From the Bruce Schneier's Crypto-Gram newsletter:
(http://www.schneier.com/crypto-gram-04
This one is clever.
You receive a telephone call from someone purporting to be from your credit
card company. They claim to be from something like the security and
fraud department, and question you about a fake purchase for some
amount close to $500.
When you say that the purchase wasn't
yours, they tell you that they're tracking the fraudsters and that you
will receive a credit. They tell you that the fraudsters are making
fake purchases on cards for amounts just under $500, and that they're
on the case.
They know your account number. They know your name
and address. They continue to spin the story, and eventually get you to
reveal the three extra numbers on the back of your card.
That's all they need. They thenstart charging your card for amounts just
under $500. When you get your bill, you're unlikely to call the credit
card company because you already know that they're on the case and that
you'll receive a credit.
It's a really clever social engineering
attack. They have to hit a lot of cards fast and then disappear,
because otherwise they can be tracked, but I bet they've made a lot of
money so far.