Novel and scary phone scam

I set up email alerts on transactions in my account. I would have gotten an email as soon as the first transaction took place.
A lot of scammers change the e-mail address and phone in your profile as soon as they hack your account. This happened to me. And a lot of online accounts don't notify these changes to the old e-mail/phone. They are getting smarter.
 
Also, be aware that your Amazon email and password can be changed without your knowledge very easily (happened to me). All someone needs is your email, name, and address, then a phone call to Amazon customer service gets the control of your account (and knowledge of transactions) taken away. Took Amazon about 24 hours to get it fixed. The hacker didn't charge on my card, but used a few remaining $$ on an e-gift card I had sitting there on the account. Funny thing is, the fraudulent order took place the exact same day the gift card was put into my account. Same thing happened to a friend.

Now have my credit card removed from being stored on Amazon.
 
A lot of scammers change the e-mail address and phone in your profile as soon as they hack your account. This happened to me. And a lot of online accounts don't notify these changes to the old e-mail/phone. They are getting smarter.

Not in my experience. Every time I change an email address or a password I get an email from the vendor telling me a change has been made to my account and if I didn't do it I should contact them immediately.
 
I keep thinking there’s a database being assembled somewhere. Every call goes into the database. If I happen to answer, the database records a male answered at xx o’clock on Tuesday or whatever. Best not to answer at all unless I recognize the number.
 
I just got a funny one. I didn't recognize the phone number out of Texas so I let it go to voicemail. They need me to call back immediately because there's been fraudulent action on my social security number. Unless I call them immediately they are going to take legal steps against me. Well, the weird thing is if I was a victim, social security would not take action against me. I wonder how many people fall for this and call back.

My 80-year-old mother did, and after a lifetime of supporting herself, she's now on her children's payroll. :mad:

It was a pretty elaborate scam. Last I heard it was in the hands of the FBI.
 
Simple in restaurant solution. I'll call you right back, what's your number?



Scammers will probably try to force you into revealing information at that point. If they do, hang up. They could (but probably won't) give you a fake number to call. Turn on speaker phone, switch into your browser and type the number into the search box. If the first link isn't the bank's main site, hang up and be done. If it IS the first link, don't be tempted to continue the call. Hang up and call them back at the verified number.
 
I was wondering how a real code could be sent by the scammer.......so I guess the bold above is the heart of the matter which perhaps you should emphasize in the future. Yes, thanks for posting.
I think the way it works is that the scammer is online with your user ID and ready to change a password and receive the code from the bank. Then they call you with the OP's friend's story... when the scammer clicks on the change password link, the bank sends a text with a verification code to the OP's friend. The OP's friend tells the scammer the code, which the scammer inputs, changes the password and now has control over the account.

What is a mystery is how the scammer then gets money out without creating some trail. Also, in the few cases that I've wired money out of an account it required that I sign a form and secure email it to the bank... the bank then called me to verify the details IIRC.
 
I think the way it works is that the scammer is online with your user ID and ready to change a password and receive the code from the bank. Then they call you with the OP's friend's story... when the scammer clicks on the change password link, the bank sends a text with a verification code to the OP's friend. The OP's friend tells the scammer the code, which the scammer inputs, changes the password and now has control over the account.

What is a mystery is how the scammer then gets money out without creating some trail. Also, in the few cases that I've wired money out of an account it required that I sign a form and secure email it to the bank... the bank then called me to verify the details IIRC.
Another poster pointed out that if they had the online user name, all they would have to do is request a password reset online.

Now the OP mentioned that the victim’s user name had been compromised. I’m wondering how that could have happened. That is not the kind of information that would be lifted from an Experian breach.
 
Yeah that's what I can't figure out, how the bank username got compromised unless it was the same one used for Equifax.

That's a really smart scam btw.
 
I had the reverse happen yesterday. Someone claiming to be from my brokerage called and wanted to authenticate me. My rule is I call you and then you can authenticate. I googled the generic customer service number, called it, etc. Turned out the first call was legit. Always look up your own customer service number if you call in to check if something is legit.
 
We have an active scam in our area where the caller ID shows "sheriffs department." Lots of folks are inclined to at least answer these calls, but hopefully most do not fall for their scams.
 
Yeah that's what I can't figure out, how the bank username got compromised unless it was the same one used for Equifax.

That's a really smart scam btw.

But they’d have to know which bank. Really odd.
 
I thought that the text verification was a pretty secure alternative, but as the scammers get more and more sophisticated this could become a large problem. Especially for older folks...



No, text messages are not secure. I only use text messages for accounts that have no other option for 2FA. If possible I use an authenticator app or even one of those key devices.

SMS, the text system, is notoriously insecure.

