So the scenario is the potential victim got a purported call from their bank saying that they had detected a fraudulent charge in Miami and wanted to verify that it was them. They ask them to verify their bank account number. The victim of course says that it was not an authorized charge.
The scammer then said that they were going to send them a verification code to their phone that they needed to read back to proceed to review other suspicious transactions on their account. The victim then gets a legit text from their bank with a verification code that they read back, to which the scammer verifies it is the ‘correct code’.
They then begin reading off various legitimate transactions which the victim confirms are legit transactions (thus further verifying that it is a legitimate call from the bank).
The scammer then says, “It appears that your account has been compromised and so we will need to shut down your credit card, can you confirm your PIN number to your card.”
Luckily in this case the victim recognized this was not right and refused to give it to the caller. Hung up and called the bank’s fraud department to discover what happened.
So what the scammer was doing was going on the bank’s site, getting the account number, doing a legit request to change the password to the account which triggered a text verification code - which the unwitting victim gives back because they see it coming from a legitimate source. Once into the account they can read back legit transactions, thus seeming more legitimate. Finally they ask for the PIN, with which they can then start fraudulently using the person’s account.
Pretty slick, but a heads up as always - the bank will not ask you for your PIN and certainly would be able to disable an account without it. Fortunately this guy was smart, I can’t say for sure after all of that apparent verification I wouldn’t have fallen for it.