
Interesting, I had a very well-done phone attempt against my American Express card two weeks ago.

I have to wonder if all that data came from the TMobile hack.

* The caller ID was spoofed (not just the name; the actual number on my phone bill and in my phone app's logs is a real AMEX number).

* The caller claimed to be reporting a fraudulent attempt on my account

* In order to verify my identity, please read back the six-digit PIN they're sending me (~ALARM BELLS GO OFF~)

* SMS 2FA shows up: "Enter this code to add your card to Apple Pay" (Oddly, this message doesn't carry the "WE WILL NEVER CALL YOU FOR THIS CODE" line that all previous SMS 2FA messages carried.)

* I ask for a call-back number, for security purposes. I'm told "This is AMEX. This is AMEX." every time I ask.

I hung up, and froze the card. Then I called AMEX with the number listed on the back of the card. They acknowledged they did NOT call me at any point that day, that a transaction WAS attempted AFTER I froze the card, and issued a new card.

The caller was calm, call-centery, had my full name, credit card number, expiration, 4-digit CVV, and phone number.

I also learned that AMEX doesn't actually cancel the old card... my regularly billed transactions and new online purchases went through just fine with the old card info. I called AMEX to ask them to unambiguously reject all attempts for all previous card numbers, and they acknowledged. I tried a few days later, and the old number still worked...
I had a very similar pattern happen a year or so ago on one of my bank debit cards. The difference in my case was that they made one fraudulent charge on the card beforehand to lend authenticity to the "we're the fraud team" claim. They knew the card number, and the details about the charge (presumably because they were the ones who made the charge). Then they tried to reset the password for my online banking login and asked me to read the security code I received via SMS to confirm my identity. Luckily the code sent to me was clearly labeled as a password reset code (though not with the "we won't ask for this code over the phone" line), so I froze the card and went down to my bank to talk about it. Apparently it had happened to a lot of my bank's members, and I was one of the few to not fall for it.