Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

When in Doubt: Hang Up, Look Up, and Call Back (krebsonsecurity.com) 85

Many security-conscious people probably think they'd never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Brian Krebs: Here's how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse. Today's lesson in how not to get scammed comes from "Mitch," the pseudonym I picked for a reader in California who shared his harrowing tale on condition of anonymity. Mitch is a veteran of the tech industry -- having worked in security for several years at a fairly major cloud-based service -- so he's understandably embarrassed that he got taken in by this confidence scheme. On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card. But Mitch knew enough of scams to understand that fraudsters can and often do spoof phone numbers. So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges -- under $100 apiece -- but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

If the caller had been a fraudster, he reasoned at the time, they would have asked for personal information. But the nice lady on the phone didn't ask Mitch for any personal details. Instead, she calmly assured him the bank would reverse the fraudulent charges and said they'd be sending him a new debit card via express mail. After making sure the representative knew which transactions were not his, Mitch thanked the woman for notifying him, and hung up. The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn't seem right, and so Mitch decided to use another phone to place a call to his bank's customer service department -- while keeping the first caller on hold. "When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch," he said. "But as it turned out, that other call was the attackers also talking to my bank pretending to be me."

This discussion has been archived. No new comments can be posted.

When in Doubt: Hang Up, Look Up, and Call Back

Comments Filter:
  • by LatencyKills ( 1213908 ) on Thursday April 23, 2020 @02:44PM (#59981318)
    The boil down is that it was what I would view as an incredibly elaborate scam which involved separately duplicating his bank card and getting his PIN, and he did everything right and the bank security was the weak link the chain. Anyway, ultimately the bank got his money back because the scammers took it via wire transfer, which I believe the bank can always do. Which is why smart scammers have grandma send them iTunes gift cards and similarly irreversible transactions.
    • by lgw ( 121541 ) on Thursday April 23, 2020 @03:00PM (#59981372) Journal

      This specific example may have worked out OK, but you still want to be cautious, and especially to confirm things out-of-band.

      When I bought my house I needed to make a wire transfer for the value of my house to escrow. Wire transfer fraud is much more common that you might think - the rewards are huge, so "incredibly elaborate scams" are a real risk.

      When I got the wire transfer instructions by email, I didn't act on them right away. I also didn't search for the phone number of the title agency on that same computer, or on my phone, as man-in-the-browser attacks with corresponding phone attacks are the normal way financial fraud happens these days.

      So, I just printed out the wire instructions, drove to the title agency office where the closing would happen, and ask them to confirm. 30 minutes well spent, given the amount involved.

      In general, if you want to verify whether someone is a scammer, you need to go entirely outside of what they might control. This can be tough if it's a company you're skeptical of, but if it's an individual claiming to represent some company, just find a way to confirm that that's outside of the potential attacker's control. (I haven't heard of phone hacks at the same time as phishing or other attacks outside of the financial world, as that does take real effort to pull off, but never trust your phone when it comes to confirming anything in banking or finance.)

      • by sinij ( 911942 )
        You also have to consider the amounts involved. For a one-time $10K, it is just not worthwhile to get that sophisticated.

        Aside, when I was wiring money for the house, I had my lawyer give me the info and I had him date and sign it (as he is covered by fraud insurance).
      • Can't banks always claw back wire transfers? They simply withdraw the funds from the receiving institution, and it is up to that institution to find restitution down the line or go to court and fight it. I believe foreign banks especially lack recourse from claw back, as if push comes to shove the US bank will just stop doing any business with them at all, which is often the greater harm than whatever funds they lose.
        • by lgw ( 121541 ) on Thursday April 23, 2020 @03:47PM (#59981546) Journal

          Can't banks always claw back wire transfers?

          Don't bet your life savings on that, would be my advice. Make some effort to protect yourself from fraud, don't rely entirely on the system. Even if the bank does eventually sort out the situation, you've probably missed the chance to buy the house you wanted, and if you've already sold your current house and have to move out, life will get interesting for a while.

