23
Apr 20

When in Doubt: Hang Up, Look Up, & Call Back

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Today’s lesson in how not to get scammed comes from “Mitch,” the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry — having worked in security for several years at a fairly major cloud-based service — so he’s understandably embarrassed that he got taken in by this confidence scheme.

On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card.

But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn’t ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they’d be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up.

The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.

Now confident he was speaking with a representative from his bank and not some fraudster, Mitch read back the code that appeared via text message shortly thereafter. After more assurances that any additional phony charges would be credited to his account and that he’d be receiving a new card soon, Mitch was annoyed but otherwise satisfied. He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity.

That is, until the following Monday, when Mitch once again logged in and saw that a $9,800 outgoing wire transfer had been posted to his account. At that point, it dawned on Mitch that both the Friday and Saturday calls he received had likely been from scammers — not from his bank.

Another call to his financial institution and some escalation to its fraud department confirmed that suspicion: The investigator said another man had called in on Saturday posing as Mitch, had provided a one-time code the bank texted to the phone number on file for Mitch’s account — the same code the real Mitch had been tricked into giving up — and then initiated an outgoing wire transfer.

It appears the initial call on Friday was to make him think his bank was aware of and responding to active fraud against his account, when in actuality the bank was not at that time. Also, the Friday call helped to set up the bigger heist the following day.

Mitch said he and his bank now believe that at some point his debit card and PIN were stolen, most likely by a skimming device planted at a compromised point-of-sale terminal, gas pump or ATM he’d used in the past few weeks. Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

To make matters worse, the fraud investigator said the $9,800 wire transfer had been sent to an account at an online-only bank that also was in Mitch’s name. Mitch said he didn’t open that account, but that this may have helped the fraudsters sidestep any fraud flags for the unauthorized wire transfer, since from the bank’s perspective Mitch was merely wiring money to another one of his accounts. Now, he’s facing the arduous task of getting identity theft (new account fraud) cleaned up at the online-only bank.

Mitch said that in retrospect, there were several oddities that should have been additional red flags. For one thing, on his outbound call to the bank on Saturday while he had the fraudsters on hold, the customer service rep asked if he was visiting family in Florida.

Mitch replied that no, he didn’t have any family members living there. But when he spoke with the bank’s fraud department the following Monday, the investigator said the fraudsters posing as Mitch had succeeded in adding a phony “travel notice” to his account — essentially notifying the bank that he was traveling to Florida and that it should disregard any geographic-based fraud alerts created by card-present transactions in that region. That would explain why his bank didn’t see anything strange about their California customer suddenly using his card in Florida.

Also, when the fake customer support rep called him, she stumbled a bit when Mitch turned the tables on her. As part of her phony customer verification script, she asked Mitch to state his physical address.

“I told her, ‘You tell me,’ and she read me the address of the house I grew up in,” Mitch recalled. “So she was going through some public records she’d found, apparently, because they knew my previous employers and addresses. And she said, ‘Sir, I’m in a call center and there’s cameras over my head. I’m just doing my job.’ I just figured she was just new or shitty at her job, but who knows maybe she was telling the truth. Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”

Mitch’s bank managed to reverse the unauthorized wire transfer before it could complete, and they’ve since put all the stolen funds back into his account and issued a new card. But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

What else could have made it more difficult for fraudsters to get one over on Mitch? He could have enabled mobile alerts to receive text messages anytime a new transaction posts to his account. Barring that, he could have kept a closer eye on his bank account balance.

If Mitch had previously placed a security freeze on his credit file with the three major consumer credit bureaus, the fraudsters likely would not have been able to open a new online checking account in his name with which to receive the $9,800 wire transfer (although they might have still been able to wire the money to another account they controlled).

As Mitch’s experience shows, many security-conscious people tend to focus on protecting their online selves, while perhaps discounting the threat from less technically sophisticated phone-based scams. In this case, Mitch and his bank determined that his assailants never once tried to log in to his account online.

“What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online,” Mitch said. “I absolutely should have hung up and initiated the call myself. And as a security professional, that’s part of the shame that I will bear for a long time.”

