Wednesday, November 14, 2018

How I Almost Fell For A Slick New Phishing Scam


I like to think that I am fairly savvy when it comes to phishing scams, but I came very close to falling for one last week. It was pretty slick and if I had not been sitting at my computer when the call came in, I might have been a victim.

The Scam

I get so many telemarketing calls on my cell phone these days, I never answer the phone unless it’s from a number I know. One of the tricks telemarketers are using now is to fake a local number that shows up on your caller ID. This is called “neighbor spoofing” and the thinking is that people will be more likely to answer a call from an unknown number if it looks like it’s from someone nearby. This is actually pretty easy for me to spot because last year, I moved from Arizona to Washington, but I kept my same cell phone number, which has an Arizona area code. If it’s a neighbor or local business calling me, they will have a Washington phone number, not Arizona, so I simply ignore all calls from Arizona that I don’t recognize.

But the call I received last week was from an 866 number, so I answered it. The person on the line claimed to be from Verizon and was calling to confirm that an authorized user on my account had ordered 4 new phones. He claimed the person was waiting on his other line while he authorized the transaction.

Of course, I said I did not authorize this. The caller then said they would help me press charges if I wanted to and said they would help me change the password to my Verizon account.

This is where I was glad I was at my computer when this call came in. As soon as I was told this guy was an authorized user on my account, I logged in to the Verizon website to look for his name. While I was doing this, the scammer told me I should reset my password and, if I wanted, he could initiate that for me. Of course, I said ok. He said I would be getting a text message from Verizon with a password reset link. He wanted me to tell him when the text arrived – which it did seconds later.

But at this point, I was already logged in to my account, so I asked the scammer where on my account I could find the authorized users page. He told me I would not be able to log in to the account because he just reset my password – which was true because I just got the text message. I told him I was already logged in to my account, which I had done before he reset the password, so where could I see the list of authorized users? At this point, he hung up, which was a pretty clear indication this was a scam 😀

He was able to actually reset my password, so I did have to go through that process, but the scammer had no way to get that new password and my account was still safe. After giving this some thought, I think I figured out how this scam works.

Here’s How It Was Supposed To Go

This scam is possible because the Verizon website allows you to log in using your phone number as well as a username. Because phone companies are assigned blocks of numbers, it’s very easy to tell what phone company a particular number is from. The scammers had my phone number and could tell I was with Verizon.

For better security, they should not allow a phone number here


So they call me up, claim to be from Verizon, and make me think my account has been hacked. When I agree to have them help me reset my password, they enter my phone number on the Verizon website and click the “Forgot my password” link. This brings you to a page where you can enter your user ID or phone number. The scammer enters my phone number and Verizon resets my password and sends me a text message with a link to create a new one.



Had I not become suspicious at this point, causing the scammer to hang up, I’m pretty sure his next step would have been to have me read him the reset link from the text message to “confirm” I got it. If I read the link to him, he would enter it into his browser and change my password to whatever he wanted, thus gaining control of my account.

This is probably not what would happen though, because I would immediately be locked out of my account, which would raise my suspicions. Instead, I think he would have entered the link on his computer and asked me to give him a new password, which he would type in himself. Now he would have access to my account, but so would I, and I would not be suspicious at all. He could hang up and get into my account at any time to do whatever nefarious things he was planning on. Sure, I could have changed my password again after I got off the phone, but why would I? I would be thinking I had dealt legitimately with Verizon and everything was taken care of.
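To make the mechanism concrete from the service side, here is an added example (not Verizon’s code, and not from the original post) that models the reset flow described above twice: a weak version that, like the screenshot, accepts a phone number as the account identifier and lets any bearer of the texted link set a new password, and a hardened version that accepts only a username, answers identically whether or not the account exists, hashes the token at rest, makes it single-use with a short lifetime, and records an audit event with the requesting client so the account holder can be notified of where the request came from. The account name, phone number, URL and client addresses are constructed placeholders.

```python
"""Weak vs. hardened password-reset request handling (constructed example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed demo data: the username and phone number are placeholders.
ACCOUNTS = {"jsmith": {"phone": "+15550100001", "password": "old-password"}}


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class WeakResetService:
    """Flow as described in the post: phone number accepted as the identifier,
    lookup result revealed to the requester, token stored in the clear,
    reusable, never expiring, and completed by whoever holds the link."""

    def __init__(self, accounts):
        self.accounts = {u: dict(a) for u, a in accounts.items()}
        self.tokens = {}  # raw token -> username

    def request_reset(self, identifier):
        for user, acct in self.accounts.items():
            if identifier in (user, acct["phone"]):
                token = secrets.token_urlsafe(16)
                self.tokens[token] = user
                return {"found": True, "sms_link": f"https://example.invalid/reset?t={token}"}
        return {"found": False}  # confirms to the caller that the number is not a customer

    def complete_reset(self, token, new_password):
        user = self.tokens.get(token)
        if user is None:
            return False
        self.accounts[user]["password"] = new_password
        return True


@dataclass
class PendingReset:
    username: str
    requested_at: float
    source: str  # IP or client fingerprint of the browser that asked for the reset


class HardenedResetService:
    TTL = 600  # seconds a reset link stays valid
    GENERIC_REPLY = "If that account exists, a reset link has been sent."

    def __init__(self, accounts, clock=time.time):
        self.accounts = {u: dict(a) for u, a in accounts.items()}
        self.clock = clock
        self.pending = {}  # hash(token) -> PendingReset; raw token never stored
        self.outbox = []   # stand-in for the SMS gateway, so the demo runs offline
        self.audit = []    # events the account holder is notified about

    def request_reset(self, identifier, source):
        # A phone number is not an account identifier: knowing the number (and the
        # carrier it belongs to) must not be enough to start a reset.
        if identifier.strip().lstrip("+").isdigit():
            self.audit.append(("rejected_phone_identifier", identifier, source))
            return self.GENERIC_REPLY
        if identifier in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[_hash(token)] = PendingReset(identifier, self.clock(), source)
            self.audit.append(("reset_requested", identifier, source))
            self.outbox.append({"to": self.accounts[identifier]["phone"], "token": token})
        # Same reply for known and unknown usernames, so accounts cannot be enumerated.
        return self.GENERIC_REPLY

    def complete_reset(self, token, new_password, source):
        entry = self.pending.pop(_hash(token), None)  # pop: the link is single-use
        if entry is None:
            return False
        if self.clock() - entry.requested_at > self.TTL:
            self.audit.append(("expired_token", entry.username, source))
            return False
        self.accounts[entry.username]["password"] = new_password
        # The holder sees which client finished the reset, not just that one happened.
        self.audit.append(("password_changed", entry.username, source))
        return True


if __name__ == "__main__":
    weak = WeakResetService(ACCOUNTS)
    print("weak, phone lookup:", weak.request_reset("+15550100001"))
    hard = HardenedResetService(ACCOUNTS)
    print("hardened, phone lookup:", hard.request_reset("+15550100001", "203.0.113.5"))
    print("hardened audit:", hard.audit)
```

None of this stops someone from reading a link aloud to a caller; what the hardened flow changes is that a caller armed only with a phone number cannot start the reset, cannot learn whether the number belongs to a customer, cannot reuse a link, and leaves an audit trail naming the client that completed the change.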

Pretty Slick

This was a pretty slick scam for a couple of reasons. First, it used Verizon’s legitimate password reset tool. Second, he told me the supposed phone buyer was still on the line and that he would help me press charges. This does two things: it creates a false sense of urgency and it appeals to my desire to prosecute someone scamming me, both thoughts that are designed to make me eager to work quickly with the real scammer and not think too hard about what is going on. Lastly, and this is based on my conjecture on how this scam would have concluded, it gets the scammer access to my account without immediately raising my suspicions, giving him precious time to rip me off before I take notice.

How To Avoid Scams

I got lucky in that I was able to force the scammer off-script by immediately logging into my account before he could initiate the password reset. At that point, he didn’t know how to proceed, so he just hung up. But even if you aren’t able to log in to your account while the scam is in progress, there are a couple of things to remember that would protect you from this.

The password reset process is designed to be completely automated. There is never a need to speak to someone. This is simply a matter of cost control for companies. It would be too expensive to have help desk people taking calls from people who forgot their password. Therefore, the entire process is designed to be done without any assistance from a live person at the company.

There is never, ever a need to tell your password to anyone, even if they legitimately work for the company. They don’t need to know it. Furthermore, they don’t want to know it, because that creates a legal liability for the company. Suppose a bank requires you to tell your password to their phone agent. That agent can make a note of it, go home, and access your account. Or sell that password to someone else. In short, it’s a huge security risk for the company, so they have designed their systems so that their agents can perform legitimate tasks without your password.

Keep these tips in mind and you will go a long way towards keeping yourself safe from phishing scams.