          • Like everything else in this world, the answer is "Yes, with appropriate motivation".

            The problem is not to do with the reversibility of the transaction -- the transaction is *always* without exception reversible. The problem is in applying the appropriate level of motivation to cause them to do the necessary.

        • by vinn01 ( 178295 ) on Thursday April 23, 2020 @04:11PM (#59981646)

          "Can't banks always claw back wire transfers"

          No. A wire transfer is not ACH. A wire transfer does not go through a clearing house. When the money leaves the bank, it's gone. Most wire transfers need multiple approvals before it's done.

          This is the first wire transfer that I've ever heard was reversed. It wasn't really reversed, somehow is was canceled before it was completed. But it my experience, wire transfers take at most a few hours to complete. My general experience is that if I do a wire transfer in the morning, the money is clear at the other end by the afternoon.

          • by lgw ( 121541 )

            There is a mechanism for reversing wire transfers, in cases of obvious fraud, but I wouldn't count on that! Usually the money is gone from the destination account promptly, so there's nothing to reverse.

      • Doing business in person is usually more secure than doing anything on a computer. But so many people don't think this way, the naively assume that the internet is secure. And it's not secure, not even with long passwords that fit the rules, not even with two factor authentication. It's not that difficult to drive to the bank, drive to the title agency, and so forth.

        With my mother it is a struggle to keep things under control. I ask if she has any paperworkd for her investments and she hands me a postit n

        • by lgw ( 121541 )

          Well, I certainly trust my broker, whom I've never interacted with in person, but mostly because the government insures me against the broker going under. My online interaction with that broker is the one place where I take security very seriously, down to having a VM that's only ever used to connect to financial institutions, using 2FA that's not my phone and so on. Of course, that's beyond the capacity of most people. Heck, most people have banking apps on their phone - that's practically giving your

        • The Internet is 100% absolutely secure -- depending on your definition of "secure". Since you did not define "secure" the only think that can be gleened from your tirade is that you are, indeed, an idiot.

        • by Bert64 ( 520050 )

          Fraud also occurs in person and is often much easier to pull off, just harder to get away with.

          As for handing over personal data, this is just getting worse... People are now actively encouraged to disclose personal information via social media sites, and people using aliases online are often shunned.

          I had an interaction with someone quite recently where i was talking to someone over the phone and he asked for some information to be sent via text message. I sent the requested information (ie he was expectin

      • by ebyrob ( 165903 )

        I also didn't search for the phone number of the title agency on that same computer, or on my phone...

        Don't even get me started on how messed up our information hygiene is these days. You can't even look up a telephone number without doubting the veracity of the result.

        • by brm ( 100455 )

          Well, you can always check with a government agency, and if you are suspicious about the agent you're talking to you can go up the hierarchy and check for references. Like an apostile.

          Ultimately, of course, trust rests with the president.

      • When I bought my house I needed to make a wire transfer for the value of my house to escrow. Wire transfer fraud is much more common that you might think - the rewards are huge, so "incredibly elaborate scams" are a real risk.

        Very true. When I paid off my home last year I thought about doing a wire transfer but decided against it. I went to my bank and got a cashier's check for the full amount. Then I drove over to the mortgage company's bank and directly deposited it with a teller.

        It was a very small amount of work to protect a significant asset and completely prevented any kind of man-in-the-middle fraud or redirection.

    • cc change back can kill iTunes gift cards

    • that was texted to him for wire transfers. You never give those to anyone, and if anyone asks for them (or any kind of authentication information) hang up, you've got a scammer or an idiot, most likely a scammer.
    • by jon3k ( 691256 )
      When he provided the texted PIN to someone on an inbound call, that's when he screwed up. Never provide any information to an inbound call. Hang up and call your financial institution. Do not give ANY information to someone making an inbound call to you.
    • by gavron ( 1300111 )

      > getting his PIN

      Nobody said that. Please don't confuse the issue by making up facts not in existence.

      K Thanks Bye.

