2019-09-25

Scams: Two Close Calls

Over on Twitter, Eric Mill tweeted:

My stories are a bit too long for Twitter, but let's unpack two scams that were pretty well done which I fell for -- at least partially -- recently. We'll also highlight some early telltale signs that something was wrong, which I embarrassingly either missed or shrugged off at first, so that perhaps you'll be able to spot these scams better.


Feel free to share your own "scammed" stories in the aforementioned Twitter thread, or here in the comments.

My bank's doppelganger phone number

My debit card had been getting flaky in chip readers recently. In fact, the plastic around the embedded chip contacts was breaking. It was time for a new card. I turned the card over to find the customer service number, which was a bit difficult to read because it was inexplicably printed directly under the embossed credit card number. The conversation went like this:

Agent: Thank you for calling [my bank's name] Card Services, this is [name]. Who am I speaking with today?
Me: ... my real name ...
Agent: Good morning, [name]! How can we help you today?
Me: My card's pretty worn out and isn't working consistently. I need a replacement, please.
Agent: We can get your new card sent out right away! What's your card number?
Me: ... reads the card number ...
Agent: And the expiration date?
Me: ... reads the expiration date after a short pause ...
Agent: And for security purposes, the 3-digit CVV code.

I suspected something was fishy when the agent requested my expiration date, but a few things were going on in my head. *I* called them, not the other way around. Also, the agent was professional and friendly, and even answered the phone with my bank's name. But when I got asked for the CVV code, that's when I knew something was completely wrong. I took a very close look at the back of my card, and compared it to the phone number I was calling. One of the hardest-to-read digits of the phone number on the back of my card was an 8, instead of the 0 that I dialed. 

Having disclosed my first and last name, Primary Account Number and expiration date, I called my bank's real number and had my card disabled and ordered a replacement. My real bank didn't even need my whole card number to look my account up when I contacted them. That was the first red flag, and I had completely missed it.
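The first story turned on a single misread digit: an 8 on the card was dialed as a 0. The following Python helper is an added example, not code from the original post. It compares the number actually dialed against the legitimate number and reports whether the difference is exactly one substitution between visually confusable digits, and it enumerates all such one-digit neighbours of a legitimate number. A bank could use the latter to decide which look-alike numbers to register or monitor defensively; a dialer or contacts app could use the former to warn before connecting. The set of confusable digit pairs and the sample numbers are assumptions constructed for this example (the 555-01xx range is reserved for fiction), not data from the post.

```python
"""Near-miss phone number check (added example, not from the original post)."""
import re

# Assumed set of digit pairs that are easy to misread on a worn or cramped
# card face. Each frozenset is symmetric: {0, 8} covers 0->8 and 8->0.
CONFUSABLE_DIGITS = {
    frozenset("08"), frozenset("38"), frozenset("17"), frozenset("69"),
}


def normalize(number: str) -> str:
    """Strip punctuation and a leading US country code so that
    '(800) 555-0100' and '1-800-555-0100' compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits


def near_miss(legit: str, dialed: str) -> dict:
    """Report how `dialed` differs from `legit`.

    verdict 'exact'      - same number after normalisation
    verdict 'confusable' - exactly one digit differs and that pair is confusable
    verdict 'other'      - different length, or more than one digit differs,
                           or a single non-confusable substitution
    `positions` lists the differing digit indexes (empty for exact/length mismatch).
    """
    a, b = normalize(legit), normalize(dialed)
    if a == b:
        return {"verdict": "exact", "positions": []}
    if len(a) != len(b):
        return {"verdict": "other", "positions": []}
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(diffs) == 1 and frozenset(a[diffs[0]] + b[diffs[0]]) in CONFUSABLE_DIGITS:
        return {"verdict": "confusable", "positions": diffs}
    return {"verdict": "other", "positions": diffs}


def confusable_variants(legit: str) -> list:
    """Enumerate every number one confusable-digit substitution away from
    `legit`: the candidates an institution might register or monitor."""
    digits = normalize(legit)
    out = set()
    for i, d in enumerate(digits):
        for pair in CONFUSABLE_DIGITS:
            if d in pair:
                (other,) = pair - {d}
                out.add(digits[:i] + other + digits[i + 1:])
    return sorted(out)


if __name__ == "__main__":
    # Constructed sample: the legitimate card-services line and the number
    # a caller would reach by misreading the 0 in the last group as an 8.
    LEGIT = "1-800-555-0100"
    print(near_miss(LEGIT, "(800) 555-8100"))
    print(confusable_variants(LEGIT))
```

The check deliberately treats a different-length or multi-digit difference as "other": those are wrong numbers, not look-alikes, and the point of the warning is the single confusable substitution that a worn card or a cramped print layout produces.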

The mobile phone carrier "Fraud Department"

I got a call unusually early on a Saturday morning from my mobile carrier's customer service number (it was in my contacts and it was the right number). The person on the line was from the fraud department, and explained that they'd seen unusual activity on my account. Someone had changed the address on my account and then mail-ordered a new iPhone X for a little over $1000. She explained that any time an address is changed right before a purchase, their system flags the transaction for review.

This sounds quite rational to me. But who had access to my account? My wife's caregiver had recently quit and moved out, and she had a phone on our account. When she quit, we made her leave the phone behind. Perhaps she was up to no good? I was confused and furious; I felt violated. I explained that our old roommate may be behind it.

"Do you recognize this address?" the agent asks, before rattling off some random address in The Bronx. There's no way our old roommate was in The Bronx. Her family is all in Texas and Oklahoma. I thought it was very strange that a fraud department representative would disclose this information to me. That was the first red flag. I chose to ignore it.

"Sir, we'll take care of this," she explains. "We never processed the transaction, because it was flagged for review. Let's get your account secured! I just sent you a one-time code to verify you're in possession of the phone tied to your account. Can you read it to me?" There's red flag #2. I was still far too flummoxed to see it.

I get an SMS message from my wireless carrier. In a rush, I don't even read the whole message. I rattle off the 8-digit number. But then something catches my eye as I bring the phone back up to my head. Right at the beginning of the text message, there's a big disclaimer along the lines of "For the security of your account, we will never contact you for this code."

Now the plot thickens, but I'm a bit sharpened up. I begin to suspect this is an elaborate ruse, and it worked pretty well.

"I am not comfortable with this call," I say, grabbing my laptop and trying to log in to my account. The password has already been changed, in under a minute. Even the temporary code I'd just been texted isn't working. "Is there a direct number I can call you back at?"

"I'm securing your account, sir. I assure you, I'm from the fraud department. We do this all the time. I understand you're angry. We're almost finished with the password reset," she says, quite professionally. Meanwhile, I'm issuing my own password reset through my carrier's website. I get the exact same text message this agent had "sent" me, with a different one-time code, obviously.

I tell her that something has come up and I'll have to call her back in a few minutes. I ask for her name again. "Jessica," she says.

"May I please have your direct phone number so I can call you back in a bit, Jessica?"

"Sure thing! Just call me back at the customer service number I'm calling from. I'm at extension 105."

I hang up, and finish resetting my password.

I call back while scrolling through my account to make sure nothing's been purchased or changed. I get my carrier's customer service, as expected. There is no way to dial an extension. I get a real human on the phone, and ask to be transferred to extension 105. There is no extension 105. There *IS* a fraud department, but they do not call subscribers directly. Customer service pulls up my account's history. They keep a record of every agent who's looked at my account. No one had opened my account since we added a line to the account for our recently-departed caregiver.

Attackers can easily spoof a call to make it look like it came from any phone number. Armed with only my carrier's customer service phone number, and a list of phone numbers assigned to my carrier, they can trawl through the list and perpetrate this scam over and over. Having a young woman with a southern twang make the calls, with obvious call-center background noise was icing on the cake.