top | item 30869427

I'm a scam prevention expert and I got scammed

865 points | matiskay | 4 years ago | lupinia.net

544 comments

[+] rolobio|4 years ago|reply
I nearly got taken by a scammer because Amazon transferred me to one. I purchased a set of Reolink cameras on Amazon (they've been great); one of them failed a couple of months in. I contacted Amazon customer support (via my Amazon login and in their interface) and they wanted to troubleshoot with their technical team. Eventually the (very helpful) Amazon technician suggested contacting Reolink for support and started a 3-way call. The "Reolink" technician got my phone number and then said they wanted to call me back.

They called me back a minute later (now without Amazon recording the conversation) and asked me for my NVR's serial number so they could connect to my NVR. I was shocked they had a backdoor into my NVR but I figured I'd let it play out. A minute later the technician said that he was having trouble connecting because "an internet virus is corrupting my firewall". I was extremely confused and thought it must be a translation problem. Until he kept insisting it was a problem and became belligerent and angry. He said I needed to pay $300 to have an on-site technician troubleshoot the problem. I got angry because he was making some weird excuse for their camera not working, and wanting to charge me rather than just ship me a replacement. I refused and he started mocking me. I demanded his manager and he ignored me. Eventually I hung up and called Amazon back.

The Amazon technician was helpful and shipped me a replacement. I contacted Reolink via email to complain about their technician. They responded that they have no on-site technicians and that it was a scam!

I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammer's phone number and teach him how to find a 3rd party phone number...

[+] Nextgrid|4 years ago|reply
> I was blown away that Amazon would transfer me to a scammer. I contacted Amazon again and let them know what had happened. Hopefully they will figure out how their guy got this scammer's phone number and teach him how to find a 3rd party phone number...

1) Amazon is complicit in shady behavior on their platform, whether it's inventory commingling, sketchy sellers repurposing existing, well-reviewed listings for a totally different product or those bribing customers to leave good reviews with gift cards or free stuff.

2) The tech support number could very well be provided by the seller, and you could've bought the camera from a listing from said seller instead of the real Reolink (if the "real" Reolink even sells on Amazon to begin with). Maybe tech support scammers are now using this as a new lead-generation tactic ("legitimately" sell a high-maintenance product but scam anyone that calls for support?).

[+] Galaxeblaffer|4 years ago|reply
It's really hard recognizing the image Amazon has in the US compared to my personal experience with amazon.de. The service is stellar, shipping both ways is free as long as you buy products covered by Prime. Refunds are no questions asked (as long as you don't start abusing it, I guess). As soon as you go into 3rd party sellers the experience gets muddled, though I've had plenty of good experiences with those as well. There's simply nothing here in Europe that gets even close to what Amazon offers. I really, really hope it will never be like the horror stories I see here on HN.
[+] switchbak|4 years ago|reply
Not an isolated incident. My mother was transferred to an Amazon employee who tried to scam her as well. This was years ago, and I reported it to Amazon. No idea what eventually happened, but I was shocked that they'd be so brazen about committing fraud as an actual employee.
[+] carabiner|4 years ago|reply
Amazon today is a street side flea market. You really don't know what you'll get. I've started ordering more stuff from traditional retailers. Their online operations these days are really good, and at most a few dollars more than Amazon. Clothes from macys.com, home goods from homedepot.com and target.com, and so on. You're not flooded with choices with these stores that are mostly garbage, instead you get only 1-3 choices that are reputable.
[+] ______-_-______|4 years ago|reply
I bet your Amazon rep just searched for Reolink and clicked on a Google ad that happened to belong to the scammers.
[+] overtonwhy|4 years ago|reply
Lots of call centers get targeted with this type of scam. I think it's because call center employees are so poorly treated and compensated that it's appealing to join the scam. I've seen the same exact thing happen with QuickBooks support. The actual agent you're speaking with gives your contact info to the scammer who calls you back.
[+] itslennysfault|4 years ago|reply
Reason #99,999 that I don't use Amazon anymore. Just buy stuff in-person, pay the shipping, wait the week, or whatever. You'll be fine I promise.
[+] reincarnate0x14|4 years ago|reply
Do you know if the original order was from Reolink? If I had to guess, that may have been a questionable reseller. I've seen several cases in which it looks like you're ordering from SomeCorp as fulfilled by Amazon, but once you get into the actual order process it shows up as some other seller that was in the "Buying Options" list.

Definitely sketchy behavior on Amazon's part, never dealt with the selling side there so no idea if this is sellers gaming Amazon or just awful market platform in general.

[+] evancoop|4 years ago|reply
The question reduces to one of incentives. Scams are extremely easy to initiate, cheap to scale, and once they're sniffed out, extremely easy to replicate with a small variation in location/product/approach. In other words, they're like good software.

So...what might curtail the proliferation of scams (besides cruel and unusual punishments)? Decentralization? More factors of authentication?

