The article below was written by Coby Montoya, Director, Risk Strategy at Deep Labs. Coby does an amazing job detailing his personal experience with a scam and articulating the complexities at play. He is bright, knowledgeable and very experienced in fraud prevention. The fact that he chose to share this only reinforces that, because Coby understands the layered challenges in today's scam landscape, and because he understands that in his role he can really make an impact when he shares a story like this. Thank you Coby!
Today I experienced the most sophisticated/targeted fraud scam I’ve ever encountered personally. It all started with an email followed by a text message I believed to be from Capital One, shown below.
At this point I believed this email was a legitimate email from Capital One, sent when a fraudster attempted to enroll my card in Samsung Pay. Immediately after seeing this email I also noticed I had two missed calls from Capital One, from the same number printed on the back of my card. I initiated a call back, and while the call was connecting I received the text message below. It included the accurate last 4 of my CC.
Naively assuming this text was legitimate, and thinking I’d much rather have someone familiar with the issue call me than sit on hold and have to explain the issue, I took an incoming call, again from the Capital One toll-free number printed on the back of my card. Below is a screen capture of the call log. Android groups calls together rather than showing distinct log entries, so you will also see my later interactions displayed.
When I answered, the caller identified himself as a Capital One employee in the fraud department and asked me if I had made a purchase for $953.89 at a Walmart in Modesto, California using Samsung Pay. Of course I said I did not and told him I don’t have or use Samsung Pay. He said he’d cancel my account and send a new card to me. Before sending a new card out he had to send me a one-time passcode (here is where I failed, and yes I feel ashamed) to my phone and I needed to read it back. I received the OTP and read it over the phone. Once I read it back to him he told me my card would be on its way and I’d receive it in 4 to 6 business days. I asked him if I could receive it sooner. He told me he could, but there was a $16 fee to expedite it. I mentioned to him I use this card frequently and asked if he could waive the fee to expedite. He agreed and said I’d receive it via FedEx in 2 days. I thanked him and thought the whole ordeal was over.
Later that evening, as I am binge watching the Wu-Tang: An American Saga series on Hulu from the comfort of my living room, I received a charge notification for $153 from Walmart on that same Capital One card. Confused why Capital One would approve a charge on a canceled card, I called them. I spend 10 minutes explaining the whole situation from the morning and the representative says she can’t see a declined charge in her system or a log of an interaction from earlier, but she does see the $153 from a Walmart in Miami. I’ve spent a good deal of time working in call centers and understand it is common for different tiers/levels of agents to not have access to certain screens that may be sensitive. I also know of certain companies that have been slow to integrate digital wallet payment data into their standard CRM apps/screens. Thinking the agent just could not see what I was referring to, I escalated the call to her supervisor and then to a lead agent on the fraud team.
I spend another 20 or 30 minutes explaining the texts and emails. I read out loud the text message verbiage and she tells me it sounds authentic. I tell her about the $16 expediting fee and she confirms this is the correct amount and sounds surprised. But she tells me there is no record of a new card being sent to me. I go back and describe the email about my card being enrolled in Samsung Pay. She says the same thing the agent told me, she could not see any record of my interactions or that my account was enrolled in Samsung Pay.
Realizing I probably fell for a scam, I read her the email address the Samsung Pay email came from and asked her if this is the same email that it would normally come from. Essentially I wanted to know the extent of the scam. If the outgoing call to me was spoofed, was the Samsung email also spoofed/fake? Unfortunately she was not sure what the email would look like. She looked through her own personal emails and told me when she had enrolled in Samsung Pay, the email came from Samsung, and not Capital One. So she said it was probably fake too.
I was even more confused. The email looked pretty legit, but I then assumed this was spoofed too. The fraud agent changed my account number; this time I could see the account change in the portal in front of me and knew it happened. We ended the call, and shortly after the call ended I received a new email from Capital One saying my account (with the new number) had been unenrolled from Samsung Pay.
Now that I had received this email from Capital One with the last 4 of my brand new account number, I knew the original Samsung Pay email was indeed legitimate, and that canceling my old account had triggered an auto-unenrollment of my account. Confusingly, Cap One lists my new account number despite it being my old account that was enrolled. Now that I knew it was just the outgoing call that was spoofed, and not the email, I pieced together what happened. Next I will outline the red flags I missed, as well as the opportunities Cap One has to improve their processes.
The fraudster has access to my name, my 16-digit Capital One account number, and my phone number.
- 11:11am Fraudster enrolls my account into Samsung Pay. Capital One triggers a welcome email to me even though my enrollment has not been completed.
- 11:12am Fraudster calls me and I don’t pick up.
- 11:13am Fraudster calls me again and I do not pick up. *This is red flag #1 that I missed. I should have expected a voicemail to be left and not an additional call.*
- 11:14am Fraudster sends me an SMS asking me to confirm the charge. I respond No and fraudster responds they will call me shortly.
- 11:17am Fraudster calls me and we have the interaction I described above. When he asked me to read back the OTP, this was actually the OTP to complete the Samsung Pay enrollment. *This is red flag #2 I missed. I know better than to read back OTPs over the phone. Unfortunately some banks actually practice this, but I should have refused anyway. Adding to the confusion, based on Cap One’s email welcoming me, I assumed incorrectly I was ALREADY enrolled.*
- 7:10pm Fraudster makes a purchase at a Walmart in Miami using Samsung Pay and I receive the charge notification.
In summary I missed clear red flags. Why did I miss these? Excuses excuses. But when I think back I have a few.
- It was in the middle of the day while I was working, my mind was distracted and I was multi-tasking.
- The Welcome email from Cap One looked legit and I now know it was. Having someone contact me that had knowledge of something that just happened with my account essentially gave me false comfort to let my guard down.
- The incoming call to me was spoofed and was Capital One’s phone number. I should have instead called Cap One, versus assuming the call to me was valid. I am familiar with Caller ID spoofing and I know better.
- I literally experienced fraud on a different account just last month and received a text alerting me of it. This desensitized me and I naively assumed this was more of the same in what I just experienced last month.
- In this case the text about the fake fraudulent charge came from a phone number that did not look like a system-generated SMS sender. I overlooked this.
I take the blame for missing the red flags. But I also think there are some opportunities for Capital One.
Opportunity #1: Don’t send a welcome email to card members until the enrollment is complete. This was misleading to me and gave me the impression my card was completely enrolled and out in the wild ready to be used. That of course gave me a sense of urgency to resolve it ASAP, when the reality was my card was not yet fully provisioned.
Opportunity #2: The agents I spoke to told me that they had no record of my interactions that morning. They assured me that if someone looked at my account they would see the audit trail. This made sense to me. But they also did not see any records of my account being enrolled in Samsung Pay. When I began asking detailed questions about Samsung Pay, I was told not many people use it and they were not sure. Agents fielding inquiries about fraud and digital wallet provisioning need access to copies of the emails that are sent out regarding them. They also need access to see digital wallet provisioning activity.
Opportunity #3: This one is more minor but when my account was auto un-enrolled, it included my new account number versus the old account number that was actually enrolled. I’m sure there is a process in the background that just grabs the active account number and places it into the auto-generated email. But given the complexity of this fraud incident, it makes things more confusing.
Opportunity #4: Capital One does mobile device identification. I know this because I used to work for the company that provided it to them. I also know that when I upgraded to Android 10, they alerted me that they detected a new device login and asked if it was me. They should compare the device on file with the device enrolling in a digital wallet. If it is a new/unrecognized device, they should elevate their step-up authentication beyond OTP.
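As an added illustration of Opportunities #1 and #4 (example code written for this article, not Capital One’s system; the device identifiers, the status names and the in-app approval challenge are assumptions), the sketch below delays the welcome notification until provisioning is actually complete and refuses to let an SMS OTP finish an enrollment that started from an unrecognized device. The `scenario` function replays the morning’s timeline against these controls with constructed data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Enrollment states. The welcome notification is only emitted on ACTIVE, never
# while a provisioning attempt is merely PENDING an OTP (Opportunity #1).
NOT_ENROLLED, PENDING, ACTIVE = "NOT_ENROLLED", "PENDING", "ACTIVE"

@dataclass
class Account:
    last4: str
    known_device_ids: set[str]          # devices the issuer has already identified
    wallet_status: str = NOT_ENROLLED
    notifications: list[str] = field(default_factory=list)

def required_step_up(account: Account, device_id: str) -> str:
    """Opportunity #4: compare the enrolling device with the devices on file.
    A recognized device may use an SMS OTP; an unrecognized one must pass a
    stronger challenge (assumed here: an in-app approval on a device on file,
    which an OTP read back over the phone cannot satisfy)."""
    if device_id in account.known_device_ids:
        return "SMS_OTP"
    return "IN_APP_APPROVAL"

def start_wallet_enrollment(account: Account, device_id: str) -> str:
    """Begin provisioning and return the challenge the wallet must complete.
    No email is sent here: the card is not yet in the wallet."""
    account.wallet_status = PENDING
    return required_step_up(account, device_id)

def complete_wallet_enrollment(account: Account, device_id: str,
                               challenge_passed: str) -> bool:
    """Finish provisioning only if the challenge passed is the one this
    device actually required. Returns True on success."""
    if account.wallet_status != PENDING:
        return False
    if challenge_passed != required_step_up(account, device_id):
        account.wallet_status = NOT_ENROLLED   # OTP alone from an unknown device
        return False
    account.wallet_status = ACTIVE
    account.notifications.append(
        f"Your card ending in {account.last4} is now enrolled in Samsung Pay")
    return True

def scenario(attacker_device: str = "unknown-phone") -> Account:
    """Constructed replay of the article's timeline against these controls."""
    acct = Account(last4="1234", known_device_ids={"victim-android"})
    start_wallet_enrollment(acct, attacker_device)               # 11:11am
    complete_wallet_enrollment(acct, attacker_device, "SMS_OTP")  # 11:17am read-back
    return acct
```

With these rules the 11:11am attempt never produces a welcome email, and the OTP read back at 11:17am does not complete the enrollment because the enrolling device was not the one on file.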
And sadly, this was how a “fraud expert” got defrauded today.