Further reading:

Voice Phishing Scams are Getting More Clever
Why Phone Numbers Stink as Identity Proof
Apple Phone Phishing Scams Getting Better
SMS Phishing + Cardless ATM = Profit

144 comments

  1. I have two VoIP lines. One is given to everybody I don’t know and scammers. Any calls go to voicemail or are blocked. It never rings. The other line is with OOMA and allows me to direct all calls to voicemail that are not on my contacts list. The contacts list is everybody I know or expect calls from. My phone never rings from telemarketers or scammers. Let them waste their time trying to call me. Nobody here will answer them or fall for their scams.

    • Exactly this — 0nly allow calls to ring through if they are in your contacts. Everything else goes to voice mail and you can call them back if you want.

      Until the carriers and phone makers (Apple seems to not know they are a phone company) figure out spam calling, this is the only option. I have had no luck with spam blocking apps on iOS.

      • But yet Apple does allow only numbers in your contacts to ring through. How much more can they do not being a carrier?

    • I do nearly the same thing. I had my old land line ported to VOIPO for thirty six dollars per year. VOIPO forwards my calls to Google Voice which is free and allows me to block callers. I give out my old land line number to everyone except medical professionals, friends, family, etc. I wind up blocking nearly 100% of the calls to my old land line.

      If a caller isn’t in my iPhone Contacts list, the call goes to voicemail. If the caller to my cellphone doesn’t leave a message, I check the number online to see if it is an unsolicited call. If it is an unsolicited call, I block it. My outgoing message essentially says to leave a message or be blocked. I meticulously either block or add numbers to my cell phone contact list for people or business I want calls from.

      I NEVER give callers any personal information over the phone. If I get a credit card fraud call, I politely terminate the call and call back using the number on the back of my credit card.

      My credit review agency accounts are frozen and cannot be compromised. I NEVER give out my credit card number over the telephone. I use 2 different credit cards. One of them is for the slide card readers that can be skimmed and for any charge that can be compromised. The other is for places that have my credit card on file like utilities, medical care, and handful of trusted vendors. Since I have been using 2 credit cards, I haven’t had to change the credit card number on file except when it expires.

      As far as I can tell I tell I am completely shielded from fraud. But I am on guard. You never know what clever criminals are going to come up with next.

    • But that would not have likely helped in this case. Sure, the 1st call would go to voicemail, about actual/real fraudulent charges. Most folks would check their account, see there is a problem, and it call back the number left, or even call their bank back. All that was fine, as the 1st call was just bait/setup to build trust for the larger 2nd phone based MITM attack for the larger wire-transfer.

      After that, the 2nd call (also would have gone to voicemail in your case), but assuming they gave some different number for a call back, and given the 1st call’s info about actual fraud, most folks would call back to see what is the new issue. That’s where the more “important” info for the larger wire transfer was happening.

      The key failing here, is the MITM attack, where they get a OTP to then change the instructions to the bank to allow the wire-txfr.

      This is fairly elaborate, somewhat real-time based on a phone and even a Yubi-key or other OTP device would be problematic, given it’s all just MITM over the phone while the attacker also has an open channel to the bank, with an “valid” initial call to setup trust.

      My only thoughts around prevention are daily checks on the accounts (or ATM usage alerts), to start interaction with the bank, to change PINs, etc. for the initial fraud – before the attackers could get setup (new wire-transfer account) for the 2nd part of the attack. Basically, since the 1st call is valid, you have to move faster then they do.

      Also, moving to chip and PIN, versus mag-stripe would help with the larger card skimming issues (that allowed the initial setup of the attack), but that’s a longer term discussion for another day

    • Many scammers and telemarketers make robocalls to every possible telephone number. How do you avoid those calls?

    • Have you got some hints on how to get started with this? Sounds like a great idea

  2. > Mitch decided to use another phone to place a call to his bank’s customer service department

    This seems to be correct – what did he miss: by calling the number sent to his phone instead of the main number from the back of his card?

    • He should have hung up with the person who called him. He didn’t. He kept them on the line for some reason while he made the call to his bank.

    • The truth is he didn’t call his bank the second time. The number sent to his phone was the attackers’ number. If he would have called the number on the back of the card he would have had a much higher chance of actually reaching his bank.

  3. It’s an easy game. Whenever the person on the other end want you to read out the code they’ve sent you to your device make them read it first to confirm they are the ones who sent it. They can easily sent as many codes to you as they wish but if they don’t know them then they’re not who they pretend to be. If they read aloud the correct code they can resend another one for you to do the same and validate your own identity.

