Side note: if unexpectedly getting a new card, call the support number on your old card. A friend of mine almost got taken about 15 years ago by a scam where someone got his address and bank name, then sent him a fake credit card from that bank with a letter saying something like fraud had been detected and they were sending him a replacement card. When he called the number on the new card's activation sticker, something seemed off and he balked when they asked for his SSN. He called the support number from his old credit card and confirmed that he had in fact not been sent a new credit card by them!
Hopefully we can at some point stop treating a SSN as a universal password that can never be changed. At least mother's maiden name stopped being a universal security question.
somebody physically manufactured a fake, new card and mailing envelope that was close enough to pass scrutiny and in person physical inspection, and send it to him by US postal, for the purpose of getting the person to call the 1-800 number on the sticker and give the scammers his SSN and other details?
He was the CTO of a reasonably large hedge fund at the time, so it's reasonable to think he was the target of a spear fishing attack. If you don't need the magnetic strip to actually be magnetic, I don't think making a fake credit card is much different from making a fake ID.
Though, I suppose it's possible he was telling me a tall tale, he's generally trustworthy.
The two additional explanations would be that he was confused about what was going on, or that there was genuinely a mixup at his bank. If he was confused about what was going on, it would seem that he would have needed to have gotten a card that he didn't remember applying for, and being confused about which bank issued it. The spear fishing and mixup at his bank both sound like million-to-one odds to me.
So now, re-evaluating things based on what I've learned about banks in the past 15 years, maybe his bank grew organically by acquiring several other banks, and has incomplete consolidation internally. Maybe he requested a card from one subsidiary of the bank, forgot about it, and called another subsidiary of the bank (the one that gave him his first card), which had no idea what was going on. The internal structures of large banks are much more disjoint than I realized 15 years ago.
Hopefully we can at some point stop treating a SSN as a universal password that can never be changed. At least mother's maiden name stopped being a universal security question.