Novel and scary phone scam

NgineER

I posted this in another thread but wanted to highlight the scam in a new thread to make more people aware... Sorry for double posting if you've already read it.

A colleague of mine told me a scary story today. He was part of the Equifax breach a year or two ago. Apparently his username for his online bank was compromised. They somehow also got his cell phone number, don't know if that was from the breach or if they had to look it up.

Yesterday while in a noisy restaurant he got a phone call from his bank (spoofed caller ID) and they told him that they were looking at what appeared to be fraudulent charges on his account. They asked him to verify a few transactions (all made up of course and none matched anything he'd purchased recently). Since there were several phony charges on the account they told him that his account had been compromised and that they would have a new card sent out to him via FedEx. In order to validate his identity/transaction they asked him to repeat a code they'd send him via text.

The text came through from his bank and he repeated the number back to them. They confirmed it and said they'd ship a new card immediately.

Once my colleague came home he checked his account - his password did not work anymore. He reset the password thinking that it was part of the fraudulent charges. He set a new password and got the double verification text from his bank and noticed that a few thousand dollars had been withdrawn via wire earlier in the evening.

Apparently their "verification" for sending a new card was for the forgotten password link verification on the website for setting up a new password. Once logged in they started transactions out of the account, starting in $100 increments and then $1,000 transactions.

He was immediately refunded half of the amount but is now working with the bank to get the rest back.

I thought that the text verification was a pretty secure alternative, but as the scammers get more and more sophisticated this could become a large problem. Especially for older folks...
 
You are right.... that is a scary one... I can see people easily falling for that one... possibly even me.
 
I set up email alerts on transactions in my account. I would have gotten an email as soon as the first transaction took place.
 
I set up email alerts on transactions in my account. I would have gotten an email as soon as the first transaction took place.

Same here, but for a wire to have gone through...wow. That could create quite the pain.

The last few wires I have done, I have had to speak to someone on the phone to do the verification and it seems like the process to do so was fairly secure.

Nonetheless, thanks for the heads up...that is pretty sophisticated.
 
Same here, but for a wire to have gone through...wow. That could create quite the pain.

The last few wires I have done, I have had to speak to someone on the phone to do the verification and it seems like the process to do so was fairly secure.

Nonetheless, thanks for the heads up...that is pretty sophisticated.

I need to wire funds for a RE transaction soon. My broker said to do everything verbally. He said if you communicate routing numbers, etc. in an email, hackers will catch it and change the destination numbers so that you could end up wiring money to the bad guys. He says he has seen it at least twice.
 
The OP's description made me think it was related to the SS7 hack on text message systems. This type of Multi-Factor authentication is no longer "secure" since the SS7 Network was hacked a few years ago.

Known as the SS7 network, the SS7 network is shared by every telecom provider to manage calls and texts between phone numbers. There are a number of well known SS7 vulnerabilities.

Click on this link to read the full story of this hack.
SS7 Hack

There's no hacking needed for this scam to work. I'd explain how but that would teach more scammers.
 
It struck me that this is exactly the procedure Bank of America has used in the past when they wanted to change my credit card number to forestall a breach when they believed my name was part of a stolen data base. They called and told us to expect a new card in the mail. My husband doesn't remember if they asked for a verification but I imagine that they do today since they now use verification codes on their logins. My husband keeps the phone they would call and he would have just assumed it was the same as a couple of times in the past. I read the OP's post to him.
 
Wow that is tricky! I probably would have fallen for it with a spoofed number. I’ve been called about fraudulent charges before, but never asked for a code!

It seems you would need someone talking to the bank at the same time another talked to the victim. Coordinated, next to each other or texting.

It’s phishing, not hacking, if they already had the username. They just needed that verification code sent by the bank. And this was a clever way to get the victim to give it to them.
 
A good reminder to thank the 'helpful' caller for the information and letting them know that you will call your bank/credit card/brokerage directly to verify the issue.

I will share this latest scam warning with DW and kids.
 
Wow that is tricky! I probably would have fallen for it with a spoofed number. I’ve been called about fraudulent charges before, but never asked for a code!

It seems you would need someone talking to the bank at the same time another talked to the victim. Coordinated, next to each other or texting.

It’s phishing, not hacking, if they already had the username. They just needed that verification code sent by the bank.