      E

  • Ah.. (Score:2, Insightful)

    by sabri ( 584428 )
    Ah, the weekly krebsonsecurity plug.
    • by Pascoea ( 968200 )
      And? At least it's a useful, applicable, intelligently written piece. And a good reminder that even one of "us nerds" can get taken for a ride if we let our guard down.
      • No, it is an obvious scam.

        If my Bank wishes to speak to me I will get a call from them requesting yhat I please give them a call at their published telephone number (which is not given as part of the call). Once I call that number and identify myself to them the call is transferred to whichever person wanted to speak to me.

        I someone calls claiming to be "from the Bank", I know they are not.

        • What I get a charge out of is the phone scammers who claim to know my CC number, and "prove " it by telling me the first four digits. For over 50 years I've been bitching that schools don't teach kids what's really important.
        • by Bert64 ( 520050 )

          That sounds like you have a competent bank... But.

          Not all banks operate in such a sensible way.
          Non banking companies tend to be even worse.
          Customers even of the decent banks are not properly educated about how the bank is operating.

          Another stupid one is emails from the bank...
          The banks could (and some do) sign their mails usng s/mime. Any mail not signed or with an invalid signature is therefore fraudulent and should be deleted. Only these banks failed to properly educate their customers about this.

        • by Pascoea ( 968200 )

          Once I call that number and identify myself to them the call is transferred to whichever person wanted to speak to me.

          A good practice to follow. But my point still stands, there is absolutely nothing wrong with repeated reminders and examples of what to look out for. YOU may be too smart to get scammed, but that doesn't mean the next person is.

  • Good to be rich (Score:5, Insightful)

    by ugen ( 93902 ) on Thursday April 23, 2020 @02:49PM (#59981336)

    Those lucky rich people, that can go for weeks not noticing multiple transactions spending "under $100" and even a few ATM withdrawing $800. It's also nice to have an account with that much money and not check it at least every few days.

    • These people who don't even have an online banking service which notifies them through SMS every time a transaction takes place on their account.
      I have such a service and it costs me exactly 25 cents a month.

      • I have such a service and it costs me 0 cents a month. I think that is nice of them to not nickel and dime me for some basic peace of mind. A bit like my registrar not charging me for WHOIS record obfuscation but enabling it by default. But then again, they are in the EU, not US.

        • I have such a free notification service from the bank that notifies me by several methods for "big" transactions on any of my accounts, and I get to define "big". E-Mail, SMS, and the Banks own notification system simultaneously. I have defined "big" as any transaction of $0.01 or more. Works quite well. Though sometimes it can present duplicate notifications which are annoying, but perfectly reasonable given how the back end systems work.

        • EU here as well, I don't mind paying 25 cents a month for this service.

    • by reanjr ( 588767 ) on Thursday April 23, 2020 @02:58PM (#59981366) Homepage

      I am not rich. I have a job that I need to live. I have to plan my retirement. I need to check my bank account balance when making large purchases. But otherwise I don't check my account. All it requires is a reasonably balanced budget. I spend less than I earn, so my bank account keeps going up and I never have to worry about it. That doesn't make me rich.

    • Things get more complicated with a wife and kids, hundreds of dollars of legit charges all the time that you can't vouch for without sitting down and going through them.

      That's one realization of becoming a parent, that simply turning off the spigot of spending is out of the question, you have no choice but to keep filling it faster than it drains.

      • by ugen ( 93902 )

        As a parent myself, I disagree. Just as easy to follow your finances. No such thing as a "hunderds of dollars of legit charges" we don't know about.

      • by Bert64 ( 520050 )

        If you have a joint account then it will show who made a given transaction, so you keep track of yours and your wife keeps track of hers just as you always have done.
        For kids you give them an allowance into their own account, and teach them to do the same. How they spend their allowance is not really your concern, but it's your responsibility to teach them how to manage and monitor their accounts.
        If they need more money for something they have to come and justify the expense to you so you can transfer it to

    • It is nothing to do with rich people.