Obviously, never give these codes whether they come from an app, a device or as a text message to anybody you don't know for sure.
 
The OP's description made me think it was related to the SS7 hack on text message systems. This type of Multi-Factor authentication is no longer "secure" since the SS7 Network was hacked a few years ago.

Known as the SS7 network, the SS7 network is shared by every telecom provider to manage calls and texts between phone numbers. There are a number of well known SS7 vulnerabilities.

Click on this link to read the full story of this hack.
SS7 Hack


That was my first thought, but I see now that the weak link is we human beings who gladly give our 'codes' over the phone to people who we don't know. I might have fallen for that myself.

OP, thanks for the warning. ;)
 
But they’d have to know which bank. Really odd.

If you read Krebs on Security you know that there is a dark web out there where tons of information on ordinary people like you, me and the guy behind the tree is available for little cost. They only need a small % of people to fall for their scams to make a lot of money quickly.

https://krebsonsecurity.com/2019/03/hackers-sell-access-to-bait-and-switch-empire/


Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.
 
Obviously, never give these codes whether they come from an app, a device or as a text message to anybody you don't know for sure.

+1

Security codes shouldn't ever have to be read back verbally to anyone, especially to someone calling you on the phone. They should only ever be used for verification by typing them into the bank's website or app. Reading out a security code like that to someone on the phone is akin to telling that person your account password, which most people (I hope) would be very reluctant to do.
 
+1

Security codes shouldn't ever have to be read back verbally to anyone, especially to someone calling you on the phone. They should only ever be used for verification by typing them into the bank's website or app. Reading out a security code like that to someone on the phone is akin to telling that person your account password, which most people (I hope) would be very reluctant to do.

That is certainly the takeaway from this post. But many folks would not think about it and I'm not sure if I would have since I've occasionally received calls about fraudulent charges. But I've never been asked for a code. Otherwise I've refused to answer identifying information if I'm the recipient of a call.

At least the OP was able to change the password again and get back into his account, and then contact the bank quickly to get this corrected.
 
I don't know the details of how they got the customer ID, unless they could use his account number somehow.
He told me that he got all his money back, but that he had to set up new accounts and all auto-payment information.
 
Another poster pointed out that if they had the online user name, all they would have to do is request a password reset online.

Now the OP mentioned that the victim’s user name had been compromised. I’m wondering how that could have happened. That is not the kind of information that would be lifted from an Experian breach.

I am guessing that the hack from Experian included the Experian user login (user name) and perhaps his bank's name. Then if the stupid user has the same login (not password) for the bank, the scam works. The login might even be the user's email address.

I always have a separate login for each financial institution. Well now that I think of it, I have 2 banks with the same login. So I have some homework to do. :blush:
 
Most of my accounts seem to be migrating to using email address for user ID and I’ve wondered if that is more risky.
 
I pick very odd logon names such as bagofbolts or lineupnow. I always lie when asked to give an answer to a question like "Who was your 1st grade teacher?" Anybody with 1/2 a brain can probably figure out it was Mrs. Dechamp. But how many will guess 'polkabreath'?

All this info is stored encrypted by me.
 
I am guessing that the hack from Experian included the Experian user login (user name) and perhaps his bank's name. Then if the stupid user has the same login (not password) for the bank, the scam works. The login might even be the user's email address.

I always have a separate login for each financial institution. Well now that I think of it, I have 2 banks with the same login. So I have some homework to do. :blush:
Hmmm - that’s still quite a leap to target someone - guessing that there might be a shared user name with a financial institution?

And I don’t believe that the Experian hack disclosed login names for Experian accounts. It disclosed name, address, SS#, date of birth. It was unrelated to who had an internet access to Experian with a username.

None of my banks use email as user name, but I suppose some might.
 
I need to wire funds for a RE transaction soon. My broker said to do everything verbally. He said if you communicate routing numbers, etc in an email, hackers will catch it and change the destination numbers so that you could end up wiring money to the bad guys. He says he has seen it at least twice.

I think your broker meant to say to do it orally. Doing verbally simply means in words and those can be written or oral. So, you can do something verbally by email. But I think your broker really used the word verbally probably meaning orally.

I agree that you shouldn't email wiring instructions. Problem with doing it orally is possibility someone will write down the wrong number or misspeak.

I sold some property earlier this week and the closer told me that people shouldn't email wire transfer instructions. For my sale, I actually had gone to my bank and got written wiring instructions from the bank. I then took those physically to the title company. I figured that way, if anything went wrong, no one could blame me. The title company said that was the best way to do it.

Anyway, the closer told me that this changing of wiring instructions in email happens. Apparently someone intercepts it and then recreates a fake email that looks very much like the original email but changing the wiring instructions and sends that to the recipient. The title company recommends not to do wiring instructions via email.
 