No, they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleague's phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.
 
The last time I got one of these notifications of possible CC fraud from my bank it was a text message asking me to verify a charge. This incident tells me if I get a future notification by phone or text I should always call the bank myself, using a number I know is correct.
 
No, they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleague's phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.

Well that’s true.
 
No, they don't need to talk to someone at the bank - they just hit the forgot password button and the request for verification via text was sent automatically to my colleague's phone to verify his identity. He then told the scammer the code and they used it to reset the password and start withdrawing money.

I was wondering how a real code could be sent by the scammer.......so I guess the bold above is the heart of the matter which perhaps you should emphasize in the future. Yes, thanks for posting.
 
Texting is for 14 year olds ...... avoid it.


I know, 'It's so easy and convenient and fast' ..... And you're right, especially for the scammers....
 
So my rule for this is don't talk to anybody about anything financial in a crowd or while driving or when trying to multitask.....it's too easy to make a mistake.

Hang up and call the financial institution in question...there's no downside to doing this. In my case I use a regional/local bank and have for 40 years; I probably know just about everyone working there.... it's too bad it's come to this level of paranoia.. but it pays to be paranoid....

And I conduct all my financial business on my at-home desktop...it's another level of security. When I got my last desktop and logged on to the bank I deliberately did not check the "remember this computer" button and answer a different challenge question every time I log on to my account. The only alerts I have sent to my phone are activity alerts...and just to be really careful I don't use a debit card, I don't even have one activated. It's not that hard to use CC and printed checks once in a while.
 
It struck me that this is exactly the procedure Bank of America has used in the past when they wanted to change my credit card number to forestall a breach when they believed my name was part of a stolen data base. They called and told us to expect a new card in the mail. My husband doesn't remember if they asked for a verification but I imagine that they do today since they now use verification codes on their logins. My husband keeps the phone they would call and he would have just assumed it was the same as a couple of times in the past. I read the OP's post to him.



When my BOA debit card was hacked, they called, texted, and emailed. The call was a request to contact their fraud Dept.
 
That's pretty novel, and I can see how it works.

Lesson here is when "the bank" calls, call them back. If you are in the car or restaurant, don't rush. Tell them to lock your card/account, and call back with a clear head without distractions.

I've been called by my credit card company when this happened, and the first thing they said was my account was already locked based on suspicion of fraud, so I didn't have to ask them that step. I had the ability to log in and check the transactions and work with them. I cannot tell you I called back, I don't remember. However, in the future I sure will and won't let them drive the bus.
 
Lesson here is when "the bank" calls, call them back. If you are in the car or restaurant, don't rush. Tell them to lock your card/account, and call back with a clear head without distractions.

This is what I do. When the CC company calls me and then says “we need to verify your identity” my response is “you called me, I’ve been identified but you haven’t”. I hang up and call back at the main contact number. It adds a bit of hassle but there is no way I’m giving any security or identity validation info to anyone without first confirming they are legit.
 
Thanks for posting this. If a card is compromised, they send a replacement to the address on file. There should be no need for anyone to prove their identity over the phone at that moment, or to get a new card sent.
 
This is what I do. When the CC company calls me and then says “we need to verify your identity” my response is “you called me, I’ve been identified but you haven’t”. I hang up and call back at the main contact number. It adds a bit of hassle but there is no way I’m giving any security or identity validation info to anyone without first confirming they are legit.

I did have that happen once before when a bank called me and started asking me questions to verify my identity. I said - you called me. I called them back. I think it was legit - just stupid on their part.

I have never been asked for a verification code to have new cards sent to my address. Nor have I been asked to read a verification code verbally on the phone. I will certainly never do that unless I made the call.
 
I just got a funny one. I didn't recognize the phone number out of Texas so I let it go to voicemail. They need me to call back immediately because there's been fraudulent action on my social security number. Unless I call them immediately they are going to take legal steps against me. Well the weird thing is if I was a victim social security would not take action against me. I wonder how many people fall for this and call back.
 
The best defense is not to tell anyone anything or confirm anything if a call is received. I received a call like that from my credit card company a few years back advising me of a possible compromise of our card. They did not ask for any information. I politely thanked them and hung up. I then called the CC issuer and verified the information. It was a legit call. Trust nobody on the phone.
 