      The root cause is that this so-called Mitch is what we call a "poser". That is he is not an actual "security" person but only "poses" as one. The give away is that he "worked in security for several years at a fairly major cloud-based service". A "real" security person could not stand working as a cloud-based service for a few weeks, let alone several years, and anyone who did so for more than a month is no longer qualified as a "security person", they have been hopel

  • by jellomizer ( 103300 ) on Thursday April 23, 2020 @02:51PM (#59981340)

    About 10 years ago I got a call from the States Tax and Finance saying that I owed them $200 in taxes. They called me up and then asked to verify my SSN number. I just refused to answer the questions. And hung up. I then looked up my States Tax and Finance department and give them a call. Sure enough, it was a legit call. But better play it safe than sorry.

    • by Lonng_Time_Lurker ( 6285236 ) on Thursday April 23, 2020 @03:12PM (#59981398)

      Yeah, I don't really understand why this guy called his bank, to verify the INBOUND call was real. Just stay on the real call with your bank, the one you initiated.

      • This! Also, doesn't everyone use the security feature of getting an email when any financial transaction happens on their account? If the bank doesn't have this feature, it's time to find another bank. I catch credit card fraud before the bank does because of this.

      • It was not completely crazy on his part. A lot of those departments are silo'd, so that he might get passed around and end up with a random person a couple cubicle away from the person he is already talking to.

      • by Barny ( 103770 )

        Yup!

        My prodding actually caused my ISP to change their verification flow for outbound calls.

        I was having a problem with my internet and called the company, usual stuff to log a ticket. They called me back two days later and wanted to "verify my details". I flat out told them no, and that they called me so they know my authenticity already, but I didn't know theirs.

        Their tech person was savvy enough and had enough autonomy to realize this was their problem and not mine, and was able to complete the call with

    • by Bert64 ( 520050 )

      And that's the problem..
      legitimate organizations call in the same way that the scammers do, so it's difficult for users to tell them apart.

      They should just send you an automated message telling you that you need to contact your state tax department, you can then find the contact details yourself and contact them.

  • I would go to one and call them back from it.

    Why advertise if you don't have to?

  • by sinij ( 911942 ) on Thursday April 23, 2020 @03:01PM (#59981374)
    I am having doubts about this story, or alternatively it was targeted hit and attackers were hired to do harm (and were not ultimately after the money). It does not make sense to go that deeply involved when enough senior citizens fall for various crying nephew scams.
    • Re:Too elaborate (Score:4, Insightful)

      by eclectro ( 227083 ) on Thursday April 23, 2020 @03:24PM (#59981440)

      I believe it because crooks can in fact be that shitty.

    • with nothing but a phone and internet I could see this happening. Plus there are call centers in some countries doing this kind of fraud. $10k is a _lot_ of money even in a 2nd world country. Depending on the country, exchange rate, etc it's equivalent to around $100k USD buying power.

      Also the complexity probably evolved naturally. e.g. they tried something simpler, it didn't work, and they kept trying until they came up with this mess.

      As for crying nephew scams, well, you're right that they're easy
    • Re:Too elaborate (Score:5, Interesting)

      by Comrade Ogilvy ( 1719488 ) on Thursday April 23, 2020 @04:00PM (#59981596)

      Like all good mystery novels, the central mystery is not very complex from the instigator's point of view. It is only confusing because of the optics from someone who does not yet have all the pieces to look at, at the same time.

      A lot of these scams are being run from professional scam call centers. Getting piddling amounts from a scrapped card is old hat. The key innovation is that they make a (1) call to set up a perception of trustworthiness (2) while coupling the trust building game with the small time fraud already ongoing, before going for the big score with a follow up call.

      It is just one extra phone call, plus one extra phone call from (ideally) a co-conspirator with another phone line.

      That he called the real help center was a weird thing, but not weird from the scammers point of view. They absolutely wanted to use that magic code within seconds of receiving it. That the scammers looked extra trustworthy for being confirmed to be on a call was a happy accident, one that they probably did not even plan on.