    • The devil is in the details. If you were talking to a scammer, who [has an accomplice that] is talking to your bank, and you ask the scammer to read you the first code, they’d just echo that request to your bank, and give you whatever answer the bank gives them. If the bank reads the code to the scammer and then sends you a second code, the scammer will correctly read the first code to you, and ask you to read the second one to them, which they’ll read to the bank, after which both you and the bank probably are happy with your “mutual verification”, unaware of the person(s) in the middle.

      Sure, the “middle person(s)” will cause slight delays, but if they’re any good, the one pretending to be your bank will smooth-talk you, saying their IT systems are a bit slow today, and maybe bang a bit on a keyboard to make it sound like they’re trying to get something to work, while the person pretending to you, will tell your bank the cellphone network is a bit slow, and might have a sampled SMS signal (or similar) to play in the background when they “received” the code. Both excuses are plausible and probably whouldn’t raise any suspicion on their own, if done skillfully.

      • Yes, the main point is, the code bank sends you is known to the person in advance (or at least the moment they send it). They have to see it on their display in front of them so they can confirm it. So anything they tell you after a delay should be considered invalid. They send the code, thus the delay can only happen in GMS network delivery so they must know the code even before your device receives it in form of an SMS or e-mail delayed by the network.

        • getting ones phone number is easy,
          so by having the bank to read a number that is sent by SMS from a spoofed phonenumber proves what exactly?

          I do not believe there is a solid identification method that protects against a man in the middle, otherwise calling the bank telephone number printed on the debit/credit card (then getting forwarded to the right department managing the case)

          • Can a phone call that you make over cable be intercepted and the other end of the conversation spoofed? Too many people seem to be digging underground.

      • Every SMS from the bank should have date and time of creation in it. It is inserted the moment the other person sends the request so it does not have anything to do with processing delays in any equipment involved. If it does not match the time the person on the other end of the line says he/she is sending the code I would be naturally suspicious.

        The only other option to prevent any man-in-the-middle is to perform some sort of encryption where both you and the bank only know some secret you use to modify the SMS in a way that both you and the bank can confirm the SMS is valid without exchanging the secret over the phone like we do it in SSL/TLS.

    • This will not work if the bank takes security seriously. What should happen is only you will get the code and know it until you share it with the rep. They enter the code and can only confirm that you gave them the right code or the wrong one. They shouldn’t know the code ahead of time as that opens things up to someone calling to impersonate you, then blustering the rep on the phone into entering the code, bypassing the security of sending you the code in the first place.

      • Robert Russell

        You are correct that a properly designed OTP system will only allow verification of the OTP by customers or a company representative.

    • This is a brilliant idea. 3 step authentication without nearly as much trouble implementing as the second step was.

  4. To me this reinforces something I tell my users when they fall for a scam email or call. Sooner or later everyone falls for something, even the most experienced and savvy security professionals. So don’t be ashamed to report what happened. The key is to have resilient and recoverable systems in place for those times. Security pros often forget the recoverability, reversability, robustness, whatever you want to call it, is a valuable and powerful tool for risk reduction.

  5. I am really liking the subscription to Krebs on Security. I always watch for new events that might relate to my use of the internet for many sites I visit, but Krebs has some of the most unique findings and explains the situations well enough for me to benefit from the knowledge. This article is really powerful as I learned several things I did not know and I plan to print this article out so I can read it again more closely. Then I will explain it to my family members so we can all learn from it. Thank you Krebs!!

  6. There is a free web site that will provide anyone that enters a name an state with a target’s previous addresses. it also provides links to that target’s likely relatives. The web site was reported in several national news outlets a couple years ago as being a concern for law enforcement. None of the reporters at the time pointed out that the previous addresses and current address are used as security questions for financial service companies.

    https://www.washingtonpost.com/news/the-intersect/wp/2017/01/12/youve-probably-never-heard-of-this-creepy-genealogy-site-but-its-heard-all-about-you/

  7. I recently had fraudulent charges on my credit card including someone who signed up for Netflix with automatic renewal.
    I notified the CC company and got a new card, The next month, there was the Netflix charge. I called the CC company again and they said they had transferred the Netflix account to my new card as a courtesy, so I wouldn’t have to miss a single day of Netflix.

