Cabel Sasser, founder of a software company, got a worrying call that appeared to come from the 1-800 number of the Fraud Department of his bank. According to his story, the caller told @cabel that his ATM card had been used at a far-away Target store, and asked whether he was using the card on his travels. He wasn’t… so, uh-oh, it sounded like a timely call from the bank to prevent fraud! Good news, right?
Well, the “bank” asked for some card information to confirm that Cabel was in possession of the card, and with that settled, offered to send him a replacement card. Again: sounds reassuring, right? Maybe so… until what happened next. The near-victim continues his tale:
Then [the bank caller] asked me to key in a new PIN.
I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.
“Don’t you… know my PIN?”
“It’s just to confirm the change. I can’t see what you enter.”
“But… you’re the bank. You have my PIN, and you CAN see what I enter…”
“Only the IVR system can see it. Hey, if it helps I have all your account info up… to confirm, the last four digits of your SSN are XXXX, right?”
The guy WAS right, but something was very wrong.
Yep. Whether it’s your bank, your mobile phone carrier, some other tech company, the IRS, whoever, a legitimate caller will never ask for the PIN (your personal code number) to any account of yours (or, for that matter, ask for any password of yours). If you’re ever asked for such information, it’s a scam. Hang up!
At the end of the above story, Cabel hung up on the “bank representative” and called his bank himself. (Needless to say, he looked up and called the bank’s legitimate phone number, not any number given by the mysterious caller.) Here’s what he reports:
No one had used my card at a Target, and, yes, I was just four key presses away from having all of my cash drained by someone at an ATM.
Be careful, friends!
Yikes. Scary stuff. Never give away private numbers or passwords to a phone caller!
They keep trying…
The above is just one example of the many creative schemes that phone scammers keep inventing. Security expert Brian Krebs offers this warning:
Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).
In an overview of such scams, Brian details the “Fraud Department” tale above, plus the unfortunate story of a man who did give his PIN to a caller claiming to be from his credit union – with the result that the scammer withdrew thousands of dollars from the man’s bank account.
To make things just a bit scarier, Brian continues with the tale of Curt from Canada, who was nearly taken in by a terribly realistic-sounding voice that wasn’t even human! Curt credits his paranoia with alerting him to the possibility that the alleged TD Canada Trust bank representative was in fact a software robot under the control of a scammer. He had the presence of mind to try responses that might stump an artificial “person”:
Trying to throw the robot voice further off-script, Curt asked what the weather was like in Barrie, Ontario. Another long pause. The voice continued describing the offered service.
“I asked again about the weather, and she said, ‘I’m sorry, I don’t have that information. Would you like me to transfer you to someone that does?’ I said yes and again the real person with a French accent started speaking, ignoring my question about the weather and saying that if I’d like to continue with the offer I needed to provide my date of birth. This is when I hung up and immediately called TD Bank.” No one from TD had called him, they assured him.
What to do?
Phone scams that try to get you to give up personal information – phone phishing scams, as they’re called – are becoming more sophisticated all the time. And they’re only going to become more common, too, as scammers harness the power of tireless automated callers, software “robots” that will happily make calls all day.
But don’t fear! These scams aren’t hard to thwart. Just follow the experts’ advice:
- Be immediately suspicious of unsolicited calls. Banks, government agencies, big companies, and the like rarely have reason to telephone individuals. Scammers have every reason to call individuals.
- Don’t trust caller ID. Just like a sender’s alleged email address, the alleged source of a phone call can be faked. If you use caller ID and the feature shows the phone number of your bank, don’t assume that this is proof that the call is actually coming from the bank.
- Make voice mail your friend. If you’re uncertain who’s calling, do like a lot of young people do, and just let voice mail (if you use it) take the call. You can later
- Never give out personal information on the phone. Or by email, or any other means, for that matter, unless you know it’s safe (like on a personal visit to your bank branch). Always remember: Legitimate callers do not ask for social security numbers, PIN numbers, or other personal information!
- Don’t be pressured. One of the tools scammers use is insistence on some imminent risk requiring urgent action, a ploy to throw people off guard. Don’t fall for it. Take all the time you need to think things through, and ask questions.
- Return the call – and not to the number the caller gives you. If you still think an unsolicited call from your bank, etc. might be legitimate, tell the caller you’ll call them (or visit in person, if possible). Do not call back to any number the caller gives you; that could just take you right back to the scammers! Find the bank’s real number on your own, and call that. (Alas, a caution is needed here: If you search for the number online, you could end up with a fake number from a fake web page set up by – yep – the same scammers. Find a sure way to get the right information, like taking a bank’s phone number off of its statements or brochures.)
- Talk to others. Still think the call might be legitimate? Remember, anyone insisting that you need to provide information now is almost certainly a scammer. Don’t hesitate to put the caller on hold (or simply end the call for now), and ask family or friends what they think.
- Help others stay safe. Share this information with those around you. We’re trained to be polite to callers and to instinctively trust apparent authority figures; that’s what scammers count on. Tell family and friends that they need to be careful, and that modern phone etiquette requires suspicion toward any unknown callers!
- Thread by @cabel: “I almost just got scammed hard: a cautionary tale…” (Thread reader)
- Voice Phishing Scams Are Getting More Clever (Krebs on Security)