Good Carder
From carder to carders. Technically, hacking payment gateways is becoming increasingly sophisticated: 3DS 3.0, AI anti-fraud, biometrics. But the human factor remains the weakest link. Why crack encryption when you can call the victim and convince them to reveal their CVV and OTP codes? Social engineering isn't the "art of deception," but an industry with well-oiled scripts, psychological techniques, and multi-billion-dollar revenues.
In this article, I'll examine real-life conversations between fraudsters and victims, pressure techniques, creating urgency, and using leaked databases for personalization.
Part 1. Vishing: Why a Trusted Voice Works Better Than SMS
Vishing (voice phishing) is a type of telephone fraud aimed at obtaining confidential information to access the victim's money. Fraudsters pose as employees of banks, security services, technical support, or even law enforcement agencies.
Why is vishing more effective than phishing? When speaking over the phone, the victim has less time to think. The scammer uses a compelling voice and intonation, creating the illusion of authority. A person hearing the live voice of a "bank employee" is more likely to succumb to emotion than when reading a suspicious email.
The vishing process involves several stages:
- Preparation. Fraudsters collect information about the victim from social media and public databases.
- Contact. They call using spoofing technology to make the bank's official number appear on caller ID.
- Manipulation. They create a sense of urgency or fear by claiming that the account is about to be blocked or that an unauthorized debit is already taking place.
- Receiving data. They request CVV, OTP code, logins, and passwords.
- Theft of funds.
Part 2. 2026 Statistics: Increased Attacks and Billions in Losses
The social engineering industry is growing exponentially. In the first quarter of 2026, the number of social engineering attacks by fraudsters increased by 37.5% compared to the previous period, reaching 19,200 incidents. The amount of funds stolen from bank accounts during the reporting period amounted to $100,340,738.
The number of blocked suspicious calls exceeded 107 million in the first quarter of 2026, an 18% increase compared to the same period in 2025. Experts attribute the increase in attacks to fraudsters shifting from cold calling to targeted, personalized attacks (called vishing).
According to international studies, the volume of vishing increased by more than 440% between 2024 and 2025. IT departments and help desks are the primary target in 42% of attacks, while finance departments are the primary target in more than 30% of successful hacks.
Part 3. Real-World Scripts and Dialogues: How Fraudsters Steal CVVs
3.1. The classic "Your money is at risk" scheme
The most common scenario: the victim receives a call from someone claiming to be from the bank's security service, reporting a suspicious withdrawal attempt.
The scammer's script:
— Hello, this is the bank's security service. You are being called about card number ****. We've detected a suspicious attempt to withdraw $250 from an unknown online store. Was that you?
— No.
— Then your information has been compromised. We need to cancel the transaction immediately. Please provide the CVV code from the back of your card and the code from the SMS you'll receive shortly for identification purposes.
After receiving the CVV and OTP, the fraudster immediately carries out the transaction.
3.2. Escalation technique through "switching to the boss"
If the victim is unsure, a "senior employee" with a more authoritative voice calls.
Dialogue:
- You are currently speaking with the head of security. The situation is critical; we are already recording a second login attempt. You must provide the code, otherwise your account will be frozen for 30 days for verification. Your funds will be frozen.
The illusion of escalation is created, and the victim loses the opportunity to double-check the information.
3.3. Multi-channel attacks (Teams + call + email)
In 2026, scammers switched to multi-channel attacks:
- The setup. A finance employee receives a Teams message purportedly from the CEO: "We need to make a payment urgently. I'll call you back in 5 minutes, get ready." The scammer uses the name of a real project found on LinkedIn.
- Call. Five minutes later, a spoofed number calls, sounding like the manager's, asking for payment of the supplier's invoice.
- Email. You'll receive an email confirming your payment details and a PDF invoice.
The entire chain takes less than 15 minutes. At each stage, the attack becomes more convincing because it references the previous contact.
3.4. Scheme with a fake OTP request via an API vulnerability
Some payment systems don't block the transaction if the CVV is incorrect, but instead proceed to OTP verification. Fraudsters first test the vulnerability by sending a request with a deliberately incorrect CVV, and then, when the system initiates OTP, they call the victim and trick them into providing the code.
3.5. Phishing via messengers and fake lotteries
Script via Telegram or WhatsApp:
— "Congratulations! You've won an iPhone 17 Pro in the lottery. To claim your prize, you need to confirm your identity. Enter your card details for verification (number, expiration date, CVV)."
The victim enters the data thinking that they will receive a free phone.
Part 4. OSINT and Personalization: Why the Victim Believes
Scammers collect information about the victim long before the call. Sources: social media (photos, geolocations, places of work), leaked databases (passport information, phone numbers, addresses), combo lists (email and passwords).
How personalization is used:
- "We see that on May 15th you paid for a purchase at [store from transaction history]. They are now trying to charge a large amount from this card." The victim, hearing the real transaction, lets down their guard.
- "Ivan Petrovich, was your passport series 1234 stolen?" they ask, citing some of the actual passport data from the leak.
- "Your son was in an accident in a [brand from social media] car" - they use data from public profiles.
The more specific the details, the higher the trust. Without personalization, an attack has a low success rate. With personalization, the fraudster's chances reach 30–40%.
Part 5. Pressure and Manipulation Techniques
Authority. "I'm a bank security officer." "This is the fraud department."
Urgency. "Your account will be frozen in 30 minutes."
Fear. "Someone is trying to steal your savings."
Reciprocity. "We'll help you save your money, but you need to act quickly."
Flattery. "You're a smart customer, that's why we called you personally."
Emphasizing "don't hang up until the call is over" is one of the most effective techniques for isolating the victim from external scrutiny.
Summary
Social engineering in carding isn't about hacking, but about manipulation. A bank employee with an authoritative voice, urgency, and the threat of account blocking are classic techniques that break human defenses.
In 2026, the number of social engineering attacks increased by 37.5%, with the theft exceeding $100,338,154. Fraudsters have shifted from mass phone calls to targeted, personalized attacks using leaked data. The 440% increase in vishing in two years isn't statistics, but a reflection of a new reality.
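An added example, not part of the original post: the authorization ordering described in section 3.4, where an OTP is issued even though the CVV is wrong, next to a hardened ordering that declines before any OTP is sent and locks the card after repeated mismatches. The `Gateway` and `Card` classes, the card token, and the threshold of 3 are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

MAX_CVV_FAILURES = 3  # assumed lockout policy, not a value from the article

@dataclass
class Card:
    cvv: str
    failures: int = 0
    locked: bool = False

@dataclass
class Gateway:
    cards: dict                                    # card token -> Card
    otp_sent: list = field(default_factory=list)   # every OTP SMS issued
    alerts: list = field(default_factory=list)     # events for fraud monitoring

    def authorize_weak(self, token: str, cvv: str) -> str:
        """Ordering from section 3.4: the CVV result never stops the OTP."""
        card = self.cards[token]
        hmac.compare_digest(card.cvv, cvv)         # result ignored: the flaw
        self.otp_sent.append(token)
        return "OTP_REQUIRED"

    def authorize_hardened(self, token: str, cvv: str) -> str:
        """Decline on CVV mismatch before any OTP is generated or sent."""
        card = self.cards[token]
        if card.locked:
            return "DECLINED_LOCKED"
        if not hmac.compare_digest(card.cvv, cvv):
            card.failures += 1
            self.alerts.append((token, "cvv_mismatch", card.failures))
            if card.failures >= MAX_CVV_FAILURES:
                card.locked = True                 # cleared only by out-of-band review
            return "DECLINED"
        card.failures = 0
        self.otp_sent.append(token)
        return "OTP_REQUIRED"

def demo() -> dict:
    # Constructed card token and CVV, for illustration only.
    weak = Gateway({"tok_1": Card(cvv="123")})
    hard = Gateway({"tok_1": Card(cvv="123")})
    results = {"weak": weak.authorize_weak("tok_1", "000"),
               "hard": [hard.authorize_hardened("tok_1", "000") for _ in range(3)]}
    results["after_lock"] = hard.authorize_hardened("tok_1", "123")
    results["otp_counts"] = (len(weak.otp_sent), len(hard.otp_sent))
    return results

if __name__ == "__main__":
    print(demo())
```

With the hardened ordering the cardholder never receives an unrequested SMS code for a failed attempt, and each mismatch leaves an alert that monitoring can correlate with later contact reports from the customer.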