We have been asked to share the following story by the Nederland Police Department:
We are passing on a case where a person was scammed and their debit card compromised so you don’t become a victim as well.
The pattern of an online compromise to a debit or credit card is this: when a person makes a purchase online, they can be navigated to what they believe to be Best Buy’s website, but isn’t. If, for example, a person googled Best Buy and clicked a link that appeared in the search results, or a person received an emailed advertisement from who they believed to be Best Buy and clicked that link, the person is going to the bad guys’ website, even though it reads “bestbuy.com”. Once a person is on the bad guys’ website, and it will be a very accurate representation of Best Buy, all information is captured as they type it in. The only way to be absolutely certain you are on a vendor’s actual website is to manually type it into the address bar (which nobody ever does, which is why the spoof is so successful).
But the more frequent attack method is the email attack.
So the target link is either embedded in the text of the email or it’s included as an attachment and, just like any other email phishing scam, once you hit that link you’re directed to what appears to be the legitimate site. That is way easier to engineer and can be targeted to specific victims with a relatively high degree of success, as opposed to the search engine version that casts a super large net waiting for anyone/everyone to fall into it.
Best Buy is only used as an example; it could be any retailer with online shopping.
The victim received a phone call from what she believed was her bank; the person identified themselves as a representative. They were very slick in how they played out the scam. The first hook was asking the victim if they just spent $1000 in a state far from home. Of course the victim says no and is now concerned their money is gone from their account. The scammer has already called from a spoofed number that shows the bank’s correct phone number on caller I.D. The scammer then tells the victim to google the number to make sure it comes up as the bank’s so they feel confident they are talking with a bank employee. Next they tell the person about a recent purchase (by chance this was at a Best Buy); the person acknowledges because they did just make that purchase in the last day or two.
(The purchase was to Best Buy online, where the debit card information and other information like their name and phone number were most likely captured.) From this point the victim feels confident they are speaking with a real employee since they know about purchases made on the account. The scammer starts to ask for username, password info, address etc., telling the victim they are shutting down the account, it’s all taken care of, there is no need to respond to any emails the bank will be generating about the fraud they found on the account. The victim is now comfortable, feeling like the bank is looking out for their best interest. Once the info has been given, the scammer has it; they quickly either send info to someone to make an active credit card and start buying cash cards, or go shopping. In this case the victim was hit for $2800. The purchases were in Florida and California. This was all done within a matter of a couple hours tops.
The victim’s real bank calls warning them of fraud, seeing purchases on the east and west coast. The victim is now so confused, saying you guys already closed my account etc., and does not know who to trust. The only good news out of this story is the bank immediately covered the loss.
The case I give is factual, but is in no way meant to slight Best Buy’s website or its security; scammers make these fake sites all the time, nor are there any facts as to where the debit card was compromised. Even Colorado DMV got hacked that way, so people who were Googling DMV, and then hit the link in the search results, got connected to definitely not DMV.
It’s the holidays, scammers are working double time to rip us off.