I was informed that there had been a charge for £2900 on a travel booking site.

As this conversation with my bank’s counter-fraud team was happening, I logged into my bank account and could see the fraudulent charge.

“Was this you?”

No, it definitely wasn’t me. Phew, well done for catching it.

“Also, sir, there is another transaction occurring right now that seems odd - for £5900 at Marbella Boat Hire. Is this you?”

Nope, that wasn’t me either.

At this point, my pulse was obviously raised and I was worried what else was going on.

“Ok, sir, we are going to send you a verification code, which we need you to read back to cancel the transaction”.

Ok, bit odd, but yeah, let’s go and get these cancelled.

Then a text/SMS message arrives with a six digit code. I put the call on speaker so I can read it out.

And I notice something odd…

The full text of the message says: “Do not share this message with anyone. To approve the purchase from Marbella Boat Hire for £5900, use code 638267”.

Hold on, I say, this says “to approve the purchase”!

“Ah, right, sir, we’ve had a few problems with our messaging system, so I’m not 100% sure what the message actually says. We just need the code so we can get the purchase blocked. You can ignore the start of the message”.

My spider-sense is tingling, so I challenge…

I can’t share this code, I say.

“No, sir, that’s very smart. I’m so sorry about our messaging system being odd. Let me send you a notification inside your banking app instead”.

The notification arrives and I open my banking app, thinking a hitherto unseen red warning label is about to show me a button that cancels a transaction inside the app.

But again it just says “to approve this transaction”.

Now I’m starting to worry …

So finally I say, look, I need to call my bank directly. This all seems a bit odd.

And then, naturally (in retrospect), the guy hangs up.

I call my bank. They verify that it wasn’t them.

So, very cleverly, the fraudster has used their first fraudulent transaction to socially verify that they knew something only a bank could know - about transactions on my card.

They used that transaction - that they themselves had done - to get me to read a 3D secure code to approve the next transaction that they also wanted to do.

They were able to to do this because the first transaction had happened on a site that didn’t use 3D secure. I’m surprised this is still possible.

In the end, my bank refunded the first transaction. So I haven’t lost anything.

But it shows the clever tricks fraudsters will try to pull and how easy it is to be fooled by the “boiler room” trick. “IT’S HAPPENING RIGHT NOW - DO SOMETHING QUICK!”

End 🧵