      Of course, it is conceivable that they are so clever to keep the "oh, just call up the help center yourself from another line and confirm I am real" card up their sleeve. Maybe. Or maybe not. Does not really matter.

  • My friendly 85+ year old neighbor thought he was doing the right thing by "looking up" the number for HP on Google. He called a scammer who conned him in to shelling out $250 to install even more adware on his computer.

  • Is this in some country where they actually allow callers to spoof phone numbers?

    • by PPH ( 736903 )

      Yeah. The USA. Because it would be too much trouble for telemarketers and other scammers to have to authenticate themselves before using any phone number they wanted. And other convoluted reasons that con artists give whenever someone suggests that phone companies should fix caller ID to block this.

    • I get a lot of spoofed calls from Indian call centres allegedly originating from US. Usually they are the usual "we've discovered something wrong with your Windows computer" but I've had a few claiming to be from my bank. Except they never get the right bank which I find hilarious as I tell them to fuck off, hang up and report the number to the fraud department of the named bank...

      • by Bert64 ( 520050 )

        It's more fun to keep them on the line and waste their time...
        Give them access to a sandbox and see what they do...
        Pretend you're running linux or chromeos etc and their instructions aren't working.
        Create a sandbox running something very old and/or exotic like nt4/alpha to confuse the hell out of them.
        Create a sandbox that's got a totally broken configuration and keeps crashing or won't run things etc, and pressure them to fix all the brokenness since thats what they claim they're doing.
        Run a sandbox using

    • Yes, the US has no authentication (which is really-really stupid).

      But don't think this can't happen to you. It isn't actually that hard for a scammer to take control of a user account on a company's voice mail system and forward his calls to the public from there.

  • by tlhIngan ( 30335 ) <slashdotNO@SPAMworf.net> on Thursday April 23, 2020 @03:55PM (#59981578)

    If you need to get me, you have my cellphone number. I am extremely choosy who gets that. And I don't answer if I don't recognize the number.

    I do have a landline and it's hooked to an answering machine. I never answer it. The machine gets it always. If it's my bank (they don't get my cellphone number because there's rarely any emergency where they need to call me) I call back on their main line.

    No landline? Google Voice is your friend. Give away that number, and I don't answer any calls there - let the voicemail functionality handle it.

    Incidentally, those text to speech systems that scammers use don't really work all that well with Google Voice or other transcription service - I guess when they're optimized for "natural speech" the erratic speech synthesis of the scammer voices just doesn't recognize well at all.

    • "If you need to get me, you have my cellphone number. I am extremely choosy who gets that. And I don't answer if I don't recognize the number."

      So you *do* answer the phone, your security through obscurity has lulled you into complacency, and you trusted the spoof-able information channel to authenticate your obscurity.

      • by Bert64 ( 520050 )

        Just because you don't give away your number doesn't mean it won't still be called by scammers.

        Phone numbers can and do leak, someone you have given it to could easily be compromised and leak the number. Many users choose to upload the contact lists from their phone to services like facebook etc.
        Sequential auto dialers do exist and will hit your number just as easily as any other.

  • by Kernel Kurtz ( 182424 ) on Thursday April 23, 2020 @04:05PM (#59981624)

    So while still on the phone with the caller, he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges -- under $100 apiece -- but there were also two very recent $800 ATM withdrawals from cash machines in Florida.

    So his card was compromised for weeks already. If he were paying attention to such things, he would have cancelled it himself and that would have been that.

    The scammers no doubt noticed he pays no attention to his accounts and figured he would be a good target for further exploitation. And they were right.

  • I have to do a second read-through because I don't understand. Came to the comments in between to complain that the summary is too long. This is slashdot, we don't need sentences telling us that scams exist. And we don't need a half a dozen sentences about the part that went to plan. All of that could have been condensed to simply say day 1 X happened. No need for an explanation about how "a smart person calls the number on the card" Again, consider the audience here.
    • Ahh, now after reading the article more information is added later, about things that happened already..like reading back the SMS code. Why was it written in a way to do a "gotcha" first, then fill in the important details? This article was kinda weird. Can't put my finger on it but something feels weird.
      • Yeah, it's fishy alright, I wouldn't trust it at all. It's probably trying to scam you. Trust your instincts. Hang up on the article and all comments, then point your browser back to Slashdot and see if you can find it again. I'll bet that the article isn't even there and that you had been somehow routed through a proxy to a fake Slashdot article that was trying to rip you off. But hey, while I've got you here, what's your full name and social security number?

