Confusion over the switchover to new "chip" credit and debit cards and delays in getting those cards into the hands of consumers are creating a golden opportunity for identity thieves, experts say.
When CreditCards.com surveyed the marketplace at the end of September, it found that 60 percent of U.S. credit cardholders still hadn't received a new EMV chip-enabled credit card. Oct. 1 was the "deadline" for merchants to be equipped to accept the new cards - or face liability for fraud committed with an older card - but some card issuers have been lagging in mailing them to customers.
With all the news coverage about the switch to these more secure cards, millions of Americans are watching their mail and wondering when their new cards will arrive.
"This creates a golden opportunity for identity thieves to attack and steal people's personal information," said Adam Levin, chairman of IdentityTheft 911 and author of the new book "Swiped." "Scammers thrive when there's confusion and anxiety because that's when people are most vulnerable."
In a recent blog post, Colleen Tressler, consumer education specialist at the Federal Trade Commission, warned about the problem.
"Scammers are emailing people, posing as their card issuer," she wrote. "The scammers claim that in order to issue a new chip card, you need to update your account by confirming some personal information or clicking on a link to continue the process."
Steve Weisman, a Massachusetts lawyer who runs the website Scamicide.com, cautions that we should never trust an email that asks us to click on a link and provide sensitive information.
"Do that and you're toast," Weisman said. "Your personal information will be taken and quickly used to commit fraud."
Another security risk: Click on the link in one of these bogus emails and that could install malware onto your device. This malicious software can monitor your online activity and steal your passwords, logins and account numbers.
Fraud experts tell NBC News they also expect scammers to use the phone for "vishing" (voice phishing) and "smishing" (phishing via text message) attacks.
Caution: Don't assume that a communication is legitimate just because it contains all or part of your credit card number — or even the correct expiration date. Crooks can buy this information on the black market.
"They use this legitimate credit card information to make their call or text or email seem very real," cautioned IDT911's Levin. "What they want to do is get you to authenticate yourself by giving them your PIN to the account or the security code on the back of your card, so they can use it for online shopping."
Simple steps to protect yourself:
Don't respond to an email, text or phone call that appears to be from your bank or credit card company that asks you to provide or confirm personal information.
As Tressler noted in her FTC blog: "There's no reason your card issuer needs to contact you by email — or by phone, for that matter — to confirm personal information before sending you a new chip card."
Not sure if that communication is legit? Then contact your bank or credit card company at the number that's listed on the back of your card.
"If you already fell for the scam and provided this personal information, you need to get in touch with your card company right away," advised John Breyault, who runs the National Consumers League's Fraud.org website. "Let them know what happened and take the steps necessary to protect yourself against identity theft."