  8. This works most of the time but my father recently fell victim to these folks: https://canon.com-ijsetup.com/download-driver

    He claims to have gotten there by following links from Canon’s website while setting up a new printer.

    Fortunately he realized something was amiss part way through the call and contacted me before giving the scammers remote access to his computer and allowing them to bill him $200/year for a “SonicWall firewall”.

  9. The one part I don’t understand is the existing fraudulent charges on his account. Did the scammers already have access to the account and make those charges over several months as part of a really long con? Or did they just get lucky and call someone who actually had fraudulent charges on their account and go forward from there?

    • They probably didn’t get lucky, they probably already had his banking and related details. So they ran through those fraudulent charges in order to test if his cards were good in preparation. Since they kept being able to make those charges they knew he wasn’t closely monitoring his account, which let them go forward with their next step. While they could make small fraudulent charges, they didn’t have authorization to initiate a large wire transfer, which is what these calls were all about.

    • I had someone withdraw very small amounts, form $1.00 to $10, from my account over a period of a few days. I called the bank when I noticed, and they gave me the information. I told them I didn’t authorize any of those. They told me that often those charges are a way to see if they’ll clear or be contested before a larger charge is made. They closed my account, and gave me a new card.

      Always monitor your accounts and trust no one who calls out of the blue.

  10. I don’t carry my ATM cart with me unless I am on my way to the bank during regular banking hours to withdraw cash from the ATM that sits before the information desk. I use apps to buy gas and never swipe a card.

    I use Apple Pay wherever possible, which, of the places I usually go, I think there is one left where I am stuck using the chip. Wherever possible, e.g. Home Depot, I will order the things I need online and go pull it from a locker in the doorway of the store.

    Like an earlier commenter, I also separate my business VOIP from my personal VOIP and never answer the business VOIP unless I recognize the number.

    If someone like Mitch isn’t doing these same things, and I am not a security pro, I have to wonder which of us is doing life wrong? Maybe I have a false sense of security?

    • A different Matt

      Like all security, there is a cost to every security measure you implement. That could be money, time, attention, convenience, or even “DOSing” yourself.

      At some point the cost of recovery is cheaper than the cost of prevention. Part of being a security professional is working out where that line is.

      Or you could be like one of those internet securitards who keep all their secrets encrypted by a key stored on a USB stick stored next to a hammer and acid bath. And then destroy it when a pizza delivery guy turns up at your door by mistake cause you thought it was the police come to raid you.

  11. DelilahTheSober

    I just got this email from my bank and I thought this specific paragraph was interesting and relevant.

    How to recognize valid communications:

    Spot a phishing email by verifying the sender email address. Scammers will misspell, add characters, etc., to email addresses and domain names.

    Text messages from (name of bank) typically don’t show a complete phone number as the sender of the text. We normally use shorter codes of 5 or 6 digits that are displayed with or without dashes.

    During an online session or while speaking with Customer Service, (name of bank) may send you a one-time passcode to verify your identity. If you receive a code without having initiated one, please be wary of someone calling you to provide that number. We won’t call you to request the code. When we send a text or an email with links, the link will always take you to our site and will include “nameofwebsitedotcom” or “nameofwebsite”. As a best practice, you can hover over a link or copy & paste it into a browser to view the URL it is directing you towards. If you receive a suspicious text or email message that appears to be from (name of bank), you can login to (website removed by me) to view your account status.

  12. Wow that is quite elaborate… What’s bad is that a lot of people think the pinnacle of phone-scams is some guy with a thick Indian accent calling you and telling you that you have to pay $20k in taxes with bitcoin, or an automated message saying you won a cruise that requires a deposit.

    Some of these are downright terrifying, such as this or some of the other elaborate phone scams involving technology. I can definitely see a high percentage of people falling victim to this.

