I have never seen such a well-engineered fraud attempt, so I thought that I absolutely must share it with my readers for your own protection. I will also note that it was something that I began to actually fall for, but then started to see red flags. I will note the red flags I saw in red and I’ll note the red flags that I should have seen but did not, in orange. I want to extend my deepest gratitude to Santander and the customer service representative that helped me identify this fraudulent attempt.
I was ending my day at work this afternoon when my cell phone rang with a toll-free number (877) 768-2265. I didn’t immediately recognize the number, so I figured I’d let it go to voicemail and if it’s legit, they’d leave a voicemail. Well, no voicemail. Then I got another call, and another, and another. Seven calls later I finally pick up the phone, “Hello?”
“Hello, this is Daniel Morgan from Santander’s fraud prevention department, is this Mr. Stadtlander?” the man asks.
“It is,” I reply.
“Is your home address ***************, Massachusetts?”
“Do you have a debit card ending in ****?”
“Yes, it’s right here in my pocket.”
“We are showing two charges at a Walmart in Atlanta, Georgia for $280.87. Are you currently in Atlanta sir?”
“No, I’m in Boston.”
“This was registered as an alert in our system and we wanted to reach out to you to resolve this. Do you have a few minutes?” the man says.
“Yes of course,” I reply.
“We would like to close this card and send you out a new one. Let me just confirm that there are no other charges appearing other than these two. One moment.”
He did not bother to verify any transactions with me. This did not occur to me until later.
There is silence as he ‘checks his computer’.
A moment later he comes back, “Yes. It looks like those are the only attempts. We will need to send out you out a new card just to be safe. Can you verify your mailing address as **************?”
“Yes, that’s correct.”
“And the best number to reach you is ***************?” he asked stating my cell phone number.
Yes, that is correct.” I reply.
“And your debit card ends in **** with an expiration of ** of ****?”
“Ok, we will send out a new card via Fed-ex and you should have it by tomorrow. Let me just check with my supervisor that we can waive the $15.00 charge for overnighting it.”
Despite my irritation that someone must have been using my card, my eyebrow raises, why would they charge me to overnight a card if I’m their customer? But, I go along with it. In the meantime, I put him on speaker and google the phone number, which sure enough comes back as Santander’s customer service number. I am aware that it is not hard to spoof (fake) a caller ID number, I’ve demonstrated how to do it myself. But at this point, I’m not on full alert yet.
A moment later he comes back on and says, “Ok, no problem. We can have this to you by tomorrow morning. We want to reset the PIN as we aren’t allowed to use the default pin. What is your current PIN so we can reset it?”
WHAT?! Why on EARTH would they need my PIN? I think to myself. Now my ‘bullshit’ antennas are quivering like there’s a thunderstorm coming.
“I’m sorry, I’m not comfortable providing that over the phone,” I reply.
“I can understand your concerns sir, I assure you that this is just to protect your own confidentiality and ensure that we expedite your card back to you as soon as possible.” he begins calmly. “If it helps, I can verify additional personal information.”
“Ok, thank you,” I say. (At this point not believing a word that’s coming out of his mouth.)
“Can I verify that your date of birth is __________ and your social security number is _________?” repeating back to me my true date of birth and my full social security number. My jaw drops open and my mind is reeling.
“Yes, that’s correct,” I begin, “My PIN is _____.” I stated, giving him a fake PIN, then I say “can you hold for just one second, I have an emergency call coming in on the other line from my child’s doctor. One second.”
“Certainly sir, I’ll hold and see if I can get this input while I wait,” he states and I press the mute button.
I get on my work line and dial the same number that called me (which is also on Santander’s website) and after a series of verification prompts a woman picks up. “Hello, this is Beth (name changed to protect her identity) from Santander, how can I help you.”
I take a moment to explain the whole situation to her and I can sense her jaw also dropping open. “What?! We would never ask you for your PIN and we would never give out your social security number.” At this point, the man is asking if I’m still there and I ask her to stay on the line and listen in to the speaker call on my cell phone which she graciously agrees to.
“Hello, I’m sorry – are you still there?” I ask the man.
“Yes. Not a problem Mr. Stadtlander. I entered your PIN into our system and it says that the PIN is incorrect, is there a chance you gave me the wrong PIN?”
“No, it was definitely the correct PIN.”
Then Beth says to me in the other ear, “Ask him for his name and employee ID.”
“I’m sorry, I didn’t catch your name, what is your name and employee ID? I’m just taking notes here and want to make sure I get everything.”
“Certainly sir,” he begins, “My name is Daniel Morgan and my employee ID is 45321409.”
In my other ear, Beth states “Nope. Our employee IDs do not use that format. This is completely made up. Ask him to speak to his supervisor.”
“I’m sorry, Daniel, can I speak to your supervisor?” I ask.
“Certainly sir, one moment.”
There is a pause of about a minute and then another male voice comes on the phone, “Hello, this Roger with Santander. I understand my colleague attempting to help you by getting a replacement card out to you? How can I help?”
“I’m sorry, what was your name?” I ask.
“Thank you, Roger. I’m sorry can you hold one second, I have an emergency call I am still trying to deal with, just give me two seconds.”
“Absolutely Mr. Stadtlander.”
Beth and I are both in shock at the level of detail on this and she recommends that I let him know that I have Santander Fraud Prevention on the other line and see what he does.
“Hello, Roger are you still there.”
“I am, do you have that PIN so that we can help get your card reset?” he asks.
“Actually, I just have a question. I have Santander’s Fraud Prevention and the local police tied in on the other line and they feel that things aren’t adding up. Do you mind if I patch you in?”
One second later he hangs up.
Now, I thanked Beth graciously and she did some further investigating while I had her on the phone and she was able to determine that there were two attempts to check my account balance using my debit card in Las Vegas a few minutes prior. But it registered as an invalid PIN and did not work. We talked for a bit and she also told me that she had recorded the entire conversation which I was happy for. She then helps me to cancel my card and send out a new one.
I am still floored at the level of detail and social engineering that went into this. As best I can figure, they got my debit card number and expiration (most likely from a card scanner in an ATM – it’s easy to do) and then matched up my relatively unique name to my information in the Equifax Data Breach (to which I am also one of the millions of victims).
Please, I cannot state this enough – be very aware anytime anyone is asking anything from you. Get validation and if there are any doubts, call your bank on the other line and confirm the validity. I would hate to guess how many people fall for this scam.