wait for a call back in a few days
This is the fraudster buying time - don’t let them.
What to do if this is happening right now?
If you recognise any of these techniques while on a call, the safest thing to do is immediately click SETTINGS -> SIGN OUT OF ALL DEVICES.
Change your password straight away - better if you’re still on the line without letting them know you’re on to them.
After this, end the call and contact us right away either by phone, chat or email.
Remember:
- We will never call you about fraud that’s happening live: if we spot fraud, we will secure your account and notify you in different ways.
- We will never ask you to change your password to something specific
- We will never ask you for your 2FA code - these should never be shared with anyone, ever.
- We will never advise you to move money out of any other account for safe keeping.
- We don’t coordinate live fraud operations with any other bank in real time: if someone states they’re speaking to us on the other line, they are a fraudster.
If you have lost money to this type of fraud:
Let us know as soon as possible. Our specialist team will be in touch about the next steps in getting your money back.
Final Thoughts
Thankfully for Terry, he did ultimately get his money back, but this isn’t always the case for victims of scams. Even with the money returned, the whole experience left him feeling vulnerable and deflated.
There has been a significant rise in scam cases in the UK, and all over the world, and the methods are becoming increasingly harder to spot. It’s important to approach anyone calling you regarding your money with sensible cynicism. And it’s a good idea to familiarise yourself with the way your bank or financial provider does communicate with you.
Just because your phone associates them with a trusted company doesn’t mean it’s legitimate. The safest thing to do is end the call and contact us through safe details you find at wise.com.
Terry’s story is a combination of events that have happened to real people, but in itself is fictional to help raise awareness about scams currently affecting the financial sector.
*Please see terms of use and product availability for your region or visit Wise fees and pricing for the most up to date pricing and fee information.
This publication is provided for general information purposes and does not constitute legal, tax or other professional advice from Wise Payments Limited or its subsidiaries and its affiliates, and it is not intended as a substitute for obtaining advice from a financial advisor or any other professional.
We make no representations, warranties or guarantees, whether expressed or implied, that the content in the publication is accurate, complete or up to date.