I wish there was a coordinated public service campaign around "Hang up, Look up, Call back". I feel like if we could really ingrain those 6 words that it would go a long way to blocking these types of phishing scams.
Number one thing I tell folks in my security training is to never respond or click a link on an inbound message. Instead, look up your bank or service provider and make an outbound call (or direct URL navigation) to them.
I had a call from my bank, and before they could even tell me what it was about, they asked me to answer some security questions. When I pointed out how ridiculous that was, and I asked them to prove their identity first, they didn't even have a process for it. Calling back was also impossible since apparently there was no way to get connected back to the person with whom I was speaking.
I was unable to get back in touch with them, and a week later someone else called from the bank trying to do the same, and the same thing happened again. I refused to answer their security questions and they had no way to prove their identity.
The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since. I wonder if I'm flagged in their database as someone who shouldn't be asked security questions.
It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
> Calling back was also impossible since apparently there was no way to get connected back to the person with whom I was speaking.
You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
> The next time they called, they didn't ask for the security questions anymore and just got to the point immediately. They have never asked for it since.
This does not look like success to me. It looks like failure. What your bank should be doing is sending you a message via some known channel--like the message center on their website, where you can see messages for you when you log in--telling you that there is an issue that you need to call them about. If you're giving information to someone who calls you out of the blue and says they're from your bank, you're setting yourself up to be scammed.
> It looks like you didn't even try it. In order to do what the GP described, when your bank calls you, you say nothing and answer nothing. You hang up and call back on a number you know.
I did do exactly that. I asked them for a reference that I could give when I call back. They couldn't give me that. I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
> If the bank can't answer that question, it's time to find another bank.
Thankfully, that's not my normal bank. This was the bank that has my car loan. That's my only interaction with them. It's unlikely I'll have more business with them.
> This does not look like success to me. It looks like failure.
Absolutely. This along with the other issues suggests that they value convenience over security. Also, this is not a small bank we're talking about.
I have never seen issues this bad with other banks, but the problem is that when there are banks that get away with this, that suggests people in general do not make a fuss about it and simply accept whatever people tell them on the phone. If nothing else, it proves why phone scams work.
If the bank didn't even have an answer when I asked them to authenticate themselves, that suggests very few people even ask.
Asked who? The people who called you out of the blue and you weren't sure it was legit? I wasn't recommending that at all. I said, explicitly, that you say nothing and answer nothing when you are the recipient of the call. You only say or ask anything when you are the one who initiated the call, to a number that you already know via some other information channel belongs to the bank.
> I then did try to call them back, and said "someone called me about something just now, what was it?" and they were not able to tell me.
Did they say there was any issue with your account? If there wasn't, then that would indicate that the previous call you got out of the blue was not legit. If they weren't even able to tell you that, then yes, this sounds like a really incompetent bank.
> You don't have to. You just ask the bank when you call them back: did someone just call me a little bit ago? What about?
> If the bank can't answer that question, it's time to find another bank. Any reputable bank will be able to look at your file and see that a call was made to you and what the issue was.
That won't help: all the phisher has to do is make a call at around the same time that the legit employee called you. The person you called back would probably not be able to tell you what the call should be about anyway.
The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
> The idea is to call the institution back, often customer service, or log in to your account and check for alerts or messages. If customer support knows nothing about the contact attempt, I presume it's not legitimate.
And I'm saying that even if the customer support knows about the call, that doesn't mean that the next call you get in 2m from the bank is legitimate.
In all cases, anyone reaching out to you from your bank should be treated as not legitimate. The only way to do this is to call the bank yourself, and get put through to the person who wants to talk to you.
Any other way including the way you said you'd do it is vulnerable to phishing.
You don't call the bank, check whether it's legitimate, then wait for them to call you again. You call, confirm that they were attempting to contact you, then complete the issue on that same call.
You're not wrong about the incoming calls, but I can't figure out who you're replying to. Nobody above you in the thread seems to be suggesting that the bank ever call you. And certainly not call again in a short time.
> I'm saying that checking with the bank doesn't indicate that a call was legitimate
If you call the bank, using a customer service number that's already known to you, either they will say there's an issue with your account or they won't. So calling them does tell you, indirectly, whether the previous call (that you hung up on and gave no information to) was legitimate or not. But more importantly, it tells you, regardless of the status of the previous call, whether or not there is an issue with your account, and that's what you care about.
Note that you never have the bank call you back in this scenario. You call them, and that's it. You don't call them and ask them to call you back.
They wanted to tell me that I hadn't made my loan payment. They were right about it. I did miss it. I had made a larger payment a few months earlier, and I hadn't resumed regular payments.
Most banks have separate customer facing departments and back office departments that process paperwork. In the full evolution of this setup the customer facing departments are basically useless, and answer your questions by putting you on hold while calling up a back office department. Getting the actual details of some issue is like pulling teeth with these arrangements, because the front end has no domain knowledge. But every so often a person from the back office will call you to ask a question and you'll get to speak to a real human who can intelligently tell you the status of an issue. And so when you get calls like that, your choice is to either just roll with their insecure process where they want to verify you but you don't verify them, or give up getting that additional visibility and ultimately spend more time on the phone working through the front end.
The issue I imagine here is that calling the bank can be costly both in hold time and in phone fees. If banks were able to remove this disincentive to call by ensuring that their phone lines have zero wait time, and offering to immediately call back to avoid billed-by-the-minute phone charges (or in the case that they already offer this, by making it clear to customers), then I think there'd be a larger uptake of the idea of "hang up, look up, call back".
As it stands, I'd be afraid of needing to wait 30 minutes on hold, and getting billed 30 minutes of call time by the phone company for the privilege. I'm not from the US, so it's possible that your banks are doing this part better than the local ones, but that's always the worry with the phone for me.
A Citibank security call I received impressed me; they seemed to completely understand me wanting to call back and gave me instructions to get back to them through the phone menu of the corporate line (that I looked up). Iirc it included a case id that got you right back to the same security team.
On that note, I should name and shame T-Mobile USA. They called me back after my line got disconnected and proceeded to ask security questions to verify me and pretended to not understand my concern when I said how do I know you are who you say you are. They were calling me on my T-Mobile line.
While that's a real problem in general, I would think that for this particular group of people it might be less of an issue.
We are well paid, and as such the majority of HN'ers should qualify for premier banking. One of the advantages of that is that you get access to quality in-house customer service, and may be able to call them directly from the banking app. (A really nice feature.) They tend to have good availability too. The plural of anecdote is not data, but I've never had to wait for longer than five minutes when I do have a problem that requires CS's involvement.
> I’m not from the US, so it’s possible that your banks are doing this part better than the local ones, but that’s always the worry with the phone for me.
Since the person is asking about what it’s like here I’m providing that perspective. In Canada banks also provide 1800 numbers so it should generally be free. I thought Canada has mostly unlimited plans but I haven’t had a Canadian phone plan in over a decade.
> The issue I imagine here is that calling the bank can be costly both in hold time
The solution to the time wastage problem is for the bank to have a better method of sending you information than random calls out of the blue. Most banks have a message center on their website, where you can see any messages waiting for you when you log in and can send messages in reply.
This is why I have a credit union with multiple locations nearby and they only have 1 phone number for customer service and I know it by heart. Good luck scamming me over email or txt, at least when it comes to my bank account :)
Obviously if your bank asks you to "verify" yourself after they've called you, it is 99% chance of being a scam and you just tell them you're going to call back and if they get desperate sounding it is 100% a scam.
It immediately eliminates anyone not thinking to spoof-call GP's small credit union. Given that most of the scammy calls I receive are about accounts with places that I don't have accounts, I don't think that level of targeting is the norm.
I have absolutely been called by Bank of America, both by an automated "did you really do this?" sort of fraud detection, and by a human calling to tell me my card number was known to be stolen and make arrangements.
Heck, I'm pretty sure I've gotten sales calls from them as well, though I never stay on the line long enough with those to be sure.
Same here. I also have a BoA account for most of my day-to-day stuff.
I use credit cards (in particular, an Apple Card) for almost every transaction. In fact, I seldom carry cash, which has been a problem, from time to time.
I won't use Venmo, or PayPal with direct bank account connection. It has earned me scorn, but you really only need to have a problem once to learn religion. I don't use credit cards for Venmo or PayPal for cash transactions, because of cash advance fees.
I always pay my account in full, every month. It also means I get Apple Cash, for a slush fund.
I do use direct bank account connection for a few things like utility bills, but that is a fairly primitive setup process, where there is no doubt about the other end. Even so, many outfits now allow bill pay, via credit card.
I've been called by Chase and at least one other for fraud alerts. If I recall correctly, the Chase message instructed me to call back using the number on my credit card.
It is not correct that banks will never call you in the US.
However, a bank should not ask you to verify your identity when they call you. This is the missing piece. If anyone calls me, I should not give them any information they don't already have. If they are the fraud department, they already know everything.
What are they calling about? Just curious - it seems like I’m wrong. Also maybe there is opportunity to develop some service for them so they do not need to call.
I think it will work way better when companies will plain stop calling customers at all.
As it stands now I receive ‘legitimate’ calls from a credit card company to open new options on my account. Or from my phone company to switch my plan. And the interesting part is that as it is ultimately to improve the caller’s monthly numbers, they won’t offer the same conditions online or through mail, I tried. And calling back the same person is a royal PITA. So in some cases, it costs me to not deal with transactions on the phone, inbound, from a person I need to trust to be what they say they are.
Most cyber criminals have a script. They don't deviate from the script unless they think they have a potential home run. Even then, going from this to sending out fake mail correspondence... That's a whole different toolbox. 99%+ of the time they will not even consider it. Especially since it's not scalable.
I remember that scammers got in touch with my wife, trying to get personal info. It was fairly elaborate. She got a call from a man that she said had "a golden voice," followed by official-looking mail correspondence (very quickly, which was suspicious in itself - it can take many days for my bank to get me correspondence). They had our home phone number, her name (not mine), and address; either through public records, or via a breach (which is why "they didn't get customer credit card info" is a worthless reassurance).
It was “Synchrony Bank,” telling her she was victim of a fraud. I contacted the real Synchrony Bank, and let them know about the fraud. The contacts stopped.
Unfortunately financial companies act outside of the best practices that make it impossible for the consumer to distinguish.
After being transferred during after hours, American Express asked me for some unnecessary information and I hung up. I called back and got someone different with a local US accent and I told them what I encountered and they said that's normal (facepalm).
I called back during normal business hours and the more expected experience occurred.
You can hardly teach a large part of the population how to drive a car and use the indicators when switching lanes. How can you expect to be able to teach them security processes?
The only working approach would be to make a law that phone companies must ensure that caller numbers cannot be spoofed in any way and make them responsible for losses due to spoofed numbers.
And require that banks publish which phone numbers they call customers from (like SPF is for email), and do so in a format that mobiles can use. So the mobile can show the customer "this is really your bank" or "unknown caller".
Has there been a breach of credentials associated with clicking on a link and having Firefox or Chrome fill in your password saved from the site? I am pretty paranoid, but if Firefox says it's able to fill in a saved cred from this site I assume it's probably the right site. Now I am paranoid enough that I don't do this for sites with a lot of downside like banking or the like... those are a strict "I'm calling the number on the back of the card or looking up the number from their website" kinda things.
Firefox/Chrome will link the saved credential to the domain name, so unless your bank lost control of its domain name, that's an unlikely attack vector. To be safe you can confirm that you're on the right site by manually looking up the domain name.
Yeah, that I get, but I am curious if there is a more subtle hack or technique that would bypass that somehow. Like a MitM attack or something more clever.
I recently heard about an incident where hanging up turned out to be more difficult than it should have been. Stay calm. Call from another phone perhaps?
If you don't have another phone would it be safe to first call some other known number and see if that goes through?
If it does, then you should be able to infer that the previous inbound call has (probably [1]) hung up, and it is now safe to call your bank.
[1] A sophisticated enough scammer could hold the line, give a fake dial tone, detect that the number you are dialing is not the bank number they expected you to dial, dial that number themselves on a different line, and relay between that line and yours to convince you that you really did have a clear line, and then keep holding the line when you then hang up and try to call the bank.
The tricky bit is I know some legitimate departments of my bank follow this policy -- so if they make an outbound call to me, they will trust what I say on the phone, but if I hang up and call them back, they will take down my number and call me back later.
I tried to buy something, but it was a large amount - over my normal usage. I had to call the bank, and they said "we're sending a code to your phone..." and the text message said "DO NOT share this code. We will NEVER call you or text you for it. Code xxxxxx. Reply HELP if you didn't request it."
So... they then say "what is the code?" that specifically says "DO NOT share this code". I know what's going on, mostly, but it was still confusing.
It’s worth pointing out that if you are not the one initiating the call, then this is a legitimate attack vector, and not just via SMS text message or email two factor but also any type of OTP. The attack goes like this: (1) given that the whole point of two-factor auth is to prevent access to your account in the event that your primary authentication tokens (usually a username and password) are compromised, let’s assume for this attack that a bad actor already knows your username and password. (2) the attacker calls you up and says “this is <your bank>”, then (3) the attacker logs into your account with the username and password they already know (4) this either triggers an email or text message with the second factor, or if you use a hardware token or an app then the code is available there. Either way, the attacker requests you to read back the code over the phone (5) the attacker uses this secondary code to gain access to your account, and can then take any action including changing your password and 2nd factor setup. I think this is the reason security teams set up these messages to say things like “NEVER share this code!” and the like.
It was definitely poorly written. It's correct, since they never called you, it was you who called them. But it does raise the question as to how to teach people that who initiates the contact is very important and completely changes the security analysis.
The message should have read "You were speaking to one of our agents who indicated in the last minute or so they would send you a confirmation code. The code is XXXXX. Do not give this to anyone unless you initiated contact with our bank." Or... something closer to the actual scenario as it was playing out.
It's so strange to read this is still happening in the US. I live in Europe - 95% of such attacks are prevented by something called Strong Customer Authentication, which anybody serving or providing access to an account (cards included) must implement. Basically, that's 2FA implemented in myriad different ways. So, this Zelle thing wouldn't be possible at all: Zelle would have to ask for an SCA verification from the customer, just to connect/use his/her account in the first place. That would eliminate ground for such scamming messages ever appearing (if the customers knew and were accustomed to SCA).
Though to be fair, scamming is still present here, typically involving calling older people and trying to persuade them to reveal bank access codes during a phone call. There are two differences with US banks here:
- banks are required never to ask for access credentials over insecure channel (phone/email) (though SMS is also not perfect in this regard);
- banks are required to educate customers that they never ask for such credentials, educate about fraud scenarios, etc. And they do (at least the reputable ones)
Seems that the PSD2 regulation (including SCA) is really making payments much safer in Europe when you compare to the rest of the world.
Also, to admit: I'm a head of financial institution here, quite knowledgeable of the field, both on regulatory and on technical level.
> Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.'”
In the UK, banks have put in quite a lot of messaging around the fact that they'll never ask for a password -- so the above line from the article ought to set off alarm bells in most customers' minds.
Of course, there are people, particularly older or vulnerable users, who are impacted by this as they might not be aware. Phone scams to get 2FA codes aren't going away anytime soon, sadly.
Also, as an industry, I wish we could move away from SMS-based 2FA. It's kind of amazing that SMSes these days are a barren wasteland -- mostly automated messages, scams, ... and two-factor codes. And some institutions still use SMSes to deliver two factor codes ... including Paypal in the UK.
In Europe, regulation prevents or at least places strong barriers on SIM card theft, which makes SMS 2FA pretty secure. You can't just go and transfer a phone number in a matter of minutes to someone else - it is always a multiple days long process involving numerous SMS notifications prior to the actual transfer.
Every time I read post-mortems on hacks and scams in the US, my mind is a bit blown on just how easy most could have been prevented by tiny bits of government regulation that we Europeans take for granted.
> You can't just go and transfer a phone number in a matter of minutes to someone else - it is always a multiple days long process involving numerous SMS notifications prior to the actual transfer.
I was a phone store monkey working on close to minimum wage a few years back in the UK. I could absolutely swap someone's SIM with no problems whatsoever and it typically took only a few minutes for the new one to become active and start receiving SMSes (the old one will still have signal - though no more traffic - for a few hours, making detection difficult unless you actively try to place an outbound call).
While we're supposed to verify someone's identity, a dedicated fraudster could absolutely trick us, and we were never given any proper identity verification solutions, nor enough training, and frankly we were not being paid enough to care anyway (which also exposes us to bribery/insider threats).
SMS 2FA will absolutely not be secure as long as minimum wage employees hold the keys to the kingdom, and I'm only talking about in-store employees making UK minimum wage. I'm sure the situation is much worse in offshore call centres.
The technical term for this is "insider risk" and it's not just confined to phone store workers. Ops people working in mobile phone companies in NOCs and so forth have a lot of power too. Lucky they don't have any bad apples, right... right? Or a bad actor wouldn't seek to join them for a contracting job or seek to subvert an existing employee?
The reality is, mobile phone companies never started out to be identity providers. App developers did that.
We mostly need to sue the hell out of companies that don't correctly identify their customers when making important changes to their account (like transferring a phone number)!
SMS is not, and never has been, a secure means of communication.
Do not hold the carriers responsible for shit we've done.
Hold the carriers and ISPs responsible for their actual crimes, like selling our data to the government and marketing companies like the world is about to end.
> Of course, there are people, particularly older or vulnerable users, who are impacted by this as they might not be aware.
It always fascinates me how poorly people understand the nature of scamming and confidence fraudsters. The banks could have every customer recite on video that they have heard and understood the message - many of them will still be vulnerable.
Each small step along the pathway is only a little more wrong than the last - so by the time the guy on the phone says "and we need you to confirm this code with us" on the phone... yeah. The victim isn't really objective anymore. They are not considering this in isolation, but as part of a relationship the scammer has been building for hours if not days.
It isn't that the messaging is pointless, but it simply cannot and will not protect people from their own fallibility.
Honestly, it is a terribly hard problem - and I actively do not know the right way to manage it without simultaneously restricting access to people's own resources.
I have the feeling there is no interest in fixing these things in the US. Too many people making money off certain outdated services. From printing paper checks to minting pennies.
Like everything, it will require a gigantic scandal before anything is fixed/changed and it will open the door for new issues.
It will change when it becomes the economically rational choice for banks.
I won’t bore with details, but I’m a lawyer who primarily sues banks for customers. And I’ve seen the lawsuits I file lead/contribute to changes in bank behavior and policy.
The regulatory protections are there. Now lawyers need to punch banks on the nose until they decide they want to do more to stop the fraud in the first instance.
But it's strange, clients have almost like a Stockholm syndrome with the banks. Their rationale is often something like "I don't want to sue them and make them mad, because that might mean I won't get my money back."
But you’re not going to get your money back unless you sue. Meanwhile deadlines pass and then you’re screwed (and embarrassed)
I’d say there are three main fact scenarios I bring claims for:
1. Credit accounts are closed without a specific reason being given. (Banks have an obligation to give you a reason.)
2. Debit card/checking account fraud. There’s a federal law specifically protecting consumers in those cases.
3. Credit card/. Again, a specific federal law for these cases.
What’s noteworthy for each one of these violations, or, more accurately, for each one of these causes of action, is that there is a right to recover attorneys fees. And whenever you have that, then the consumer has an opportunity to find a lawyer who will forgo any payment unless, and until, there is a recovery. That’s how I pursue the vast majority of my cases. I even cover the filing fee for the consumer.
So when I say consumers need to sue their banks, and they get this response of "well they can't afford a lawyer," I'm pretty sure they can afford free. But this pessimistic mindset seems to have taken hold. And I'd like to try and undo it.
The actual transaction then has another 2FA, separate from the logging in. In one of my banks this is approving the sum of the transfer in an app after logging in with a password (you can't transfer the app to another device easily), in another it's approving by using an authenticator-like app + a separate PIN, in a bank before that it included a whole separate device for me to put my debit card in. In neither case would simply logging in or getting my account password be enough.
Interesting. The attack seems to be primarily on people who don't already have Zelle, so in the analogous case in Europe wouldn't the attacker just be able to set up the app as the victim and authorize the transfer themselves?
You can't just install the app on another device with the login details, you need to talk to the bank and go through a whole process when changing a device (in one of my banks it can only be done in person even).
For what it’s worth, a consumer is pretty well protected after the fact by regulatory protections.
But I’ll include the PSA I posted on the article as well:
Attorney here (not legal advice).
Please be aware that there is a short deadline required for Regulatory disputes (approximately 60 days). That could have an effect on your claim. Time is of the essence.
And depending on how soon you notify the institution before the deadline, you can be stuck losing up to $500.
Again, please just know time is of the essence and you want to reach out to an experienced attorney ASAP if you suffer fraud.
In the EU it is a year, and you may lose up to 150€.
Good luck to the bank which would like to enforce this. One tried, I told them I am leaving, they said it is a misunderstanding and that of course they did not mean to make me pay these 150€.
In the EU this is an EU regulation, so all banks have the same rules.
I just checked, it is now 50€ only, and only if the payment was done with a PIN or SMS/app confirmation. This is the maximum amount (so if you had, say 3 times 300€ of fraudulent transactions, you would pay a max of 50€ total - and like I said it is not likely that the bank will make you pay anyway)
Something I've been curious about (not asking for legal advice). If the deadline to report is 60 days from the statement/notification of the transaction, what about accounts that only issue statements quarterly or monthly? Is it really still workable to contest a transaction say 10 months after it occurred, if the bank has only just issued you a statement?
Sorry I missed this yesterday. Accounts have to be monthly unless there are no transactions. That's when you get quarterly statements. So if you're getting quarterly statements, then there's no transaction to dispute, I believe the theory goes.
> Though to be fair, scamming is still present here, typically involving calling older people and trying to persuade them to reveal bank access codes during a phone call. There are two differences with US banks here: - banks are required never to ask for access credentials over insecure channel (phone/email) (though SMS is also not perfect in this regard); - banks are required to educate customers that they never ask for such credentials, educate about fraud scenarios, etc. And they do (at least the reputable ones)
This has happened many times in Sweden in the last few years. Banks almost always tried to talk their way out of any sort of responsibility even though scammers took advantage of their pretty bad processes. The banks' processes as well as the apps' designs have improved, but I think the point is that essentially nothing of what happened there in the US wasn't happening in Sweden as well. I presume it's the same with the rest of Europe.
This quote from the article is key:
> “Consumers — many who never ever realized they had a Zelle account – then call their banks, expecting they’ll be covered by credit-card-like protections, only to face disappointment and in some cases, financial ruin,” Sullivan wrote in a recent Substack post. “Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.”
Good to see US regulators aren't letting banks off the hook. They should furthermore come down very hard on any bank that even acts like they might not be responsible since that's essentially fraud.
At the end of the day it's an issue of securing human processes as well as regulators holding banks feet to the fire for problems their processes create.
SCA will not do a thing. SMSes are hackable, and the SS7 network is routinely exploited.
Google has made things worse by making confirmation SMSes very easily identifiable, and interceptable at scale with their SMS verification service which is now being pushed down developers' throats. (Google yr66t3YYkAe that's a Google 2FA ID of some bank, seemingly already actively exploited)
Adding confirmation links inside SMSes is what some money transfer companies did responding to the threat of SMS interception, but I think this made it even worse, at least on Android. It's trivial to coax dozens of popular apps into opening a link in the browser, or webview using Android's "intents," thus completely negating any CSRF protection.
PSD2 only took effect in 2019, and for many countries the enforcement was delayed for card payments up to a full year due to lack of issuer readiness.
2FA is absolutely the future and I believe globally payments should move in this direction… I’m just pointing out that even in Europe, this has not been the standard for all that long. That said I hope other countries/regions follow the example — the EEA seems to lead the charge on major online issues, e.g. payments and privacy.
On top of all that, most banks here allow you to create an unlimited number of free virtual credit cards which draw funds from your real credit card or a debit account.
Cards can be created to suit most cases such as one-time transactions, monthly subscriptions and "pre-paid" type cards with a defined total which are tied to one merchant. All multiple use cards are valid for a max of 12 months.
Weird, just about every bank here in Portugal allows for that. The virtual "visa" card creation/management is handled through SIBS, the company that does all national card transactions.
I assumed due to convenience and safety that virtual cards were more widespread in Europe, not least because of the requirements such as 3DS for card payments.
At least fintech companies like Revolut and N26 should be available for most Europeans and they offer virtual cards, though with other limitations/costs.
Ah, this is interesting - you have a centralized entity that handles the transactions? This must indeed be the reason for the widespread availability.
In France I know that Fortuneo gives that possibility, but for instance Boursorama or Credit Mutuel do not.
It is funny how banking is different between countries in the EU. France is slowly making its way through the 90's while Poland uses a phone based transaction system (BLIK). I always saw Portugal as being very modern in that way (you had chips on your identity cards for years, we just got them this year, with the new credit-card format of id cards)
Yeah, basically the only major attack surface is on the SIM itself, but I have the feeling telcos learned their lesson and verify the identity of the person asking for a SIM replacement in a more strict way.
I fell for this, and I have never fallen for a computer scam in my life, nor even had so much as a virus in the last two decades.
However, it is very sophisticated. They somehow managed to actually get a fraudulent charge on my card. When I got the spoofed message from "my bank", the first thing I did was log onto my legitimate account. Sure enough, there was a charge I did not recognize.
The rest was just a series of unfortunate "rookie" mistakes on my part. But the person who called me was highly professional, easily could have been a real customer support representative and spoke English perfectly with no accent.
They took the max, $5,000. My bank thankfully refunded it.
If we know the bank will refund through insurance then there's a second level fraud where the victim is in on it for a cut of the profits.
Essentially the theatrics of fraud is done and then the victim is refunded by the bank and then secretly compensated by the "fraudster" for their participation.
I may be convinced of that kind of scam. Everyone wants to feel like they're outsmarting the system. There's so many unknowns. Will I get the partial compensation? Will the bank reimburse me? I don't know, but I can see myself doing it. That's a problem.
You can't dispute a charge until it's posted (at least with two of my banks) and it can take up to 2-3 days before a charge is posted. A charge will almost always show up immediately on my bank's website as pending.
Can't dispute until posted, and the way the scam works is they get you on the phone as quickly as they can in order to continue to the scam.
Obviously, in hindsight the correct way to handle this is to call the bank yourself. The way the scam works is they spoof your bank's caller ID, and you get a standard "do you recognize this charge? Press YES if you recognize, NO if not".
When you type NO, you get a message stating "our fraud team will be reaching out to you momentarily to resolve this issue", followed immediately by a call from a very convincing "customer support" person, again coming in as a caller ID from your bank.
At this point, I made some "rookie" mistakes as I'd mentioned, but hindsight is 20/20 in these cases where they are trying to keep you on your toes.
I always thought there was an underserved market if scammers are just filtering for gullible people. So, about time to see more sophisticated scammers casting a broader net.
Any telco people here that can explain the technicals of how or why it’s still possible to spoof a phone number? Is this just how the whole system works?
When I use Twilio, I have to prove to them that I control a phone number before I can use Twilio make outbound calls or send SMS messages that appear to originate from my number. This suggests to me that the system is built with assumed trust, like email was originally. Is everything too ingrained at this point to add some type of authentication that would prevent this type of spoofing? Something similar to a CAA record, where the owner of a phone number could say “legitimate calls from this number will only originate from $TELCO and $SMS_PROVIDER” would be nice.
If there was ever a public service job where I could receive scam reports, and trace every single scam text and call back to its source and take action against the gateway carriers allowing these scams to enter domestic copper, I would apply immediately. So much time, needless worry and anguish imposed on innocent people who simply want to trust a communication protocol that should be trustworthy.
Funny you mention that. I'd say based on personal recollection that in "public service" you'll likely find people in on the scams.
Former congressman from NOLA, Bill Jefferson, orchestrated scams involving securing minority-preferred business loans to found rural phone companies. Those rural phone companies would then pay him back by getting pre-arranged contracts from African countries like our phone scammer friends in Nigeria.
When hurricane Katrina hit, they found $90,000 in cash in his freezer. Was pretty close to the $100,000 in cash that the DOJ had videotaped him receiving from the Nigerian government's vice president a few days before.
SS7 and TDM may be phased out but phone numbers and phone calls will still exist. It seems like the replacement protocols (SIP?) are still copying SS7 security flaws exactly, with STIR/SHAKEN as a bandaid on top instead of a fundamental fix.
Not telco, so I hope there will be better answers.
Phone numbers are basically identical to IP numbers in their use, and they are declared by the emitting party. Just as you can spoof IPs in the packet headers, you can spoof the telephone number at the transport level.
We could upgrade to more secure connections, but the whole point of using the telephone network is because of the legacy. I can't imagine a telco putting significant money into improving the network when no customer will pay more for that (right now arguably, spammers are their first class customers ).
The big difference is that if you send a packet with a spoofed source IP, the reply won't get to you. The phone system allows you to set up a full two-way channel without the receiving party ever needing the correct identifier for the caller.
That doesn't work for publicly available services and the initial router passes the traffic. This is how things like DNS and NTP amplification attacks work: you spoof your origin IP and have the server generate traffic to the target/spoofed IP address.
"A gracious hello. Here at the Phone Company, we handle eighty-four billion calls a year. Serving everyone from presidents and kings to the scum of the earth. So, we realize that, every so often, you can’t get an operator, or for no apparent reason your phone goes out of order, or perhaps you get charged for a call you didn’t make. We don’t care!"
The authentication you’re talking about is called STIR/SHAKEN and it’s an ongoing retrofit. I will describe the status quo based on my brief time in a business VoIP firm.
The concept of a “phone line” with a fixed number belongs to residential service. Pretty much any business premise has a PBX on it, and that PBX is connected to the PSTN by a bundle of circuits including some voice channels and some signaling channels. Some number of inbound numbers may be routed there. Or not! But that has nothing to do with the signaling on outbound calls.
Now for a small business it would probably be sensible to limit outgoing caller IDs to the inbound numbers routed there. In a larger business, PBXes at different sites are connected to each other by an enterprise network, and to the PSTN through different telecoms in different regions. You may have branch offices that only receive calls via the enterprise network, but make outbound calls on local transit. You may route a call from elsewhere on the enterprise network to exit to the PSTN via that branch office, for cost or redundancy reasons. That’s how Twilio itself works. Lots of IT departments have internal Twilios, in that sense.
The upshot is that you need a fairly sophisticated cross-telecom standard for establishing authorization to present a number on caller ID, and no one got around to building or driving adoption of that until pretty recently.
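As an added illustration of what such a cross-carrier attestation looks like (this is example code written for this thread, not any carrier's or Twilio's implementation, and it models STIR/SHAKEN only loosely: real PASSporTs are JWTs signed with ES256 keys under certificates chained to a policy administrator, whereas this uses HMAC with made-up per-carrier keys and made-up numbers so it runs offline), the originating carrier signs who is calling whom and when, and the terminating side refuses to treat the presented caller ID as verified unless that signature checks out, matches the caller ID, and is fresh:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example: a simplified model of STIR/SHAKEN-style caller
# attestation. Carrier names, keys and phone numbers are placeholders.
CARRIER_KEYS = {
    "carrier-a": b"placeholder-key-carrier-a",
    "carrier-b": b"placeholder-key-carrier-b",
}
# Numbers each carrier is authorized to present as caller ID; this is the
# "CAA record for phone numbers" idea from the thread, kept in a registry.
AUTHORIZED_NUMBERS = {
    "carrier-a": {"+15551230001"},  # constructed: the bank's outbound number
    "carrier-b": {"+15559990002"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def can_attest(carrier: str, orig: str) -> bool:
    """Is this carrier on record as allowed to present this number?"""
    return orig in AUTHORIZED_NUMBERS.get(carrier, set())


def attest_call(carrier: str, orig: str, dest: str, now: int) -> str:
    """Originating carrier side: sign origin, destination and time of the call.
    Only numbers the carrier is authorized for get full ("A") attestation."""
    if not can_attest(carrier, orig):
        raise PermissionError(f"{carrier} may not present {orig}")
    claims = {"orig": orig, "dest": dest, "iat": now, "attest": "A", "carrier": carrier}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(CARRIER_KEYS[carrier], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_call(token, presented_caller_id: str, dest: str, now: int, max_age: int = 60):
    """Terminating carrier side: decide whether the presented caller ID is backed
    by a valid attestation. Returns (verdict, reason); unverified calls can be
    labelled on the handset or routed straight to voicemail."""
    if not token:
        return "unverified", "no attestation presented"
    try:
        body, sig_b64 = token.split(".")
        claims = json.loads(_unb64(body))
        sig = _unb64(sig_b64)
        key = CARRIER_KEYS[claims["carrier"]]
    except (ValueError, KeyError, TypeError):
        return "unverified", "malformed token or unknown carrier"
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "unverified", "bad signature"
    if claims.get("orig") != presented_caller_id:
        return "unverified", "caller ID does not match attested origin"
    if claims.get("dest") != dest:
        return "unverified", "attestation was issued for a different destination"
    if not isinstance(claims.get("iat"), int) or now - claims["iat"] > max_age:
        return "unverified", "attestation is stale"
    return "verified", f"attestation {claims['attest']} by {claims['carrier']}"


if __name__ == "__main__":
    t = int(time.time())
    token = attest_call("carrier-a", "+15551230001", "+15557770003", t)
    print(verify_call(token, "+15551230001", "+15557770003", t + 5))
    # A call that merely sets the bank's number in the signaling, with no token
    # from the carrier authorized for that number, stays unverified.
    print(verify_call(None, "+15551230001", "+15557770003", t + 5))
```

The point of the destination and timestamp checks is that a captured token cannot be replayed against a different recipient or kept for later; the registry check is what the Twilio ownership proof mentioned above amounts to, moved to the carrier level.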
SS7 was not really designed with any security. It assumed only telcos would be using it and that stopped being true in the 1980's/90's as the bar to entry for getting your own SS7 link was lowered. Even if SS7 were retrofitted to support this type of validation it would be negated by the fact that numbers are portable. A number can legally originate from anywhere. Validation will have to occur out of band by some other means or by replacing or deprecating the telco network entirely.
Agreed. The joke is ultimately on them, though, as a new generation of people grow up and their only experience with the pstn is that every incoming call is fraudulent. What good is having a phone number at that point? It’s just a liability.
Most likely the only reason a young person will ever have to interact with the phone system is to call 911 for emergency services. Ultimately the spam problem will kill the pstn as we know it.
> Any telco people here that can explain the technicals of how or why it’s still possible to spoof a phone number?
Because couriers offer spoof calling as an under-the-table service to spam caller organizations.
I have no proof of this, but at this point in time my opinion of telcos is so low that I will assume it is happening until I find out explicitly that it’s not.
These gateway providers, in addition to simply spoofing the outgoing number, will also sell blocks of legitimate domestic numbers to the scammers- knowingly- to use for callback numbers. Truly disgusting
Like many scams, it depends on the victims being polite, perhaps much more than them being naive.
The fraudulent message asks for a yes or no reply but does not care about the answer specifically; only that there was an answer. So the victims are the people who couldn't ignore the message and had to say no. Most likely the people who say yes are still taken into account, because they confirmed there was a person behind the number. They'll get a new scam later on.
But the people saying no are the target.
A lot of people feel bad if they don't answer the phone, or a message, or the doorbell. So you prey on their niceness.
How to fight back? Don't. The way to defeat the scam is to not acknowledge it.
Ignore whatever primal urge you have to get involved, or teach them whippersnappers a lesson, and cast it into the void.
I'd be really curious to know how many people actually answer calls they aren't expecting, on their personal phones (e.g., non-work phones where you must answer customers).
I bet that graph is U-shaped of % of people that answer unknown messages vs. age. Kids want to be social, and old people don't know any better. With salty Gen-Xers in the middle.
99.99% of the time I let it go to voicemail. I have since the days of cassette-tape answering machines. The only time I don't is if someone just texted and said they are calling. Even when my insurance company hold line asks if I want a callback, I'm too paranoid that a scammer could have infiltrated the callback process.
I don't answer a single call unless I'm told to expect it, or I can anticipate one coming (e.g. I ordered takeout and the delivery driver is gonna ping me, or I asked a recruiter to call me at X time).
If the call comes out of nowhere, or if it's from a hidden number, then I'll silence it rather than declining (i.e. hit the power button rather than actually acknowledging the call, so it carries on ringing in silence until they give up instead of being told I'm busy). If it's important they'll leave voicemail or send an email.
>I'd be really curious to know how many people actually answer calls they aren't expecting
What do you do when your counterpart won't answer their phone?
I answer calls I'm not expecting when I'm expecting a call. Like from a plumber, a recruiter, a paving company, etc.
If I don't, at best I get to play phone tag, and at worst, the other person gets ticked off and I lose an opportunity. I don't like leaving voice mail, particularly the second or third time.
It would be nice if everyone legit had their main number show up to identify them, and it would be nice if they all answered their phone all day, but they don't.
I'm a Paramedic here in Northern California and we recently went on a welfare check to an apartment - us, fire dept, and law enforcement - for a family that could not get ahold of their grandmother.
Grandma was fine, fortunately, and she simply turned her phone off because it was ringing constantly with scam phone calls. She was sick of the auto warranty spam all the time, so she unplugged entirely.
The elderly are the ones that still have landlines and cell phones too, so they often get hit multiple times. It's harder for them to disconnect the landline due to things like Life Alert requiring a landline.
It was...erm...remarkable in its high production values.
Even compared to the auto warranty ones, which I don't get often, but every now and then.
I also got a "hello...hello...hello" call, and seven hangup/no message calls the same afternoon.
I assume the call I answered was a scammer, but a few months ago, I got one just like that and it turned out it was from my physician's office, and I had some trouble getting ahold of them.
> What do you do when your counterpart won't answer their phone?
I'm not sure what you mean. Like I said, if someone texts me and tells me they are calling then I'll pick up. Or if I get a voicemail saying, "duh, pick up dingus"... then I'll pick up the next buzz.
That never happens because almost no one I care about uses the phone anyway. Except that 0.01%.
I don't live in a big city or even in a super-internet-embracing country like for example South Korea - but even in my neck of the woods, dentists, doctors, vets, barber shops, car mechanics, contractors, etc. all have shifted to messaging instead of calling. Unfortunately most are using WhatsApp because of peer pressure. But I'll even swallow that bitter Zuckerberg pill because it's so much more convenient than doing appointments over the phone.
In my region of the US, people with appointments to come to me will sometimes text that they're on the way, which is nice.
And plenty of people have websites, but on the whole, most local business interactions start with a phone call, and usually it goes to voicemail or a receptionist, so I have to answer when they call me.
Even small time businesses have websites, but they don't do anything usually so it's clear you have to call.
Also, sometimes they try to embrace the Internet, and then they get hacked...
My primary care doctor had a patient data breach by their accountant. A different practice failed to set permissions properly on the patient information on their portal, and never said anything to me, but silently scrapped it. A plumber that I had over once had all their client information stolen about six months later and vigorously spammed/phished.
Nobody has ever suggested WhatsApp to me. But I gather it's disproportionately popular in some countries.
I think WhatsApp is especially popular in countries where SMS messaging was the number one means to communicate before smartphones. No idea why WhatsApp in particular won the messenger race, I don't like it and think it's a bad piece of software even before Facebook bought it, but it seems to be "fun" enough for non-savvy people to try to get into it.
And it's the same here - operating their own website and handling email is too challenging for most small businesses, doctors, or contractors. But for some reason they all manage to operate WhatsApp.
It's not about niceness. When you get a text about a potential scam there's an urgency to reply. And you can't just ignore it. All major banks send out official text messages to confirm large transactions. This has happened to me multiple times with Chase, and just recently I blocked a fraudulent ATM withdrawal using exactly the method outlined in the article (someone skimmed my debit card when abroad, I got a text from Chase when they tried to use it, I replied no, got a call from the customer service rep). Only thing missing was reading out the OTP, obviously, which I would not have done.
Last week I had to call Wells Fargo to change my home address. They texted me a code to read it back to them to confirm my identity.
Their standard text messages for auth codes say: Wells Fargo will NEVER call or text you for this code. DON'T share it. Enter code 123456 online to send $1.00.
Their verification text said: Free Msg: Use Wells Fargo verification code 123456 to verify your identity. Reply STOP to stop msgs. Call 1-800-869-3557 if you didn't request this code.
I agree with your point about not acknowledging these scam attempts. Just wanted to point out the "fight back" bit of the story was advice for people who've already been victimized and are being told their bank won't cover the loss.
I don't think the issue is people being polite. It's that these messages look similar to the legitimate fraud alerts that credit card companies and banks send.
What happens if you don't respond to those? Presumably, the transaction will be blocked -- but can you be sure? It would cause me a lot of anxiety not to resolve the issue right away.
In some cases, banks have trained us not to panic instead of taking time to understand what's happening.
A while ago, I scheduled a wire transfer through Chase to go through the next day.
While asleep, I got an automated call from Chase asking me to confirm that the wire transfer was placed by me.
By the time I had woken up, my online banking and my bank cards had been shut off.
This is not the consumers' fault. Everyone is used to banks not being completely impatient and expecting immediate responses. For some other example, by law, you only have two days after a transaction to respond to fraud, or else you could be looking at $500 lost instead of $50. Not immediately answering the phone could make a difference of $450!
> “In the background, they’re using the username with the forgot password feature, and that’s going to generate one of these two-factor authentication passcodes,” Otsuka said. “Then the fraudster will say, ‘I’m going to send you the password and you’re going to read it back to me over the phone.'”
It seems like a simple mitigation on the bank's end would be to add warning text to the 2 factor authentication.
"You have requested to change your password via our web portal at yourbank.com. If you did not request to change your password via the web portal, or if someone asked you to give them this number, then it is possible that someone pretending to be a bank representative is attempting to hack your account. The code to change your password is ..... Do not share this code with anyone."
The 2FA messages I get from my bank are already something like "Your security code is 0123456. Do not share with anyone. We will never call to ask for this code." But it wouldn't surprise me if victims are too scared to read it properly, so some improvement could be helpful. It doesn't help that other banks regularly ask for SMS codes over the phone, entraining into people to do it without thinking.
I would personally feel a lot better if every bank had the ability to only allow 2FA via OTP, or only physical key, or even email. My bank uses a "Security Word" which is crazy to me.
The scammers get you panicked and hold you in that state so that you're stressed out and not thinking rationally.
They also exploit a small slip up and escalate it into a catastrophic one. For example the scam might start with the assumption that caller ID is accurate, or the assumption that because there is fraud on your account the person is actually from the "fraud department", or the assumption that hanging up a landline terminates the call.
Each of those are small slipups, but they get people bought into the fiction, and then as the scam escalates they don't stop and think through the sequence and realise that the initial assumption was flawed.
Note that, in this case, the SMS code is not a second factor. It is a single factor that is enough to get full control of the account.
Besides that, I think you are right. Binding 'signatures' to what you are authorizing is one of the ways to prevent your authorization from being re-used. There are parallels in cryptography where you sign not just data but also what it will be used for.
Otherwise an attacker might reuse your signature.
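Here is what that binding looks like in code, as an added example (not from the article or any bank; the OtpService class, the purpose names and the message wording are made up for illustration). It also covers the warning-text suggestion from the comments above: each code is stored together with the action it was issued for, the SMS states that action, and the verifier rejects the code for anything else. It does not stop a victim from reading out a genuine password-reset code, but it makes the text say "reset your password" while the caller is claiming to reverse fraud, and it stops a code obtained under one pretext from being replayed for a different action:

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed example: a bank-side one-time-code service that binds each code
# to the specific action it authorizes. All names and wording are assumptions.
PURPOSE_TEXT = {
    "password_reset": "to reset your online banking password",
    "send_money": "to send money",
    "change_address": "to change your mailing address",
}
BANK_NAME = "ExampleBank"  # placeholder


@dataclass
class PendingCode:
    code: str
    purpose: str
    detail: str
    issued_at: float
    used: bool = False


def compose_sms(purpose: str, detail: str, code: str) -> str:
    """Put the purpose in the message itself, so someone being told 'read me
    the code to reverse the fraud' can see it actually authorizes a reset."""
    return (f"{BANK_NAME}: code {code} is valid ONLY {PURPOSE_TEXT[purpose]} "
            f"({detail}) that you started yourself. {BANK_NAME} will never call "
            f"or text to ask for it. If anyone asks for this code, do not share it.")


class OtpService:
    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending = {}  # user -> list of PendingCode

    def issue(self, user: str, purpose: str, detail: str, now: float):
        """Create a code for one specific action; returns (code, sms_text)."""
        if purpose not in PURPOSE_TEXT:
            raise ValueError(f"unknown purpose {purpose!r}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending.setdefault(user, []).append(PendingCode(code, purpose, detail, now))
        return code, compose_sms(purpose, detail, code)

    def verify(self, user: str, purpose: str, detail: str, code: str, now: float):
        """Accept the code only for the exact action it was issued for.
        Returns (ok, reason)."""
        for entry in self._pending.get(user, []):
            if not hmac.compare_digest(entry.code, code):
                continue
            if entry.used:
                return False, "code already used"
            if now - entry.issued_at > self.ttl:
                return False, "code expired"
            if (entry.purpose, entry.detail) != (purpose, detail):
                # A code obtained for one action is being presented for another:
                # burn it, and treat the event as a social-engineering signal.
                entry.used = True
                return False, (f"code was issued for {entry.purpose} ({entry.detail}), "
                               f"not for {purpose}")
            entry.used = True
            return True, "ok"
        return False, "no such code"


if __name__ == "__main__":
    svc = OtpService()
    code, sms = svc.issue("alice", "password_reset", "web portal", now=1000.0)
    print(sms)
    # The reset code is presented for a transfer instead: binding makes it fail.
    print(svc.verify("alice", "send_money", "$20 to a new payee", code, now=1010.0))
```

Single use, a short lifetime and a burn-on-mismatch rule are what make the stored purpose meaningful; without them a code stays reusable for whatever flow accepts it.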
Whenever I log into my mobile account I get the following texts 2 minutes apart, doesn't matter if I'm doing a SIM swap or just checking the bill.
"SECURITY WARNING The one-time code you requested will arrive shortly. DO NOT give this code to anyone. If someone's calling you and asking for a code, they DO NOT work for O2. Call us on 202 if you suspect fraud so we can protect your account."
"Be alert to fraud NEVER share this code, including with O2 staff. Help us protect your O2 account. To swap your sim, enter code 123456."
> Consumers who suffer unauthorized transactions are entitled to Regulation E protection, and banks are required to refund the stolen money. This isn’t a controversial opinion, and it was recently affirmed by the CFPB here [0]. If you are reading this story and fighting with your bank, start by providing that link to the financial institution.
Props for including this in the article! All too often the basic legal situation is never explained, leaving victims to believe that blatantly illegal crap is "just the way it is". For example, "identity theft" and fraudulent medical bills.
My girlfriend got hit with this one. According to her the scammer was very convincing on the phone. American accent. Empathetic tone. "Don't worry, we'll get your money back, we just need to make sure it's really you not the person trying to steal your money."
Luckily her credit union was quick to restore the funds with minimal hassle.
I recently had a weird issue: some random dude sent me $1.xx over PayPal. Naturally I refunded it and thought matter closed.
Then, some days later I got 3 more payments in similar $1.xx amounts. I refunded 2, but for the 3rd one PayPal wanted to charge some fees. At which point I just blocked the dude.
No idea if this was a genuine mistake or a scam. Does anyone know?
I had a similarly weird thing happen to me with an even weirder outcome:
I was in the Dominican Republic last year and I got a notification that someone had sent me $100 via CashApp. It wasn't a person I recognized, she looked clearly Dominican in her photo, and I presumed it was a similar sort of scam. (I assumed someone saw I had whatever "send to someone nearby" setting turned on, saw I was a foreigner, and decided to try for an easy mark).
I didn't refund it, I didn't cancel it - I just did nothing. And you know what happened?
Absolutely nothing. I waited for the phone call asking me to send the charge back. Nada. I waited for a text explaining it was a mistake. Nada.
It was over a year ago and I still have the $100. So.....maybe it was an actual, genuine mistake?
I once panicked that someone was getting ready to withdraw funds from my account because I saw those two <$1.00 auth charges. I called my bank, and they panicked, and immediately created a new account, moved the money into it, and closed the other one. Like within 5 minutes.
Turns out I forgot I told a friend to reimburse me for beers we had a few weeks before that, and his payment service was verifying my account.
Online banking and all of this digital access to my monies makes me nervous as heck. Double-edged sword. (Yes, I have 2FA hard tokens on all major accounts.)
Those are called micro deposits and are only used to verify ownership of an account you own. Your friend was incorrectly setting up an external transfer account via ACH. Next time they should use a check, zelle, etc etc.
Not sure but I think what they want is for you to pay them $1.xx back (rather than refund). Then they can try and initiate a refund on their end, which allows them to pocket the amount you gave them for free.
I saw the same thing with Venmo. Someone was sending money to someone else in smallish amounts $25>. But it was being labeled as me so I would get emails of "You sent $20 to SomeBody". I told Venmo, they didn't seem to care, but I was curious about how their scheme worked. I ended up creating a Trash rule for such emails.
I used to deal with some online merchant facilities. I used to see loads of $1.xx charges on clients that were not careful with their merchant details.
My parents just got hit for a couple thousand dollars. Somehow someone got ahold of their online banking info, pulled money from a savings account to a debit card, and sent the money God knows where through "Remitly", a service I've never heard of until tonight. Their bank is contacting Remitly, but they have to nuke all of their accounts and cards and start over, and they're out the cash until the bank comes through. It's really awful to see.
What's wild is my parents aren't the phishing victim types. They know about not reusing passwords, not sending passwords, not trusting phone calls, all of that good stuff. I'm really curious how they got got.
This isn’t really helpful, I know, but Remitly is a real company and I’ve met someone who worked there — it sounded pretty legit. But like with Western Union, pretty much anything that lets you transfer money internationally is prone to misuse. It sounds really stressful what your family is going through and I hope they get their money back.
Yeah, from what I could tell there wasn't much Remitly could have done to prevent this outside of like checking citizenship documents and contacting the bank. They seem legit enough.
Would it help if the text message included the reason for the code?
“This is <bank>, you requested a password reset. Your code for this is 123456. Using this code will change your password. Call us if that’s not what you want.”
Or something along those lines.
Yeah it’s still a fundamentally flawed process, but until they replace the entire process with something better, a slight change in wording would help save some people.
One of my banks actually sends two SMSes, a generic warning one, with the actual code following a minute later (the website tells you this will happen). Annoying when you're short of time, but I suspect it's very successful at countering this sort of social engineering. You open the message the scammers tell you they've sent, and it just tells you to beware of people ringing you up and asking for codes. Probably you don't stay on the line waiting for the actual security code.
Don't these sorts of emails already say things like "nobody legitimate, including our employees, will ever ask you to tell them this code"? I'm not sure how to stop scams that are already only possible because of people's lack of reading.
Major ones have it, but there are thousands of banks in the US and I'd wager almost all of them provide some form of online banking experience. Outside the larger ones security isn't really up to par.
> Ally: As Security measure, we will never ask for this number over the phone. Security code: xxyyzz. Call 1-877-247-2559 if you did not request a code.
Cap1 does this:
“Capital One won't call you for this code. The temporary code you requested to sign-in is 091657. Please use this code to complete your request.”
IIRC, there was one time I did have to verify a code over the phone, and the message that came with it was completely different.
Circle that bit of advice around Regulation E folks. (Not a lawyer but I have had a lot of experience citing Regulation E on behalf of various folks. It, unsurprisingly, works the way that regulators say it does.)
"many credit unions offer it by default as part of online banking"
I remember I had to opt-in to get zelle transfers activated. Information, terms of the service, and separate activation of email/phone were done at that time just for zelle. I suppose nowadays it's streamlined... which is not so good if customers don't even know what zelle is.
I’m confused about this. What’s the target here? It’s shady/weird to want to use Zelle, but couldn’t this have been a legit person wanting to use Zelle?
Yes. But if they have the cash and bank hours are open, why not just get the cash out?
I even offered to meet them at the bank. They were scamming.
The target is the unaware seller, who has no recourse when the funds magically disappear from their account. They are out whatever goods they had for sale.
It is not typical to take down the license plate or copy the drivers license of someone buying something from you.
There was another one that came in between them that felt the same (language that I think of as "conversational robotese"), but appeared to be VPN phishing.
This may sound very simplistic but I block all calls that are not in my contacts list on my iPhone.
It directly goes to voicemail and they can leave a message if it's important. Should the message involve anything that I might consider important, I simply call my bank and ask for a follow up.
If it's an absolutely critical matter and I don't call or follow up, the bank will send a letter instead, which I can then either call or go to the bank for further inquiries.
I do the same thing if I get a suspicious email / text from my bank.
Finally, I never really click the links in the emails because I have my bank's website as a bookmark so I'll just use that.
If the bank's phone number can't be "spoofed" then it can only have 1 outgoing call at a time, otherwise, each agent will have an independent line and a unique number.
I love how the article omitted an important fact: Zelle has daily and monthly transfer limits. The max this scam can make is ~1k. After the first Zelle send, these scammers reset your password; you are sent an email that your password was reset, so you will most likely log in to see what happened, etc. It is an interesting scam but nothing compared to wiring money.
> the victim has never even heard of Zelle, nor did they realize they could move money that way.
Financial institutions do not take security seriously, and they don’t take their customers time seriously.
The onus is always on the consumer to protect their accounts. When institutions decide to change their features the customer is not at the table, they’re on the menu.
Well, my opinion is that a ridiculous root cause of all this is the lack of a central, government-supervised, secure, instantaneous, free, direct payments system. Such that all these stupid private bank-based services are attempting to fill that void and don't get it right when they do it.
Not to say that such a service would not also have vulnerabilities. But you hear about all the bounced check / advance fee / text message validation scams going on now, and you would think that the banks would want to get this liability off their hands and into a central service so that they can just be rid of the responsibility. (OK, on the other hand, having an irrevocable transfer system might introduce new problems as well, but still...)
I find it unfathomable why we continue to saddle ourselves with one of the most ancient check-writing based systems in the world that people in other countries laugh at us for (or ask in puzzlement, "what is that?"), and have to make all these terrible workarounds to deal with.
This scam doesn't seem to have anything to do with actual Zelle aside from using it to enhance the social aspect of the phishing. If Zelle didn't exist, they'd use some other service that gave their scam a patina of truth.
You know — they could have fixed it by just saying in the text message: “Someone is trying to log in as you. Do NOT provide this login code if someone asks you, regardless of the reason: ABCDE”
Simply describe the action being taken and its significance. Not just a random code message.
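As an added example (not code from the thread or from any bank's system), here is what that comment's suggestion looks like on the issuing side, and it goes one step further than the comment: besides putting the action and a "do not share this" warning into the SMS text, the server binds each code to the user and the action it was issued for, so a code read back for a "login" cannot be redeemed for a Zelle enrollment, and is single-use and expires. The action names, message wording, HMAC construction, and 5-minute lifetime are all assumptions made for the illustration; `issue` returns the raw code only so the example can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

# Added illustration, not any bank's real OTP service. Assumed values:
OTP_TTL_SECONDS = 300   # assumed lifetime of a code
OTP_DIGITS = 6          # assumed code length

# Each SMS describes the action being authorized and tells the user not
# to share the code, instead of sending a bare number.
ACTION_TEMPLATES = {
    "login": (
        "Someone is trying to log in to your account. "
        "Do NOT give this code to anyone, even someone claiming to be the bank: {code}"
    ),
    "enroll_zelle": (
        "Someone is enrolling this phone for Zelle transfers out of your account. "
        "If that is not you, do NOT share this code with anyone: {code}"
    ),
}


class OtpService:
    """Issues action-bound, single-use, expiring one-time codes."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now
        # (user, action) -> (HMAC of the code, expiry timestamp)
        self._pending = {}

    def _digest(self, user: str, action: str, code: str) -> bytes:
        # Bind the code to both the user and the action so that a code issued
        # for one purpose cannot verify for another.
        msg = f"{user}|{action}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user: str, action: str):
        """Generate a code for `action` and build the SMS text to send.

        Returns (code, message). The code is returned here only so the
        example can be driven offline; a real service would send it and
        keep only the digest.
        """
        template = ACTION_TEMPLATES[action]
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[(user, action)] = (
            self._digest(user, action, code),
            self._now() + OTP_TTL_SECONDS,
        )
        return code, template.format(code=code)

    def verify(self, user: str, action: str, code: str) -> bool:
        """True only if `code` was issued to `user` for `action`, is unexpired,
        and has not been used before."""
        entry = self._pending.get((user, action))
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[(user, action)]
            return False
        ok = hmac.compare_digest(digest, self._digest(user, action, code))
        if ok:
            del self._pending[(user, action)]  # single use
        return ok


if __name__ == "__main__":
    svc = OtpService(b"demo-server-secret")
    code, sms = svc.issue("alice", "login")
    print(sms)
    print("redeemed for Zelle enrollment:", svc.verify("alice", "enroll_zelle", code))
    print("redeemed for login:", svc.verify("alice", "login", code))
```

The message text is the part the comment asks for; the binding is the part that limits what a leaked code is worth. It does not stop the scam on the page (the attacker triggers the same login the code was issued for), which is why the wording still has to carry the warning.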
Can we just address the fact that the PSTN is a completely insecure, Wild West tier, broken mess? Number spoofing, delayed disconnect, SIM hijacking, wtf?
The fact that banks use that as a second authentication factor is beyond baffling, and all liability should land on them.
Is asking for the texted passcode really necessary? Can't they just SS7 hack that part since all SMS is vulnerable to this? Or is it really necessary to just carry the conversation flow forward by asking the victim themselves.
I have had a crazy theory for awhile now. It goes like this…
Scammers have a do not call list. The only people on it are violent drug lords and members of congress. The first will kill them, the second will kill their business (by fixing the phone system).