As fraud controls get smarter, fraudsters are shifting their attack patterns to bypass controls. Fraudsters have been using automated phone calls to try to steal consumers’ two-factor authentication codes and hack into banking, merchant, and third-party payment accounts. These include Apple, Amazon, PayPal, and bank accounts.

An example of these calls states: “In order to secure your account, please enter the code we have sent your mobile device now.” Financial institutions and valid merchants will ask cardholders to enter this code on their website or app, not via text or automated phone calls. A communication like this indicates the fraudster has tried to access an account and has run into a two-factor challenge from the merchant or institution. This call is an attempt to secure the code sent to a phone number or email on file at the merchant or institution. Usually, something like the enter code that has popped up on your phone. Once entered, the automated message will say: “Thank you, your account has been secured and this request has been blocked.” Sometimes, the call will say don’t worry about any payments or fees; we will refund it and then state, “you may now hang up.”

Scams like these require a hacker to already know several details about a cardholder, such as email address, phone number, and password. Personal data like this is often found on the dark web, collected from previous breaches and hacks, sold by POS merchants to marketers, or given out by cardholders themselves.

Phishing and smishing (phishing by SMS texts) are attempts to trick cardholders into providing sensitive, confidential information in order to perpetrate fraud. Its variants and frequency continue to be on the rise. Phishing schemes such as “spear-phishing,” which is more targeted and difficult to identify, are becoming even more sophisticated than in the past. Instead of using only suspicious links in poorly designed emails, phishing emails mimic websites and appear to be legitimate and credible. The use of web address-shortening tools, such as TinyURL, makes detection of suspicious links more difficult, even by savvy online users.

It is important to safeguard your financial data and your online banking credentials against criminals trying to harvest them. It is also a good idea to avoid clicking on links that appear in random emails and instant messages. Some phishing emails will start with “Dear Customer,” so you should be on the alert when you come across these emails. When in doubt, go directly to the source rather than clicking on a potentially dangerous link.

In general, never give out full card numbers, passwords (either to bank or merchant accounts), full social security numbers, or other sensitive information over the phone.

Avoid storing confidential card information in unencrypted format on digital devices unless it is stored using a Digital Wallet or secure password management application. Security concerns include: 

Unencrypted card information on digital devices is susceptible to malware attacks. 

Sensitive information, such as PIN, Social Security number, or answers to security questions, can also be stolen by way of malware and remote access applications downloaded to a digital device. 

Choose reputable and secure applications to store passwords and other sensitive data on digital devices. Avoid installing applications from alternative online “stores” that are not reviewed for security prior to being published.