Almost scammed

fosterscik

I got a text from "Fidelity" this morning about a suspected fraudulent credit card purchase attempt. It looked identical to others I have received in the past and asked me to reply YES or NO to "did you make this charge".

I dutifully answered No and then received a phone call from a toll-free number. The caller asked about this $250 charge, asked about other authorized users and all the other usual info. He then told me I would receive a text with an authorization code to confirm my identity.

I received the 2FA code and he asked me to read it back to him....

Then I got suspicious and told him no I hadn't called him. He then told me my correct DOB and SSN (and obviously knew my phone number). I still refused, so he said OK well I'm going to lock your accounts and you'll have to go to a Fidelity office to reopen them. At that point I hung up.

I called Fidelity directly and got transferred to the fraud department. They at least congratulated me for avoiding this phishing scam, but I was amazed that they also sent me a 2FA code by text and asked me to read it back to them!

The wording of the two 2FA texts was very similar - both were clearly generated by Fidelity (the scammer was probably at his computer trying to log into my account). The only difference was the fraud department's text added "Only give this code to a rep if you called us".

Be cautious out there....
 
"Only give this code to a rep if you called us"

That still is not 100% safe. There are many fake Google business sites (i.e. you Google Boogerbutt Industries and a fake listing comes up) with phony phone numbers. You call, talk with a scammer and Boom.
 
Yep. Only communication you can (probably) trust is one you initiated.
 
"Only give this code to a rep if you called us"

That still is not 100% safe. There are many fake Google business sites (i.e. you Google Boogerbutt Industries and a fake listing comes up) with phony phone numbers. You call, talk with a scammer and Boom.
I was surprised by this too. I have Fidelity voice recognition enabled and given I was on a call with them I think they could have verified me in another way, but I was just calling to make sure all was OK at their end. If I was trying to set up a transfer hopefully they would have used another procedure.
 
Did the caller have a foreign accent? That may be a tip off too.

Recently, I was traveling and did a pre-check in after getting a text. Wasn't a scam but still I was sending very personal data to register. Namely, my DL and credit card info. Next time, think I will do an older fashioned check in in front of a real person instead.
 
I can imagine people getting scammed via that method. I assume the incoming call was about a Fido credit card. That's why I'm nervous about having one.
 
I can imagine people getting scammed via that method. I assume the incoming call was about a Fido credit card. That's why I'm nervous about having one.
Yes it referred to a Fidelity card. I can easily see someone being scammed this way. The authorization code was generated by Fidelity and had I told the scammer that number he could have logged on and changed my password immediately. Hopefully Fidelity would have reimbursed my account if it was drained immediately afterwards, but I'd prefer not to go that route :blush:
 
Yes it referred to a Fidelity card. I can easily see someone being scammed this way. The authorization code was generated by Fidelity and had I told the scammer that number he could have logged on and changed my password immediately
Exactly right. This is a relatively common scam and has been working for years.
You can't be too careful.
 
Yep. Only communication you can (probably) trust is one you initiated.
Yeah, I wouldn't have answered the call. I get scammy emails all the time and just delete them.

This sounds like a routine / common scam easy to avoid.
 
I literally never respond to anything like that. I always go to the website and look at my accounts and then if necessary call the institution directly.
 
I don't understand though how both 2FA could have been sent by Fidelity unless the scammer had your username and password in order to generate the initial 2FA text:confused:??
 
I don't understand though how both 2FA could have been sent by Fidelity unless the scammer had your username and password in order to generate the initial 2FA text:confused:??
Fidelity also has a "forgot username" feature which the scammer may be able to use to get that piece of info.
 
Scammer had the OP on the hook. Good thing OP was able to wiggle away after dislodging the hook :) .
 
Fidelity also has a "forgot username" feature which the scammer may be able to use to get that piece of info.
Yes. If you go to Fidelity and click on "forgot user name or password" it puts up a form asking for your name, date of birth and last 4 digits of your SSN. Then away you (or an imposter) go. Luckily they need 2FA authorization in addition to confirm your identity.

Given all the recent data breaches it's not surprising that scammers are trying this route. Fidelity security said I didn't need to change my user name or password; the scammer didn't have it or need it.

I did change my password nonetheless.
 
Wow, that was close!

I hoped you immediately changed your password.

Did they somehow spoof the Fidelity texting number?
 
The text came from an 848 area code and I've had identical texts from Fidelity (and other bank) credit cards. It seems to be standard industry practice to ask about purchases and their validity. I assumed all was kosher and texted back NO and away we went.
The number, FWIW, was 848 326 7050. I didn't check to see if it was a legitimate Fidelity security department number, but I'm not sure how I would do that.
 
I think a recent time I was texted about a charge and answered no, I checked my account online and called the Fidelity credit card fraud department company directly (I keep the numbers). It’s been several years though. The Fidelity credit card is issued by Elan Financial.

Thanks for sharing!
 
Now that we’re aware of this problem, maybe a best practice is to not respond to any texts and immediately call the number on the back of the card instead.
 
"Only give this code to a rep if you called us"

That still is not 100% safe. There are many fake Google business sites (i.e. you Google Boogerbutt Industries and a fake listing comes up) with phony phone numbers. You call, talk with a scammer and Boom.
WAIT! Boogerbutt Industries is fake? Oh! Carp!!
 
Yeah, they're trying to make you think they are really Burgerbutt Industries. Easy to get scammed on that one!
 
I've always thought it's a bad practice that Fidelity (and maybe other co's) ask you to read back a code to them. Even if you've initiated the call with them, it undermines the anti-scam training to never share the authorization code.
I agree. I get the same thing from healthcare providers. They call me and then ask me to verify myself with information that includes my birthday. Very frustrating given that I really have no way to ensure that they are actually my provider. Legitimate entities shouldn’t be asking you to violate a best practice when it comes to security.
 