  • How did this guy get rinsed for over $1600 before the phone scam even started? Sure, losing $10k MORE on top of that sucks, but if they steal your card and you let it go for a month you're kind of an idiot anyway.

  • Customer needs to authenticate to "The Site" using usual username / password / 3FA. (eg: Customer is logged in)
    Agent needs to be authenticated to "The Site" (and usually will be while at work). (eg: Agent is logged in)

    Customer directed by agent to an "Authenticate Human" link on "The Site".
    Agent goes to an "Authenticate Human" link under the customer's account on "The Site".
    Agent requests verbal random verbal session password from customer eg: "ASD123X"; agent enters this into the customers webpage which

  • Banks regularly call me and they are often unable to prove to me that they really are who they say they are. The worst though was the Canadian Revenue Agency (CRA) who called me and the guy on the line said I could call him back and gave me his number. CRA is usually very good with security. They won't even send you an email other than to notify you to log into their site to read a message. The notification doesn't even contain a link to the CRA. That slip up with the call eventually escalated to my fi
    • If my Bank wishes to speak with me they will call me and ask me to call their call center at the number printed on the back of their client card. They will not reveal the phone number to call or what the call is about. When I call their call center I will be asked to provide my client number, after which I will be forwarded to the person who wanted to speak to me who will perform their normal verification procedure for callers.

      Anyone who calls me and claims that they are representing X is immediately clas

  • I haven't answered a phone call from a number that isn't in my short list of contacts in at least 5 years. I don't understand why you would. That's what voicemail is for. Even then, unless the voicemail is from family or friends or I'm expecting the call, I look the number up. I thought this was common sense.

    • Yes and no.. There have been occasion when I had to call a family member for some urgent matter using a borrowed phone because my phone was out of battery. He is also like you that never answers unknown number. You can image my frustration trying to reach him urgently but he just won't pick up the damn phone.
  • I don't answer it! If it is important, they will leave a voicemail. If they don't leave a voicemail, it gets call blocked.
  • They have to email me, use a website or show up in person because phones cannot be trusted these days and I don't feel like googling you WHILE on the phone to see if you're real. The upside is I need almost no minutes on my plan!
  • Caller ID has had huge security holes since it started 30 odd years ago, and yet the public takes what's displayed as gospel. The phone company can't be wrong after all.

      They need to fix this broken system, and in the meantime educate the public that caller ID cannot be relied on. But of course, the phone companies can't be trusted to do the right thing, so this needs to be forced by law.

  • With all the cold-calling, I never answer numbers not in my contacts. Anyone who needs you urgently will leave a voicemail. I'm one of those who was "trained" as a child to imemdiately pick up a ringing phone, but at least 75% of the calls you get these days are cold calls, drop that habit of answering the phone and let voicemail get it.

  • I never ever accept the legitimacy of a "cold" call from my bank's fraud department. Get their details, hang up and then lookup the number to call. Oddly enough when I do this it always seems to annoy them a little bit, as if I should know that they are legit, because they work in the fraud department. More concerning is that it now occurs to me that I have an recurring relationship with my bank's fraud department due to the number of times my card details have been stolen.

  • I had a bank call me, then demand I verify who I am with sensitive information. Wary of the obvious scam, I refused and insisted they verify to me who they are. The person on the phone started getting irate insisting that since they would need to divulge sensitive banking information, I would need to verify to them who I am despite the fact that THEY CALLED ME. So I hung up and called the bank to report the phishing attempt, only to discover it was a legit call from my bank

Do you suffer painful illumination? -- Isaac Newton, "Optics"

Working...