52

I just got off a very obvious scam call where the scammer was offering to "lower" my interest rate. I played along to try to waste some of their time. I gave a fake expiration date and a fake last 4 digits of the card. He put me on a short hold and came back saying that was the wrong number. I went to a fake CC generator site thinking maybe there is something in the last 4 that can verify legitimacy kind of like the first four can indicate the Brand (Visa, MC, etc.). I gave him those last 4 and once again, after a brief hold, he came back saying it was the wrong number. At this point he lost his cool and started swearing, etc. and eventually hung up, but I've never heard or seen anything like this before.

Is it possible to verify that the last 4 digits of a card number are legit? In this case, it was supposed to be a Chase Visa. Could it be a checksum or something else? Might the expiration date and the last 4 need to match? Or is it more likely that he actually had my full number and was phishing for more info or something?

stormdrain
  • 11
    The first 6 digits are the bank identification number (BIN) or issuer identification number (IIN). Then the individual account number, 6 to 9 digits, finally 1 check digit generated from the previous digits by the Luhn algorithm. You need all the previous digits to verify. – Michael Harvey Jan 12 '23 at 20:37
  • 38
    Most receipts have the last 4 digits, they may have some old receipt of yours they're trying to match to. – littleadv Jan 12 '23 at 21:16
  • 1
    I wonder if Security SE would be a better place to ask this question? They might be able to comment on the particular scam involved? – MrWhite Jan 13 '23 at 18:04
  • Did you tell them it was a chase visa card? That gives them at least 4 more numbers to work with. – rtaft Jan 13 '23 at 19:20
  • "the first four can indicate the Brand (Visa, MC, etc.)." Only the first one indicates the network. And the scammer having your PAN (i.e. card number) doesn't explain his behavior: why would he assume that you're giving invalid numbers, rather than numbers for a card other than the one he had the PAN of? – Acccumulation Jan 14 '23 at 07:04
  • Does anyone know if there are four last digits that are completely invalid? I'd guess there might be no cards at all ending in 0000, for example. – gnasher729 Jan 14 '23 at 16:55
  • Playing along is playing with fire. Hang up as soon as you suspect it's a spammer. Or, never answer the call in the first place. –  Jan 15 '23 at 19:33
  • I tend to agree with @user26460. If you must play along, however, a good rule is to never provide information: ask questions instead, e.g. "which card?", or pretend to misunderstand their questions. With a bit of creativity you can keep that going until they lose patience; if they get angry, laugh loudly before they hang up. – Simon Crase Jan 15 '23 at 21:11
  • @rtaft I did NOT confirm that I had a Chase Visa--they came at me with that out of the gate "We can lower the interest on your Chase Visa" – stormdrain Jan 16 '23 at 14:20
  • 1
    @chux-ReinstateMonica heh, I actually had conferenced Lenny in on the third hold--that is when they started swearing and hung up. – stormdrain Jan 16 '23 at 14:22
  • @user26460 I tend to agree and wouldn't advise people play along--don't answer, or hang up as soon as you suspect a scam. You can always call the number on the back of your card if there is any question. – stormdrain Jan 16 '23 at 14:25
  • 2
    @user26460 How is that playing with fire? I like fooling such "people". – glglgl Jan 17 '23 at 12:54

4 Answers

148

He was probably trying to impersonate you on a site that legitimately knows your card number, perhaps your card issuer itself. Such a site would challenge your identity by asking for your last four digits; when you gave the wrong information, his verification attempt failed, and he knew it was bogus. He may even have triggered a lock on your account, frustrating him further.

If this scenario is correct, he doesn’t have your card number, but he has other personal information, and reviewing your security and activity on important accounts for a while may be warranted.

erickson
  • 19
    That does sound likely; good guess. – keshlam Jan 13 '23 at 14:11
  • I suspect what they are doing is calling various services spoofing your phone number on the caller ID. I can't think of any other way that the cable tv scammers know how much my bill is when I lie to them, they must call from my number to get the balance from the automated system. – rtaft Jan 13 '23 at 19:24
  • Great guess. Interesting, though, because I did not see any activity or get any notifications from Chase (I also locked my card). They typically are very good about this. I also don't use that card for ANY recurring charges...maybe that's why it wasn't working. That said, I can't think of ANY sites that reveal the full number by validating the last 4. In fact, I can't think of any that validate the last 4 for anything, either. If anything, they verify the date, or the security code. Do you know of any that do this? – stormdrain Jan 16 '23 at 14:28
32

The last digit is a check digit that uses the Luhn algorithm to help avoid data entry errors, but you need all of the previous digits to calculate the check value.

It is possible that they have a "current" list of credit card numbers that are linked to people. The numbers in their database don't include the entire credit card number, because the legitimate vendors they stole it from aren't supposed to store the entire number.

They checked your last four with their list and didn't get a match. Therefore they couldn't move on to the next phase which is to get more of your data.

Freiheit
mhoran_psprep
  • Maybe I didn't get your point correctly but any sequence of 4 digits corresponds to the final 4 digits of some credit card. There are just way more credit cards than 4 digit numbers. So unless you can combine the 4 digits with some personal information they don't provide anything useful. – quarague Jan 13 '23 at 16:02
  • @quarague The last 4 digits might be sufficiently unique for the scammer's "limited" list of card numbers. Although the fact that the OP had to be put on hold and told that it was "wrong" perhaps suggests this was not the case IMO. – MrWhite Jan 13 '23 at 18:17
  • @quarague While true, the very nature of the check digit plus the fact that only certain IINs are valid means that having the final four digits translates to far fewer card numbers to search than the theoretical 1,111,111,100,000,000 you would need to search. Combine that with some simple statistical inferences based on the location the phone number maps to you can narrow that down even further (for example, if the phone number starts with +90, it’s significantly more likely that the IIN starts with either 65 or 9792). – Austin Hemmelgarn Jan 13 '23 at 19:20
  • 8
    @quarague The crooks might have a leaked database from a vendor containing customer details (phone number) and a partial card number like 123456xxxxxx7890 (the way it's printed on all sorts of statements and receipts). The idea might be to phone the customer, ask them for the last 4 digits first to double-check, and if those are "7890", proceed to ask them for "xxxxxx" and recover the full card number. – TooTea Jan 13 '23 at 19:49
  • 7
    @quarague They obviously had OP's phone number, so the "some personal information" part was satisfied. – Acccumulation Jan 14 '23 at 07:07
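
An added example, not part of the original answers or comments: a Python sketch of the Luhn check described above, showing why the last four digits cannot be validated on their own. The 11-digit prefix comes from the widely published test number 4111111111111111, and the function names are chosen here for illustration.

```python
def luhn_sum(digits: str) -> int:
    """Luhn sum over a complete number, check digit included."""
    total = 0
    # Walk right to left; double every second digit, starting with the
    # digit immediately left of the check digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True when the full number passes the Luhn check."""
    return number.isdigit() and luhn_sum(number) % 10 == 0


def digits_accepting(last4: str, prefix11: str) -> list[str]:
    """Values of the 12th digit for which prefix11 + digit + last4 is valid."""
    return [d for d in "0123456789" if luhn_valid(prefix11 + d + last4)]


def last4_without_completion(prefix11: str) -> list[str]:
    """Every last-4 value that no 12th digit can make Luhn-valid."""
    endings = (f"{n:04d}" for n in range(10000))
    return [e for e in endings if not digits_accepting(e, prefix11)]


TEST_PREFIX11 = "41111111111"  # from the public test number, not a real account

if __name__ == "__main__":
    # Same last four, different earlier digit: one passes, one fails.
    print(luhn_valid("4111111111111111"), luhn_valid("4111111111121111"))
    # Any ending, even 0000, is compatible with exactly one value of the
    # free digit, so the ending alone proves nothing.
    print(digits_accepting("0000", TEST_PREFIX11))
    print(len(last4_without_completion(TEST_PREFIX11)))
```

As far as the Luhn check is concerned, no four-digit ending is ruled out: the check digit is a function of all preceding digits, so a caller who rejects a last four is comparing it against data held somewhere else.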
17

More likely he had nothing and was trying to get you to read out the entire number "so we can correct it."

Or, as @freiheit suggested, more likely they were trying to use this to authenticate themselves as you in a system that might give them the rest of the digits. In which case, if you weren't going to just hang up on them, giving a false response was absolutely the right thing to do.

keshlam
  • Wouldn't he just have asked for the number, then? Not out-and-out "What's your card number?" but something like "We have 4929...5678, is that right? No? What should it be?" – Andrew Leach Jan 13 '23 at 14:38
  • I don't assume a crook's script is optimized... But I agree the other suggestion, that he was trying to use this to validate a login and get the rest of the number that way, seems more likely. – keshlam Jan 13 '23 at 14:41
  • 2
    Good time to update/improve your passwords in any case, since you know you're being attacked. – keshlam Jan 13 '23 at 14:43
  • I feel like this is the most likely culprit. I can't think of ANY sites that reveal the full number by validating the last 4. In fact, I can't think of any that validate the last 4 for anything, either. If anything, they verify the date, or the security code. – stormdrain Jan 16 '23 at 14:30
  • 1
    I've seen a few sites that use last-4 as part of their password recovery process or something of that sort. It's possible one of those has a flaw that exposes the full card number, or other information that could be leveraged. The fact that the caller realized the number was wrong and got angry rather than continuing the conversation suggests they had something they were trying to feed it into... – keshlam Jan 16 '23 at 15:55
3

It is possible that the scam caller already had your full credit card number and was simply trying to confirm the last 4 digits as a way to verify their information. It is important to be cautious and not give out any personal information, including credit card numbers, to unsolicited callers. If you are unsure about the validity of a call, it is best to hang up and contact the company or organization directly using a known phone number or website.