So, called them and confirmed the messages were legit, unlike that charge.
And as an aside, this is far from the first time I've had a card compromised while never using it at a physical vendor, and only a handful of large online ones. Once I actually started getting fraud transactions on a card I had never used. I'm guessing access to credit card info is far too broadly available within the bank.
The first four are not secrets. The first two digits identify the card issuer, and the next two are the card type. That's how those credit card numbers can show you your card issuer's logo after you type the first two characters.
I got an email from BMO the other day that I had changed my password. I immediately tried to log in (with my current password) and it worked fine. Never got any other communication from them about it, or even a fraud alert after I supposedly "changed" the password.
I moved to Schwab a while ago, so I'm not sure what I would've done to change the password. Schwab is much better, by the way. BMO is a joke. I never thought I would say this, but I miss Bank of the West.
"FreeMsg: BMO Fraud Ctr: 18774352371 Case 19684358 Did you attempt $4.00 at NYTIMES with card x1234? Reply YES or NO"
The 1234 did match the last 4 digits of my card - not the first four, a common trick - but the rest of the message is, as Troy says, Dodgy AF.
They then followed up with a similar email, prompting me to click on a link that began like this: https://ecs01-us.ficoccs-prod.net/2088/en-US/tran_Not_Author...
That's certainly not a BMO domain. Wtf, bank?
So, called them and confirmed the messages were legit, unlike that charge.
And as an aside, this is far from the first time I've had a card compromised while never using it at a physical vendor, and only a handful of large online ones. Once I actually started getting fraud transactions on a card I had never used. I'm guessing access to credit card info is far too broadly available within the bank.