  13. Wow, I just checked my bank balance.
    Still intact for now.
    This was helpful.

  14. Phone Scams in lots of case are from current phone companies outsourcing their service support to 3rd world countries. With disclosure of confidence all company info is protected and not given. When the last trainer closes the door behind them leaving the new support center. New support people open the books setup un-used DNs (directory numbers) too Scam groups and allow them use for few days for $$$’s – using the high tech against the countries and peoples its too support. CEO greed and in a bet this is a plan all the way to allow country tech used against them to cause chaos. Works pretty good. Why are the CEOs not accountable for their company tech and its integrity when these things are being performed around their knowledge and side stepping truth of hack. Bring back all outsourced tech and teach those to learn for themselves – in many a case will prevent such. One primary! – if you do not know the number leave it to voice mail. If the call is important a VM would be left. Review and then consider a call back. 90% of time calling the number back you will find no translations for incoming calls number is not in service and or only 1 network ring to dead air. Any banking with online only – is a 50:50 risk for users. That being hacks can steal a company DB(database) and make havoc on its customers. IT admins have to be totally diligent to protect #1 asset. The Companies Access and protocol procedures to business. Never trust anyone. Prove it and or walk into your bank and perform face to face checks on any unknown activities and or requests. Get the callers name their id. Their bosses name and hassle back some. Ask them where they are sitting right then. Whats the weather – ask a little Questions can also help in determining due process. Don’t use online only banking or only process very small purchase guidelines. With minimal account balances. Learn by these examples to toughen up.

  15. You can have wide-band knowledge in many areas but no one can truly be ready for everything that will come your way.

    Your humility is refreshing.

    You might like a book called Sleights of Mind: What the Neuroscience of Magic Reveals about Our Everyday Deceptions by neuroscientists Stephen Macknik and Susana Martinez-Conde, with science writer Sandra Blakeslee.

  16. I use this for all my voicemail and calls, the Jolly Roger Phone company.
    https://jollyrogertelephone.com
    It makes people go through a series of pressing 1 if they are not whitelisted, prove they are a person. You can also have those calls go to Bots to wasted their time. You can whitelist and black list callers. The service is $12 a year. It is totally worth it.

  17. Rule #1: do not EVER use your ATM/debit card anywhere other than a bank’s own ATM
    Rule #2: see rule #1

    • This. I’ve gone so far as to downgrade my bank debit card to an ATM card that only works at ATMs for withdrawing cash. I use a charge card for all payment card purchases, ideally via a mobile wallet so it’s further obfuscated, giving me a layer of protection between my fake money (credit) and my real money (my bank account).

      Getting spend notifications via a mobile wallet, like Apple Pay, is more secure than receiving text or email notifications. Even bank apps provide more secure means of notifying its users of activity than text/email.

  18. Measure for Measure

    I got a call from my bank the other day, asking me for security information because the check I used had been issued by them many years ago. I told them I couldn’t do that, but that I could call them back.

    No fraud occured. The process did take me a good 30 minutes.

    • sort_of_knowledgeable

      If they knew the name and amount on the check, I would probably consider it sufficient identify verification and the without having to call the bank back. If they have that level of a knowledge of peoples accounts they probably have bigger targets than me.

  19. Phone call scammers can take control of your phone such as to make the victim believe that their call to, say, their bank has been successful whereas they were speaking to the scammers all the time.

    In that situation, I would call a different number so as to expose the scammers for what they are. In the UK, the British Telecomm test number 17070 is very handy for these things, option 2 Quiet Line Test being especially so.

  20. Never, NEVER, NEVER, NEVER, NEVER, NEVER, NEVER, NEVER, EVER, EVER, EVER answer a phone call from an unknown number. And even if the number is spoofed as one you do recognize, tell them “I’ll call you back”, then call the REAL number. Banks, credit card issuers and other financial entities will NEVER initiate a call to their customers to get “more information” in order to get you to reveal sensitive information. Always check, recheck and verify.

  21. This was certainly helpful. It is always safe to never give away any personal details over the phone and terminate the call asking for card details.

  22. I get calls all day long at work and it is insane how comfortable these callers feel asking for all kinds of personal information. Most of the time it is just telemarketers looking to talk to the department director. But no, I will not give you the phone number and email of our IT director…. Thanks for a great article Brian, some of this info inspired me to post my own article https://securingninja.com/types-of-cyber-attacks

  23. And people wonder why elderly people do stupid things. Criminals get creative.

    It interesting to hear that people still use ATM cards. Since I rarely use cash, I can live off of $100 for 6 months at times.

    I often glance at the subjects, from email addresses on emails in one of my rarely used (for anything important) accounts.

