One of our customers received a call from someone who claimed to be from the bank.

The caller had the correct last four digits of our customer's debit card wanted sign our customer up for special promos-

The caller wanted to debit $1 from our customer's account, who would then receive $40 in gas coupons.

Going forward, $19.95 would be taken out monthly to give them more promo opportunities.

Caller needed to 'verify' the rest of the debit card number.

Our customer refused to 'sign up' and called us. They had caller ID and I called the phone#--Not local-from Florida.

I heard a recording from a company, was told to hold for the next representative. No one ever came on the line. Just more recordings about repecting their customer's privacy!!!!

Does a SAR need to be filed?

Considering that you don't have an identifiable suspect, you're well below the mandatory reporting threshold of $25,000.00.

Your most praqctical approach in this case is to replace the customer's debit card and close the file.

Filing a SAR may be debatable, but if you don't file one, that's not to say you should just drop the issue either. By now, you've probably done some research to determine how the perpetrator may have obtained the last 4 digits of your customer's debit card. If not, I suggest doing this to see if there is some potential for improvement to your information security.

Next, if the perp is actually operating out of Florida, I would think the Florida Attorney General would like to know about it. A complaint could also be made to the FTC, but I know that will get a few chuckles, so I'll also suggest that the FBI could be contacted, too, since it appears the perp is using the phone lines and crossing state lines to commit the fraud.

To do nothing will allow the fraud to continue. AR.

I would aslo warn and inform your customers with a lobby securty alert and on your website that this scam is cuirculating in the area- alert the press- I find that the local papers and media love to broadcast this type of consumer alert and lastly I notify my local senior center as they are the most vunerable when it comes to savvy callers who weasel their account information out of them by being "so nice." I have found that by doing these things has saved me and the bank a lot of error resolution time for unathorized transactions and our customers love that we are so "up" on issues that affect there financial security and well being. We have an area of our website dedicated to personal information security and the latest scams are posted as we hear about them.

I agree with AnonRegulator and murphysgirl. I would most definitely pass along all the info you have (the exact nature of the phone call your customer received, exact words used, and the phone number from your customer's caller ID) to the FBI, the FTC, and the Attorney General's office of the state the call originated from and the AG's office of the state in which your customer lives. I'd also warn your bank's customers in some manner with which management is comfortable.

I would make an immediate phone call to your core software provider and discuss this situation with them - brainstorm how this may/could have happened - and how you can lock down security a bit tighter.

Aggregate losses to U.S. businesses and consumers from this sort of fraud (which directly violates the Gramm-Leach-Bliley Act) are expected to near 2.8 Billion dollars for 2006.

Just replacing the debit card and closing the file on it doesn't do a thing to prevent this from happening in future. Sure, the authorities MIGHT choose not to investigate it, but they will definitely not investigate if nobody reports this stuff to them!

As to the SAR, I am not knowledgeable enough on that process and those regulations to give any advice.