October 1, 2018

Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

Matt Haughey is the creator of the community Weblog MetaFilter and a writer at Slack. Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses.

Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She then read him the last four digits of the card that was currently in his wallet. It checked out.

Haughey told the lady that he would need a replacement card immediately because he was about to travel out of state to California. Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California.

This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip? It was the first time the voice inside his head spoke up and said, “Something isn’t right, Matt.” But, he figured, the customer service person at the credit union was trying to be helpful: She was doing him a favor, he reasoned.

The caller then read his entire home address to double check it was the correct destination to send a new card at the conclusion of his trip. Then the caller said she needed to verify his mother’s maiden name. The voice in his head spoke out in protest again, but then banks had asked for this in the past. He provided it.

Next she asked him to verify the three digit security code printed on the back of his card. Once more, the voice of caution in his brain was silenced: He’d given this code out previously in the few times he’d used his card to pay for something over the phone.

Then she asked him for his current card PIN, just so she could apply that same PIN to the new card being mailed out, she assured him. Ding, ding, ding went the alarm bells in his head. Haughey hesitated, then asked the lady to repeat the question. When she did, he gave her the PIN, and she assured him she’d make sure his existing PIN also served as the PIN for his new card.

Haughey said after hanging up he felt fairly certain the entire transaction was legitimate, although the part about her requesting the PIN kept nagging at him.

“I balked at challenging her because everything lined up,” he said in an interview with KrebsOnSecurity. “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.'”

Now more concerned, Haughey visited his credit union to make sure his travel arrangements were set. When he began telling the bank employee what had transpired, he could tell by the look on her face that his friend was right.

A review of his account showed that there were indeed two fraudulent charges on his account from earlier that day totaling $3,400, but neither charge was from Ohio. Rather, someone used a counterfeit copy of his debit card to spend more than $2,900 at a Kroger near Atlanta, and to withdraw almost $500 from an ATM in the same area. After the unauthorized charges, he had just $300 remaining in his account.

“People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,” Haughey said.

Fraudsters can use a variety of open-source and free tools to fake or “spoof” the number displayed as the caller ID, lending legitimacy to phone phishing schemes. Often, just sprinkling in a little foreknowledge of the target’s personal details — SSNs, dates of birth, addresses and other information that can be purchased for a nominal fee from any one of several underground sites that sell such data — adds enough detail to the call to make it seem legitimate.

A CLOSE CALL

Cabel Sasser is founder of a Mac and iOS software company called Panic Inc. Sasser said he almost got scammed recently after receiving a call that appeared to be the same number as the one displayed on the back of his Wells Fargo ATM card.

“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” Sasser recalled in a tweet about the experience.

What Sasser didn’t mention in his tweet was that his corporate debit card had just been hit with two instances of fraud: Someone had charged $10,000 worth of metal air ducts to his card. When he disputed the charge, his bank sent a replacement card.

“I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs,” Sasser recalled in an interview with KrebsOnSecurity. “The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card.”

And so the card-replacement dance began.

“Is the card in your possession?,” the caller asked. It was. The agent then asked him to read the three-digit CVV code printed on the back of his card.

After verifying the CVV, the agent offered to expedite a replacement, Sasser said. “First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.”

That made Sasser pause. Wouldn’t an actual representative from Wells Fargo’s fraud division already have access to his current PIN?

“It’s just to confirm the change,” the caller told him. “I can’t see what you enter.”

“But…you’re the bank,” he countered. “You have my PIN, and you can see what I enter…”

The caller had a snappy reply for this retort as well.

“Only the IVR [interactive voice response] system can see it,” the caller assured him. “Hey, if it helps, I have all of your account info up…to confirm, the last four digits of your Social Security number are XXXX, right?”

Sure enough, that was correct. But something still seemed off. At this point, Sasser said he told the agent he would call back by dialing the number printed on his ATM card — the same number his mobile phone was already displaying as the source of the call. After doing just that, the representative who answered said there had been no such fraud detected on his account.

“I was just four key presses away from having all my cash drained by someone at an ATM,” Sasser recalled. A visit to the local Wells Fargo branch before his trip confirmed that he’d dodged a bullet.

“The Wells person was super surprised that I bailed out when I did, and said most people are 100 percent taken by this scam,” Sasser said.

HUMAN, ROBOT OR HYBRID?

In Sasser’s case, the scammer was a live person, but some equally convincing voice phishing schemes — sometimes called “vishing” — use a combination of humans and automation. Consider the following vishing attempt, reported to KrebsOnSecurity in August by “Curt,” a longtime reader from Canada.

“I’m both a TD customer and Rogers phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt,” Curt wrote. “At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”

The caller said her name was Jen Hansen, and began the call with what Curt described as “over-the-top courtesy.”

“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recalled. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”

Ms. Hansen proceeded to tell Curt that TD Bank was offering a credit monitoring service free for one month, and that he could cancel at any time. To enroll, he only needed to confirm his home mailing address.

“I’m mega paranoid (I read krebsonsecurity.com daily) and asked her to tell me what address I had on their file, knowing full well my home address can be found in a variety of ways,” Curt wrote in an email to this author. “She said, ‘One moment while I access that information.'”

After a short pause, a new voice came on the line.

“And here’s where I realized I was finally talking to a real human — a female with a slight French accent — who read me my correct address,” Curt recalled.

After another pause, Ms. Hansen’s voice came back on the line. While she was explaining that part of the package included free antivirus and anti-keylogging software, Curt asked her if he could opt-in to receive his credit reports while opting-out of installing the software.

“I’m sorry, can you repeat that?” the voice identifying itself as Ms. Hansen replied. Curt repeated himself. After another, “I’m sorry, can you repeat that,” Curt asked Ms. Hansen where she was from.

The voice confirmed what was indicated by the number displayed on his caller ID: That she was calling from Barrie, Ontario. Trying to throw the robot voice further off-script, Curt asked what the weather was like in Barrie, Ontario. Another long pause. The voice continued describing the offered service.

“I asked again about the weather, and she said, ‘I’m sorry, I don’t have that information. Would you like me to transfer you to someone that does?’ I said yes and again the real person with a French accent started speaking, ignoring my question about the weather and saying that if I’d like to continue with the offer I needed to provide my date of birth. This is when I hung up and immediately called TD Bank.” No one from TD had called him, they assured him.

FULLY AUTOMATED PHONE PHISHING

And then there are the fully-automated voice phishing scams, which can be equally convincing. Last week I heard from “Jon,” a cybersecurity professional with more than 30 years of experience under his belt (Jon asked to leave his last name out of this story).

Answering a call on his mobile device from a phone number in Missouri, Jon was greeted with the familiar four-note AT&T jingle, followed by a recorded voice saying AT&T was calling to prevent his phone service from being suspended for non-payment.

“It then prompted me to enter my security PIN to be connected to a billing department representative,” Jon said. “My number was originally an AT&T number (it reports as Cingular Wireless) but I have been on T-Mobile for several years, so clearly a scam if I had any doubt. However, I suspect that the average Joe would fall for it.”

WHAT CAN YOU DO?

Just as you would never give out personal information if asked to do so via email, never give out any information about yourself in response to an unsolicited phone call.

Like email scams, phone phishing usually invokes an element of urgency in a bid to get people to let their guard down. If a call has you worried that there might be something wrong and you wish to call them back, don’t call the number offered to you by the caller. If you want to reach your bank, call the number on the back of your card. If it’s another company you do business with, go to the company’s site and look up their main customer support number.

Unfortunately, this may take a little work. It’s not just banks and phone companies that are being impersonated by fraudsters. Reports on social media suggest many consumers also are receiving voice phishing scams that spoof customer support numbers at Apple, Amazon and other big-name tech companies. In many cases, the scammers are polluting top search engine results with phony 800-numbers for customer support lines that lead directly to fraudsters.

These days, scam calls happen on my mobile so often that I almost never answer my phone unless it appears to come from someone in my contacts list. The Federal Trade Commission’s do-not-call list does not appear to have done anything to block scam callers, and the major wireless carriers seem to be pretty useless in blocking incessant robocalls, even when the scammers are impersonating the carriers themselves, as in Jon’s case above.

I suspect people my age (mid-40s) and younger also generally let most unrecognized calls go to voicemail. It seems to be a very different reality for folks from an older generation, many of whom still primarily call friends and family using land lines, and who will always answer a ringing phone whenever it is humanly possible to do so.

It’s a good idea to advise your loved ones to ignore calls unless they appear to come from a friend or family member, and to just hang up the moment the caller starts asking for personal information.


218 thoughts on “Voice Phishing Scams Are Getting More Clever”

  1. Larry Denenberg

    In the old days, there was something called “Call Trace” that you could use after a harassing or threatening or fraudulent call: After hanging up, you picked up again and entered some sequence, *57 or the like, which caused The Phone Company (there was only one) to save the caller’s details to some special place. You then called the police, or maybe the phone company, or maybe they were the same and I never realized it, to see if further action could be taken.

    I presume this doesn’t work any longer, or someone would have suggested it. Can’t we revive something similar? There would be fewer such scams if each call had at least some potential of negative consequences. Would it be even the slightest disincentive, or do they just move faster than any possible retaliatory action?

  2. Bob

    There should be more outrage about phone number spoofing. How is this being done and are the telcos doing anything about it???

    1. stine

      No, the telcos aren’t doing anything about it because doing so would impact their billable minutes.

      1. Readership1

        Look up common carrier definition, then revise your statement.

        They don’t block, because they must not block.

  3. mike

    My landline phone answering machine has an announcement “out of area”, but the display sometimes shows my local area code. At that point I KNOW that the number is spoofed. Those calls go to the bit bucket.

  4. Bob

    I use a voicemail service (youmail) that lets me use different vm announcements for different contacts. Anybody in my contact list gets a normal vm announcement.

    If you’re not in my contacts, my “announcement” is actually a recording of an (annoyingly loud) FAX answering sequence, repeated ad nauseam. There’s no FAX service, just a recording of the sound 🙂

    1. Jackie

      That is a great idea! Can I get this for a landline too?

  5. Matthew P Clements

    I subscribe to NoMoRobo service on my cell phone and it has cut Robocalling by 95% as my phone was ringing off the hook. Best $18 I spent this year.

  6. Genpool

    Since we know that the “real” banks and phone companies have our pin numbers and know all about us, I have averted many Vishing-phishing calls by always giving an incorrect pin # at first request. I want them to tell me that this is incorrect. This has worked for me for many years. Scammers will take the data as real, and I am just happy for them to have incorrect information. I hope they sell it to others. I am worried about scammers who can test my pin on a purchase real-time and feed this back to me.

    I would like your feedback, I am sure there are holes in this idea but..
    It seems that we need an app that interacts with our phone and connects to institutions to inform them of their incoming calls. Maybe my bank would have this feature built into their app, as a button that informs them that “they are calling me”. So when I get a call from my bank/phone co./ISP etc, I open the company’s app and touch the “verify incoming call” service. This would allow them to reply and add authentication, verification without any transactions occurring. Hack away at the idea! Please
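The “verify incoming call” button described in the comment above, sketched as an added example (this is not code from the article, the commenter, or any bank; the class, method and field names are assumptions). The bank side registers an outbound call for a customer before an agent dials; the customer, already signed in to the bank’s app, asks whether a call is currently registered and gets back only a yes/no plus a short reference. No PIN, CVV or other secret travels over the voice channel, and a spoofed caller ID is irrelevant because the check runs over the app, not the phone line. Registrations expire so a stale entry cannot vouch for a later scam call.

```python
"""Sketch of an out-of-band "is my bank really calling me?" check.

Added illustration of the commenter's proposal; all names and values are
constructed for this example and are not a real bank's API.
"""
import secrets
import time

# Constructed value: how long a registered outbound call stays verifiable.
TTL_SECONDS = 300


class OutboundCallRegistry:
    """Bank-side registry: agents register a call before dialing, the
    customer's authenticated app asks whether a call is registered."""

    def __init__(self, clock=time.time):
        # Injectable clock so expiry can be tested without sleeping.
        self._clock = clock
        # customer_id -> (agent_id, expires_at, reference)
        self._calls = {}

    def register_call(self, customer_id: str, agent_id: str) -> str:
        """Agent records an outbound call; returns a short reference the
        agent can read to the customer and the app will display."""
        reference = secrets.token_hex(4)
        expires_at = self._clock() + TTL_SECONDS
        self._calls[customer_id] = (agent_id, expires_at, reference)
        return reference

    def verify(self, customer_id: str) -> dict:
        """App-side check. Reveals nothing about the account, only whether
        the bank has an outbound call in flight to this customer."""
        entry = self._calls.get(customer_id)
        if entry is None:
            return {"verified": False, "reason": "no outbound call registered"}
        agent_id, expires_at, reference = entry
        if self._clock() > expires_at:
            # Expired registrations are dropped so they can't vouch for a
            # later, unrelated call.
            del self._calls[customer_id]
            return {"verified": False, "reason": "registration expired"}
        return {"verified": True, "agent_id": agent_id, "reference": reference}


if __name__ == "__main__":
    registry = OutboundCallRegistry()
    # A scam call arrives: nothing registered, so the app says "not us".
    print(registry.verify("cust-1"))
    # A genuine agent registers before dialing; the app now confirms it.
    ref = registry.register_call("cust-1", "agent-42")
    print(ref, registry.verify("cust-1"))
```

The verification result carries a reference the customer can ask the caller to repeat; an impostor who spoofed the number never registered a call and cannot know it.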

    1. Clay_T

      I like this idea!

      Give them a fake PIN, tell them “I just moved, here’s my new address” (1060 W Addison St, Chicago, IL..)

      Giving them bogus information and having them try and use it at point of sale locations might just stir things up enough to get some of them caught.

      1. William Miles

        If you do that, make sure the address goes nowhere. Like an empty lot, or on a street that doesn’t exist in that zip code. These are criminals. While it’s unlikely, you could be sending criminals to some unsuspecting innocent person’s house.

  7. Bruce

    This scam would not work for us (wife & I). We bank at a small Credit Union & have never set up electronic banking & we do not have a debit card or charge card linked to our bank account. We still have a Landline phone; we have Google fiber & our spam calls have almost been eliminated; from 6+ per day prior to fiber to maybe 4 per week now. We generally do not answer the phone & only reply if they leave a message & we know who the call is from. My wife has a Trac phone but very seldom turns it on & I have never received a spam call on my Nexus phone on Verizon; I wouldn’t answer anyway if the call was from someone I did not know.

    1. Readership1

      Brian has covered that topic before.

      Either switch to a tiny bank that does not offer electronic banking, have your existing bank lock out that feature, or set up the system your bank uses to prevent someone else from setting it up in your absence.

  8. Mark

    We all have around 5 main contacts that we select a ringtone for them. On my droid I created two tones, OK to answer and Unknown caller. All the other folks (other than the main 5) in my contacts get the – OK to answer. The default ringtone for the phone is now – Unknown caller. Great when you are driving and you get the spam calls. No need to look at the phone. When watching college football and the phone is on the counter. Again, no need to get up when you hear – Unknown caller.
    I prefer these over ring tones. Ok… I lied… my 5 main contacts are not tones, they are: Your son is calling, your wife is calling, your brother… blah blah blah. Just spitballing guys and gals.

  9. Daniel

    I know that it’s not their responsibility, but there should be some kind of policy that if someone is coming in to buy $2,000+ worth of merchandise from a Kroger, a manager should be involved.

    I’m assuming the $2k was mainly gift card purchases, too. Should be a major red flag.

    1. Anon E Moose

      Soooo, once they know the red flag amount they just send three people in for things totalling amounts just under red flag amount. Now there are a whole bunch of $1999 fraudulent charges.

      1. Ashole

        This all the way. Doesn’t matter what precautions you put in place, they always come back with ways to get around it. If the bank blocks transactions at certain merchants in certain states over certain amounts, they move. They structure. It’s a never ending game of cat and mouse.

  10. Pm

    Whatever became of the 2013 “Robocall Challenge”, 2014 “Zapping Rachel” and 2015 DetectaRobo contests from the FTC? We got RoboKiller and NoMoRobo and a couple other apps, but it’s 3 years later and the problem is worse, not better. Apple and Google “joined forces” in 2016, but what came of that?

    The innovators have innovated, but have the Telcos just continued to sit on their hands?

    1. SkunkWerks

      Well, I am using one of the results- nomorobo, and I have to say- it’s better than nothing, but it is far from perfect, and I ~do~ feel like the Telcos are sitting on their damn hands.

      There’s other parties sitting on their hands too, though. Think of your credit card company, your bank, your insurance company… all important institutions.

      How hard is it to get a person from one of these institutions on the phone these days? How much do these companies attempt to deflect any potential calls to them?

      So, aside from the convenience of having been called, the bar for hanging up and calling the number is pretty high.

      How long will you be on hold? How many stupid phone trees will you have to go through till you’re corralled into the correct “bucket” of the company you’re trying to reach before perhaps you can get to talk to a person?

      It’s all fine and well to say “hang up and call back the number on your card”, but realistically, how many people will subject themselves to all this?

      Seems to me a LOT of companies involved in this ecosystem need to behave more responsibly, and maybe even more ~responsively~.

  11. Rick

    I had an instance a while back where my bank (Chase) called to notify me of possible fraud, and after reading me the charge, and me confirming it was bad THEY told me to call the number on the back of the card, stating specifically that it was to avoid customers giving information to an inbound caller. This is just good practice. If they call you, don’t give them any info.

  12. Brian

    I find the fact that IT professionals could be taken in by these phone scams as incredible. I am not an IT professional but I am 71 (so in theory should be an easy target) yet even I know never to take what people say over the phone at face value. I live in the UK and for years the advice has always been to ring back on a number you can confirm as being genuine. We are also told to use a different phone if possible or to wait at least 10 minutes to make sure the first call has been disconnected.

    1. SkunkWerks

      As a person in the profession, there’s an advantage in “platform-independent” methods.

      In this case: most of these scams eschew anything overly-technical and instead rely on the age-old art of the con- getting a ~person~ to buy the story you’re telling, and then maneuvering them into doing whatever it is you need them to do.

      Input formats change, new operating systems emerge, new trends in computing come and go, but the ~Human~ “operating system” still responds to most of the same input.

      Fear, the promise of convenience, and even politeness are still excellent “command lines” into our brains.

  13. Bob Brown

    My experience has been that fraud departments at banks or credit card companies ask two questions: “Did you just charge $xxx at location yyy?” and “Do you have the card in your possession?”

    If they want to know ANYTHING else, do as Rick says Chase does; say, “I’ll call you right back,” disconnect, and call the number on the card.

    1. Markus Wandel

      Even that can be scammed. A well-known technique that works on landlines is for the scammer to simply keep the line open and play dialtone. The call isn’t taken down until about 30 seconds after the callee hung up, if the caller stayed offhook. You can easily try this out if you and someone you can call still have landlines; the callee can pick up again within those 30 seconds and still be connected to you.

      So you pick up again, hear dialtone, dial the fraud prevention number, get a convincing audible ring and answer and so on, and you’re still talking to the scammer.

  14. vb

    Just one nit…this sounds more like social engineering than phishing. This is live, or mostly live, impersonation. I thought that phishing was limited to email or malicious websites.

  15. NS

    Almost the EXACT same thing happened to me last week. So eerily similar, in fact, I wonder if there’s a large-scale ring at work here.

    I received a phone call this past Thursday (1) afternoon from a toll-free number. I attempted to answer but heard no voice on the other end, so I disconnected. The number immediately called me back (2), so I answered again. The caller identified himself as a member of the fraud prevention department at USAA (where I bank personally) and said he had questions about some activity on my account. He asked if I was traveling at the time (3) as he said the activity was from out of state, and he then proceeded to list charges about which there was concern. The first two items he described – a WalMart charge in California in excess of $360, and another at a Game Stop (also in CA) for just under $80 – I said were illegitimate, and then he identified a third charge at a local gas station which I could confirm as a transaction that I had made (4). He told me that all of the charges/attempts were made with my debit card (not my wife’s) and gave me the last four digits of the card (5). Agreeing that the card should be cancelled and replaced, he read out my address and asked me to confirm it to be the mailing location for the new card (6). But then he did something that gave me pause – he asked me for my PIN code. Now, USAA’s automated systems do require the entry of the PIN to authenticate a caller, but never do I recall someone verbally asking me for it. I objected, but he said that was understandable and told me I could enter the PIN via my keypad (7). Still suspicious (but not entirely – he had personal details and some knowledge of my recent legitimate transactions), I entered a fake PIN. When he thanked me and asked me to enter it again, I hung up. I called the number back (from the caller ID), and it rang to USAA. 
    However, instead of corroborating the information I was given, they said they (a) showed no record of anyone from USAA calling me, (b) showed no record of the alleged questionable WalMart and Game Stop charges, and (c) did see about ten attempts to use my card at a Wells Fargo ATM in Humble, TX, (300+ miles away from my location) within the past several minutes (8,9), all denied due to an incorrect PIN code. In the end, I had them cancel my card, change my PIN, etc., as well as add a two-factor authentication method for any phone interactions.

    Here are my observations regarding the sophistication level of this attack:

    (1) The attacker knew and used the outgoing number associated with USAA’s customer service department, masking his own telephone number completely.
    (2) The attacker behaved like the legitimate representative he claimed to be. He was persistent, even calling me back three more times after I was on the phone with the real USAA representative and once offering to hold while I confirmed his identity!
    (3) Again, this is the normal behavior and language someone in the fraud prevention would employ in the course of an actual investigation – it was well-rehearsed.
    (4) He had specific knowledge of at least one legitimate transaction on my account – where I had purchased fuel earlier that day and for how much. (This suggests to me that a card skimmer is installed on the fuel pump I used – I’m trying to contact that store now to report it.)
    (5) He had specific knowledge about my debit card – at least the last four digits, as well as…
    (6) …my full mailing address and mobile telephone number.
    (7) The attacker had the ability to capture DTMF tones, enabling them to capture the “PIN code” I provided by dialing it from my phone’s keypad.
    (8) They were poised to act on the information they captured immediately, as they made at least eight attempts to pull money from an ATM within 10 minutes of having learned what they thought was my PIN code.
    (9) They had to have been able to generate a clone of my card in order to attempt an ATM withdrawal.

    It’s a scary world, and I feel for the less prepared members of the public when they encounter such criminals.

    1. Beeker25

      You were smart enough to provide them with a fake PIN for them to think is real. The level of sophistication is surprising.

    2. Doug

      Was the data quoted during the phishing attempt typical of that during the Equifax breach?

  16. Beeker25

    This is an example of social engineering with the express purpose of obtaining your information with a phone number that spoofs the bank’s number. At this point they already have your card # and are calling to confirm your CVV or PIN so they can move quickly. People fell for it.

    It should be noted that “real” banks do not call you to ask for that information and the same can be said for the IRS.

  17. Cmotts

    This happened to me in June. It was a Saturday afternoon and a familiar number — I’d definitely seen it before — kept calling my cell phone. I googled it and realized it’s the number for Citizens Bank. And it called maybe 3 times before I answered (I figured, well, if they keep calling it must be important).

    Looking back, from the moment the man started speaking, I should’ve known it wasn’t actually the bank. He explained there were 2 fraudulent charges that he wanted to check with me. I had just traveled so I thought oh! Did something happen to my card while I was traveling? When I said that I had not made those purchases, he said that we’d go through the steps to get them off my account.

    Lots of pauses and awkward silences, and sometimes he didn’t sound clear so I had him repeat what he was saying. He said he was sending me a text with a code and I should repeat it back.
    Lots of alarm bells were going off but honestly, the moment you think ‘holy crap fraud’, you’re just not in the right state of mind to question it. You just want to do what you can to rectify the situation. He asked for my mom’s maiden name and I thought hmmm. Okay.

    After he had me on hold another few minutes, I was like hey, I can check to see what these purchases are in my online account. So I tried to log in. I couldn’t. The password had been changed. That’s when I knew. I hung up on him and I called the # on the back of my debit card (which was oddly a different number than I remembered it being). I’m freaking out to the actual Citizens Bank person and he’s telling me it will be okay and he will reset everything so I can get back in. At the same time, the scammer is calling me over and over. Turns out, he had hacked my online account and tried to send himself (or someone) a payment through Zelle, the stupid online payment thing Citizens Bank touts as being so amazing.

    Luckily I figured it out before the Zelle payment went through. But because this guy had essentially seen everything, my acct. info etc., Citizens had to freeze my online access and my accounts until I got completely new ones. I spent the next two weeks at 2 bank branches trying to fix everything. It took 3 weeks before I could get my online access back. The problem perpetuated as I had online payments and direct withdrawals/deposits that needed to be switched over but some of them couldn’t be switched right away so some accounts had to stay open and while that happened, the online banking people would not let me back in.

    So yes, don’t answer the phone. Ever. If they really need to get in touch with you, they’ll say ‘call us back at the # on the back of your card’.

    1. vb

      Zelle payments are through the ACH system. Those payments are reversible in most instances. So even if the Zelle payment had been made, you would have stood a very good chance of getting your funds back.

  18. Annette

    I am 69, and receive several calls, emails, and text messages everyday. I do not answer them, if they know me, then they can leave a message.

  19. vb

    My solution to this is not using a debit card, and not accepting an ATM that is integrated with a debit card. My ATM card is only an ATM card.

  20. Bart

    We have been getting calls like the one below for several weeks:

    “Hello, this is [a common first name of either sex] I am a [a common profession like housing or travel advisor] calling on a recorded line.”

    That’s about as far as we have ever let them run on. It seems to be a live person.

  21. BobF

    Beginning several weeks ago, my caller ID at both work and home (landline, which I never answer, but keep for cost-savings reasons) has been displaying “SPAM?” as a prefix to the calling number. Both home and work are using the Verizon network for calls.

    Is this something new that VZ has implemented? An industry thing? I thought it was me until a couple of other people mentioned that they also noticed the change. They were also VZ customers.

  22. Mark Withers

    Three weeks ago I got a text “security alert” from M & T Bank asking me to call 888-883-8034, where an automated system advised that my card had been de-activated and that to get it re-activated I needed to provide information. It then prompted me to enter my account number, PIN, expiration, balance, zip code, security code, etc. Since I don’t have an M & T account, I knew it was fraud. It took four days after I called the bank before the phony number was taken down! No idea if the bank did it or not.

  23. JoeJJohnsonII

    Something I have done on these scam calls is to conference in the customer support number for my bank. When they asked for my information I said, “Hold on, my wife handles the finances. Can I conference her in?” I called up the customer service number, gave a brief explanation as to what’s going on and then connected the two calls. The bank usually asks what the caller’s name and extension is or asks for their email address so they can send a verification email. Of the 3 calls I have received, all of them ended with the caller hanging up. The last one devolved into a shouting match between the two phone calls and ended with the original caller threatening to close my account. Fun times.

  24. Susan Tuttle

    I never answer calls unless they’re in my contacts list. I get so many 800 and 888 numbers calling, probably 3-4 a day, I let them all go to voice mail. And they never leave a voice mail. And I never answer any questions, I simply say I’ll call back, then contact the supposed source (bank, phone co, etc) directly myself. It’s never anything real, so I just ignore all those out there who want what little I have in my bank account. When I see numbers I don’t recognize, I just chant to myself, “Ignore, ignore, ignore.” Works great.

  25. Sean W

    What I’m curious about with this article… is this fallout from the Equifax breach? I mean, have we seen that information in the wild yet? It seems like there’s a lot of data there that you’d get from something like a credit file.

    1. BrianKrebs Post author

      No. I spend a lot of time in the underground, and I can say I have seen zero evidence that the Equifax data is being sold. Most people I’ve spoken to believe it was the work of a nation state (i.e. China) and that it will never be sold. More to the point: the Equifax breach was a distraction from the fact that most of this data was for sale already on a significant portion of Americans and has been for years.

      Consider this: It’s super easy to go on any of dozens of different sites that sell stolen “dumps” — basically data from the magnetic stripe on millions of cards that were used at retailers and restaurants etc. that have been hacked. This data can be used to clone a card. It is sold for about $10-$50 per dump. A good portion of them are debit cards. Meaning, if you have the PIN, you can then use them at an ATM and withdraw cash.

      So, the simplest explanation is you have a boiler room that is set up to turn these dumps into dumps + PIN, which means instead of trying to use a card to buy merchandise you have to then resell for cash, you can use the cards to pull cash straight out of an ATM.

  26. Alister Cameron

    Could there not be a two-way passphrase regime? Could I not give my bank a secret word or phrase which they need to say to me, so I can prove it’s really them?

    It used to be that I needed to prove I was me to them… but now they need to prove they’re them to me (!). So… why not a passphrase they have to authenticate with me?!

    In that scenario, the first thing you’d always ask the caller/scammer would be, “What’s the secret phrase please?”

    There could even be a 2FA app of some sort where both you and the bank/company need to speak codes out to each other which match both ways.

    I don’t think it’s an impossibility to solve…

    A

    1. Jobani

      Sure! You can give a bank a passphrase they would use to identify themselves when calling you. You just gotta ask.

    2. Readership1

      “Alister, we have a concern regarding your account. Please call us at the number on the back of your card or account passbook.”

      Any call that deviates from that is a scam or an example of a financial company unworthy of your business.

      Codes and countercodes, land of absurdity.
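The mutual "speak codes to each other" scheme Alister Cameron proposes in comment 26 is a mutual challenge-response, and the two details that make or break it are that each direction gets its own code and that codes expire. The Python below is an added example written for this page, not code from Krebs on Security or from any bank; the secret, the time step, the six-digit length and the direction labels are all assumptions. Codes are derived by HMAC-SHA256 over a shared secret plus a direction label plus the current time step, so a scammer who talks you into saying your code first cannot repeat it back as the bank's code, and a code overheard on one call is dead on the next.

```python
"""Mutual spoken-code authentication for a phone call (constructed example).

Bank and customer both hold an enrolled secret K (assumption: set up in the
branch or through online banking).  Each direction of the call has its own
label baked into the code, and codes roll with the clock, so:
  * the customer can demand the bank's code before saying anything, and
  * a code the customer says aloud is useless as a "bank" code (no reflection).
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 60      # assumption: codes change once a minute
DIGITS = 6             # assumption: six spoken digits, like an app OTP
SKEW_STEPS = 1         # accept the neighbouring step to absorb clock drift

BANK_TO_CUSTOMER = b"bank->customer"   # direction labels give domain separation
CUSTOMER_TO_BANK = b"customer->bank"


def _step(now: float) -> int:
    return int(now // STEP_SECONDS)


def spoken_code(secret: bytes, direction: bytes, step: int) -> str:
    """Derive a DIGITS-digit code bound to (secret, direction, time step)."""
    msg = direction + b"\x00" + struct.pack(">Q", step)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation, as in RFC 4226
    val = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)


def bank_code(secret: bytes, now: Optional[float] = None) -> str:
    """What the bank must read to the customer before asking anything."""
    now = time.time() if now is None else now
    return spoken_code(secret, BANK_TO_CUSTOMER, _step(now))


def customer_code(secret: bytes, now: Optional[float] = None) -> str:
    """What the customer reads back once the bank has proven itself."""
    now = time.time() if now is None else now
    return spoken_code(secret, CUSTOMER_TO_BANK, _step(now))


def verify(secret: bytes, direction: bytes, spoken: str,
           now: Optional[float] = None) -> bool:
    """Check a code for one direction within +/- SKEW_STEPS of the current step."""
    now = time.time() if now is None else now
    digits = "".join(ch for ch in spoken if ch.isdigit())   # tolerate "123 456"
    step = _step(now)
    ok = False
    for s in range(step - SKEW_STEPS, step + SKEW_STEPS + 1):
        # evaluate every candidate in constant time; no early exit on match
        ok |= hmac.compare_digest(spoken_code(secret, direction, s), digits)
    return ok


def simulate_call(customer_secret: bytes, caller_secret: Optional[bytes],
                  caller_reflects: bool = False,
                  now: Optional[float] = None) -> dict:
    """Customer-side view of one inbound call.

    caller_secret=None models a scammer with no enrolled secret.
    caller_reflects=True models a scammer who got the customer to speak
    first and now repeats the customer's own code back as the "bank" code.
    """
    now = time.time() if now is None else now
    if caller_reflects:
        claimed = customer_code(customer_secret, now)      # reflected code
    elif caller_secret is None:
        claimed = "000000"                                 # blind guess
    else:
        claimed = bank_code(caller_secret, now)            # genuine bank
    caller_authentic = verify(customer_secret, BANK_TO_CUSTOMER, claimed, now)
    # Customer releases their own code only after the caller has proven itself.
    response = customer_code(customer_secret, now) if caller_authentic else None
    return {"caller_authentic": caller_authentic, "customer_spoke_code": response is not None}


if __name__ == "__main__":
    K = b"enrolled-secret-example"        # constructed secret for the demo
    T = 1_700_000_000.0                   # fixed clock so the demo is repeatable
    print("bank says     :", bank_code(K, T))
    print("customer says :", customer_code(K, T))
    print("genuine bank  :", simulate_call(K, K, now=T))
    print("guessing scam :", simulate_call(K, None, now=T))
    print("reflecting scam:", simulate_call(K, None, caller_reflects=True, now=T))
```

Readership1's objection still stands as the cheaper control: "call us at the number on the back of your card" needs no enrolment and no app. The value of a scheme like the one above is that it lets the customer put the burden of proof on the caller before any account detail is spoken, which is exactly the step the caller in the article skipped past.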

  27. George

    These calls are definitely becoming more pervasive and the scammers are continually innovating. I got a call last week, right in the middle of a very busy work day, that came up as ‘Home’ on my personal cell phone. Below where it displayed Home it listed the random 1800 number the scammers were using. I nearly fell for answering it based on my first glimpse. Be careful out there people.

  28. Steve K Pittman

    The guy at the beginning of the article is an idiot. This is a slightly more clever scam than most, but not at all beyond the capacity of the average person to catch. There are 5 things wrong with this call that are pretty easy to spot, and they all stem from deviations in the usual pattern of how banks operate:

    1) A bank would never call you repeatedly like that. They call once, leave a voice mail if they don’t get an answer, maybe also send an email if it’s urgent. Unless the person calling knows you personally, this is sketchy and should immediately make you skeptical of everything that follows.

    2) Fraudulent charges, but keep the card active anyway? The bank will normally turn the old card off immediately and send you a new one. This is very sketchy.

    3) Customer service will ask you to read them your address, not read it to you. This smacks of someone trying too hard to convince you that they are who they say they are. If #2 didn’t convince you, you should by this point be thinking that something’s up.

    4) Asking for the CVV# is shady as hell. It’s only ever used when making purchases with the card, which a bank is not going to be doing, and thus shouldn’t be asking you for it. This is very probably a scam, especially in light of #2.

    5) Anyone who asks for your PIN is not a bank. Every bank I’ve ever done business with says up front: We will never ask you for your PIN, do not give your PIN to anyone, ever. If all of the previous inconsistencies failed to convince you, this one should all on its own — it’s a huge red flag. So, if the alarm bells are going off, why the hell would you give them what they’re asking for? And then think it was legit afterward?

    People say there’s no way they’d fall for that because what this guy fell for sent up a lot of red flags including just about the biggest one there is in such situations (asking for your PIN.) If you’re ever even slightly in doubt it costs you nothing to just hang up and call the bank directly.

  29. RoseMary Leddy

    I got tired of having to run to the phone to see who was calling, letting it go to voice mail if I didn’t answer it and then having to take the time to delete all those hangups. I bought a call blocker with a big red button to block any future calls from that number. The blocker has 5000 pre-entered numbers that it automatically blocks, and my robo calls and telemarketing calls are down to two or three a week, and those get the red button. Best $85 I ever spent. No more “Hi Grandma, I’m in jail—-send money!”

  30. Jobani

    One way to avoid falling for these fake callers claiming to be your financial institution is to set up withdrawal alerts. That way, you don’t have to wonder if the call is legitimate because you would already have received an alert the second the charge was made and would have called your bank if need be.