    As I try to tell others, if in doubt call in to the bank, although right now the hold times can be crazy. I’m trying to cancel a credit card via a secure message (no interest on waiting on hold just to cancel a card) and also to dispute a charge on another card.

    And outsourcing stuff doesn’t always work well as we are learning in multiple ways now.

  24. is this story from some 3rd world country because it sure looks like.
    i live in a 2nd world country and my bank sends me a sms with a pin on EVERY transaction i make more than 20 euro online. Even if i withdraw from an ATM money the bank app sends a push notification too so this thing happening in USA in 2020 is really laughable.

    • A different Matt

      Well the bank did sent the SMS with the PIN. The scammers socially engineered it out of him during that second call. What was missing was an explanation of what the PIN is authorizing. If the SMS said “this PIN is to authorize a payment of $9700 to Mitch”, then the scam would have died right there.

      But yes the US is quite backward when it comes to banking. I found the same in parts of Europe.

      Less developed countries often have a more modern system as theirs came later. Developed countries have older legacy systems which take time to change.

  25. Thank you for another wonderful, eye-opening useful article. I have been attacked for years by a known group of hackers, stalkers, doxers, swatters, fraudsters. It is impossible to comprehend the long list of things this group has done. I have learned and observed quite a few things. I’d like to pass along some of the most useful:

    1) Many people who call themselves “Infosec” and who seek and get jobs in that field have been involved in fraud and/or hacking. Companies should really search the social media, associations, and backgrounds before they hire.

    2) Fraudsters may try to cut their fraud target out of the picture by convincing the target’s phone company to forward the target’s calls to the fraudster’s number. Just about the only thing that will prevent this from happening is if your particular phone company has you choose a pin number that is required for all transactions and service requests.

    3) Be aware if you start to get emails from an investment account you never opened. Since companies like this are generally non-responsive, you might need to file a complaint with the Federal Trade Commission and the police or FBI.

    4) Never click on any link in an email.

    5) Never, never ever answer your phone unless it is from a known caller.

    6) If a call comes from one number and they leave a voicemail telling you to return the call at a different number, never return this call.

    7) If someone calls you and leaves a voicemail saying to return their call, and says they are with a bank, school, company, FBI, government agency, etc., go online or to known paperwork and look up the real number. Only return calls to real, verified numbers.

    8) I had a situation where a supposed IT person in San Jose, CA, who is a known stalker and extortionist, bought up domains and emails in my name and the name of my business. He used those to further stalk me, impersonate me with many others, to use to open accounts in my name, and to attempt extortion. If someone is buying up domains and emails in your name, you MUST report it to the FBI! They may not arrest the person forthwith, but you can bet they will have that person on their radar. People who do these kinds of things try to bully their victims into thinking there is no action they can take to protect themselves or that taking action will bring worse trouble upon themselves. Quietly report it to the FBI and keep reporting with each incidence.

    9) Let your local police and FBI know if you are likely to be a target of swatting. This can save your life or the lives of others. If you have already been a victim of swatting, you are very likely to be a victim again.

    10) If you are a target of stalking, fraud, or swatting, Do not publicly post photos of your home, family, belongings, car, or anything else that can be used to locate you. Do not post any photos where efix metadata are intact. Twitter and facebook automatically remove efix. Check to see what other sites do before you post.

  26. Remember when “Hello?” was enough?

  27. FYI: The webform rejected my comment, I came back and the form fields were blank.

    How common is it for a human employed by a financial institution to REFUSE to enable textmsg notification of transactions, for a customer who doesn’t trust online banking?

  28. When in doubt???????
    NEVER respond to billing, emergency or urgent emails. No mater what email is received, ignore them and ONLY contact companies directly.

  29. Honestly, I know the guy is embarrassed given his professional background, but for me, that’s what kept me reading the article, so in a way, I’m glad it happened to someone so knowledgeable about fraud? I like to think that I, too, am extremely savvy about fraudsters and originally was going to breeze past this article and chalk it up to another gullible person falling for an obvious trap. Once I read that the victim used to work in internet security, that’s what peaked my interest enough to keep reading. Holy heck. I would have fallen prey to the same scam, had it been me. It’s a scary world out there. Thanks for the story.

  30. There is no shame in that Mitch, it’s a learning process, and see good has come from it, you are able to give others info we didn’t have before, you have saved hundreds of people from this happening to them, thanks