I nearly got taken by a scammer because Amazon transferred me to one. I purchased a set of Reolink cameras on Amazon (they've been great); one of them failed a couple months in. I contacted Amazon customer support (via my Amazon login and in their interface) and they wanted to troubleshoot with their technical team. Eventually the (very helpful) Amazon technician suggested contacting Reolink for support and started a 3-way call. The "Reolink" technician got my phone number and then said they wanted to call me back.
They called me back a minute later (now without Amazon recording the conversation) and asked me for my NVR's serial number so they could connect to my NVR. I was shocked they had a backdoor into my NVR but I figured I'd let it play out. A minute later the technician said that he was having trouble connecting because "an internet virus is corrupting my firewall". I was extremely confused and thought it must be a translation problem. Until he kept insisting it was a problem and became belligerent and angry. He said I needed to pay $300 to have an on-site technician troubleshoot the problem. I got angry because he was making some weird excuse for their camera not working, and wanting to charge me rather than just ship me a replacement. I refused and he started mocking me. I demanded his manager and he ignored me. Eventually I hung up and called Amazon back.
The Amazon technician was helpful and shipped me a replacement. I contacted Reolink via email to complain about their technician. They responded that they have no on-site technicians and that it was a scam!
I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammer's phone number and teach him how to find a 3rd party phone number...
> I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammer's phone number and teach him how to find a 3rd party phone number...
1) Amazon is complicit in shady behavior on their platform, whether it's inventory commingling, sketchy sellers repurposing existing, well-reviewed listings for a totally different product or those bribing customers to leave good reviews with gift cards or free stuff.
2) The tech support number could very well be provided by the seller, and you could've bought the camera from a listing from said seller instead of the real Reolink (if the "real" Reolink even sells on Amazon to begin with). Maybe tech support scammers are now using this as a new lead-generation tactic ("legitimately" sell a high-maintenance product but scam anyone that calls for support?).
It’s pretty shocking but most IP cameras can be accessed with nothing more than their serial number. Here’s a somewhat recent DefCon talk about it: https://m.youtube.com/watch?v=Z_gKEF76oMM
I use Reolink cameras; in the admin interface there’s an option called UID. Turning that off (theoretically) disables the backdoor. I have my cameras and NVR (which is actually just a python script on an old laptop that uses ffmpeg to capture streams) on their own air-gapped LAN so I don’t have to worry about blackhats or the CCP using backdoors to watch my kids.
Well, most IP cameras cannot be accessed this way when you look at the global pool of IP cameras. However, many of them on Amazon, particularly from OEM companies like Reolink that are more of a custom relabeller vs. a real camera manufacturer, have all kinds of backdoor access methods.
Best practice is to put your IP cameras on a separate isolated network, connected to a dual-NIC recorder/PC running trusted software (eg: not some random DVR/NVR on Amazon) for recording and viewing. This is not a perfect solution, but it at least takes you far away from the path-of-least-resistance pool of devices with weak cybersecurity that are prone to various exploits.
Yes, of course. Though most people who understand that are already doing things to mitigate exposing these devices to open internet access. My comment was targeted more towards anyone who might not have considered the risks, or might not be comfortable with virtual segmentation vs. physical segmentation.
And this is why my reolink cameras are on a subnet without access to the internet. The only thing it can reach is my home assistant and open source NVR.
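An added example, not from any commenter in this thread, of how a dual-NIC recorder like the one described above can check that the camera LAN really is isolated: it parses netfilter LOG-style lines (constructed sample, with assumed addresses 192.168.50.0/24 for the cameras and 192.168.50.1 for the recorder's camera-side NIC) and flags any camera-originated flow that leaves the LAN, talks to another camera, or hits an unexpected recorder port.

```python
"""Audit recorder firewall logs for camera traffic that escapes the isolated camera LAN."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical addressing for the isolated camera LAN (all values constructed).
CAMERA_LAN = ipaddress.ip_network("192.168.50.0/24")
RECORDER_CAMERA_SIDE = ipaddress.ip_address("192.168.50.1")
# Services a camera legitimately reaches on the recorder: RTSP stream and the web UI.
ALLOWED_RECORDER_PORTS = {554, 80, 443}

# Constructed sample in the format a netfilter "LOG --log-prefix" rule writes to the kernel log.
SAMPLE_LOG = """\
kernel: CAM-FWD: IN=eth1 OUT= SRC=192.168.50.20 DST=192.168.50.1 PROTO=TCP SPT=51012 DPT=554
kernel: CAM-FWD: IN=eth1 OUT=eth0 SRC=192.168.50.21 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443
kernel: CAM-FWD: IN=eth1 OUT= SRC=192.168.50.20 DST=192.168.50.1 PROTO=UDP SPT=5353 DPT=53
kernel: CAM-FWD: IN=eth1 OUT=eth1 SRC=192.168.50.1 DST=192.168.50.20 PROTO=TCP SPT=33000 DPT=554
kernel: CAM-FWD: IN=eth1 OUT=eth1 SRC=192.168.50.22 DST=192.168.50.23 PROTO=TCP SPT=42000 DPT=80
systemd[1]: Started ffmpeg capture for cam20.
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r".*?PROTO=(?P<proto>[A-Z]+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    proto: str
    dport: Optional[int]
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Extract src/dst/proto/dport from one log line; None for lines that are not flow logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dpt"]) if m["dpt"] else None,  # ICMP lines carry no ports
    }


def classify(flow: dict) -> Optional[str]:
    """Return a reason string if a camera-originated flow violates the isolation policy."""
    if flow["src"] not in CAMERA_LAN or flow["src"] == RECORDER_CAMERA_SIDE:
        return None  # only traffic originating from a camera is in scope here
    if flow["dst"] not in CAMERA_LAN:
        return "camera reached an address outside the isolated LAN (possible cloud/UID call-home)"
    if flow["dst"] != RECORDER_CAMERA_SIDE:
        return "camera talked to another camera instead of the recorder"
    if flow["dport"] not in ALLOWED_RECORDER_PORTS:
        return "camera hit a recorder port outside the expected RTSP/web set"
    return None


def audit(lines: Iterable[str]) -> list[Finding]:
    """Run the policy over every log line and collect the violations in log order."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            findings.append(
                Finding(str(flow["src"]), str(flow["dst"]), flow["proto"], flow["dport"], reason)
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {f.reason}")
```

On a real recorder the same function can be fed `journalctl -k` output; any finding of the first kind means the camera has a route out of the LAN that the isolation was supposed to remove.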
Best practice is to remember that intelligence means optimizing for some state of the world. If you have a "smart" product, it may not be optimizing for your preferred state of the world. Most commonly, it's not even optimizing for its manufacturer or vendor's preferred state of the world, because we don't truly know how to design a specific intelligence yet.
Our best efforts are just kind of putting in some objectives and hoping they don't get goodharted too badly.
> Amazon is complicit in shady behavior on their platform
Bought some wireless earbuds a while back, they sent me a horrible knock off. Contacted the store, he said the delivery guy made the switch, took forever but sent me new ones. Left a review stating all of this and warning users not to buy from this sketchy store, my review never saw the light of day.
Amazon filters out those sorts of reviews "because they're not about the product but the supplier". Of course, they don't make it easy to report the supplier.
I've bought SSR relays rated at 40A, with the actual picture of the real product shown. What I got was a fake that was literally an electrical fire waiting to happen. Maybe my complaint to support actually made it to the supplier, because they Photoshop blurred the product picture listing so the real brand name was obscured. Still had phony specs though.
At this point I only really buy things from Amazon that are essentially fungible. Cables, adapters, toiletries, tools, none of these matter enough to me to care about exactly what I get, as long as it’s roughly what’s in the picture, and to be honest they’re not even worth counterfeiting.
For everything else there’s rarely a reason to not buy directly from brands or niche specialist retailers. Customer support is typically better, warranties are often better, repair processes are better, and that’s not to mention the issue of counterfeiting.
These are things that don't really matter to me, the point is that I don't really care if they get switched for "cut rate", I'm practically buying the cut-rate version already. That's what Amazon is good for.
I got bitten by this bundle of reviews thing. Amazon was made available in my country some time ago.
I went on there to buy a video capture device to help convert my parents' old tapes to video.
I found the device listing I was looking for, with good reviews. Placed my order.
Then a counterfeit showed up, completely different from the spec sheet and the image on the listing.
I filed a complaint, but they wouldn't give me my money back unless I paid to ship it back halfway across the continent, where they sent it from. Despite them just sending me a piece of electronic waste rather than the real product. Nor would they do anything about the listing.
Disputing the transaction with your card issuer is the only answer companies will understand. The company wins as long as more users eat the losses (essentially giving Amazon free money) than those actively fighting for their money back.
This is quite a jump to conclusions. The alternative theory of the customer service rep googling a phone number and getting the wrong one is far more likely. Or, it's possible that the company's own seller login was compromised and a scammer changed their contact number.
The idea that a wildly successful multi-billion dollar company would actually set up such an easily-noticed system where they "get a cut" of phishing scams is outlandish.
I don't think the "cut" implies they are in on some phishing scam. It's saying they take a cut of all volume, so even volume that's harmful to consumers is hardly worth Amazon's attention (as is evidenced by the obviously massive economy of systematic scamming that happens via Amazon, all of which, again, they get a cut of).
> The alternative theory of the customer service rep googling a phone number and getting the wrong one is far more likely.
Their support staff is that reckless and Amazon has no training and other systems in place to prevent that? Your theory doesn’t paint them in any better light.
It's far more believable than Amazon being in cahoots with scammers. Whether you think this is "better" or "worse" wasn't really part of the discussion.
Haha no, when I picked it I had no idea of the connection. I just like Dr. Steve Brule (“Tim and Eric Awesome Show, Great Job!” and “Check it Out! With Dr. Steve Brule”).
If you watch Jim Browning or some of the other people that investigate such scams you'll realize that it's not just a couple of idiots in a boiler room; those operations have all the hallmarks of a legitimate company including layers of management, offices, them having meetings to discuss new scam strategies/etc and the scammers being actual "employees" on a standard (low) wage + commission, so I definitely wouldn't be surprised if something like this would happen especially if they've already got a network of local accomplices to launder the stolen money that can easily be repurposed to sell products at cost (in fact that could also be used to launder money, win-win situation right there!).
It's really hard recognizing the image Amazon has in the US compared to my personal experience with amazon.de. The service is stellar, shipping both ways is free as long as you buy products covered by Prime. Refunds are no questions asked (as long as you don't start abusing it, I guess). As soon as you go into 3rd party sellers the experience gets muddled, though I've had plenty of good experiences with those as well. There's simply nothing here in Europe that gets even close to what Amazon offers. I really really hope it will never be like the horror stories I see here on HN.
As a prime member in the US, your description more closely matches my experience with Amazon than the negative reviews here. I don't know if it's the way I shop or maybe I'm easier to please, but I really don't get it when people complain about counterfeits or poor quality experience with Amazon.
I only purchase items that have Prime shipping, and that have free returns in case something is wrong. 99% of the time their delivery estimation is accurate, usually within 48 hours of my order or less. If something is broken or I simply don't like it, I return it for free at any one of several places within a 10 minute drive of my house: Whole Foods, UPS Store, or Kohl's. And there's no rush - I have a full month to return the items and the refund is issued before I even get back home after dropping off the item.
I think it's selection bias. People with a bad experience with Amazon are more likely to dive into it here. And dive they do, nearly any time Amazon is mentioned. Even in a thread about Wells Fargo we somehow get sidetracked into "Amazon just sells counterfeit garbage".
Out of the thousands of items I've bought through Amazon, I think maybe one set of Henckels steak knives might be counterfeit (I've ordered two sets of the same knives and they were noticeably different - both seem high quality though).
Using this logic, you could quickly dismiss all criticisms of any company. It's not a very compelling argument, especially because no one is arguing that individual, atomic, anecdotal comments describing negative experiences with Amazon represent a statistically significant evaluation of Amazon as a company.
I try my best to not buy from third party sellers. Then I occasionally get surprised that I am buying from a third party seller. So I simply stopped because the perceived risk is too high. Amazon is overpriced anyway so why bother buying from them?
If you buy Amazon basic brand items you don’t have to worry. And the Amazon basic products are generally really high quality, from clothes and more high end niche items to daily necessities, Amazon basics items are best in class. People who complain about Amazon are usually buying crappy items from dodgy vendors, and then they idiotically blame Amazon.
Except it's almost impossible for the majority of customers to distinguish between the 'good' sellers and the 'bad' sellers, and we shouldn't pretend this isn't a deliberate effort on Amazon's behalf. Not only do Amazon often make it onerous to find out who is in fact selling an item, they also:
1) Co-mingle the inventory of multiple sellers in their distribution centers, so even if you buy from a good vendor you've used in the past, you still might end up with garbage from a shady vendor.
2) Allow widespread and rampant review manipulation / botting across every product category on the site, making it even more difficult to distinguish 'dodgy vendors' from so-called good ones.
3) Allow vendors to BRIBE customers with things like free items or Amazon credits for 'organic' reviews, again, making it a Sisyphean task for most customers to find reputable vendors.
> and then they idiotically blame Amazon
This a callous and inane assertion. If a customer buys something from Amazon's website, and pays Amazon, and Amazon emails them a receipt, and Amazon delivers the product, the customer has every right to blame Amazon if the product they receive is crap. I'm frankly flabbergasted that you somehow think it is the fault of the customer.
> And the Amazon basic products are generally really high quality, from clothes and more high end niche items to daily necessities, Amazon basics items are best in class.
This reads like ad copy to me -- Amazon Basics products are fine, but they certainly are not 'best in class' or 'very high quality'. Amazon doesn't even go that far (the items are literally called 'Basics'). Furthermore, if the only thing a customer can feel confident purchasing on Amazon is Amazon Basics items, it kind of defeats the point, doesn't it? There are not Amazon Basics versions for most product categories on the site, and the allure of Amazon is that you can get anything you want from one vendor, delivered quickly (A to Z).
(Not to mention, I've seen a lot of cases where Amazon Basic items are clones/knock offs of well-reviewed, high volume products designed and manufactured by third party companies. Amazon then copies these products and promotes its own listings, which isn't exactly the most ethical practice IMO)
“Amazon then copies these products and promotes its own listings”
…for the consumer’s benefit. It’s a win/win.
They are one of our best companies. From the climate change perspective alone, think of how much better off we are, as a planet, thanks to Amazon. People are appallingly ungrateful. And the criticism is typically something along the lines that it allows too much freedom (“they let anyone sell stuff, even Chinese vendors” gasp) or oddly, they complain about logistical efficiency (“eww commingling! I would never!” as they clutch their pearls), when it’s actually exactly what other retailers do. If people were so worried about their packets commingling we wouldn’t have the internet; the US Postal Service would stop functioning if mail didn’t get commingled. Commingling is good, progressive.
Amazon US used to be as you describe. But now it's mostly just cheap knockoff stuff. I hardly purchase there anymore. It's really sad because they used to have such a wide selection.
Everything I've seen on AliExpress has a 30-60 day delivery window. Amazon gets it there within a couple days. I don't mind paying a couple extra bucks to get something in 2 days vs 60. And that's not really drop shipping anyway.
I dislike Amazon but yes, my experience in what you have outlined is that it's generally amazing.
The parts that aren't amazing is getting items that aren't representative of what I ordered. But refunding is always a breeze when that occurs.
My problem is that it shouldn't be a thing that happens so often (to me). I shouldn't be shipped shoes of the wrong size 3 times before I get shoes of the size I ordered. I shouldn't be buying open box items without being told it's open box. I shouldn't be buying things with the completely wrong thing in them.
Now, all of these can be problems with big box retailers. But the sheer frequency it happens to me on Amazon - it's never happened at this frequency to anyone I know when we would shop in store. Yes, my friend once bought a graphics card at Fry's that just contained a box of rocks. But that was one friend, one time. I've had more of these issues on Amazon, the last ~7 years, than I have for all shopping experiences everywhere else that I've ever shopped combined.
My US based Amazon experience is like yours with fast shipping and easy refunds/exchanges, so don't lose hope. I guess with 100e6 or so customers, there are bound to be some bad experiences.
> "The service is stellar, shipping both ways is free as long as you buy products covered by prime. Refunds are with no questions asked"
This is my exact experience in Canada so far. But they did something else weird. I wanted to buy a Google Store gift card from Amazon and as soon as I made the purchase my account was suspended. It took me a few hours, including a lengthy phone call, to sort things out. I was told that gift cards are widely used in fraud. Sure, whatever, but then why FFS do they sell those?
Shipping both ways is 100% not free in Canada. I went to price match a power supply I had just purchased and they said they don't price match. I said no worries, since it's unopened I'll return it and buy it again, and they quoted me $30 shipping to return it. I had Prime and it was a Prime item.
I've also reported businesses who sneak 'give us a 5 star review and we'll give you $30' cards into their parcels and Amazon did absolutely nothing.
Amazon is amazing until you realize it isn't. I got rid of Prime and suddenly I found myself spending less money on junk because I wasn't incentivized to get junk by the Prime membership. If I have to wait to have enough stuff for free shipping minimums I can wait enough to look locally, and 1/2 the time I can find it locally for similar cost and the other 1/2 it turns out I never needed it, just wanted it.
Highly recommend getting rid of Prime and taking a couple months off ordering anything from them - you'll find out not only is Amazon not worth it, they're easily replaced.
> "suddenly I found myself spending less money on junk"
I do not buy "junk" just what I really need (mostly for business), so do not have this problem. I buy some things locally as well but it is not my goal to favor either.
> "Highly recommend getting rid of prime"
I am a very service-averse person and am trying to use as little as possible. My phone for example does not even have a data plan. If I do use some however (Amazon in this case) it means I need it as it saves me money / time, whatever.
Maybe that, to some degree. But amazon.de has a lot of problems, too.
There are a lot of fishy listings, but it's also often quite easy to detect those fishy offers, because the German text is usually full of grammar and spelling errors, and often obviously a result from Google translate, and often not even fully translated, with larger parts still in (shoddy) English. Outright counterfeit products seem to be somewhat rare still, at least from what I observed, but there is quite a number of low quality knockoffs.
Or e.g. multiple journalists reported on review-rigging operations - usually organized through WhatsApp, and using regular folks for a few bucks as "mules", to get some coveted "verified buyer" reviews. Or bait-and-switch listings, where they had an original listing which gathered some good/ok reviews, and then they repurpose that listing for another product, while keeping their stars.
Or e.g. there was a report about one guy who got like 10 - 20 packets a day with junk he never ordered, every day, over months. Apparently some shady sellers got hold of his info, and were using him as a "garbage bin" for excess stock[0]. While he wasn't charged for any of the products or shipping, he still ended up in a situation where his door bell rang a few times a day, and he ended up throwing away most of the stuff, having to properly dispose of it. And when contacted, amazon just told him to throw away the stuff he doesn't want. It's unlikely he was the only involuntary garbage bin victim.
[0] It wasn't clear why they did that. Maybe to inflate sales numbers to get higher ranked in the amazon search? Or because just shipping it through amazon to some random people might be cheaper than just keeping that stuff in the amazon warehouse or disposing of it properly?
I don't agree. It's extremely obvious when a listing on Amazon.de is sketchy because the German used is quite bad compared to normal listings.
I'm also quite skeptical of most positive reviews, because it's a known problem in Germany too. I don't think most people are aware of that though and still believe high ratings still mean anything.
Not an isolated incident. My mother was transferred to an Amazon employee who tried to scam her as well. This was years ago, and I reported it to Amazon. No idea what eventually happened, but I was shocked that they'd be so brazen about committing fraud as an actual employee.
Amazon today is a street side flea market. You really don't know what you'll get. I've started ordering more stuff from traditional retailers. Their online operations these days are really good, and at most a few dollars more than Amazon. Clothes from macys.com, home goods from homedepot.com and target.com, and so on. You're not flooded with choices with these stores that are mostly garbage, instead you get only 1-3 choices that are reputable.
I think ordering on Amazon has become a little like getting your car towed.
Towing companies appear to be a large shell game where your $200 tow is handled by one or more middlemen who eventually get some poor independent tow truck driver to tow you for $75.
Amazon should do something that would allow partnering with decent brands. Customers would be happy, brands could keep their reputation, Amazon could get a reasonable cut, and they would still sell stuff via flea-market brands and the made-up word-salad Amazon brands.
You might enjoy “The Market for Lemons” by the economist George Akerlof [0]. It fits people’s descriptions of what’s happening with Amazon.
His idea was: buyers don’t know if a car is good and the risk of getting “a lemon” (a bad car) reduces how much they’re willing to pay. That means sellers reduce the quality of what they’re selling or leave the market. After a while the quality degrades so much that buyers notice and want to pay even less. Eventually the market is 100% lemons.
The paper was controversial when it was published in the 1970s, but helped kick start research into “information asymmetry” and the potential for market failure.
This sounds familiar to my used car shopping experience a few years back. Went to see at least 20 private party sellers over a period of a few weeks and most were junk, bought by shady dealers at used car auctions. And their prices were well above the blue book for excellent condition, despite the cars being fair at best. I did manage to find some actual private sellers, and ended up with something I like and still drive now, but it required a lot of time and determination. I can understand why some people would just go to a lot and drive off a couple hours later.
Your regular reminder that the theoretical free market assumes a perfectly rational and informed consumer, no lies and no misleading or withholding of information.
In other news, a car has infinite mileage on a frictionless surface in a vacuum.
I'd say it's working just fine, by causing people to switch away from using Amazon. Amazon continued to lower their brand's quality and as the name becomes less and less trusted, their products are worth less and less.
Is that actually happening though? I know there's lots of anecdotes around here, but there are still many people using Amazon frequently. I wonder if their numbers have actually gone down.
I mean, roughly, there's no such thing as an ideal free market, and in all real markets all the ways in which it's not an ideal free market are being exploited by people to collect the margin. The concept of an ideal free market is promulgated by the same people who are making money off those margins.
As far as what you can do about it, you could start with preventing those people from interacting with markets. I leave the mechanism as an exercise for the reader.
A free market would first require getting rid of all forms of power and so far there have been people who thought about minimizing the most impactful sources of power and pretty much all economists ignore them.
What we are doing is the equivalent of looking at a warped mirror, i.e. a non-free market, and declaring that the reflections are not distorted, i.e. a free market.
A lot of people are scared of living on the streets or feel shame from living off welfare. There is no way these people are going to make long term decisions if their short term needs haven't been met or there is a constant risk that they won't be met tomorrow.
This is actually one of the more disgusting parts of Austrian economics, where a low time preference is basically considered the equivalent of a high IQ. If you have a high time preference you must be some dumb consumerist animal, when the truth is that you barely earn enough money to meet your living expenses, which means 100% of your spending must go to consumption. Thirst is more urgent than hunger, which is more urgent than shelter, which is more urgent than social needs and so on. At some point you are no longer hungry or homeless. The urgency is gone. It would be more accurate to say that time preference is a function of wealth and having your needs met, rather than some intellectual jerk off competition where stupid people are filtered out and smart people end up with all the wealth.
I honestly just see a regular capitalistic market, where a company is trying to make money at the expense of other companies. By that I don't mean Amazon is outcompeting retailers and pushing them out the market. I mean Amazon is actively causing damage to well known brands by letting scammers sell those branded products to promote their own AmazonBasics brand which is free of scammers.
Even if the scams are unintended, there is no profit incentive to get rid of them.
The only time I had my car towed was in Devon, SW England, in 2020. I hit a pothole and blew out a tyre. The company that towed my car took it to their workshop, and took me to my hotel. The next day I spoke to them to organize getting a pair of new tyres. That was a challenge because I had winter tyres on as I was intending to return to Norway before the spring and no one stocks winter tyres in Southern England. It took them another two days to get the tyres. They charged me for the tyres and fitting and that was it, no charge for the ten mile tow.
This seems to be the classic underdog problem. The traditional retailers that you like today will become third party marketplaces tomorrow if they grow. So the issue is that we only get good service from underdogs and it is destined to fail once the underdog is not an underdog anymore.
Except Amazon started as a third-party marketplace. This isn't *new*, some of us just have really short memories. For the first several years the only first-party sales they did were in books (and not all books on the store even at the beginning). They've expanded into other first-party categories, but there are much fewer first-party categories than people assume. (And always have been.)
The big thing that changed isn't the third-party marketplace on Amazon, it's that they increasingly and intentionally blurred the lines between "third-party" and "second-party" marketplaces. Any third-party that uses "Fulfilled by Amazon" logistics (warehouses, shipping) just about gets automatically upgraded in the Amazon user experience to "second-party" even if Amazon has no deeper working relationship with the third-party than "Fulfilled by Amazon".
Some of that intentional blurring of the lines is also questionably Dark Patterns intentionally designed to confuse consumers in just exactly what categories Amazon supports directly (first-party) and which ones are third-party, and more importantly which ones are first-party usually versus third-party today (such as sold out goods). They want to give consumers the illusion of an "everything store" that is never out of stock. That's never the practical reality, and the illusion may be evil from the perspective of shadily pushing consumers to unvetted third parties due to Dark Patterns that back that illusion.
That doesn't follow. Just because an online retailer grows it doesn't mean they have to start allowing third-party sellers. In fact, seeing what is happening to Amazon's reputation, that seems like a bad long term move.
Short-termism might win out, but it is not a foregone conclusion.
The mechanism is the managers that take over at companies who focus on the short term bottom line (trimming support today, to juice profits tomorrow, to lose credibility years down the road after the bonuses have long landed in their bank account).
And the problem is that Amazon's growth profile (retail-side anyway) is going to be pretty constrained going forwards because they own too much of the available pie right now. So the result is that managers are going to have to look for other ways to trim costs to make numbers.
If you're starting from 0.001% of the retail market and trying to grow 10x it is much easier to do that just by having really good customer service.
This comment is peak short-termism! It is comically absurd to refer to 25 years as a long time!
There are companies that have been around for 300 years; in fact, prior to the rise of venture capital, most companies were multi-generational family businesses and you would consider how a decision would reflect on your children.
> Just because an online retailer grows it doesn’t mean they have to start allowing third-party sellers.
Why do you believe this? Not one of the top 10 online retailers in the US doesn’t have third party sellers. It appears to be the case in practice that growing does require opening the doors to anyone and everyone, which obviously increases the scale of business a retailer can offer. There are both reasons and evidence to suggest third party sales are what it takes to grow to even one hundredth the size of Amazon.
> seeing what is happening to Amazon’s reputation, that seems like a bad long term move.
This seems like a big assumption. There is a very long list of corporations and monopolies with relatively bad reputations that are doing just fine and have for a long time. Reputation isn’t a good measure for the success or future prospects of a company, once it gets large enough.
I agree it's not a foregone conclusion, but it's also not far fetched. That's what happened to Newegg. They tried to turn into an Amazon and now I have a hard time trusting them.
Ordered some things from walmart.com, half of it was third-party sellers. They were sort of transparent about it, though, and the quality was at least what I'd expect from inside a Walmart.
Yep. I've been ordering from Target, Best Buy, and Walmart much more often these days. I just assume the product descriptions and reviews on Amazon are all lies.
Target and Wal-Mart also sell third party shit. It's easier for me to just buy directly from brands I like, or to shop for them on a couple outlet sites I trust (so far) to sell legit (overstocked or lightly damaged) top-quality stuff and not lower-quality second- or third-tier versions (as some outlet stores do), than figure out how to avoid or disable displaying third party sellers on a bunch of different sites.
By the time you factor in the time and frustration for that, any savings (which isn't even guaranteed) doesn't look like great ROI anyway. Plus, even Amazon often won't carry the full range of a brand's products, so I get more options shopping this way.
Best Buy is filled with 3rd party sellers too, but it's at least very easy to filter them out. If I could do the same on Amazon I wouldn't have any problem with 3rd party sellers, but they instead make it almost impossible to know, even if you check manually.
That and Amazon commingles their inventory with 3rd party inventory, which can sometimes be counterfeit. And Amazon doesn't care if the counterfeit products are mixed in with the genuine products in their warehouses. As far as I know, Best Buy/Target/Walmart don't commingle their inventory with 3rd parties because they have physical stores that they can pull from.
True. But stores like Target also let you see inventory in physical stores, so it's easier to purchase an item you know is coming from a Target store/warehouse than a 3rd party.
Do they still allow listing different products on the same page, with the same reviews?
You can read reviews for a whole different model of headphones or kettle, for example, but what you get is another, (usually) cheaper model/revision. Which is insane!
Negative reviews are silenced. I ordered a machine with missing parts such that it couldn't be assembled. I gave a 1-star review and it never appeared on the seller's page.
Target and Walmart take online returns at their stores, which no one in the supply chain likes. They will take bad suppliers to the woodshed if there are too many returns of an item. Hence they have skin in the game to carry quality products.
I didn't say I trust reviews on Target. Paid reviews exist everywhere. But if I have to choose, I'd trust Target's first. Amazon's extensive 3rd party marketplace is set up in a way that encourages vendors to game their system. Amazon does nothing about it because it's good for business.
And I trust Target's products are genuine and what you receive is what's in the product description, because they sell them in stores.
Agreed. The last example was an LED grow light I purchased; the description said it had a grounded plug. When it arrived there was only a 2-prong plug. I'm wary of everything I buy there now and try to find a manufacturer-direct order when possible. "Fulfilled by Amazon" should read as a warning sign.
> Amazon today is a street side flea market. You really don't know what you'll get.
There are two times when I will use Amazon nowadays:
1) If there is an official store there
Anker is a good example of this. It seems like Amazon doesn't commingle inventory if there is an official store.
2) If I want something faster than Alibaba/Aliexpress
Quite often I can find the exact Chinesium equivalent on Amazon and I get the benefit of returnability if what is advertised is completely out of whack.
This has to be costing Amazon money, but, it's their funeral.
Well this initiated a rant, not directly related to ads, but Google in general. This is an internet literacy issue I’ve noticed more and more. People will refer to Google listings as an authoritative source even if the data comes from some third party.
“Is this Jordan’s Tiles?”
“No. This is Patrick. You have the wrong number.”
“It says on their website this is the number!”
“Their website is wrong, this isn’t Jordan’s Tiles.”
more argument with me just hanging up because they’re clueless (someone even had the audacity to ask me what the number was for Jordan’s Tiles like I’m their personal assistant)
And finally I went on Google and searched for Jordan’s Tiles. There my number was on the listing and on a third party source. The right number was on the lower ranking Jordan’s Tiles website. They were so argumentative about being so wrong, it was outside of their ability to understand that the internet can and does give you the wrong information.
Wrong opening hours on Google is a niggle for me.
And having been on the other side of the equation, changing the hours Google says a business is open is not always straightforward.
Not sure if you're joking, but the etymology of this word does not appear to be racist. According to [0], it derives from the same root as "niggardly", which according to [1], is unrelated to the racial epithet.
Yeah, you hear about this with the people who get taken in by Grubhub or whoever that's spoofing a restaurant's phone number/ordering site. I would never take a third-party source as authoritative, but apparently people do it.
I never take restaurant phone numbers directly off of Google, I always check their (hopefully existent) website before calling, or at least crosscheck it against other sources. There is no way Grubhub or any of the other mediating greedholes will get even Caller ID data from me if I can help it.
Related. Finding real locksmiths has become so difficult that I have resorted to calling a business across the street and asking them to tell me if there is, in fact, a locksmith at the purported location.
Maybe there is a business in physically verifying that a given business is actually the real thing.
KeyMe are one of the perpetrators of this shady practice. They have vending machines for keys and put them all over the place and then their machines show up when you search for a locksmith. If you call the number their rep will act as middleman to connect you with an actual locksmith and they take a cut.
I've decided I will do my searches through https://www.findalocksmith.com/ which is from the Associated Locksmiths of America.
When a small guy does something like this it's called fraud and heavily punished. When a VC-funded company does this it's called "growth hacking" and applauded.
Honestly, how do you know what the right number is though? Everybody outsources their stuff. The real website is at jordans-eatery.outsourcedsite.com. Or maybe the guy at jordans-eatery.seo.com is taking calls and placing orders to the real site at a markup. Or maybe the real number is on jordans-eatery.com. Or maybe it's none of those.
Easy, go to the restaurant in person and order takeout, or dine in if you want. On your way out ask them what their official website and phone number are. Then you can put them on your "safe to order from" list.
I order all the time from a restaurant with a distinctive name and menu near me. They might have their own website, but their real website is one of these outsourced menu ordering things.
Last time I went to order, I looked up their name, went to the page by that name on the known third party menu site, ordered my usual order from their usual menu, only to discover after the charge went through that a scammer had copied their name and entire menu onto a new restaurant on the same site.
Called immediately to cancel the order (why doesn't the site have that option??) and the woman on the phone feigned ignorance. A few minutes later a gruff man called me back and told me I wouldn't be getting a refund. Not sure what I said to convince him, but maybe enough threats and he decided to change his tune.
Apple Maps from my experience is quite bad about this. I know of one city where it happily provides the locations of four DHL counter locations even though there is only one. Numerous other store locations on Apple Maps also often do not exist, so however they are sourcing their data is full of errors or outdated information.
I've had that happen to me as well - person finds a wrong number online someplace, calls me, and then is mad at me that I am not who they are looking for...go figure.
Had this happen to me when I was in IT. I got a cold transfer of an angry customer who wanted to talk to a guy who had a very similar name. I told the customer that they wanted the other guy, I was in the wrong department, and they wouldn’t believe me. They said “I know it’s you from yesterday, I recognize your voice!” How was I supposed to argue against that?? Eventually I convinced them and did a warm transfer to the correct guy. We do have similar voices…
I think this might just be a people thing? I've had the same experience (some one calling for the YMCA, I inform they have the wrong number, they proceed to argue and berate me) but they probably just misdialed.
Not that I don't also feel like Google search results have gone down hill.
My friend booked an international flight with departure and destination having a 12+ hour timezone difference. The email listed the departure time, duration of journey and arrival time, all in local times (as expected). Gmail auto-creates an event for flights and hotel bookings, and thus shows the correct departure time and duration; then that AI simply added that duration to the departure and showed the landing time in the departure city's time. Wrong. My friend, no blame, believed it, until I pointed it out.
I'm confused, what's wrong there? The event starts at departure time and goes for the duration. The arrival time is correct, and can be reported in any time zone.
Sorry for not being detailed in my comment. Or I might have butchered it. I will simply explain with numbers.
Email said, flight departs 31st March 9pm.
Flight duration 15 hours.
Flight reaches Apr 1st. 9pm. No indication of timezones, but as super common in flights, all times are local. Both cities have about 12 hour difference.
Google thought Departure 31st March (correct);
Duration 15 hours (correct).
Arrival Apr 2nd, 12pm. (Not correct, it added 15 hours duration to Arrival city time. Apr 1 9pm + 15 hours = this).
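A worked version of this itinerary arithmetic, added here and not taken from any comment in the thread: it computes the arrival the way a calendar should (through UTC), reproduces the departure-clock display mistake described above, and flags a stated arrival that does not agree with departure plus duration. The cities, offsets and times are constructed (a 12-hour gap, using fixed offsets instead of named zones so it runs without tz data).

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample: a 12-hour gap between the two cities, as in the thread.
# Fixed offsets stand in for named zones so this runs without a tz database.
DEP_TZ = timezone(timedelta(hours=-4), "DEP")  # departure city, UTC-4 (constructed)
ARR_TZ = timezone(timedelta(hours=8), "ARR")   # arrival city, UTC+8 (constructed)


def correct_arrival(dep_local: datetime, duration: timedelta, arr_tz: tzinfo) -> datetime:
    """Arrival on the destination's clock: add the duration to the instant (via UTC),
    then render it in the arrival zone. This is the time the traveller needs."""
    arrival_utc = dep_local.astimezone(timezone.utc) + duration
    return arrival_utc.astimezone(arr_tz)


def departure_clock_arrival(dep_local: datetime, duration: timedelta) -> datetime:
    """The mistake described in the thread: the duration is added to the departure
    time but the result is shown on the departure city's clock. The instant is the
    same as correct_arrival(); the wall-clock time shown is off by the zone gap."""
    return dep_local + duration


def itinerary_mismatch(stated_arrival: datetime, dep_local: datetime,
                       duration: timedelta) -> timedelta:
    """Difference between an itinerary's stated (zone-aware) arrival and the arrival
    implied by departure + duration. timedelta(0) means the itinerary is
    self-consistent; anything else means some time was read in the wrong zone."""
    return stated_arrival - correct_arrival(dep_local, duration, stated_arrival.tzinfo)


def fmt(dt: datetime) -> str:
    return dt.strftime("%b %d %I:%M %p %Z")


def demo() -> dict:
    """Runs the constructed case and returns the rendered results."""
    dep = datetime(2024, 3, 31, 21, 0, tzinfo=DEP_TZ)  # 31 March, 9 pm, departure clock
    dur = timedelta(hours=15)
    # What a mislabelled email might state: 1 April 9 pm on the arrival clock.
    stated = datetime(2024, 4, 1, 21, 0, tzinfo=ARR_TZ)
    right = correct_arrival(dep, dur, ARR_TZ)
    return {
        "arrives": fmt(right),                                  # Apr 02 12:00 AM ARR
        "mis_shown": fmt(departure_clock_arrival(dep, dur)),    # Apr 01 12:00 PM DEP
        "mismatch_hours": itinerary_mismatch(stated, dep, dur).total_seconds() / 3600,
        "consistent": itinerary_mismatch(right, dep, dur) == timedelta(0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```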
The SEO thing sucks, I notice it like if you're trying to find a tow truck, it'll be some call center that then directs you to an actual tow truck nearby with their cut added to your cost.
Lots of call centers get targeted with this type of scam. I think it's because call center employees are so poorly treated and compensated that it's appealing to join the scam. I've seen the same exact thing happen with QuickBooks support. The actual agent you're speaking with gives your contact info to the scammer who calls you back.
I've never seen this before but I imagine the call center employee has a lot more to lose being a part of fraud than the scammer who isn't legitimately employed and can't be found. Doesn't seem likely.
Stuff in person costs 2X the price though. Especially bike parts.
It's often cheaper to buy from Amazon but never go through troubleshooting support. Always return or replace.
If that doesn't work, give a 1 star review, wait for the seller to come chasing you with a gift card in return for 5 stars. Change it to 5 stars, spend the gift card, and then change it back to 1 star.
As someone who buys a lot of cycling parts online, there are many mom/pop bike shops with web storefronts that are very reasonably priced and often include "free" shipping. Stop giving Bezos your money, you have no excuse.
Yeah.. lots of people keep repeating "but it's expensive outside of Amazon!" and they never tried. Sure, you can find cheaper products on Amazon, but once you start looking around, it's definitely not always the case. But people are lazy, they get multiple Amazon packages a week, and love to complain about Bezos but do nothing about it.
I bought a book on Amazon in 2005, it came (weeks) late, I complained, got sent another, ended up receiving 2 books. It was my last purchase from Amazon. Since then, the only time I see Amazon is on the backend of a scammer. Amazon is, in my opinion, in every sense a scam itself.
First off, it's just morphed from a book store into an upper-class eBay. Alibaba became the Chinese eBay. I'll pay that drop shipper the money, I've got no problem with the convenience they give, but realistically what's the point of going through 3 middle men when I can wait an extra week and limit that to 0 or 1.
Your local shop isn't the only option. The first online retailer (above Amazon in my Google search result) is €3 cheaper than Amazon, shipping included.
Ah okay, I thought it was because these particular tires are in fact made in Germany ;)
But yes I think in Europe small businesses are much more of a thing. In the US it's very hard to get a better deal than from Amazon and these big companies, especially because they can super-optimize the supply chains across such a big country. Same is true in China.
Amazon is expensive. I once got an Amazon gift card and the first thing I told the person that gave me the card is that I will spend 20-30€ more on Amazon than on any other site.
As someone in Europe, Amazon would be the last place for me to look for bike parts. We have so many great options, including huge online retailers (Bike24, bike-components, bike-discounts, just to mention a few), all of which I've ordered many times from, and was pretty much always happy. Local bike shops may be more expensive, but then you support your folks, which might come in handy later, when you need servicing for something that you don't have the tools for...
The thing with bikes and bike parts is, details matter: two seemingly similar looking parts might be completely different, and there are many small parts that have many options (length, material, color, thread type etc). So unless you really know what you are doing, it's very easy to mix things up - that is true for the consumer too, of course :) Any non-bike-specific webshop is doomed for this reason, except for some special items, e.g. electronics.
One thing I noticed is that these days there are more and more small shops that are legit online, they may not be offering small parts, but I bought a bike from one such shop 2 years ago, and it was heavily discounted, the bike was exactly what they said it would be, it was in stock and was shipped within a week to another EU country no problems.
The reason I buy on Amazon is that finding anything you wouldn't see in a typical department store from somewhere else online takes a bit of effort; and it's an additional effort to gain some confidence that the "somewhere else" won't scam me, sign me up for even more spam, etc.
If there were some reliable meta-shopping site that aggregated trustworthy vendors, I would use that--but I can't see how to build one that wouldn't have all the problems of Amazon in the best case; and all the problems of wish.com in the more likely case.
Do you know if the original order was from Reolink? If I had to guess, that may have been a questionable reseller, I've seen several cases in which it looks like you're ordering from SomeCorp as fulfilled by Amazon but once you get into the actual order process it shows up as some other seller that was in the "Buying Options" list.
Definitely sketchy behavior on Amazon's part, never dealt with the selling side there so no idea if this is sellers gaming Amazon or just awful market platform in general.
The question reduces to one of incentives. Scams are extremely easy to initiate, cheap to scale, and once they're sniffed out, extremely easy to replicate with a small variation in location/product/approach. In other words, they're like good software.
So...what might curtail the proliferation of scams (besides cruel and unusual punishments)? Decentralization? More factors of authentication?
Slightly OT but I swore off Reolink because as late as two years ago they still required a Flash plugin before you could view camera captures in a web browser. I think they've finally fixed that, but the utter cluelessness of requiring Flash in 2020 left a bad taste in my mouth.
Given how many fake products amazon sells and intermingles with legitimate products, it isn’t at all surprising that they forwarded you to a scammer. They just don’t care about protecting their customers, apparently.
It sounds like you bought a product not sold by Amazon and got transferred to the company in question.
Don't buy 3rd party products sold on Amazon. I always tell people this. They ignore me and then stories like yours pop up.
NOTE: This applies to prime items as well. Amazon's vetting services for 3rd party sellers is nonexistent. I could literally sell you dog shit right now; with no verification I even exist. I've had a seller account for over a decade, and I've not sold a single item. The Amazon Marketplace is an anonymous Craigslist. Please don't forget that.
>Don't buy 3rd party products sold on Amazon. I always tell people this. They ignore me and then stories like yours pop up.
So buy Amazon Basics and nothing else?
Also I tried to avoid buying from third party sellers but the Amazon website is so deceptive that you are bound to buy something from a third party seller at some point. There is obviously no option to hide third party sellers because that would solve the problem and Amazon's opinion is the problem shouldn't be solved.
There's one easy rule that could have avoided all of this - never give out any info on incoming calls. If I get a call or text about fraudulent transactions, I'll keep them on hold while I log into the bank website. If I get a call about a late payment, I'll thank them for the info and ask them to stay on while I pay online. If I get an inbound call with a more complex request, I'll ask them for their employee info and call back the official service number. It annoys the caller sometimes, despite always treating them professionally, but I keep that a hardline rule no matter how real it feels.
I heard this from a security guy and was under the impression it was one of the sacred laws of security. If it's not, it should be - it's a rule of thumb that would stop 90% of social engineering attacks I hear about.
This is good advice, despite it being a pain sometimes! I once got a voicemail from the fraud department at my bank, with a number to call back. I googled the number and all that came up were stories about being scammed. So I was 95% sure it was a scam, but called my bank directly just in case. The person who answered assured me they hadn't contacted me, and it was indeed a scam. I later got a follow-up voicemail from the "fraud department", from the same supposed scam number, which I ignored.
Then, the next time I went to use my card, it was blocked. I called the bank again and spoke to someone new, who informed me that the original calls had been legitimate - they had the same reference number and everything - and the card had been blocked due to lack of response!
Obviously a false positive on the scam detector is less of a problem than a false negative, but was still pretty incredible. No idea what was with all the people talking about being scammed from that number online; I can only assume that they (like the first rep) assumed it was a scam, since if the bank needs to call you, they should tell you to call back using the number on your card, not some random number they give you. But apparently that's exactly what they did.
This has a similarity to the original story here, in that the original sounded like: "They behaved a lot like a scammer would, but I also totally expect my real bank to behave like a scammer would".
Many years ago, I worked in a call centre for a bank and the process for calling customers was exactly what you'd expect from a scammer.
In the standard/credit card section (not, for example, credit card debt collections), it was rare to have to make outbound calls, but when they were needed, no information could be given out until the customer answered security questions. Some customers questioned this because it was exactly what they’d been told never to do. They were told that of course it was right to be cautious, and they could call back, but that they would need to wait in the queue and likely speak to a different person. This was all before they could even be told what they were being called about.
Perhaps half the people questioned the process upon receiving the call ("you called me, and you want ME to prove who I am?"), but very few hung up and called back.
From memory, this was mostly improved later on - no security questions needed unless some sort of action needed to be taken on the account.
This happened to me with Bank of America's fraud department. I had a charge that tripped the fraud detector on a relatively new card. I don't recall the sequence of events, but I believe I was prompted to request a callback from the fraud department. When they called back I had to answer a bunch of PII questions, and then they pushed a 2FA code to me and asked me to read it back over the phone. I told him the 2FA message literally says to never give this number out to anyone, but they insisted it was necessary to continue. I was shocked that the bank's fraud department would be so cavalier.
Many banks today have communications preferences options and I've told all of my banks that do to never call me directly. If I receive any sort of legitimate call from them I immediately follow up with a strongly worded letter that they should not have called me and violated their own security policies.
The only thing we can do about "bank behaviors make it easier for scammers" is to change bank behaviors. It's not an easy process, but unfortunately it is a necessary process.
One of the wonders of the world is how much unnecessary data they collect - just because they can demand it - with nary a thought of how much of a liability that is.
Guess it will take a few years of getting slapped for it to filter down.
He is looking for a definite red flag that it's a scammer. This is a terrible strategy and he should know better. One suspicious act and you should hang up and call the number on the back of the card. Really you should just not take calls from the bank ever and call back on the number on the card.
I had something similar. One time I got a phone call from a "Scam Likely" and decided to answer it. And it was an automated message from my bank asking if some purchases in another state were real or fraudulent. At this point I began to second guess if it was a scam or not, but had to assume it still was. I ended up logging into my account and seeing the same fraudulent purchases that it listed over the phone. So I called the number on my card and had it all settled. I found it weird that the original call was a false positive though.
Probably because the phone number is calling about a scam (fraudulent charge), and then when they hang up, people report the phone number as a scam because they don't understand the difference.
STIR/SHAKEN has been the law in NA (where the GP is) for a year or two, so it should no longer be easy. It's a problem a lot of countries are tackling.
Some scammers are making fraudulent charges, then calling victims as the bank to “fix” them. Skips over a bunch of red flags because the bank has every reason to be calling.
Calling on the official number is a good rule. But my neighbour followed that and was still scammed for tens of thousands.
The critical extra step that they missed was to check that the line was disconnected before calling out. They were using a landline.
The scammers called them, but didn't hang up. Then, when my neighbour called out to their bank, they pretended to be answering that call - going through security, etc.
My neighbour then did whatever the scammers said - because they couldn't possibly be scammers.
For the people who are confused: this is a fairly common thing on landlines in some countries, where the telephone exchange doesn't drop the connection until both ends have hung up, or in some cases when the caller hangs up but not the callee. So it's possible to put your own phone down, but when you pick it up again your phone is still connected to the scammer's telephone. If they play a convincing dial tone, then change to a ring tone when they hear DTMF, you'd be none the wiser.
The workaround to this is to use another phone (e.g. switch to mobile), or if that's not possible, apparently you can wait several minutes until the exchange times out the connection.
I accidentally won a radio contest many years ago in this way. I heard "you are caller 2" and then the DJ hung up. I stayed on because I was confused and then a few seconds later he picked up again and said "you are caller 4". So I just stayed on and eventually said I was caller 10 and the 10th caller won the prize. I assume he was switching back and forth between two internal phone lines.
I was confused because I was calling to make a song request and had no idea that this contest was initiated because they had just played a certain song.
Just FYI, this does not and never applied to mobile phones or any kind of entirely digital (SIP, etc) phone system.
Modern "landlines" when used with DSL or fibre are also no longer "true" landlines, instead the modem/router acts as a SIP client and gives you an FXS port to plug an analog phone into. While it could theoretically emulate this behavior (by keeping the SIP session open for a few more seconds), I don't believe any of them do - in any case it's trivial to test by calling a different phone that you control, hanging up on your "landline" and seeing whether the other phone hangs up immediately (it should) or if the line is held open for some more time.
If this is still a thing (I frankly don't see the purpose of it), it would only apply to real landlines where your phone is directly connected to your phone socket without a modem/router in between.
That's not necessarily true. Most smartphones and SIP clients are designed to kill RTP immediately after sending a BYE, but session teardown doesn't _have_ to happen then. There are many scenarios where a BYE would not constitute destruction of the RTP session, and using a dumb analog phone over FXP could easily be one of them.
Even already knowing about this I'm still mystified that landlines work this way on every occasion that I'm reminded of it. Does anyone know if there is, or at least was, a justification for this mode of operation? Was it at least of any use to anyone back around the 1900s or whenever or is it just another "we do it because that's how we've been doing it" residue that hasn't been cleaned yet?
Back in the day, folks would have more than one phone in their house.
Someone would call and all the phones would ring (or you might turn off the ringers on some of them so only one main phone actually rings). So someone might pick up the phone in the entrance hall and the caller would ask to speak to Becky, and Becky’s mom would yell up the stairs ‘BECKY PHONE’ and then put the receiver back down while Becky runs into her big sister’s room to grab the upstairs phone, and carry the whole phone, trailing on its wire, into her bedroom, slamming the door on the wire for privacy, before she picks up the receiver to answer.
I saw this sort of thing in american sitcoms as a child, and I was always mildly triggered by it. Here in Australia the landline phone system disconnects as soon as either person hangs up.
On the shows they would sometimes hang up the phone, then somebody else picked up a receiver and the call continued?? Phones don't work like that! Go try it on your real phone, and you'll see!
It never occurred to me that US phones worked differently than Aussie phones.
The fact I was so bothered by this probably says an awful lot about what sort of person I was as a child. It's no accident I fell in love with computers.
Just going from memory - but I’m fairly sure that around 25 to 30 years ago, in Australia, it did work the way that is being described. That is, the person receiving the call could not disconnect the call by hanging up. The person making the call needed to hang up, otherwise the line stayed open. I messed around with this a few times because I was amazed it existed.
Editing to add more detail, since I'm basically contradicting your memory of how it worked:
I'm fairly certain it didn't work if you dialled out, so you may not have come across the circumstances to test it. Also, the other person would probably also need to be participating in testing it, because otherwise they will hang up as soon as you do.
I've just remembered another detail - I think there was something different about the tone you heard. If you received a call, and the other person hung up, you would hear the disconnected beeps. If you made a call, and the recipient hung up, I think you would hear the disconnection, but then just silence.
By the way - I was also confused by seeing how phones seemed to work in the US - like pushing the hang up sensors (is there a name for these?) once to switch lines for call waiting. I never really connected their strange behaviour with how the phones in Aussie worked.
Actually, is this all related to party lines? I’m fairly sure Aussie had these. NZ did.
Was harassment by exploiting this ever a big problem? Seems like you could call someone and if they pick up, you now control their phone line... indefinitely?
> On the shows they would sometimes hang up the phone, then somebody else picked up a receiver and the call continued?? Phones don't work like that!
Well, a few decades ago (80s-90s), at least, landlines sure did work like that in Australia, if you were the one who received the call. I played around with that a lot as a kid. Maybe you just tried it on calls you initiated?
I lived through this era and at one point worked at a phone company and never knew about this behavior. I'd hold the receiver until I heard the other person pick up, then hang up.
As opposed to my sib comment, I could see (theoretically, not saying this is what the original logic was) some justification to deal with intermittent line breaks or connection issues - if one side can keep the call open, then a wind gust breaking the connection for a couple milliseconds somewhere between the two parties won't cause the whole call to end. From a customer point of view, it's more resilient and ends up with fewer dropped calls.
I could also theorize about the different switching actions going on, where up until the other party picks up there's already only one phone on the line, but that's getting into phone system/phreaking stuff that is way out of my depth.
This is similar to the other answer regarding answering a different phone in the same house, but perhaps more necessary if sharing a line with neighbours. Distinctive ringtones may have made this phone line non-disconnection behaviour unnecessary though.
I’ve never experienced a party line - but they sound ridiculous (and fun).
If you're up for an (at least to me) fascinating rabbit hole of technological history in audio form, you might enjoy this narrated audio tour of analog phone switches:
Was this common in the US? I spent a bunch of time on the phone in the late 90s at several of my family members houses (I was a social kid) and any time someone hung up I'm pretty sure I'd hear the busy signal if I left the phone unhooked long enough.
What the actual f. I feel like the only commenter here who wasn't aware of this. Thankfully I don't use landlines, but still, that is beyond crazy to me.
So your neighbor hung up to proceed with a follow up call, which, if they're like most people, consists in just pressing the switch with a finger, while keeping the handset to their ear. But then upon releasing the switch, they just started dialing without waiting for the dial tone? And after they finished dialing and never heard the ringing tone, they didn't find that unusual? Forgive my skepticism, but something's missing from that story.
Edit:
Just read up on the disconnect time (10 seconds for some providers) and yes, a sophisticated scammer could indeed emulate the various tonalities.
Yes, and this is how it works as another responder mentions.
The thinking by phone companies is essentially: guy calling pays for the call, so we can milk each call for a few extra cents each time even if they're shady or a wrong number.
Unless both sides hang up, there's something like a 10-20 second window where the call is held open. Hanging up, picking up within 10 seconds and dialing means you're still connected to the original caller. If they're clever, they might even detect the click of you hanging up, play a dialtone for when you pick back up, and stop playing it when you start to dial.
Your neighbour dialed a new number without hanging up his ongoing call? Is this his first time operating a telephone? The scammers mustn't have believed their luck when they realised that was happening. Did they mimic a "brnnnnggg brnnnggg" sound when he dialed?
The connection isn't always torn down immediately. Different switches behave differently in this regard. I remember a long time ago being trolled by a friend of mine who refused to hang up. I wanted to call someone else, but every time I picked up the handset to dial out, he was still on the line laughing at me.
So if you're served by a switch that operates this way, the scammer just holds the line open, plays dialtone and ringback tones appropriately, and you're none the wiser.
Yes, this is what I do too. I say "Thank you for the information. For security reasons I won't discuss this matter on this incoming call but I will immediately contact your fraud department on the number I have." They've never been annoyed about this. In fact, mostly they've been positively surprised.
I am a security guy by profession. The other day my wife signed up for a Tesla and they ran her credit. Next day we get a random call from Wells Fargo regarding an auto application and they wanted to verify her information. My wife, confused why Wells Fargo was calling, did what I always ask her to do: tell the individual to provide her with the case number and she will call back; they do not need to provide her the call back number. This is easy to remember for most people, and she did just that. It turned out Tesla has multiple financiers, which Tesla failed to mention, and one is Wells Fargo.
Yes, this is scam prevention 101. Anyone who called you is always unverified. It's hard for me to take seriously a "scam prevention expert" who doesn't seem to know or follow this rule, which by itself is enough to protect you from most scams. Normally I try not to victim blame people for getting scammed, but when you've made a declaration like that you forfeit that right.
I'll also point out that the author seems to have some complicated arrangement for their phone number(s), presumably in the name of security, that in fact got in the way of identifying this to be a scam.
Regarding the complex phone arrangement: There's an effect, the name escapes me, that adding security can make threats less frequent but more dangerous. Sounds like he was more complacent because he had trust in his phone system.
And I agree about author - if he had said that he violated an easy rule and owned that I would take his credentials more seriously. Everyone makes mistakes, but he didn't list this simple, well-known rule as a way of preventing this.
I can see a normal person falling for this, but in my opinion this person calling themselves a scam expert is a scam in itself. The claim that this has only been a practice since 2018 is absurd; even if true, being four years behind on current practices makes you no longer an expert.
Agreed. No matter how tired and annoyed I was, I'd have stopped dead at the confirmation code that they asked for. There's absolutely no way I'd have given that to them, even if it meant cancelling my account and using a different bank.
That seems a bit extreme, but if their procedures are so crazy as to require circumventing another system's security procedures, I'm not going to bank with them.
I actually had a bank send me an email asking for information that came from another domain, had a header that looked like it had been badly scanned in, and had links to domains they don't own. When I ignored it, I eventually got a notice that my car loan was in jeopardy because I hadn't provided that information.
They had no clue why I was so upset about that email.
I paid off my loan immediately and never looked back, even though the interest was less than I make off the stock market.
I think this is a statement easier to conclude in hindsight, especially as you are primed with "this story is describing a scam, definitely". The author describes the thought process and what ended up nudging them toward believing the scammer about the workflow. A code sent like this in a legitimate workflow could be plausible. Maybe it's a requirement to ensure that the customer is indeed acknowledging the operation and the CSR isn't taking actions behind the customer's back, for instance.
The author had a lot of signals pointing toward legitimacy to counteract their natural skepticism, it was a stressful situation and the nature of a phone call puts time pressure into the decision making, increasing the odds of a mistake.
Your example points out that false positives on the "scam or ham" decision do have a cost to the contact recipient too, so "never respond to anything" comes with risks and costs too. It's hard to be perfect.
> In order to do that, I needed to relay a confirmation code that would be texted to me.
Everything up to that point matches exactly what happened when I got a call from my own bank (Charles Schwab) regarding fraudulent charges. However, whenever Schwab sends me a code (or Bank of America, Coinbase, etc) the code comes with a message stating that an employee will never ask you for this code.
The fact that OP is an "expert" yet fell for this shows me that they are in fact not an expert here. Don't get me wrong, the execution by the scammer was slick, but I would expect an "expert" to be familiar with their own bank's policies:
"Wells Fargo will not call or text you requesting an access code. We may ask for an access code when you call Wells Fargo customer service. Always contact us using a trusted number on the back of your card or wellsfargo.com."
1) You don't hear about the stories where the scam is stopped.
2) As you have noticed yourself, legitimate banks do what they can to make their actual requests indistinguishable from scams, and "not falling for that" can have severe consequences.
Banks and health care providers have aggressively trained customers to be ok with giving sensitive info in a received call. It's a real disservice to the community, but kind of a tragedy of the commons.
I also do a callback (verifying the number they give me via a google search) but it seems like almost no one else does. On one of these calls from a bank, I asked the agent whether anyone else asked to do a callback, and they said no one ever did this.
Excellent, simple advice! I don’t believe anyone who calls me with a problem, ever!
Overdue bill? Okay cool thanks, I’ll call back and ask to speak to someone, hang up.
Compromised card? Okay cool thanks, I’ll call the number on the back of my visa, hang up.
(This one happened to me) Relative in another country is dying of cancer and needs money for some obscure procedure and doesn’t want to tell anyone else about it only me so don’t call anyone about it? Okay cool, I’ll check and get back to you.
I don’t care how important the matter is; your house could be on fire! If you are calling me and need any type of personal info whatsoever, I hang up and call you or someone I know related to you or just Google that thing!
Same with door to door salespeople. No thank you goodbye.
Hi, the government is giving $5000 credits for people to add insulation, blah blah blah. Can we do a free evaluation? No! I would have heard of this free money falling from the sky from someone I know.
No thank you, hang up, give zero info don’t even confirm my name, close the door or hang up. Goodbye, won’t phish me.
I feel like the author made two mistakes that anyone who goes after scammers should know.
First is to never trust the caller. Didn't matter what info they have.
Second is never give your 2fa. Who cares if some third party product has some wonky scheme that requires it. Don't do it.
That's good advice. I'm also wary of providing information over a customer service chat. A recent example that comes to mind was when I was price matching a product on Best Buy's website over a chat session. The rep confirmed the price match was valid and began to initiate it. And then he started asking for all of my personal details including phone number, address, and credit card. When I politely refused, he thought I didn't want the price match anymore. I confirmed I still did, and he said he needed all of the info to place the order for me. I had assumed I would be sent a personalized link to order the product, or it would just be added to my cart (since I was signed in). But no, he needed personal info which would live in a chat log. I ended up ordering from the other retailer.
Anyways, maybe there was nothing wrong with providing those details. Maybe they were already available to him on his screen. But the act of asking for that info and making it commonplace for people to just provide it is how so many scams are successful. I don't know how we get away from bad security practices being the norm.
My doctor's office has a note in my file about this now.
Every time they call me, they just say, "Hi smeej, it's NAME at Dr. NAME's office. We have an update for you, so go ahead and hang up and call us back."
I thought that was fairly standard in banking/credit card fraud as well. That's how I was directed to proceed when I got a call from my CC company about fraud: "please call the service number on the back of your card regarding potentially fraudulent transactions"
Last week, I cancelled my Netflix subscription and have been trying to remove my credit card details from my account to prevent surprise reactivation in the future. There wasn't an option to do it online, so I went to their chat support and asked them to remove my CC information from my account. Then they asked me to provide my CC number to validate who I am. I told the rep that I am not comfortable sharing my CC information over the chat and would prefer to only give out my service code or alternative information. This rep kept assuring me that it is secure and they can't see what I am typing in. I asked them to initiate it and I would decide if it was trustworthy enough to put it down. I got the prompt and it asked for a full CC number. I declined the prompt and told them that I'm not comfortable doing that. And it didn't help that the rep was unintentionally behaving like a scammer. I shared my concerns about the rep's behavior and remarked that scammers can say those things. The rep understood my concerns and asked for other information like the email address that is linked to the account and two recent activities on the device I use. I gave out the information and validated that I am the account holder. Then the rep processed my request and I saw my CC information was removed from my Netflix account.
That's what I do. If it's actually important I'll get physical mail or a knock on my door. If I didn't request the communication then the communication is not legit.
You literally can’t set up Xfinity internet service without accepting an inbound call and then clicking on a shortened link they text you.
I asked for a callback number instead. They hung up and made me go through the entire process again, culminating in a new inbound call a day later and a new sms.
I think I read about this rule here on HN and have been following it for a couple of years. The funny thing is, banks do scammer-like things so often. I had a yearly subscription that tried to renew and they tried to charge me first for 0, and the bank rejected it. 2 hours later I get a call from a weird number from my city (when my bank is in another city and all official numbers are from there) from apparently the fraud department of another bank that now handles fraud prevention for my bank. I refused to give them any info, told them I would call the bank back and just called the number on my card, which is the default support number for my bank, and sorted everything out in 5 minutes.
I don't know, I maintain that policy fairly strictly, but I can imagine falling for this.
I won't as a policy give out information to an incoming call, and I do call back if they want any info from me. But my working memory is not endless. The topic of discussion had changed three times before he was asked for any information, and the information still wasn't PII, it was a confirmation code. The scammer knew enough about him that he wasn't especially on alert. I can well imagine that flag in my mind that I was on an incoming call having been lost before we got to that point. And I suspect that's exactly how the scam was designed.
I feel like all banks and other such institutions should give trainings / information at least once a year on how they will contact you in the case of e.g. fraud.
I think that any phone calls from a bank about fraud should only be a notification and them telling you to "go to the website, the Contact page, there you will find a number to call in case of fraud". Without naming a web address. And the search engines should mark bank websites and the like as protected, so neither competitors nor scammers can buy ad space when people search for a bank by name.
"never give out any info on incoming calls". 100% agree. It's such a simple rule that I don't understand why it's not part of everyone's DNA. Should be taught at home and in schools, same as "look both ways before crossing a street".
> There's one easy rule that could have avoided all of this - never give out any info on incoming calls.
When I don't recognize a number, I don't pick up. I tell them to email me/text me and that they provide when they called and with what number. Then I might call them back.
Asking extra effort from unknown people will do a few things:
I go one step further and tell them I don't talk to unauthenticated callers, ask them for a reference number and a published return phone number that I can authenticate using the usual methods (website, advertising material), explain to them that unauthenticated / cold calls are unethical, and then end the call.
what information is actually being asked of people on incoming calls these days? I never seem to get any of these calls, but banks and credit cards etc. by now should be clued in enough to this stuff that when they actually call a customer, they do nothing more than alert that customer to proper channels they should initiate and follow to resolve the issue.
that was not the point. the point was, the actual banks should at least no longer be asking people for information on initiated phone calls. so that we can in fact tell people, "never give information to anyone that calls you", no need for awkward arguments with legitimate callers, because no legitimate caller would ever do that.
surprised too, once I read it all started with a phone call from the author's bank. your bank will "almost" never ask you for your info on the phone. if they do, you don't have to provide it. you can ask to go to a branch in-person, or log onto the website to provide the required information.
all banks should often remind their customers of this. mine does.
banks and phone carriers should do scam and fraud trainings for customers. or friendly reminders.
It gets even weirder when your bank acts like a scammer. A few weeks ago I was trying to help my wife add her USBank credit card to Apple Pay and Apple Pay said I needed to call this number to finish setting up the card. So I call the number and the guy is very friendly and asks me for a bunch of identity verification details, which I provide to him, but then he asks us to send a code back that will be coming over text messaging - yes, I initiated the phone call, but I suddenly realize that the number Apple directed me to was not the same number on my USBank card. Being a bit paranoid I tell the guy “Look, nothing personal but I get nervous when people ask for a verification code to be read back to them, I’m just going to call the regular number and go from there, okay?” Instead of being friendly, this guy suddenly gets in my face and is like “Oh, you’ll give me all this other info but won’t read that code back to me? I’m Fraud Prevention dude, good luck getting this done calling the main number. Oh, and just for this I’m putting a block on your card.” I hung up immediately and called US Bank’s main number and asked to talk to a supervisor - sure as hell, it turns out the guy I had talked to did work in their fraud prevention department and actually had retaliated against me by locking my credit card. It was the most incredibly ugly thing I’ve ever seen from a customer service department.
I had a problem with US Bank just trying to open an account with them. They sent me these instructions on how to upload a copy of my ss card through some “secure” Cisco system. The email I get has a different subject line than what the instructions said it would, it has this HTML attachment that doesn’t render right, and it was missing the button they said it would to create some kind of account. I was like wtf and their security department said if I didn’t like it then I had to go into a branch to handle everything.
Something I learned (almost the hard way) was to always make sure I have a Bank/Credit Card's own app installed (and logged in) before trying to add to Apple Pay. Apple Pay can and will redirect you to verification steps in the app if the app is installed. More often than not, if you initiate "Add to Wallet" from the app itself there's no additional verification step.
With some banks, it was seamless to setup. With another bank, it wasn't clear how to finish setting up Apple Pay. I don't recall if I called them or went through their app to actually set it up. It was definitely confusing, and the Apple Pay onboarding screens didn't provide useful instructions.
I do not envy the Apple Pay team's challenge to have onboarding systems that span the vast disarray of bank systems (because I know some of my banks and how technically behind they can sometimes be, and I know mine aren't the worst offenders). It is probably a small miracle of engineering and patience that Apple Pay onboarding works at all. (And obviously it is complex enough that scammers are using it as an excuse to scam, given the article contents here.)
What happened after that, was it a hassle to unblock things? Though at that point I'd probably just close out my account & switch to another bank's credit card.
They were actually quite nice about it, unblocked my card and down the road I went. Good for them, but they should have terminated that guy because he really did get so obnoxious that I actually thought I was taking to a scammer.
It would be nice if banks that need this kind of a process could agree on how it should work.
Like maybe the automated "we will never ask you for this info" email should only contain decimal digits and the "we are on the phone and will send you a confirmation code to read back" could only contain alpha characters. Or something obvious and consistent.
There was one time I thought I was being scammed, but it turns out there was an actual issue with my bank account.
Sitting at my desk at work, I get a phone call from my bank on my cell phone. "Mr. Anechoic, there appears to be a security issue with your bank account. We can resolve it for you. For security purposes, can you give your checking account number and the last four of your SSN?"
This is clearly a scam, right? I tell the guy there is no way I'm giving up that info for a random dude that calls me. He stresses again that there is an issue with my bank account, that the account will be frozen, and there is nothing he can do about it without the account and SSN information. I refuse again, and he tells me that I should go to a local bank to get it resolved. I hang up and go back to work. I log into my bank account website, and all seems fine.
After about 20 minutes, something is still bothering me, so I leave work to go to a local branch. I speak to a branch manager about what happened, and she agrees with me that it was clearly an attempted scam and the bank would never call me and ask for that information. But just to be safe, she checks my account on her computer. To our surprise, it turns out there was a security flag on my account!
She calls the bank security desk, and they confirm that there was an attempt by someone in another branch a few states away to get money from my account, and that the call I got was legit and logged in their system. We get the account locked out, and then the manager asks to talk to a security supervisor about the messed-up way they reached out to me. The security person basically said "this is how they do things" and didn't see the problem. The bank manager apologized, said it was messed up and she would try to run things up the chain to improve their process.
Not the same thing, but relatedly, every legit email I receive from my health insurance is functionally indistinguishable from phishing. They always bounce me through a million weird domains too. It's very discomfiting and makes me worry that I won't be able to pinpoint a legit phishing attempt because it won't stand out.
In the same vein, every corporate "security training" email I've received that's been outsourced to a third party vendor looks indistinguishable from spam and phishing, the exact things it goes on to train you not to open. I scare-quote that because they're universally worthless training programs used to tick boxes on compliance forms and not actual training, so I happily flag them as spam.
I've also received company-wide corporate gifts (like $5 digital gift cards) distributed through extremely spammy looking vendors with dubious looking links.
The same goes for the overwhelming majority of vendors, recruiters, and outsourcing companies that are cold-emailing me, it all looks like 50 shades of scam.
Yes, this! I had an email from a 3rd party telling me about required training, click the link and use my employee credentials to log in.
Other training has been posted as a to-do in our individual HR account portal, and this was an external site, so it set off warning flags. Not only that, the name of the 3rd party was a legit company, but the site the email linked to was not that company's domain. Big red flag! Curious as I am, I run whois on both domains. Completely different registration info!
So, confident I've identified a phishing attempt and concerned it might have been shotgunned to many people, I notify the appropriate people. Was it a scam? Nope! In fact the person I notified was quite frustrated because a month earlier there had been an email that, sometime in the future, there would be $X training coming up. Yeah, a month later I had no recollection of a generic HR notification that (when I looked in my archive) made no mention that it would not be using the standard secure MFA HR portal used to link out to all other training.
This was all about 4 months after a similar required security training, which was accessed via the usual HR portal, and which listed about half a dozen phishing red flags that the new training violated. But not to worry, my workplace takes security seriously. I guess their seriousness is just very unevenly distributed. It's a good thing we're not really a high value target for hackers.
The weird domain stuff is something related to SSO I feel, and it is HIGHLY indistinguishable from phishing.
So all the "just be smarter" talk from ten years ago about checking your domains, etc is out the window. scammerbillz.biz is ACTUALLY your hospital billing service, too bad.
I love the weird domains - billing is sometimes outsourced through x redirections, and they use weird third party email hosts (CISCO secure email etc) that is halfway broken with CSS for you to upload your employee rosters (complete with socials and DOB's etc).
The domains for these are always comically like phishing domains (secure-bank-email.valimail.com etc).
"Very well. Please repeat to me in writing that if I receive an unverified call claiming to be from Your bank, and asking for my personal details, that I am to give the information and follow all instructions and will not be at fault for damage that might result from this."
As they clearly won't do that, at least the moron will lose face, and quickly so.
Security theater. I had a situation where I had to buy something online from a company in Europe (owl4thunderbird) I placed the charge and then right after I got a text telling me to call a # for a possible fraud alert.
That's a big red flag there. So I try and find the phone # of the fraud dept of Citi, because anyone can send a text message. Turns out I can't find it anywhere on the official Citi site. So I finally give up and call the phone #; before they could go further they asked me to confirm a 2FA code they would text to me. At that point I noped out and decided if it was a real problem I'd find out about it another way.
The problem is I now know how easy it is to break into any Citi account: just send them a text with a # and pretend to be the bank. The worst part is every every every message I get that is actually being secure always says "You will never be asked for this code" and every time they ask for it.
It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.
Side note: if unexpectedly getting a new card, call the support number on your old card. A friend of mine almost got taken about 15 years ago by a scam where someone got his address and bank name, then sent him a fake credit card from that bank with a letter saying something like fraud had been detected and they were sending him a replacement card. When he called the number on the new card's activation sticker, something seemed off and he balked when they asked for his SSN. He called the support number from his old credit card and confirmed that he had in fact not been sent a new credit card by them!
Hopefully we can at some point stop treating a SSN as a universal password that can never be changed. At least mother's maiden name stopped being a universal security question.
somebody physically manufactured a fake, new card and mailing envelope that was close enough to pass scrutiny and in person physical inspection, and sent it to him by US postal, for the purpose of getting the person to call the 1-800 number on the sticker and give the scammers his SSN and other details?
He was the CTO of a reasonably large hedge fund at the time, so it's reasonable to think he was the target of a spear phishing attack. If you don't need the magnetic strip to actually be magnetic, I don't think making a fake credit card is much different from making a fake ID.
Though I suppose it's possible he was telling me a tall tale; he's generally trustworthy.
The two additional explanations would be that he was confused about what was going on, or that there was genuinely a mixup at his bank. If he was confused about what was going on, it would seem that he would have needed to have gotten a card that he didn't remember applying for, and been confused about which bank issued it. The spear phishing and mixup at his bank both sound like million-to-one odds to me.
So now, re-evaluating things based on what I've learned about banks in the past 15 years, maybe his bank grew organically by acquiring several other banks, and has incomplete consolidation internally. Maybe he requested a card from one subsidiary of the bank, forgot about it, and called another subsidiary of the bank (the one that gave him his first card), which had no idea what was going on. The internal structures of large banks are much more disjoint than I realized 15 years ago.
>It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.
It's security theater giving people exactly what they want. People want to feel secure, but they don't want any amount of actual difficulty in getting what they want from Company A.
Like it or lump it, but regular people really don't want actual security. They want the ease and convenience of no passwords at all, and want someone to blame in case something goes wrong.
>They want the ease and convenience of no passwords at all,
That's not what I see. I see people looking for inconvenience. Expiring passwords. Password requirements, so you have to write your passwords down. (You will change it soon, anyway.) "Security" questions. Lock screens, session limits. 2FA-SMS. That horrible and insecure Microsoft 2FA that was on the frontpage yesterday. IP-geo-location voodoo so you can't log in from a different ISP/cellular/your parents' place on this supposedly world wide internet. It's not like these things happen on their own.
Computer illiterate people think that these inconveniences bring them security.
Of course people want security, how can you say otherwise? What you seem to be talking around is that security researchers have been unable to figure out simpler forms of maintaining a true sense of security, simpler forms of reliability. There is no survey where people say they don't want these things, and if you're relying on the sales figures for Yubi keys or something, that's not a good indicator.
And of course people don't want difficulty! That's why we don't hand-crank to start our cars anymore. Blaming people for wanting faster horses[1] is a convoluted anti-intellectualism where the experts who actually know what's possible are let off the hook. All in all, if you ask me this should be a locus of UI/UX research.
You're absolutely right. People do unquestionably want security! They want privacy too!
The issue that the parent is alluding to is that the same users who want these things seem unwilling to make decisions or change behavior to get that security or privacy. Those of us working with security and privacy often wind up with the sense that users want them, but also that users expect them to be automatic and perfect and free. This starts with the computer-illiterate user who finds passwords confusing and goes all the way to developers who find it irritating to be forced to update the libs in their docker images.
Are there better ways? I sure hope so. So far we don't have simpler forms of maintaining true security or simpler forms of reliability. We just have cheaper ways of maintaining a sense of security - and that's theater.
I don't blame people for wanting faster horses. We don't have them on offer though, so in the meantime it might be nice if they were willing to consider what's available.
> always says "You will never be asked for this code" and everytime they ask for it.
Yes, but the real meaning behind that phrase is "You will only be asked for this code by pages served by our domain name or a native app we published." It's unfortunate brevity.
Oh I didn't mean to suggest the brevity was your doing. I've seen it the short way first-hand, but yes, more typically it's pretty decent, as you've clarified.
Maybe it would be better to send a link. Then it can't be sent to the wrong domain.
Of course you then need to educate people that they shouldn't trust the domain they land on and should always immediately close the tab. Even if that tab says "Warning: you have a fraud alert on your account. Click here to check your recent transactions."
The link may look similar or even appear identical, and still be under control of the scammer.
Similar to just not trusting incoming phone calls, you can't really trust incoming links via standard email, without some definitive way of validating the sender.
Hell, I wish there were some zero-knowledge proof protocol that can be performed with a pen and paper over a phone call. You know, like Dining Cryptographers or the Solitaire cipher. Maybe there is something, but I'm not a cryptographer and not aware of it.
Though, of course, it's completely unrealistic to expect that some bank person would agree to do some weirdo math tricks with SSN numbers :)
Only the customer support number, not the fraud number specifically and at the time I didn't have the time nor patience to navigate through a thousand mile phone tree and wait on hold for 8 hours.
I expected some crazy new attack vector that was so sophisticated it could fool this Scam Prevention Expert, but this post is laughable. They fell for textbook "scamming 101" that my grandma knows to avoid.
Here's one tip for this expert – if you get a 2FA code over text or email that clearly has the line "we will never contact you for this code over phone or text" right under it, DON'T give it to a "support agent" over the phone.
> this is clearly a two-factor authentication code, meant to be entered directly into an authentication page. Which is normally not something that would be relayed over a phone call to a customer service rep. A concern that I raised to Daniel. However, he said that it was part of Apple's system, which they only had limited access to. An explanation that, as someone who works with computers, data security, and API integration professionally, I completely bought
And after reading multiple paragraphs of this person describing money literally taken out of their account in front of their eyes, you get to this line:
> Putting all of this together, the scales started to tip toward this potentially being a scam call, but I still wasn't certain
Anyone can fall for these attacks in the moment, even experts. That was the point of the article.
What makes us vulnerable is that we are human: we get tired, caught up in the urgency of the call and our logical thinking stops working.
The actual story of the article is that we need to design systems that are robust even when people are getting scammed. Able to identify and reverse scamming soon after it happens with easy ways to report it.
There are no experts in information security. It's just random people with in depth knowledge of some tiny subsystem they happened to feel like studying. They are literally all LARPers who will fall for every single thing aside from whatever class of vulns they specialized in. There is no way to use modern systems securely. Absolutely none. Even with 20 years of study you will still find new ways they are broken and where security forgot to be implemented.
All of this is a consequence of the industry being controlled by what is essentially a 5 year old: monetary incentives.
> Able to identify and reverse scamming soon after it happens with easy ways to report it.
Just make a site with a username / password where the user gets locked out forever if he forgets it. Do banking transactions by signing them with your public key, via a phone app. This is what I was complaining about not being able to do before smart phones became a thing. This is literally better than the tripe the 'experts' come up with. All these roundabout shit ways of authenticating people just add new ways of getting phished, exploited, etc.
I agree. I nodded along to the part about not assuming it's the victim's fault, and then this "expert" falls for an extremely basic, obvious attack. "Wells Fargo will not contact you by phone or text to request this code." -- maybe that should have been bigger and bolder, but it was there. This guy should not be allowed to call himself a "scam prevention expert" anymore.
There's a lot of text in that e-mail. The text you're referring to is perfectly positioned to be almost invisible -- it's in the last paragraph intermingled with the standard "if you have any questions, call us on blah blah blah" text. My brain skipped the rest of that paragraph the first 5 times I skimmed the e-mail.
Listen, I responded to a particular part of my parent comment. Whether the author's given explanation for why she in the moment read the code over the phone is reasonable or if it proves that she's a fundamentally terrible scam prevention expert is a much bigger topic which my comment didn't touch on.
The author mentioned that (1) they have had many poor experiences with Wells Fargo and (2) they don't have much experience with Apple but the experiences they have had weren't positive. I personally have had to deal with my fair share of janky and badly designed support systems (especially in health and banking), sometimes they are worse than startups. So it's not outside the realm of possibility that giving the support rep the auth code was simply the best solution they could find given whatever poor and legacy systems they had in their backend.
This feels like an unreasonably nasty and condescending response to an article about how anyone can make mistakes in the moment. I thought it was a pretty good article about how easy it is to sit at your computer and look down at people who fall for scams, but that scams are effective precisely because they take advantage of mistakes and the fallibility of people - even knowledgable ones.
I feel like this comment misses the core thesis of the article - that condescension and expectations of human perfection are not effective ways to prevent social engineering attacks and that building systems that anticipate human error is a better approach.
Even worse, spreading this attitude is something that only aids a scammer. Fear and shame at reputational harm prevent victims from alerting authorities, from alerting their friends, from getting help.
Worse than being wrong. Worse than just being a jerk. This poster is being actively harmful.
> if you get a 2FA code over text or email that clearly has the line "we will never contact you for this code over phone or text"
I needed a cashier's check recently at $GIANT_US_BANK.
The teller initiated a 2FA handshake. The text said something like "never give this number to anyone, none of our representatives will ever ask you for it".
I figured scammers probably hadn't set up an entire bogus branch with yelp reviews going back years. I handed it over.
The check they issued cleared, from what I can tell.
If you think that's bad, try applying for a mortgage. It's 100% remote these days, with a mix of multiple communication channels, all bootstrapped with incoming phone calls, emails (and, if you're me, phone numbers from government licensing databases, followed by awkward call backs).
> He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call
There's a red flag right there — I've never found a bank willing to provide any verification of who they are when calling me. They call me and ask me to give them a code or card number without providing me with any proof of their identity. I've tried to get them to give the sum of the last 4 numbers of my account, but they won't do it.
They always tell me to just call back using the number on my card and try to find my way to the right department. Super annoying.
It's a chicken/egg problem of not wanting to give information first, but a one-way function (hash) is a fantastic idea. The collision possibilities in this particular function are worrisome, though.
It'd be unreasonable to ask someone to perform a hash of those last four digits (how would your mom respond if the bank asked her for the sha256 hash of her card number?), but it could be helpful to ask questions that don't reveal too much information, like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"
It would be difficult to come up with something you could reasonably ask an account holder to figure out on their own that also wasn't easy to randomly guess.
> like, "is the sum of the last four digits even?" or "is the sum evenly divisible by 3?"
Exactly. After only a few of these you have an equivalent security level to checking the four digits directly but at each step of the way there is a 50% chance that the attacker, not knowing the number yet, gets it wrong and you stop giving more info. If they do a thousand calls a day, they'll still get some people, but it's probably not you so that's at least a small win.
You might enjoy learning about PAKE/SPEKE, which has similar properties.
> An important property is that an eavesdropper or man-in-the-middle cannot obtain enough information to be able to brute-force guess a password without further interactions with the parties (Wikipedia: PAKE)
Just enough enjoyment to then get depressed wondering why nobody is using these nice things
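To make the PAKE/SPEKE pointer above concrete, here is an added toy implementation of SPEKE (my code, not from any commenter and not a library's API). Both sides derive the group generator from the password, then do a plain Diffie-Hellman exchange; the keys agree only when the passwords agree, so each wrong guess costs the guesser a whole interaction, much like the "50% chance you stop answering" property discussed above. The group (p = 2039) is a deliberately tiny safe prime so the numbers are readable; it is an assumption for illustration and would be replaced by a 2048-bit group or an elliptic curve in practice.

```python
import hashlib
import secrets

# Toy group: p = 2039 is a safe prime (q = 1019 is prime). Chosen only so the values are
# readable; this size is NOT secure and exists to show the protocol mechanics.
P = 2039
Q = (P - 1) // 2


def is_prime(n: int) -> bool:
    """Trial division, adequate for the toy group size."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


assert is_prime(P) and is_prime(Q), "toy parameters must be a safe prime"


def speke_generator(password: str) -> int:
    """SPEKE derives the generator from the password: g = H(pw)^2 mod p.
    Squaring lands g in the order-q subgroup, which rules out small-subgroup tricks."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")
    g = pow(h, 2, P)
    if g in (0, 1, P - 1):  # degenerate generators would give the key away
        raise ValueError("degenerate generator; use a different password encoding")
    return g


class Party:
    """One side of the exchange. A party only ever reveals its public value g^x."""

    def __init__(self, password: str):
        self.g = speke_generator(password)
        self.x = secrets.randbelow(Q - 1) + 1  # private exponent in [1, q-1]
        self.public = pow(self.g, self.x, P)

    def derive_key(self, peer_public: int) -> bytes:
        # Reject values outside the prime-order subgroup before using them.
        if peer_public in (0, 1, P - 1) or pow(peer_public, Q, P) != 1:
            raise ValueError("peer value outside the prime-order subgroup")
        shared = pow(peer_public, self.x, P)
        return hashlib.sha256(shared.to_bytes(2, "big")).digest()


def run_exchange(password_a: str, password_b: str):
    """Simulate both sides and return (key_a, key_b).
    The keys agree only if both sides started from the same password."""
    a, b = Party(password_a), Party(password_b)
    return a.derive_key(b.public), b.derive_key(a.public)


if __name__ == "__main__":
    ka, kb = run_exchange("correct horse battery staple", "correct horse battery staple")
    print("same password, keys agree:", ka == kb)
    ka, kb = run_exchange("correct horse battery staple", "wrong guess")
    print("wrong password, keys agree:", ka == kb)
```

What an eavesdropper sees on the wire is only the two public values; with a real-sized group they cannot test password guesses against those values offline, which is the property the Wikipedia quote above describes.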
My mom would only have a 50% chance of correctly adding four single-digit numbers, and if she had to divide them by 3, she'd be lost.
She's an intelligent woman who's just lousy at arithmetic. I'd guess hers would be approximately the median experience if something like this became standard.
What I was suggesting wasn't asking the account holder, but asking the bank. With a little training, the call center reps should be able to handle adding together the last few digits of a card number.
I agree that asking account holders for this would be confusing, but since the bank is the one calling in this case it makes sense that the caller (bank) should provide information first.
Of course, it appears that in this guy's case, not even this would have worked, since they apparently had his full card number.
If the account holder has to ask the bank for a piece of information, the account holder will also have to produce it for comparison.
Summing the last four digits could unintentionally leak information (what if those digits are all zeros?), so the challenge question should be carefully chosen by the bank, not just whatever the account holder comes up with.
There may be inferences you can make from the sum that aren't immediately obvious. If cards can end in four zeros, the sum and the last four digits contain equivalent information, but you would also confirm that three of the digits are zeros if the sum was 1. It's something that, if I were a bank, I would want someone with a background in number theory to weigh in on. If I were a paranoid bank exec, I wouldn't trust the low-wage customer support reps I had on staff to vet customer questions for how much information they might leak and would instead have blanket prohibitions on answering questions from customers until after the authentication phase of the call.
Questions like "is the sum even?" trade a lower opportunity for information leakage for a greater opportunity for a random guess to be correct.
I understand the perspective of the paranoid bank exec! But if the alternative is that their customers are trained to give out personal information whenever someone calls and says they're from the bank, that's quite possibly worse.
It would be nice if when someone called me from an institution, they gave me a code that I could enter after calling the number on the back of my card. That way I would have confidence I'm talking to the bank and would feel comfortable giving out verification information.
In the past, it has always been a headache to find my way back to the department that called me.
Don't forget the last digit is a checksum digit too. Which I still can't give you an attack, but I also agree that I definitely can't say I'm sure there isn't one.
That does reduce the number of possibilities greatly, which might matter for some attack scenarios, but usually not IMHO as rate limits should thwart any online brute force.
I'd be interested to know how greatly, if someone has the equation for that.
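As an added worked example (my code, not from any commenter), here is a count of how much each of the challenge questions proposed above narrows the space of possible last-four-digit values, including the "sum of 1 confirms three zeros" point, and how much the Luhn check digit narrows it once the rest of the card number is known, which is the "how greatly" question just asked. The 12-digit prefix used at the end is a constructed placeholder, not a real card number.

```python
from collections import Counter
from itertools import product
from typing import Callable, Dict, List

DIGITS = "0123456789"


def all_last4() -> List[str]:
    """Every possible 'last four digits' value, 0000 to 9999."""
    return ["".join(t) for t in product(DIGITS, repeat=4)]


def digit_sum(last4: str) -> int:
    return sum(int(c) for c in last4)


def survivors(answer_is_yes: Callable[[str], bool]) -> int:
    """How many of the 10000 last-four values remain consistent with a 'yes' answer."""
    return sum(1 for s in all_last4() if answer_is_yes(s))


def values_per_sum() -> Dict[int, int]:
    """How many last-four values share each digit sum.
    A sum of 0 or 36 identifies the digits exactly; a sum of 1 leaves only four candidates."""
    return Counter(digit_sum(s) for s in all_last4())


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: from the right, double every second digit,
    fold results above 9 down by 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_consistent_last4(prefix12: str) -> int:
    """Given the first 12 digits of a 16-digit PAN, count last-four values that pass Luhn.
    Exactly one check digit fits each choice of the other three, so the answer is 1000."""
    return sum(1 for s in all_last4() if luhn_valid(prefix12 + s))


if __name__ == "__main__":
    print("sum is even        :", survivors(lambda s: digit_sum(s) % 2 == 0), "of 10000 remain")
    print("sum divisible by 3 :", survivors(lambda s: digit_sum(s) % 3 == 0), "of 10000 remain")
    per_sum = values_per_sum()
    print("values with digit sum 0 / 1 / 18:", per_sum[0], per_sum[1], per_sum[18])
    # Constructed placeholder prefix, not a real card number.
    print("Luhn-consistent suffixes for a known prefix:",
          luhn_consistent_last4("400000000000"), "of 10000")
```

The takeaway for the bank's side of the design: a yes/no parity question halves the candidate space and leaks nothing beyond that bit, while asking for the sum itself leaks a variable amount (from one bit at sum 18 to everything at sum 0 or 36), and the Luhn digit only matters to someone who already knows the other twelve digits.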
"What is pictured on the front of my card?" might not be a bad question (assuming the bank allowed account holders to choose from a large variety of images or upload their own). It's data that the bank could capture on card issuance, that anyone who has been in the physical presence of the card could answer, and that would not be captured by payment systems.
That would prevent using a pre-generated lookup table but doesn't help much with brute force attacks. All possible card numbers is a finite set, and if you have the sha256(card number + salt), you can figure out which card number was used as input given the improbability of sha256 collisions within that set.
Keep in mind this in the context of an account holder asking the bank to authenticate themselves on a phone call using data only the bank and the account holder should know. sha256(card number) was an example of something that is obviously inappropriate, and I don't think sha256(card number + salt) is any different qualitatively.
This happens with my doctor's scheduling people all the time. "Hi I'm calling for $YOU, will you please verify the last 4 of your social and full DOB?" uhhhh... no I will not, random person
DOB made sense because 10,000 people in the world have the same birth date. DOB (without PII) didn't narrow enough to identify the person. Regarding that last 4 SSN, yea I would never give that out.
My doctor's office requires me to provide my DOB before I can schedule an appointment or ask questions over the phone. My pharmacist requires my DOB before I can get my meds from them. If I don't provide my DOB, they turn me away and assume that I'm a scammer.
I had a similar scam fraud call from my bank and I asked them to verify the last 4 of my SSN. They had it! But later they said they'd send a text verification but it was asking to add my card to apple pay. So I hung up and called my bank back and they had no record of the call. It was freaky that the scammer had so much info though.
This is a perfect case of iatrogenic security. When the systems get so complex and remote that security experts are caught out, they do more harm than good.
It's also a consequence of solutionism, systematic monotonicity, mother-knows-best and externalising costs such that we:
Only add more security solutions on top of existing ones to fix their holes.
Deny the user any choice or agency in setting their own security terms.
Never revoke or remove a feature (that would be admitting defeat).
Push the burden in every process on to the user.
Create fear in the user - that any misstep will cause them more inconvenience and trouble.
Make security an authoritarian culture such that the user will not question or be sceptical.
All of these are antithetical to the civic cyber-security that we need available so educated and empowered users can operate technology under their control.
I'm so skeptical of these "experts" especially if they write a blog post where they hate their bank.
I've been with Wells for over a decade. They have never called me. Never.
I have had "fraud" alerts hundreds of times. They always happen at certain POS, and it's always a text alert.
Some of the stories I read make me viscerally react with "what in the world are you doing with something as simple as a bank account?"
Also a fundamental default is "no action". If you are even slightly suspicious, do nothing. It isn't somehow so important that you stop thinking and just act or react. Just stop.
My wife used Wells Fargo, I've heard about how they don't like to bother customers, in fact they hate it so much they didn't even bother notifying customers when opening new accounts for them, or performing actions on their behalf to generate fees.
The point is not that banks don't suck - it's that a professional will not inject that sentiment into a post on another topic. And if a professional does mention it, they will do so in a way that doesn't sound like blanket griping, but will instead focus on specific facts about that bank that cause them to recommend against them. And finally - it would be a former bank, not a current one.
The author does seem to bang on about his "reasonable assumptions" for how much Wells and Apple Pay suck, so he should continue the call! Like he's just too clever to follow the advice he'd give everyone else to hang up and call back.
I didn't read it as explaining why she should continue the call, just why she did continue the call. She's explaining why those things didn't immediately trigger the scam alarm. Nowhere did I see her claim to be too clever to do anything.
I found it an interesting read which details an experience which is far removed from how you expect a scam call to occur. It's interesting to read the signs which should have been alarm bells, but which were dismissed because nobody is perfect all the time.
The author very kindly addresses my comment in a PS:
I also, admittedly, allowed my cynicism toward my own industry and Wells Fargo to cloud my judgment; I didn't know the first thing about Apple Pay or Google Pay prior to this incident, but I don't have particularly positive experiences or feelings toward either company, and it's extremely common for the process of fixing someone else's mistake on large tech platforms to be nightmarishly convoluted.
Ultimately she did realise & fix her mistake - at some pace - lost nothing, and got an up-close view of a scam in progress.
I'm honestly surprised he even wrote this if he claims to be an expert.
He literally ignored half of what the rep was saying because he was busy fiddling with the computer, then willingly gave up all his personal information because of the distraction.
You would think an expert would know how to properly use 2 factor auth too. Giving someone the code is exactly how you defeat it.
Once, I got a call about attempted activity on a debit card. The person gave the wrong last four digits of the card number, then the call dropped due to poor cell reception.
This was on Christmas Eve or something. I called the number on the back of the card, but they were an outsourced call center for card replacements. Fraud alerts had been outsourced to a different company, so they had no idea if the call was legit.
I went into the physical branch the next week, and spoke to a manager. They said it could be legitimate or not. I think we ordered replacement cards at that point, and watched the next few statements more closely than normal.
Honestly, the behavior of the scammer sounds more legitimate than the actual non-scam behavior of the last half dozen banks I've dealt with.
I think it was important of the author to put that out there, expert or not. It made me take a mental inventory, and bolster my first-responder thoughts.
I was never attempted scammed online, and I think (naively like the author) that it wouldn't happen to me.
But I was pick-pocketed twice in my life. Both failed attempts, but only because of dumb luck. And I thought that would never happen, "because I'm that much present always."
One time I'm wearing a hoodie, and a cheery guy distracts me and sticks his hand into a double-ended pocket and my hand, resting in the other side, instinctively grabs his; a trigger-happy hand-shaking mechanism and a bad choice of pocket. I quickly walk off because his grumpy friend looks like someone who would stab you.
Another time I'm running for the bus, my phone is thrashing forth and back in my pocket, so while running, I quickly grab the phone and stick it in another pocket; two seconds later, a young guy bumps into me, and his hands reach all the way down in the now empty pocket. We land, we stare at each other, and I run for the bus rather than him; I'd have no chance catching him anyways.
So... with some humility: The only way to stay out of trouble is to apply really dumb protocols.
I was at my local coffee shop yesterday when the manager was on the phone for 10+ minutes with a scammer. Was a new one to me.
The landline caller ID showed "Madison Police Dept" - the local police. The caller introduced themselves as an investigator working a case with counterfeit bills. "Don't contact your boss/owner because we are not sure if they are in on it." The caller knew details like employees' names and the layout of the store. The manager was going through the cash in the back "confirming" serial numbers when the owner got in touch and cleared things up.
I was confused about the end game for the scam, but online I've read a version where they send a courier to pick up the "counterfeit" bills. There's also a version where they convince the employee to purchase moneypak cards to be deposited into an account so that the 6AM audit shows balanced books making up for the counterfeit bills that will be confiscated. [1]
To a person that doesn't know caller ID can be spoofed, getting a call that shows up as coming from the local police department can put you in a mental state that it 100% is the police, and it will take a lot of counter information to realize that it isn't. Between that and the convincing reason to "don't tell your boss", I'm afraid this might be an effective scam until it's more widely known.
Sometimes scammers will have you do various bits of busy work that can't possibly result in loss just to get the mark into the flow of doing what the scammer says and distract them from thinking critically.
Standard procedure for everybody in the last 20 years should be: whenever I get a call about security or fraud from the bank, I thank them for the notification, tell them I will call them back, and hang up. Then I call the number on my credit/bank card, not the number I was called from. Fortunately there is a lost-or-stolen-cards line, so there is no queue time, and I tell them I received a fraud alert notification.
> The caller ID showed the correct name and number for my bank, but caller ID data is so hilariously easy to spoof that it might as well not even exist.
Honestly, what is with the low quality comments attempting to undermine this person's credibility?
What is with low quality comments commenting on low quality comments?
An expert doesn’t just know about a risk, they think through mitigations and apply them. This is a basic 101, and yet no mitigation. A phone call warning about fraud is highly likely to be fraud in itself, so never, ever proceed with the call.
So what if they said that? I'm not trying to pile on them but the reason people are questioning their credibility is that they fell for a pretty basic scam. Even if they acknowledged that their assumptions were incorrect (knowing Caller Id is very flawed but still falling for it), it doesn't necessarily make the scam any less obvious.
Would you not question the credibility of a doctor who falls for say, crystal healing or homeopathic cures?
> I'm not trying to pile on them but the reason people are questioning their credibility is that they fell for a pretty basic scam.
Yeah, I've read the armchair quarterbacks around here thinking they wouldn't be the ones to get duped if it was them.
Of course, I'll bet if they did get duped, they wouldn't post about it on social media because a bunch of folks would come out of the woodwork to point out how stupid they were.
Personally, I read this accounting and thought "You know, for all my own knowledge about how these scams work, I might've been caught by this one." This specific example strayed into spearphishing territory given the knowledge the attacker had of the victim. This wasn't just an average war dialler. And the time investment, alone, on the part of the attacker makes this unusual compared to your average phone scam.
But hey, maybe I'm just not bright enough to hang with the cool kids around here.
I'm not saying I wouldn't get duped, but I'm also not a scam prevention expert! And you are right that I wouldn't be posting this if I was in their place but I'm not sure if that means that makes them immune to criticism. "I bet you'd have done the same" is not an extraordinarily good defense when we are talking about a scam prevention expert.
I also don't think this has anything to do with intelligence. You can question expertise without questioning intellect.
Simple and effective. It's been over 10 years that I've followed this same protocol. It hasn't failed me yet. I also don't think I've missed anything that could have been better handled, had I chosen to speak to the caller. Just don't say anything, beyond greetings, to the caller.
> if it was a scam, then this was clearly a bluff to try to reassure me, but he had WAY more information about me than I would expect an average scammer to have
you can purchase FULLZ from darkweb marketplaces, these contain name and address and social security number and often come with credit card details too
with that, you can do social engineering like this, you can also remote desktop into any computer nearby to their zipcode (from a different darknet marketplace of compromised computers being rented out) and purchase things online from that, making it less likely to be flagged
the idea that "scammers intentionally do obviously red flag things to weed out discerning people and just target susceptible people" is just one segment of the market. doing smarter more cunning things is entirely available and entirely lucrative
I mean you could try to find the large known leaks and go through them yourself
People just cross reference them and sell individual ID packs one by one
There were 15,000,000 people in the Experian leak alone. Most of that information is still valid, we've just gotten numb to it.
Merchants that care about customer support and reviews will just replace an ID for the consumer if it's been used before
There isn't a way to try to find who is in a database without the source databases yourself. Merchants don't tell you how they found the aggregate data, they just have reviews from people that say if it was accurate data or not. You could try and ask a merchant if they have a particular person, but I doubt many merchants have a way to sort that themselves, as the files are no longer in a parseable database by the time it reaches them. The organized networks are corporations and conglomerates with separations of knowledge and duties.
All you would be able to do is purchase a FULLZ and get what you get.
> Said he was calling from Wells Fargo's Fraud Prevention Department, calling to verify some transactions. He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call.
I recently had to speak with the Zelle FPD because it had frozen my ability to send (but not receive) after I had made some small trial transactions. Also, I use a Google Voice number with Zelle, which Zelle seems not to like.
I was shocked at the depth of questions that the Zelle FPD agent asked me. My SSN, DOB, address and recent transactions were expected. But then it went deeper: state where my birth certificate was issued. Fine. Car loans I had. Okay, this is all stuff on my credit report. But then it went past me: where my kids were born and their DOBs; my brother's DOB and age; my wife's DOB and age; my mother-in-law's (!) maiden name. Keep in mind this is all after I've authenticated myself to my bank, including a phone password I have set up. And, it's for a secondary checking account that I have less than $1000 in.
Real bank FPDs have a crazy amount of information on not just you, but also your family members.
I personally would hang up if any of my financial institutions called me and I'd call them back.
I had a legitimate call from my credit union last month. They were following up on a problem I had reported with their on-line bill pay system. Toward the beginning of the call, they wanted to verify that it was me and they asked me to provide them with the 2FA code they had just texted to me. I declined and told them that this is what scammers do. They agreed with me and encouraged me to call them back at the number on my ATM card.
I thought it was really unprofessional of them to operate this way.
It's insane for them to request that you read a 2fa code to a human over the phone. Even if you called them. Escalate and get their policies changed, or get them fired if they're violating policy.
> I've never heard of a call center system that can accept touch tones seamlessly while a call is active, and it would take extremely sophisticated audio processing capabilities to be able to do that, since the frequencies used by touch tone keys heavily overlap the frequencies of human speech.
It's actually happening all the time. VoIP systems _do_ extract touch tone (DTMF) from the call and convert them to appropriate out-of-band messages (either on RTP or SIP, there are multiple standards). This might also happen with VoLTE, although I didn't verify it myself.
So, while the request was indeed weird, there's nothing technically strange about typing touch tones at any point in a call. Regarding the fact that those frequencies overlap with human speech, it's expected because they were designed to be transferred over phone lines, which are made for human speech frequencies. Since landlines here in Switzerland have been converted to VoIP several years ago, I often hear DTMF tones appearing from nowhere in the middle of a call and covering the voice of the other person. The reason is easy: some intermediate system detected a tone and sent the corresponding SIP/RTP message, while also filtering the tone out of the audio. On the other end of the line, that out-of-band message triggered the generation of an actual in-band tone, whence the result.
Yeah, I'm confused, isn't "To get help with problems relating to your account, press 4." and similar just par for the course in almost every automated call system?
Yes it is. I think the author was supposing that the phone system will listen for DTMF tones only at that specific moment. But in fact in most cases those tones (at least nowadays) are detected at any time in the call (and of course ignored, if there's no reason to make use of them like in an automated call system menu).
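As an added example (my code, not from any commenter, a VoIP vendor or a standard), here are both halves of what the replies above describe: a Goertzel detector that finds a DTMF key in 8 kHz audio with a handful of multiplies per sample, which is why in-call detection is routine rather than "extremely sophisticated", and an encoder/decoder for the RFC 4733 telephone-event payload that a gateway emits in place of the tone it strips from the audio. The test audio is synthesized in the block; the detection thresholds (minimum power, peak-to-runner-up margin) are my own choices for this illustration, not values taken from any specification.

```python
import math
import struct
from typing import List, Optional, Tuple

SAMPLE_RATE = 8000                      # narrowband telephony rate
LOW_TONES = (697, 770, 852, 941)        # keypad row frequencies, Hz
HIGH_TONES = (1209, 1336, 1477, 1633)   # keypad column frequencies, Hz
KEYPAD = ("123A", "456B", "789C", "*0#D")
# RFC 4733 telephone-event codes: 0-9 are the digits, 10 is '*', 11 is '#', 12-15 are A-D.
EVENT_KEYS = "0123456789*#ABCD"
EVENT_CODE = {k: i for i, k in enumerate(EVENT_KEYS)}


def synth_dtmf(key: str, duration_ms: int = 100, amplitude: float = 0.3) -> List[float]:
    """Constructed test signal: the row and column sinusoids for `key`, as 8 kHz samples."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            f_low, f_high = LOW_TONES[r], HIGH_TONES[row.index(key)]
            break
    else:
        raise ValueError(f"not a DTMF key: {key!r}")
    n = SAMPLE_RATE * duration_ms // 1000
    return [amplitude * (math.sin(2 * math.pi * f_low * i / SAMPLE_RATE)
                         + math.sin(2 * math.pi * f_high * i / SAMPLE_RATE)) for i in range(n)]


def goertzel_power(samples: List[float], freq: float) -> float:
    """Normalised power at the DFT bin nearest `freq` (Goertzel evaluates one bin cheaply).
    A unit-amplitude sinusoid centred on the bin gives about 0.25."""
    n = len(samples)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def detect_dtmf(samples: List[float], min_power: float = 1e-3,
                margin: float = 8.0) -> Optional[str]:
    """Return the key whose row and column tones dominate, or None.
    Speech spreads its energy over many bins, so demanding one clear peak per group
    (at least `margin` times the runner-up) keeps talk from registering as a key."""
    low = [goertzel_power(samples, f) for f in LOW_TONES]
    high = [goertzel_power(samples, f) for f in HIGH_TONES]
    r = max(range(4), key=low.__getitem__)
    c = max(range(4), key=high.__getitem__)
    if low[r] < min_power or high[c] < min_power:
        return None
    if low[r] < margin * sorted(low)[-2] or high[c] < margin * sorted(high)[-2]:
        return None
    return KEYPAD[r][c]


def telephone_event(key: str, duration_samples: int, end: bool = True,
                    volume_dbm0: int = 10) -> bytes:
    """Encode one RFC 4733 payload: event byte, then E|R|volume byte, then 16-bit duration.
    Volume is attenuation in dBm0 (0..63); the E bit marks the end of the event."""
    if not 0 <= volume_dbm0 <= 63 or not 0 <= duration_samples <= 0xFFFF:
        raise ValueError("volume must be 0..63 and duration must fit in 16 bits")
    flags = (0x80 if end else 0) | volume_dbm0
    return struct.pack("!BBH", EVENT_CODE[key], flags, duration_samples)


def parse_telephone_event(payload: bytes) -> Tuple[str, bool, int, int]:
    """Decode an RFC 4733 payload back to (key, end_flag, volume, duration_samples)."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return EVENT_KEYS[event], bool(flags & 0x80), flags & 0x3F, duration


def strip_and_signal(samples: List[float]) -> Tuple[List[float], Optional[bytes]]:
    """What a VoIP gateway does with a frame: if a key is heard, silence the audio
    and emit the out-of-band event instead; otherwise pass the audio through."""
    key = detect_dtmf(samples)
    if key is None:
        return samples, None
    return [0.0] * len(samples), telephone_event(key, len(samples))


if __name__ == "__main__":
    audio, event = strip_and_signal(synth_dtmf("4"))
    print("event payload:", event.hex(), "->", parse_telephone_event(event))
```

The gateway behaviour described above (tone removed from the audio, event reinserted as a tone at the far end) is exactly the `strip_and_signal` step followed by a receiver that turns the parsed event back into `synth_dtmf`.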
Just don't give people 2FA codes? I am never going to give a 2FA code to someone who calls me, no matter what combination of words come out of their mouth.
As TFA starts out, it is always easy to point out all the mistakes after the fact. People underestimate how prone the mind is to just trying to play down danger, inconvenience and generally unpleasing situations. Even after a few minutes on the phone, after you built up the most basic "relationship" with the person on the other end, you simply don't want this to be a scam. Avoiding cognitive dissonance. Just like when you bought something expensive that doesn't really meet your expectations.
Then you must not underestimate the pressure under which you then are, because either way is not a pleasant situation (getting scammed or having been scammed already trying to contain the damage). I fully believe the author that they only skimmed that mail and weren't even aware that this is 2FA. It must have seemed like "just some one-off verification code".
Then I think there is also this phenomenon where experts think that just by being an expert on something, they are immune to it. Not consciously, rationally, but lingering in the subconsciousness. It reminds me of the show "the good doctor" where a seasoned oncologist is diagnosed with a brain tumor and completely blocks off any conversation about it and rejecting treatment. I think that very well illustrates what I mean.
Another anecdote to add here is that Jim Browning, a YouTuber focused on finding scam call centers, getting into their systems to gather information and shutting them down in the end, got his YouTube account taken away from him through a scammer on the phone. So I'd be careful with claiming this could never happen to me because I'd never do X. Until the day you do without realizing.
Look, I certainly believe that as you get larger and larger groups of people, law of large numbers it becomes inevitable that someone becomes scammed.
And I certainly don't doubt that I could be scammed at some time, especially by a phishing email or something of the sort.
But I don't think I'll ever give out a 2FA code to anybody that's not me. It's a really simple rule of thumb. Just never do it, there is never any reason for anybody besides myself to know my 2FA. If there is a reason, that is unfortunate that they've designed their system that way because, again, I am never going to give out my 2FA code to anybody.
The person in your anecdote never gave his 2FA to anybody, so it is not relevant to what I am discussing.
Yes, it's easy to convince yourself you're way too smart to make this mistake. At the same time, you now deliberately skipped over the fact twice that he just skimmed the mail and didn't fully realize it was specifically a 2FA code, just assumed it was some verification code. I mean, the wording explicitly talks about entering this code somewhere to enable stuff. That's already two dead giveaways. Otherwise you'd be implying this guy, being an expert, doesn't fully understand how 2FA works. Pretty unlikely, but sure, not impossible. But I mean realistically now that this has been overstressed I actually do believe you'd never make that specific mistake in the future.
It's pretty obvious what is a 2FA code and what is not. If I'm being sent a code on my email or phone, I know not to tell it to someone on the phone. Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.
I read the entire article, I am just unimpressed by the justifications as to how this "could happen to anybody."
I don't think the e-mail in the article is very obviously a 2FA code? I usually associate 2FA with something I use to log in somewhere; not to do some other operation which (presumably) already requires account access. To me, it looks like a Wells Fargo Apple Pay "Verification Code", which honestly could mean anything.
There are other signs, obviously. You could ask the question of, why is the e-mail asking me to enter the code myself while the customer support rep is asking me to provide it over the phone? But as you well know, the author also asked that question, and arrived at a plausible enough sounding answer.
Regarding that last sentence: I have actually skimmed the e-mail many times now, and only when looking at it again to try to understand what you meant by "even that very email contained a reminder not to tell it to someone on the phone" did I actually see that part. I suppose I just started reading the standard "if you have questions call us on this number" text and skipped the rest of the paragraph. Brains are very good at extracting what they think is the relevant information and ignoring what they think is the irrelevant information, especially when in an active social interaction with another person who expects something from you.
I think any technical person should be able to analyze a play-by-play description of the events and explain exactly how each mistake could've been avoided. But I think most technical people could've made similar mistakes if they were caught in a vulnerable state of mind. I think sharing these kinds of stories, where even people who "should" know better got scammed, is an important part of how we learn to recognize scams. I think the vitriol in places like this comment section plays a part in making people avoid sharing stories like this.
> Indeed, even that very email she was sent contained a reminder not to tell it to someone on the phone.
Yes, as regular unformatted text and tucked away at the end of the very last paragraph that starts with standard boilerplate:
"If you did not request this code, or if you have questions, please call us at the toll-free number on the back of your card. Wells Fargo will not contact you by phone or text to request this code."
Worse yet, the second paragraph starts with "Important:". That implicitly signals that the most important part of the email is what follows. However, that's obviously not the case.
The email is absolutely horrible security-wise, it downplays the most important security bit while overplaying everything else.
I happened to read through the entire email while reading the story and spotted the text at the end, but I'm not that confident I would be as diligent in a real life situation, especially if I was tired, like the OP was.
Just about every regular person would easily fall for this.
> It's pretty obvious what is a 2FA code and what is not.
Unless you're distracted or otherwise having a bad day. Everyone has bad days, even experts. To stay secure you must be secure always, while the scammer only has to be successful rarely. This dynamic favors the scammer very strongly.
Until you play with 15 different companies, each of which has slightly different variants of how they do their authentication security theater, as well as them throwing oddballs at you every month until you really have no idea how anything is supposed to work anymore.
> even offered to transfer me to his supervisor, which is not something a scammer would usually be able to do, but I had not yet actually challenged any of it.
This tactic is actually used by so many scammers, it's weird that a scam prevention expert is saying that kind of thing. His sentence proves how powerful transferring you to someone else is: how could they transfer us to a supervisor?!
They are working in call centers, they just give their phone to someone else, often someone with more experience with scams and thus better able to convince you. In some cases I have seen situations where they use that tactic as good cop / bad cop, where the first one is threatening, this bad thing will happen if you don't act quickly, etc... and the next one is more on your side, he believes you, but you need to work with him. I have even seen some where they say that they have no other choice but to open a police report with your local police, and ask you for your local police's phone number, act like they talk with them on a second phone (as if they couldn't put you on hold and initiate the call directly on their system) and then say that the police want to talk with you and will call you directly (I guess using a fake caller ID again, but with the police phone number).
I got another report from a former colleague about a nearly identical story yesterday. This person was also in the "knows better than to fall for this kind of thing" category.
The critical difference, though, is that he reported the scammer read off a list of his actual recent transactions.
That part, especially when combined with this second story so soon afterward, makes me think some third-party budgeting tool or something was recently breached and just hasn't announced it yet.
I have to give credit for sharing your story and how sophisticated these attacks can be. These scams work because we're human and don't always think rationally under pressure.
I think the movie was Phone Booth that begins with the line "A ringing phone demands to be answered".
Technology projects a form of authority (disconnected from any real power) in the same way that written words were synonymous with truth for illiterate 13th century peasants.
To follow your logic, which I am not criticising as it's a valid approach given how dysfunctional cellphones are as trustable systems, I would say it's better not to have a phone. But there's the road to living in a woodland shack and eating spider and squirrel broth.
The rule in our family for a number of years now has been, "If the number is not in your address book, let it go to voicemail." We have the landline ringer off and always let it go to voicemail. As an 80/20 solution, it's been remarkably effective so far.
No offence but as an "expert" there is no excuse to run a webpage/blog etc. with no https.
With Vercel, Netlify and many others offering free static hosting and Let's Encrypt HTTPS certificates, there is no excuse to run a site without an SSL certificate.
To me the moral of the story is that you should never ever follow instructions from an alleged bank calling you asking to confirm information and, even worse, give them codes over the phone. Especially if you are an "expert".
The most unbelievable part is falling for the idea that if you had called back your whole account would be on hold. That was such a smoke bomb that was easily detectable.
If this seemed plausible because you dislike your bank and don't like the service, why not take your business elsewhere?
From your own story, if anything, Wells Fargo prevented this from becoming a much bigger problem and acted very promptly to your request.
HTTPS provides essentially no security to a broad spectrum of attacks-- particularly, any attacker that can position himself between the webserver or name server and any CA is largely unaffected by https. Only attackers that are limited to intercepting between the webserver and end client are meaningfully thwarted. It isn't magical pixie dust. It doesn't appear that this page provides any information or service that would be meaningfully protected by https.
The most important reason to have it is to avoid the automatic search engine downraking that google now applies to non-https sites (helpfully elevating all manner of spam and scams over decades of technical documentation).
> To me the moral of the story is that you should never ever follow instructions from an alleged bank calling you asking to confirm information and, even worse, give them codes over the phone.
Unfortunately, as pointed out by many others in this thread many banks engage in and even sometimes require you to comply with scam indistinguishable behavior, making your maxim hard to follow. Even ignoring that, everyone makes mistakes, gets distracted, or has bad days... this makes security very hard, even for experts.
HTTPS is when you ask 200 companies if any of them knows the key for your bank. And they are all run by charlatan boomers who think buying more firewalls and cool security products is equivalent to securing their private cert signing keys. Why on earth would I ever want this? Like hello, have you ever seen ultracorporate tech company culture? They really don't know what they're doing. Why would you trust them, let alone trust 200 of them in a way such that even if one of them messes up, all your sites are compromised?
Imagine that domain names contained the public key in them. I Google up "mybank", and it gives me https://8c789ad256afa4ca93f1af6436e7adff51cdd1c380de7d7cc78b...
This takes <1000 lines of code to implement and already stops the only thing that HTTPS stops: a noob MITM positioned attacker who can't break into CAs. The MITM can't change the Google results, because you already came from https://a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e..., which you somehow obtained before the MITM happened.
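The scheme sketched in the two paragraphs above (the hostname is a hash of the server's public key, so the client can check the key itself instead of asking a CA), worked through as an added example that is not the commenter's code. It assumes Ed25519 keys, SHA-256 for the name, and a fresh random challenge per connection to prove key possession; all three are choices of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NameFromKey derives the self-certifying hostname label from a public key:
// the hex SHA-256 of the raw Ed25519 public key (a choice of this example).
func NameFromKey(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// ServerHello is what the server presents instead of a CA-signed certificate.
type ServerHello struct {
	PubKey    ed25519.PublicKey
	Signature []byte // signature over the client's challenge
}

// Respond is the server side: sign the client's fresh challenge.
func Respond(priv ed25519.PrivateKey, challenge []byte) ServerHello {
	return ServerHello{
		PubKey:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, challenge),
	}
}

// Verify is the client side: the presented key must hash to the name the
// client already holds (obtained before any MITM, e.g. from the search
// result), and it must prove possession by signing this connection's challenge.
func Verify(name string, challenge []byte, hello ServerHello) error {
	if len(hello.PubKey) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	if NameFromKey(hello.PubKey) != name {
		return errors.New("public key does not match name")
	}
	if !ed25519.Verify(hello.PubKey, challenge, hello.Signature) {
		return errors.New("bad signature over challenge")
	}
	return nil
}

func main() {
	// The bank generates a key; the derived name is what gets published.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name := NameFromKey(pub)
	fmt.Println("https://" + name[:16] + "...")

	challenge := make([]byte, 32)
	rand.Read(challenge)

	// Genuine server: key matches the name and signs the challenge.
	fmt.Println("genuine:", Verify(name, challenge, Respond(priv, challenge)))

	// A MITM holding its own key cannot make that key hash to the name.
	_, mitmPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("mitm:   ", Verify(name, challenge, Respond(mitmPriv, challenge)))
}
```

Note that this only pins the key to the name the client already had; if the name itself arrived over an attacker-controlled channel, nothing here helps, which is the same caveat the comment makes about the search result.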
These 2FA bypass scam calls genuinely unnerve me - because they're specifically designed to trick someone who knows how scams work and has actually put some effort into securing their accounts.
Hardware authentication factors are, of course, immune to these sorts of attacks because you can't confuse the victim into forwarding their second factor back to you. However, I don't see why you couldn't construct a specific scam setup for those.
Why are you talking about hardware? Just get rid of these weird snakeoil auth flows and make user / password the be all end all way to authenticate. If there's a problem with that, well there isn't. No company on earth has ever tried it, not even in the 90s.
He "relayed" an "Apple Authentication Code" from an email to this Daniel fellow, right? Presumably he read it into the phone?
That's where (I hope) I would have stopped; if X sends me an authentication code, the only reasonable place to send it back to is X.
Also, I think the real fraud department would be completely OK with me saying "Oh, thanks for spotting it. I'd like to call you back now please - give me your name and the name of your department, and I'll look it up and call you back - what do I do to bypass transfer hell?".
Getting on the blower to Wells Fargo on the other line was smart, but you need to have multiple lines at your disposal.
I wonder who these well-spoken, educated scammers are and how they’re recruited.
Pet theory: voice recordings will be the next fingerprints/DNA, at some point it will be trivial to identify the person based on old recordings. At which point we can retroactively convict these people years or decades later, when they thought they were out of the woods.
> retroactively convict these people years or decades later, when they thought they were out of the woods
Limitations exist for most crimes and torts. Prosecuting someone years or decades later, when potentially exculpatory evidence is less available (e.g. no one, not even they themselves, can remember their alibis, etc.), would be highly unjust.
With costs of living skyrocketing everywhere and wages stagnating if not decreasing (remote work suddenly brings more competition) I wouldn't be surprised if otherwise legitimate people are tempted or even forced to do this out of desperation.
The author ("scam prevention expert") was extremely uncomfortable at multiple points in the interaction and just...kept going.
I know that this scam is relatively sophisticated compared to others, but I have to think if I was a scam prevention expert that I wouldn't tarnish my own name by putting a story with this much raw honesty out there.
They basically violated rule #1 of scam avoidance which is that no legitimate business cold calling you will need you to do anything with urgency.
Either that or it's a way to make potential customers feel better about the obvious mistakes they made.
> I have to think if I was a scam prevention expert that I wouldn't tarnish my own name by putting a story with this much raw honesty out there.
I think it's an absolutely excellent story to publish. The road to becoming an expert in any field or art is paved with failures, and your own failures tend to be the ones you learn the most from. Plus in a field that primarily deals with dishonesty, being this transparent does help build a positive image.
> but I have to think if I was a scam prevention expert that I wouldn't tarnish my own name by putting a story with this much raw honesty out there.
I wouldn't consider sweeping one's mistakes under the rug a virtue. Quite the opposite - I think it shows integrity.
> They basically violated rule #1 of scam avoidance which is that no legitimate business cold calling you will need you to do anything with urgency.
There's an overlap between legitimate but dysfunctional systems and very sophisticated scams that can make telling them apart almost impossible. The author points this out repeatedly - is this a super sophisticated scam or are the bank's systems just that bad?
For example, other commenters in this thread have pointed out instances where their banks would ask them for information that they should never ask for.
I'm surprised at the level of scamming we tolerate as a society. As technologists, we have a good chance of not falling for it, but my parents are sitting ducks.
Some combination of new consumer protection laws, infrastructure improvements, and law enforcement attention is desperately needed. I don't know why this doesn't get more attention. Is it just the historical attitude that each of us are responsible for protecting ourselves? Is the line too blurry between a legit business and an outright scam?
Many of these scammers have made it their lifelong career. It can become an addiction, driven by the big easy money wins of a successful scam. Imagine doing this for a while - you're unlikely to have many other career options. Not sure this ever gets rooted out of society.
I have been almost successfully scammed, and there is one thing that stood out from all this text that I can relate to: the author was mentally tired.
I wasn't tired, but I got a call at 8AM on a Saturday as I was just about to wake up, and I hadn't slept very well. You may be very aware of all the latest security practices, but in the end you are human, a big bag of emotions swirling around. And it only takes a moment where you are vulnerable to scam you successfully.
The lesson here, I think, is: it could happen to you.
> So, I faithfully relayed the Apple Pay verification code, as requested.
I cannot fathom how a tech professional would do this. I mean, I read their justification, but it still doesn't make an ounce of sense to me, other than their brain was shut off for the entire call.
I think I can kind of get it. This guy has made his own life so complicated that he no longer knows what a normal guy operates like.
A normal person knows that scam calls come in all the time, so they're on the alert for them. A normal person has their MFA device or has MFA on text and they know these two mechanisms have codes they should never relay. If they got an MFA via email they'd immediately have their suspicions up.
A normal person, through the normalcy of their system, assumes that if this bank is having trouble dealing with them they'd have trouble dealing with everyone and that's just absurd.
But if you're the _abnormal_ person, then you assume your custom setup is the problem. That's because 99% of the time it is the problem. He's fucked himself into being a social engineering target.
Back in the day, this was a thing with Linux. You'd encounter a bug in a Windows app hosted through the WINE runtime and you'd think "Well, it's WINE, it can't be perfect. I'll just report it on WineHQ and go about my life". Well, sometimes it wouldn't be WINE. It would just be the app itself. But you assumed that because you're the weird one using WINE. Everyone else is using Windows. So you blame your own setup and your bug doesn't get fixed because it's in the wrong place.
So this is my attitude to a lot of security stuff. I want to be the normal user. Huge advantages:
- If something is broken for you, it's broken for everyone. So no one will blame you for consequences.
- If something is weird about it, it's weird; you should be suspicious
- If things go badly for you because of it, no one will blame you because they can relate; you will get help easier
> A normal person has their MFA device or has MFA on text and they know these two mechanisms have codes they should never relay. If they got an MFA via email they'd immediately have their suspicions up.
What? I get MFA codes on e-mail all the time. I've got them from Steam, from Mojang, from GitHub, from Square Enix, from Digital Ocean, etc. For a normal person, getting some code you have to relay to some other entity via e-mail is normal.
Not to mention that the e-mail was actually a legit 2FA e-mail from Wells Fargo? That's how this scam works after all; you tell the victim that they'll receive a message with a code, then the scammer tries to do some action which requires 2FA, then the victim reads the code from the 2FA message. The fact that you would categorize this e-mail as an obviously fake e-mail which normal people would immediately recognize as suspicious, when it's actually a real 2FA e-mail, is pretty telling I think.
> A normal person, through the normalcy of their system, assumes that if this bank is having trouble dealing with them they'd have trouble dealing with everyone and that's just absurd.
No, this is absurd. Everyone has experienced having some one-off problem with some account in some system. Not to mention that the case in TFA was explicitly about fraud prevention calling you about suspected fraudulent charges, which seems extremely normal to me. Limiting individual accounts due to suspected fraud, and then notifying the owner of that account, is exactly the purpose of fraud prevention.
The only part of this event which the author's unusual set-up is responsible for, is that she gave an unusual level of credibility to the scammer just for calling her phone number.
But if it comforts you to think normal people would be immune to this scam just because normal people have their information more readily available on the internet, keep believing that I guess.
Here is an interesting story in which a scammer almost got me but failed because he knew me "too well":
One morning in college I was awakened by a call after staying up all night working on some project. The caller claimed to be from my home country's embassy and was investigating a fraud case I was involved in. He started by confirming my personal information such as DOB and passport number and he had them all correctly. He asked me to physically visit consular office, which I told him was impossible because I was in some program.
At this point I sort of gave in, but he asked if I was preparing for piano/music rehearsal - a huge red flag that awakened me from my foggy mind. During adolescence I attempted to become a pianist and dedicated lots of time to training and competitions, but this is a past that was never mentioned on my resume or to friends. There couldn't be a legitimate way to relate that experience to me.
I said yes and asked why he knew it. He began talking about my musical experience and what awards I won, without knowing that all these bits sounded to me like a pretentious show of being knowledgeable about my life.
One lesson from this and OP's story is that the scammer can attempt an attack at any moment, including downtime of brain activity.
No, not to my knowledge. It seems that they obtained/built my pre-college profile many years ago, but they did not attempt the scam until later and failed to bring it up to date.
> We always say we'd rather people report a thousand false alarms than fail to report a single real emergency, but if the process of filing those reports results in condescending info-dumps or intimidating interrogations, is it really a surprise that so many people have been trained to just not say anything and hope their suspicions were wrong?
This is how it is at almost any company I have ever worked for. They always say things like "We prefer that you ask questions if you don't know" or "We would rather get a hundred false reports than miss one valid one." That sort of thing.
And then when you follow through with what they ask for, it's just like the quoted part says.
> results in condescending info-dumps or intimidating interrogations
It's not just a cyber security problem folks. This is pretty much a global problem, because no one ever really wants to be bothered over trivial matters, and no one really wants to believe the boy who cries wolf; even if the wolf is real.
None of this will get better until people in general become both intellectually and morally wiser. So get a drink and some popcorn cause this is gonna be a while.
It's actually also quite frustrating when financial institutions don't have proper secure practices in place. If you've ever wired money from SFCU, you'd know they would ask you to fill out a form with a handwritten wire password. You submit the form and someone from the credit union would call you to verify your wire password.
When I received the call from them, they asked for my date of birth and other information. I explained that I'm not comfortable revealing my details to an incoming call and to give me their extension instead. When I did this with BoA or Chase, they'd immediately understand my concern.
The SFCU person on the line, however, gave me some passive aggressive statement about me causing extra work. This was followed by me calling their official number on their web page and having to wait about 20-30 minutes to get through to the extension number to the same person, which proved that the previous call was legit. However, said person proceeded to mock me for having wasted our time.
I love SFCU but they really need to understand how scammers work.
To be charitable, it may well have been a waste of time simply because of how terrible the rest of the bank security is.
I've had close to 100% success social engineering confidential information out of financial services companies and other service providers about myself using only information that would be available to a scammer.
So, if a scammer knowing your name and address could call your bank and talk them into giving out your DOB, then going through the effort of calling them back before giving it to them really would have been a waste of time.
Some of the comments here are cruel and missing the entire point.
Well yes, as you're slowly reading this entire case, with the prior knowledge that he is getting scammed, and having all the time in the world to find the mistake or red flag in his actions, sure enough you'll find it. How very smart and vigilant you are.
But as the article already explains, those are not the conditions in which a scam happens. You don't know you're being scammed. The person sounds helpful, exploiting your inner desire to be cooperative. There's a sense of urgency, which disrupts calm and clear thinking. It was a very sophisticated and well prepared scam, which increases trust and makes you glance over or "forgive" small oddities.
Ironically, the fact that some of you chose to criticize somebody showing vulnerability is very emotional behavior, not rational behavior. Perfect candidates to be scammed.
By the way, are Americans still logging into online banking with a username and password? That's it? Please tell me that's a joke.
> are Americans still logging into online banking with a username and password?
For financial institutions, identity verification of existing and new customers is a way more complex topic than most people realize. Fraud is an issue, but so is friction. If it's too hard to log in or to open a new account, people will use/move to a different service. So in the US institutions use "invisible tools" to authenticate users and minimize the risks. Third party services collect huge amounts of user data which is then used to verify customers' identities in a probabilistic way. (For instance the odds that a fraudster is logging into your bank account from your phone and from an IP that you have used numerous times in the past are very low.)
So while the impression is that only a username and a pw are used, that’s not the case.
So in short: security is not the only goal of the financial services available to the masses. The goal is finding a balance between security and friction.
I almost got scammed regarding renewing my software subscription with Intuit. I got a voice message indicating that my credit card on file for the renewal was expired (true) and that I should call back at the number given. That was my big mistake; given that I made the callback, I overlooked the fact that I had not myself looked up the number I was calling. But how did they know my CC number was expired, and that my annual renewal date was coming up soon?
When I called, I immediately got connected to a live person. Second mistake: you can never get through the voice menu to a live person so easily. Anyway, the guy sounded convincing, and said I could get a special discount on renewal, so after some further conversation, I commented that I should be able to log in online and get this same deal, which was my preferred method. At that point, he finally put me on hold and then the call disconnected.
She is trying to find an identity in tech. A few years ago she was a "professional web developer". Many of us have been there, titles give some sort of security to people; even if they are not well-fitting.
I've had calls from my bank's fraud prevention department and, for me, they go down like this:
* A call comes in from a number I don't recognize, it goes to voicemail.
* The voicemail message says "This is the fraud prevention department at $BANK, please call us back at $NUMBER"
* I pull out my physical card, call the number on the back (which does not match $NUMBER). I go through the menu tree to get the fraud department and ask if the call was legit.
Interestingly enough, at some point the bank modified the menu system so that when you enter your card and the fraud department has called you they'll bypass the menu completely and transfer the call right to that department. Clearly I'm not the only one that does this and they don't necessarily want to discourage this behaviour.
A lot of people seem to be telling similar stories in the comments about how their banks also act like scammers, which trains you to trust the actual scammers.
For this reason, I am extremely stubborn about inbound calls. When my bank/superannuation/etc. call me about something and ask for any personal details, I explain to them why it's really not okay for them to be doing this, request a way to call them back via some telephone number that is published on their official website, and then later follow up with a formal complaint.
Who knows whether it actually does any good. Probably not. :/ EDIT: I mean, it definitely protects me, but I don't know if any of these orgs have changed their practices.
I honestly do not understand why anyone having a fraud call would not bother to go to the bank itself. That is my rule and it would have avoided the situation. I had a call similar to the article's and in the end I just said I will go to the bank myself and sort the issue in person. As I did not see any communication on my bank's page, nor in the app (it has push notifications), nor any letter, I never bothered to waste more time.
I put the effort on the bank, as the bank has the duty to safeguard my money, not the other way around. The bank's responsibility on suspicion of fraud is to block the transaction and summon the account holder.
I use the bank's channels for communication and this does not include random calls. It communicates with me through the bank's web page and app and it has never sent me any email. This is true for my experience in Poland and Portugal. The Portuguese bank used to have a crappy web-banking system and even this worked properly. When I got contacted by my bank, it was an in-person summon with no ability to discuss through the phone, the end.
Being so "remote" these days that we do not consider it important to go to the bank in person is maybe the issue. It is ridiculous that one can handle one's fortune in a phone call. It should be bureaucratic by nature.
I can understand being busy, but not a single time did the article's writer mention he would go and sort things out himself at the bank. Are physical banks rare in the United States?
Scam reports like these really frighten me. If someone of above-average intelligence like the author can nearly be taken for a ride, imagine how easily our friends and family -- who are often far more vulnerable -- can be taken advantage of.
As the people most capable of remediating the vulnerabilities in our telecommunication and banking systems, I think we ought to close ranks and insist that our employers do a better job of protecting the innocent, even if it means breaking a few conveniences.
> imagine how easily our friends and family -- who are often far more vulnerable -- can be taken advantage of.
FUD. Hackers and scammers exist, sure, but your friends and family are always most likely going to be victimized by friends and family.
Outsiders have to work to collect intelligence, gain access and obtain your trust. Friends and family already have all three prerequisites.
Bernie Madoff didn't become the most prolific con-artist in history by cold-calling strangers. And consider what demographic is most likely to try recruiting you into the latest MLM scheme.
Why do you assume the author is of above average intelligence just because they work in a technology profession? I work in this industry, and I've met a lot of people even dumber than me in it, so intelligence can't be much of a requirement.
Can I get scammed? Sure, but in this specific case, that Wells Fargo scam wouldn’t work on me because I know firsthand that Wells Fargo fraud prevention is terrible. Case in point, a few years back I had in-store mall transactions happening 400 miles and 2600 miles away from my current location within an hour span of my lunch transaction. No fraud alert. It even took me weeks to contest these transactions. This is abysmal compared to virtually every other credit card provider.
On a related note - I work for an Asian company which sends me money to Europe through their US "offshore" bank account in Wells Fargo.
I'm receiving monthly payments, but once a payment bounced back because my local EU bank switched their intermediary bank, something a normal client shouldn't care about, but I learned about it the hard way because WF is not updating their database of intermediary banks and routed my payment through the outdated intermediary bank.
I was pretty pissed about my own bank not informing me about the intermediary bank change, so I changed my receiving bank to a different one, although in the end it was Wells Fargo's problem for not keeping their records up to date.
Guess what happens years later, after my other bank merged with a different bank: Wells Fargo once again ignores the new intermediary bank and bounces back the payment.
I dunno if this is the standard US international banking experience, but I find it extremely unprofessional and unheard of in other countries that payments would be bouncing because a bank is too lazy to update their intermediary bank database. Not sure what operation they are running at Wells Fargo.
In the end the company made an exception for me and they are sending me money directly from their Asian account, because apparently you can't get a worse banking experience than with US banks.
Was the first thing I noticed, but to be fair, there also just isn't really a need for a blog like this. Someone once said something like "I encrypt my innocuous blog because else private becomes suspicious" but by now the internet is largely encrypted and this one blog won't reverse that.
And who knows, maybe the person reading along at the NSA will also enjoy the article :)
I'm a gullible motherfucker: I have memories of handing a $20 to a random guy walking up to me and saying "Hey, man, my car's stuck and I need some cash for gas".
That said, I've had a lot of these calls and fortunately not fallen for them once. The funny thing is that eTrade (I think) has a system where you can ask for a callback but then they'll go right into taking your information. When that happens, I followed the play book: I asked for a phone number that I could find on ETrade that I could add an extension for to get to this person. He gave it to me and everything along with some sort of quick access code I was supposed to use to get whomever I hit to pass me along.
Well, I did the whole thing and the person at the other end in the ETrade system that I dialed said "It's okay, I'll just take care of it, sir". I mean, at this point I just sucked it up and went through with the process since I figured I dialed the number from their website to get there and then the extension so surely it has to be legit, right?
But I just know someone is going to point out a way that I could have been scammed through this mechanism.
Sure. I've been scammed. It felt really bad. And I consider myself quite knowledgeable. On the other hand, I noticed what was happening before greater harm could have been done. Perhaps that's what distinguishes so-called experts from the regular folks. Because an expert would know sooner, without being impervious.
Long story short, I could have ended up with a subscription on a set of questions for 20 dollars a week, which was given only after a set of legitimate surveys were given on behalf of Apple. I of course notified Apple of this, but I never got the 20 first dollars back, before cancelling the "subscription" I had apparently signed up for.
I really wanted to track the guys down, but they had been very careful in covering their tracks with proxies and mailbox addresses, so in the end I considered it too much work. But I did spam them. Perhaps I could have even used their mail for even more spam, but I suppose they just use throwaway mails anyway.
Not sure how they got through the cracks of Apple, though. IMHO it's pretty damning for the reputation of Apple to work with guys like that.
I got a really weird call yesterday from some place claiming to be the medical center where I was a patient 5 years ago (I go to a new place today). I was a bit suspicious simply because it's been years since I've been a patient there. But there are many plausible legitimate reasons for calling me. However the first thing they did was "verify" me by asking for my date of birth and home address. I was disarmed at first because the lady was clearly American, and sounded bored. But I was still hesitant to give up any information on an incoming call. So I asked for some way for me to call them. She gave me a phone number... which was the same one calling me, so I hung up. I looked up the phone number, but it was just a random landline from SC (this was a MA based business). At this point I gave up, and decided if I owed some money they would probably send something in the mail. But it makes me wonder if there's a new class of scammer out there with a bit more sophistication.
I got called twice in my life, both times in response to a ticket I had filed but didn't necessarily need a response to (firstly a complaint about some new hardware authenticator that was worse than the old one (I was hoping enough complaints might make them pick a better replacement next time), secondly about phishing-but-legitimately aka Sofort which they now, two years later, finally semi-blocked).
From the post, since it mentions this being routine and normal, plus the comments here, it sounds like Americans are called every month or so. Is that impression correct? Is it because of this credit card system where basically anyone with your account number has withdrawal access identical to what we use 2FA (chip and pin) for? With IBAN it's more of a money destination than a source. Direct debit exists but I have yet to see it abused, not sure how that works exactly, and definitely never got a call to confirm this or that.
I was scammed by a kid locally. He paid me for a motherboard over Paypal, then months later claimed it wasn't approved. I thought it was fishy he mentioned to me having his little brother pick it up. I said no to that. And I insisted on cash, but eventually relented, thinking it would probably be ok. He filed a PP dispute and lost, as I had text messages proving the sale. Then he did a chargeback and won.
I would've filed in small claims court but the filing fee is more than the loss. So I looked up all his family info and addresses, and next time in his neighborhood I'll be knocking on their door for my money.
And, I'll just keep finding creative ways to chase him down, online and off, until the day I die. I'm never letting it go and eventually if I had to "take" the money from him through other means (him losing money), that's what I'll do. I'll be sure to double or triple his losses though if it comes to that.
I wish the title hadn't given away that it was a scam call. Perhaps it could have implied it was a gripe about Wells Fargo at first. Reading it while already knowing it was a scam, it seemed blindingly obvious to me, and it was hard to imagine how I could have made the same mistakes. But that could be overconfidence.
This is just very weird to read. What was this scammer’s endgame?
With all this info they can call up GoDaddy and redirect your domain (and all your emails) to themselves, or call AT&T and sim swap you. Why even call the actual account holder?
As for these "confirmation" emails or SMS: they are so dumb!!! Why don't they just include a full description of the ACTION you are supposed to have taken, that you are expected to be confirming? In big red letters before the confirmation number. That way the scammer won't be able to trick you. Sheesh, these companies haven't figured out to include that?
There is one simple rule: If your bank calls you for anything, tell them you will call them back, then look up the number you have (or the one on your credit card or whatever) and call them back. Period.
Even if your bank is really calling you they will still understand if you call them back on the number you have.
Scams are getting more and more sophisticated. We've always known that when you write a playbook, sooner or later the red team will find holes in that playbook. Perhaps that's where ML/AI comes in, since you can train them, but you never really understand what they really "learnt" from that training (/s sort-of, but the famous amazing snow/husky classifier always comes to mind)
Personally, I've received such calls before, and the first thing I'd ask for is a case number, and that I would call the support number printed on my credit card, to get back to them. Of course, if someone co-opts that number, then I'm also SOL, but I'd imagine then this would be engineering on a larger scale, rather than a specifically targeted whaling attempt.
This says it all. You may be the best expert and everything you want, but when you are tired you are no longer an expert, and it's something you practically can't learn to self-identify.
If you think that X will never happen to you, wait until you are tired and we'll see about that.
I can tell from the comments and from my own observation that all of HN knows she is not an expert. I think we shouldn't beat the dead horse here. I also agree she shouldn't call herself an "expert", or at least not in the cyber security field.
Hm, interesting. I've had surprising fraudulent charges on a WF card just a few days ago. They texted and emailed me, but I had to call them myself (not that I would've trusted a call, I even wondered for a minute if SMS was a fraud attempt).
The issue is, it was a card that I keep only because it's the oldest card I have, that I don't really ever pull out of my wallet anymore. I'm not familiar with the underground stuff but I suppose stolen CC numbers are typically sold reasonably fast (months, not years) and used while they're still fresh? If that's the case, while two random anecdotal data points don't prove anything, I start to wonder if it's possible that WF was recently compromised.
I've been scammed by a car salesman while, I thought, I was really read up on signs and paying attention.
I was buying a 2 yo Toyota car at an official Toyota salesplace. Before this, I've bought three used cars, looked at tons of videos (eg Chris fix on youtube) on how to check the car itself so I don't buy something that risks needing expensive repairs two years later. I wasn't super prepared against the salesman before though. But he wasn't looking like, and behaving like, a salesguy. He was a bit uncertain in his way to talk, and it felt like I was more sure of the buying process than he was.
I had two main concerns - I didn't want to buy a lemon ("Monday specimen") or a crashed+repaired car. The latter may mean things like bearings being slightly out of alignment and leading to wear quicker. So I voiced those two concerns and asked whether this car had ever been repaired, "No, nope.". I asked about service subscription, the guy whispered "I shouldn't say this, but it's better you get it at the other place which is closer to you" (also an official Toyota place).
Since my daughter has allergies, I asked about smoking or animals, "njet, nada, nopes".
Well, a month later the car was completely registered to me and I got access to the Toyota digital registers and sure enough, it had been smacked along the side by a truck. It also already had a service sub pre-paid on it, so that was him getting out of a 350€ service at their place. A final insult was that, as the chemical perfume smell of the cleaning agent came off, it had a foul pungent smell of wet dog.
I confirmed this with the previous owner too, she'd had a dog in the car. Had to buy a replacement air filter and clean the car internally, but at least my daughter doesn't call it the "smelly car" anymore.
Pretty happy with the car, and would likely have bought it even if he was completely truthful, but having been lied to, and fallen for it, makes me pretty angry.
Feels good to share the story :). Don't forget to like and subscribe.
I nearly got phished by Citi recently because their call center gave/sold my info to a phishing network.
I had called their support line to dispute a charge, spoke to an agent for a bit, and they put me in the dispute queue, and then hung up on me after 20 mins waiting. I call back, repeat the process, wait 20 mins and got hung up on again.
Then an hour later, I received text message telling me that my Citi account was frozen, with a (phishing) link to reactivate it.
I had called Citi using a new phone line (not linked to my existing Citi account), so for the phisher to text this new number means that the call center must have leaked it soon after intentionally hanging up on me.
It’s possible that my number was randomly targeted, but the timing was very very suspicious.
Is that "Verify your card in Apple PayⓇ" email real/non-spoofed? On that email's screenshot there's a huge red flag as with other 99.9% scams: bad punctuation. Nobody writes "number:" (1:, 2:, 3:, ...) for lists in English. https://writing.stackexchange.com/questions/5680/is-it-ok-to...
> my bank, Wells Fargo (I know, I know; trust me, they were not my first choice).
> aren't phone numbers that Wells Fargo recognizes as valid mobile numbers (one of many things I despise about this bank).
> Wells Fargo's system would be so janky and sloppily-built that this is the least awful way they could figure out how to do it.
> consistent with similarly nonsensical policies I've encountered with Wells Fargo before (I hate this bank so much
Simple solution to this: Never do anything important or give out info on an incoming phone call. Always hang up, find the proper number online, and call back to continue the conversation.
** ** ** really an _expert_ relaying a DO NOT SHARE 2-factor code with someone in _ANY_ situation is someone who deserves to be called out for this! This is not expert behaviour.
I think a lot of sysadmins following best practices (not every box or estate on the net are compromised, and this is not to say zero-days don't exist) are getting frustrated with security "experts" like this who simply can't even be bothered to practice what they preach...
There isn't a more polite way of phrasing this really...
ehhhhhhhhhhhh I always call back. Isn't that one of the 1st laws of not getting fucked online/over the phone? I go to the company web page (https only of course) and get a phone number. I mean suppose it's possible for an employee to screw you over, but at least it's (call metadata) probably being logged somewhere. Also if I was into security my blog page would be on https, even if that's not entirely necessary for webpages. It throws up a yellow flag to me.
There are some odd things here. How can someone be a "scam prevention expert" and not be aware that caller id can be spoofed, and therefore should never be trusted for anything important? How can someone be a "scam prevention expert" and not know (even if you only "skim" the email) that you don't read out 2FA authentication codes to someone who calls you and asks you for them? These are surely the two most basic methods used to scam people...
"while I'm no expert, I've never heard of a call center system that can accept touch tones seamlessly while a call is active, and it would take extremely sophisticated audio processing capabilities to be able to do that, since the frequencies used by touch tone keys heavily overlap the frequencies of human speech."
"Extremely sophisticated?" The tones are just a sum of two sine waves of known frequencies. That's trivial to detect. What am I missing?
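To illustrate the point made in the comment above (that a touch tone is just two sines at known frequencies and is cheap to pick out), here is an added example of a DTMF detector using the Goertzel algorithm. It is not code from the article or from any call-center product; it assumes 8 kHz telephone audio, a 100 ms analysis window, and thresholds (`min_level`, `min_ratio`) chosen for the constructed test signals below, not tuned against real calls. The signals it decodes are synthesized inline, so it runs offline.

```python
import math
import random

SAMPLE_RATE = 8000          # telephone-grade audio (assumed)
WINDOW = 800                # 100 ms analysis window -> 10 Hz DFT bins

LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))


def goertzel_magnitude(samples, freq, sample_rate=SAMPLE_RATE):
    """Amplitude of `samples` at `freq`, evaluating one DFT bin only.

    For a sine of amplitude A that sits on the bin the result is about A;
    no FFT of the whole window is needed.
    """
    n = len(samples)
    k = round(freq * n / sample_rate)              # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    power = s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2
    return 2.0 * math.sqrt(max(power, 0.0)) / n


def detect_key(samples, sample_rate=SAMPLE_RATE, min_level=0.05, min_ratio=8.0):
    """Return the DTMF key present in one window of samples, or None.

    A key is reported only if one row tone and one column tone both exceed
    `min_level` and each beats every other tone of its group by a power
    ratio of `min_ratio`; stray energy (speech, noise, a lone sine) is
    rejected instead of being reported as a keypress.
    """
    def pick(freqs):
        mags = [goertzel_magnitude(samples, f, sample_rate) for f in freqs]
        best = max(range(len(freqs)), key=mags.__getitem__)
        runner_up = max(m for i, m in enumerate(mags) if i != best)
        if mags[best] < min_level:
            return None
        if runner_up > 0 and (mags[best] / runner_up) ** 2 < min_ratio:
            return None
        return best

    row, col = pick(LOW_FREQS), pick(HIGH_FREQS)
    if row is None or col is None:
        return None
    return KEYPAD[row][col]


def decode_sequence(samples, window=WINDOW, sample_rate=SAMPLE_RATE):
    """Run detect_key over consecutive windows; a window without a key ends it."""
    keys, last = [], None
    for start in range(0, len(samples) - window + 1, window):
        key = detect_key(samples[start:start + window], sample_rate)
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


# --- constructed test signals (synthesized here, not captured from a call) ---

def synth_key(key, n=WINDOW, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """A DTMF key is the sum of its row sine and its column sine."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            f_low, f_high = LOW_FREQS[r], HIGH_FREQS[row.index(key)]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    return [amplitude * (math.sin(2 * math.pi * f_low * t / sample_rate)
                         + math.sin(2 * math.pi * f_high * t / sample_rate))
            for t in range(n)]


def synth_sine(freq, n=WINDOW, amplitude=0.5, sample_rate=SAMPLE_RATE):
    """A single tone that is not a DTMF pair; must not decode as a key."""
    return [amplitude * math.sin(2 * math.pi * freq * t / sample_rate) for t in range(n)]


def add_noise(samples, level=0.05, seed=42):
    """Deterministic uniform noise so the example is reproducible."""
    rng = random.Random(seed)
    return [x + rng.uniform(-level, level) for x in samples]


def synth_sequence(keys, n=WINDOW):
    """Keys separated by silent windows, aligned to WINDOW for simplicity."""
    out = []
    for k in keys:
        out += synth_key(k, n) + [0.0] * n
    return out


if __name__ == "__main__":
    print(detect_key(synth_key("5")))                          # 5
    print(detect_key(add_noise(synth_key("#"))))               # #
    print(detect_key(synth_sine(1000)))                        # None
    print(decode_sequence(add_noise(synth_sequence("1221"))))  # 1221
```

A production detector on a live call would add what this omits: overlapping windows, minimum tone duration, the "twist" limit between row and column levels, and a speech-energy guard, since the comment the article quotes is right that the tones sit inside the voice band; none of that changes the basic observation that eight narrow-band Goertzel filters are enough to find a keypress.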
Nah, phone calls are even worse than SMTP here. Caller ID means nothing. It's like a From header on an email with no DKIM.
It can be set by the caller to anything, if they have access to some trunk from an operator that allows this. It's another trust based thing, with no automated verification.
Trusting caller ID was the initial mistake. Never trust caller ID with your money. It's like trusting sender names in your spam folder mean anything.
Interesting that even in the addendum at the end of the article (which I only skimmed) there is no mention of the most glaring oversight of the author. From his own screenshot:
"[...] Wells Fargo will not contact you by phone or text to request this code."
To be fair, that should be about as large as the title text, and displayed before the code. And the scammer was likely doing a good job of keeping the author distracted enough to miss that.
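Two comments above ask for the same thing from the bank's side: the confirmation message should describe the ACTION the code authorises, and the "we will not call you for this code" warning should come before the code rather than after it. As an added example (not Wells Fargo's code, nor anything from the article), the following issues a one-time code that is stored together with the action it was issued for, renders the message with the warning and the action ahead of the code, and only redeems the code when the caller presents the same action. The action strings, the 5-minute lifetime and the 3-attempt limit are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300          # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3        # wrong guesses before the code is discarded (assumed)


class ConfirmationCodes:
    """One-time codes bound to a specific action.

    The code is hashed together with the action text, so a code issued for
    "add card to Apple Pay" cannot be redeemed for anything else, and a
    caller who talks the customer into reading it out for a different
    purpose gets nothing usable for the purpose they claimed.
    """

    def __init__(self, secret, now=time.time):
        self._secret = secret
        self._now = now                       # injectable clock for tests
        self._pending = {}                    # user -> [action, expires, hash, attempts]

    def _hash(self, action, code):
        msg = ("%s\n%s" % (action, code)).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, user, action):
        """Create a code for `user` to confirm `action`; returns (code, message)."""
        code = "%06d" % secrets.randbelow(10 ** 6)
        self._pending[user] = [action, self._now() + CODE_TTL,
                               self._hash(action, code), 0]
        return code, self.render_message(action, code)

    @staticmethod
    def render_message(action, code):
        """Warning first, action second, code last; the code is never the headline."""
        return (
            "WE WILL NEVER CALL OR TEXT YOU TO ASK FOR THIS CODE.\n"
            "Entering this code will: " + action + "\n"
            "If you did not request this, do not share the code; call the "
            "number printed on your card.\n"
            "\n"
            "Your confirmation code: " + code + "\n"
        )

    def redeem(self, user, action, code):
        """True only for the right code, the right action, in time, once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored_action, expires_at, code_hash, attempts = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(self._hash(action, code), code_hash):
            entry[3] = attempts + 1           # wrong code or wrong action
            if entry[3] >= MAX_ATTEMPTS:
                del self._pending[user]
            return False
        del self._pending[user]               # single use
        return True


if __name__ == "__main__":
    cc = ConfirmationCodes(b"server-side secret (assumed)")
    code, message = cc.issue("alice", "add card ending 1234 to Apple Pay on a new iPhone")
    print(message)
    # Same code presented for a different action fails, then succeeds once.
    print(cc.redeem("alice", "verify recent transactions", code))                    # False
    print(cc.redeem("alice", "add card ending 1234 to Apple Pay on a new iPhone", code))  # True
```

Binding the action into the hash is what makes the description in the message more than decoration: the server can only accept the code for the action it printed, so the text the customer reads is also the text the code is good for.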
Turns out our scam prevention expert wasn't an expert at all. She poorly titled herself without proper knowledge of security field. Probably a curious person but not trained in this field at all.
A tip that may or may not travel well: some banks can set a "security passphrase" or passcode that must be provided before they will do anything for you. A few years back I had someone compromise my credit card and somehow answer enough questions to increase the credit limit on the card substantially. This was the bank's response to this.
> he was talking about mobile app payment systems, like Apple Pay and Google Pay. Which, yes, I'm very familiar with, but I don't use and have no interest in using.
I think if you're going to be a Scam Prevention Expert, you should at least familiarise yourself with the user experiences of these services so that you can detect when they're potentially being used in a scam.
The first thing you should do when someone contacts you about a transaction you don’t recognize or with any kind of account concern is hang up / don’t email back and find a valid number for the company from a reputable source and call them back. If they are legit you’ll connect with them, if not you’re already in the right place to get the id theft investigation started.
>I checked the caller ID, and it was my bank, Wells Fargo (I know, I know; trust me, they were not my first choice).
This was too quickly dismissed. If you know a bank isn't up to your personal standards, don't cave into using them anyway! There are so many alternatives that the decision to keep using them should be seen as the primary or root cause of the problem.
The best pilot would not rationalize for even a second why their instrument readings did not match their intuition. They would fall back on their training immediately in the face of ambiguity.
This person is not even close to being the best…which is irrelevant, since they should have known better anyway.
That being said, bad stuff can happen to anyone regardless of who they are.
I think when I had fraudulent charges on a credit card I was directed on where to find the appropriate customer service # on my credit card and the options to choose for a fraud issue, and proceed from there knowing that I was talking to the real company. Seemed like a pretty good way to avoid all sorts of scams like this.
That's an error condition I've never seen before; that page only appears when no corresponding virtual server can be found (leftover from when I used to host friends' websites, a very long time ago), but I'm not sure what would cause it to be displayed without fuzzing the domain name. If the application got overloaded and fell over and died, it should've thrown a 50x error of some sort. Thank you for pointing it out! I'll look into it :) It was already back up when I checked, so I guess whatever happened auto-recovered (hopefully it did that quickly).
8 years ago I got a call from Discover card asking if I wanted to extend my credit limit. I immediately asked for his name and said I would call Discover with the phone number on their website. I got through and asked for him and our call continued. It was not a scam. I can't believe this person is an expert.
Honestly I’m shocked a scam prevention expert would talk to anyone who initiated a call to them.
Even if I get a text message flagging a purchase that I initiated I still won’t call the number they text me with I’ll always go to their website via url I type and call the number there. Surprised an expert isn’t doing the same.
ALWAYS CALL BACK. If they are legitimate, advise they should block the transactions until you've been able to reconnect with them. Get their details, and advise you will call back on the company's dedicated fraud prevention hotline.
NEVER give details over the phone on a call you didn't initiate EVER.
Yes, but banks shouldn't be using these insecure processes in the first place. I got a legit fraud text alert from my bank directing me to call a certain number. It should have asked me to call the number on my card.
The amazon rep is a scam. Amazon would not waste their time to do a 3-way call with a technician. They always provide you with a refund or direct number if you ask... but that direct number is usually searchable. The fact that they 3-way call suggests they wanted to hide the phone number
> When discussing scams and social engineering attacks, it's easy for security researchers and experts to present information in a way that implies the victims of these attacks should have known better.
Uhhh, when I see any SE I assume it happened because the user / customer is making use of a giant bureaucratic system and nobody knows how it works and what is supposed to be private data and what data needs to be sent where, along with government pointing a gun at you to send 5 pieces of ID all over the place ASAP without you ever understanding which ones are needed for what purpose. The very reason these broken, impossible to understand systems exist everywhere is because "the user is too dumb, stop being elitist".
Imagine if you logged into runescape and instead of entering user / pass, it said you need to have your IP address authorized, then you need to get a runescape license, then they need a picture of your iris. But you also sent your iris to some pizza shop to "prove" you own your house, and you have no idea what steps that pizza shop took to secure your iris photo (none). Then to get your IP "authorized", runescape tells you to login to some weird website you've never heard of before, and send it two pieces of photo ID (which you also sent to a paint shop to order paint), and then that website says "please give us your phone number so you can open our secure phone app", and then you open the "secure phone app" and you have no idea what it just did or what data was sent where or what data about you it just assumed you're now supposed to keep secret. I don't know, is this concept like not obvious to internet people? It's called ungroundedness.
The reason I'm writing all this without burning my eyes on this stupid color theme, is because whatever typical bullshit narratives HN will prop up as usual in response to this article here are completely invalid. This classic "boo, hoo, you're an elitist" talking point is irrelevant nonsense because in most cases the user hasn't been tricked; he hasn't been provided with a system that allows him to use it properly. But oh wait I just wrote about this last week as the cliche was made again then. I actually WANT a system that makes "elitists" secure and doesn't care about unqualified people (and I know lots of people who also want this, it's what UN*X users like to think of themselves as): https://news.ycombinator.com/item?id=30780519
I think we should understand how users get scammed with study, research and empathy and not because we get scammed ourselves. Having a bias that it's the stupid user's fault is just that, bias, and doesn't help in the pursuit of any scientific results.
until he got to the payload of the scam, it was honestly a smoother and more positive and helpful call than any legitimate interaction I've ever had with Wells Fargo (which, in and of itself, probably should have registered as suspiciously too good to be true
Makes me wonder how many "security" clients the author has. No https, outdated site, 2FA over the phone.
Her other post also mentions "I'm a professional web developer". Unsure what she does for living. Her site shows lots of interest for tech but not at a professional level.
A key bit of info "he also had a distinctly North American accent". It is real easy to dismiss scammers you can't understand well, but when speaking to another native speaker, your guard comes down several notches.
Different bank, but they had all the basic information, but then started asking for information that I know they don't need (secret questions and answers) and when I told them it was sus they hung up.
It's fun how the expertise of the person ("I know how those various systems work, and how everything is duct-taped together"), and being accustomed to things being shit with the banks, has turned against them.
I keep seeing this story headline from security admins lecturing me how to not get my estate compromised... please just learn and employ best practices and stop getting on at those with proven track records
For a variety of reasons (this being one of them) I never pick up calls from unknown phone numbers, banks, and other institutions. They always go to voicemail, and I often immediately call back.
Uh, I'm not a scam prevention expert, yet I would NOT have followed your steps. If a bank (or ANY entity) calls me up claiming to be X, I usually ask them what the issue is, then hang up and call the number listed on my card, the official website or documentation, etc.
You should never give out ANY information on the receiving end of a phone call. Period. Ask what their name is, what department they are in, hang up, call the number you were provided prior, and ask for the same department/person and describe the details of the call.
I take this to the next level, and never even call any banks or providers. I just walk in and deal with them in person. Probably takes more time and effort, but is totally worth it IMHO.
The author is simply not very good at defending against these scams.
A. Fraudulent charges are YOUR BANK's problem, not yours. There is no reason to take any risk or share any information. You can agree that charges are fraudulent, but that's the endpoint of your responsibility.
B. Don't give out any information to an inbound caller. None. (except to acknowledge fraudulent charges)
C. Don't try to figure things out. You don't need to reason through it. This author spends SO MUCH time trying to reason out whether this is or is not a scam call. WHY??? Just hang up and move on. If it makes you feel better, you can always call your bank back.
"Putting all of this together, the scales started to tip toward this potentially being a scam call, but I still wasn't certain. It was all circumstantial and conjecture, and a lot of it seemed very legit, plus the difficulty of accurately putting together the information needed to make an attack like this against me without also including strategic disinformation that would tip me off about where they got their data. I needed more information. It was time to push back on this."
>>WHAT??? Why do you need to push back? What's the point? Hang up!
"So, I was immediately suspicious, and started asking technical questions; "
>> NOW you're suspicious? Again, why ask technical questions here. Who cares? Move on!
This author spends FAR FAR too much time trying to outsmart the scammer - and in the process gets outsmarted himself.
Edit: Nevertheless, I give the author a WHOLE LOT OF CREDIT for being willing to post this. I'm sure he was a bit embarrassed, but sucked it up for the greater good and education of all of us. Thanks!
tl;dr: Someone claiming to be from Wells Fargo contacted her by phone and requested a code that she got emailed. The email with the code said "Wells Fargo will not contact you by phone or text to request this code." She gave him the code anyway.
Not a single reader in this forum thinks she is an expert. Let's not hurt her feelings further with insults. She probably knows she isn't an expert, it is just a title she came up with, randomly?
Randomly? No, it was deliberately used to make this article clickbait. It's not that fascinating when a normal person gets scammed. She scammed us by telling us she's an expert when she's clearly not.
> I answered, the guy said he was calling from Wells Fargo's Fraud Prevention Department, calling to verify some transactions. He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call.
No legitimate bank would do this. They say "call the number on your card, and mention reference # NNNNN"
Agreed. I wish someone would try this level of attack against me - I'm 99% sure I wouldn't have fallen for this particular one, but how can I truly know without going through it?
Anyways, I am extremely aware of caller ID spoofing. I use it myself to show a usable callback number on a VoIP outgoing-only line.
And the 2FA - I would be incredibly reluctant to give a code over the phone, even if I had initiated the call.
I honestly got this exact same scam happen to me, and probably came 50% of the way through falling for it. Especially since it happened just a few weeks after I had actually had my card compromised, and used for fraudulent transactions.
I got the same text about "confirming fraud transactions" and then a phone call from "my bank". I nodded along at his script for a few seconds, before I remembered the constant, unending advice of: "if your bank calls you, hang up and call back on the fraud number listed on your card". I told the person I'd do exactly that, and hung up.
I then checked my card account and confirmed that there actually weren't any fraudulent transactions, so didn't bother calling.
That said, I can absolutely see a world in which a tired or otherwise frustrated me would just follow along the script, and with a similar background to the author (I'm not a security professional, but I work in fintech and on security-adjacent things):
> I also find it entirely plausible that Apple (or Google) would require a bank to jump through these kinds of hoops in order to remove a fraudulently-added payment method from someone's account, and that Wells Fargo's system would be so janky and sloppily-built that this is the least awful way they could figure out how to do it.
This honestly resonates with me as a plausible thought path. I'm pretty confident that I wouldn't have actually provided the two-factor code, but again, everyone has off days, and everyone makes mistakes. That's the core of all of this, that endless refrain: defense has to work 100% of the time, offense only needs to work once.