When Rachel from Card Services calls about your credit card, she might be calling from any one of dozens of fraudulent call centers in India. Have you ever wondered why all the different scammers use a similar (or in some cases identical) script? In a word, familiarity. Their scripts, and the recorded message that calls you, are crafted with specific reasons for every phrase.
Some of the calls I get start with, “This is Chase Bank.” Some of them even spoof the phone number on the back of a Chase credit card in their Caller ID. And why do they claim to be calling from Chase? Because JPMorgan Chase has about 92 million credit card accounts in the United States, compared to a small issuer like First National Bank of Omaha which, while no slouch in the business, probably has no more than 7 million. So chances are good that whoever answers the phone might live in a household that does indeed have a relationship with Chase.
The familiarity with the brand name is enough to make someone who might actually be a Chase customer pause for a second. The script depends on that pause to get you to “Press 1” on the chance that there’s something going on with your account, because chances are pretty good that you’re a customer. Usually the call center scammer who answers has no idea what the outgoing recorded message said, but that message has accomplished its purpose: You pressed 1 and your defenses are down just a little.
Once you’re talking with the human scammer, the script is littered with terms consumers might be familiar with but might not fully understand. Even the fake company name, “Card Services,” is familiar to you because the payment address on many credit card statements is indeed, “Card Services.” The script says “our records reflect that not only do you pay your bills on time, but you usually try to pay more than the minimum payment.” Well, duh? That’s true of the overwhelming majority of people who use credit cards. On an intellectual level you might understand that that’s true of millions of people, but the emotional response to that question comes because he’s talking to you.
Once he asks whether your have a higher balance on your VISA or your MasterCard, he’ll ask you to verify the expiration date on the card. Deep down, you’re feeling safe because he didn’t ask for the actual account number. And that sounds okay, right? He’s not asking you for the expiration date – he’s just asking you to verify it. At this stage in the scam if you answer him, no matter what date you give, valid or not, the scammer will say, “Yes, that is what our records show.” So, by asking the expiration date but not the account number, he’s asked a less threatening question and gotten you to answer it. He’s confirmed that either you know your number by heart or you’ve now taken out your card, and he’s confirmed that you’re willing to part with a little information. And if you have given him the actual expiration date from an actual card, he’s obtained a potentially valuable piece of information. You’re like a bobblehead doll at this point: just nodding, Yes, Yes, Yes.
Once you’ve been softened up, he’ll ask you to verify your account number, but it’s okay, right? He’s not asking you to give him the number, he’s asking you to verify it. He must already know it. And he’ll prove he knows it because he asks for the account number, “which I see from our records has 16 digits and starts with 4” (or 5). A typical American consumer may know that every VISA account number begins with ‘4’ and every MasterCard number begins with ‘5.’ And yes, every bank credit card number has 16 digits. But then, maybe that American consumer doesn’t know. Or, once the familiarity game is moving along, that consumer may not make the connection.
The scammer’s script might have a response to someone who says, “I’m not comfortable giving you my number.” The scammer may say all you need to give him to “verify” the account is the last four digits of your account number, hoping that you’ll breathe a sigh of relief that you don’t have to give him all 16. But if you’re this far into the conversation, you’ve already parted with your ZIP code and “only the last four” of your social security number. And for lots and lots of credit card issuers, all you need to dial in for automated customer service is two out of those three: Phone number, social security number last four, or account number last four. While you’re on hold, his associate is going to spoof your number – the one he called you on – to dial into the bank, and then try the ssn and the account number. And when he comes back on the line to let you know your balance, last payment and payment due, his associate will be listing the number for sale or dialing in again to perhaps change your address, order a new card or arrange a transfer while you’re still talking about reducing your interest rate to zero percent.
We’re all aware, probably, that “con” is short for “confidence.” The basis of scams like this is building a bond based on a sense of familiarity on the part of the target. Every word in the outgoing message and every word in the scammer’s script is crafted to build familiarity and trust. Because, after all, I can’t steal from you – until you trust me.