@Edent so Scam-2 is on the phone with the bank and gets the bank to send the notification before Scam-1 or 2 have any of your card details. how the hell did S2 convince the bank to do that? sure, the notification came in legit, but what convinced the bank S2 was you at that stage to send the notification? did the bank just test a phone number? it sounds... improbable.
after that it's all sorts of dumb. 12 digits... nah. CVV and 12 digits... you kidding?
i still can't get to why the notification was sent. okay, a phone number not hard, people have those everywhere. but a bank would never simply use that as authentication. first pet name, anyone?
honestly the whole thing sounds like BS, or the guy in question was d-u-m-b dumb. perhaps both. why did the bank send the original notification? was this guy's whole life available online? xfer money instead of lock the account? sounds like he was scammed and has made up a "they were so good" story to save face.
@Edent oh, and the multiple transfers would have flagged both AML and Fraud systems and locked the account down automatically. this can happen with one really odd transaction, let alone a stream of them. even SWIFT would flag up "ya think???".