[+] dreamcompiler|4 years ago|reply
Slightly OT but I swore off Reolink because as late as two years ago they still required a Flash plugin before you could view camera captures in a web browser. I think they've finally fixed that, but the utter cluelessness of requiring Flash in 2020 left a bad taste in my mouth.
[+] ashtonkem|4 years ago|reply
Given how many fake products amazon sells and intermingles with legitimate products, it isn’t at all surprising that they forwarded you to a scammer. They just don’t care about protecting their customers, apparently.
[+] Cd00d|4 years ago|reply
I'm blown away that Amazon has phone support! I had no idea!
[+] mensetmanusman|4 years ago|reply
Apparently Amazon sells smart home lights from China that will not work if they can’t connect to their home servers in China. Be careful out there…
[+] 1270018080|4 years ago|reply
Amazon hasn't been usable in a long time for me. It takes more time to find non-counterfeit/trash products than it's worth.
[+] eek2121|4 years ago|reply
It sounds like you bought a product not sold by Amazon and got transferred to the company in question.

Don't buy 3rd party products sold on Amazon. I always tell people this. They ignore me and then stories like yours pop up.

NOTE: This applies to Prime items as well. Amazon's vetting services for 3rd party sellers are nonexistent. I could literally sell you dog shit right now, with no verification I even exist. I've had a seller account for over a decade, and I've not sold a single item. The Amazon Marketplace is an anonymous Craigslist. Please don't forget that.

[+] faangiq|4 years ago|reply
Keep in mind some manager 1000% got promoted for introducing this “innovative” feature.
[+] craftyguy|4 years ago|reply
> I was blown away that Amazon would transfer me to a scammer

You shouldn't be. The amazon store's core business model is allowing scammers to sell garbage to unsuspecting buyers.

[+] dheera|4 years ago|reply
> The Amazon technician was helpful and shipped me a replacement.

Considering they have a backdoor, why did you want a replacement instead of a refund?

[+] klik99|4 years ago|reply
There's one easy rule that could have avoided all of this - never give out any info on incoming calls. If I get a call or text about fraudulent transactions, I'll keep them on hold while I log into the bank website. If I get a call about a late payment, I'll thank them for the info and ask them to stay on while I pay online. If I get an inbound call with a more complex request, I'll ask them for their employee info and call back the official service number. It annoys the caller sometimes, despite always treating them professionally, but I keep that a hardline rule no matter how real it feels.

I heard this from a security guy and was under the impression it was one of the sacred laws of security. If it's not, it should be - it's a rule of thumb that would stop 90% of social engineering attacks I hear about.

[+] rcurry|4 years ago|reply
It gets even weirder when your bank acts like a scammer. A few weeks ago I was trying to help my wife add her USBank credit card to Apple Pay and Apple Pay said I needed to call this number to finish setting up the card. So I call the number and the guy is very friendly and asks me for a bunch of identity verification details, which I provide to him, but then he asks us to send a code back that will be coming over text messaging - yes, I initiated the phone call, but I suddenly realize that the number Apple directed me to was not the same number on my USBank card. Being a bit paranoid I tell the guy “Look, nothing personal but I get nervous when people ask for a verification code to be read back to them, I’m just going to call the regular number and go from there, okay?” Instead of being friendly, this guy suddenly gets in my face and is like “Oh, you’ll give me all this other info but won’t read that code back to me? I’m Fraud Prevention dude, good luck getting this done calling the main number. Oh, and just for this I’m putting a block on your card.” I hung up immediately and called US Bank’s main number and asked to talk to a supervisor - sure as hell, it turns out the guy I had talked to did work in their fraud prevention department and actually had retaliated against me by locking my credit card. It was the most incredibly ugly thing I’ve ever seen from a customer service department.
[+] starwind|4 years ago|reply
I had a problem with US Bank just trying to open an account with them. They sent me these instructions on how to upload a copy of my ss card through some “secure” Cisco system. The email I get has a different subject line than what the instructions said it would, it has this HTML attachment that doesn’t render right, and it was missing the button they said it would to create some kind of account. I was like wtf and their security department said if I didn’t like it then I had to go into a branch to handle everything.

Went with a local credit union instead

[+] WorldMaker|4 years ago|reply
Something I learned (almost the hard way) was to always make sure I have a Bank/Credit Card's own app installed (and logged in) before trying to add to Apple Pay. Apple Pay can and will redirect you to verification steps in the app if the app is installed. More often than not, if you initiate "Add to Wallet" from the app itself there's no additional verification step.
[+] ineedasername|4 years ago|reply
What happened after that, was it a hassle to unblock things? Though at that point I'd probably just close out my account & switch to another bank's credit card.
[+] Anechoic|4 years ago|reply
There was one time I thought I was being scammed, but it turns out there was an actual issue with my bank account.

Sitting at my desk at work, I get a phone call from my bank on my cell phone. "Mr. Anechoic, there appears to be a security issue with your bank account. We can resolve it for you. For security purposes, can you give your checking account number and the last four of your SSN?"

This is clearly a scam, right? I tell the guy there is no way I'm giving up that info for a random dude that calls me. He stresses again that there is an issue with my bank account, that the account will be frozen, and there is nothing he can do about it without the account and SSN information. I refuse again, and he tells me that I should go to a local bank to get it resolved. I hang up and go back to work. I log into my bank account website, and all seems fine.

After about 20 minutes, something is still bothering me, so I leave work to go to a local branch. I speak to a branch manager about what happened, and she agrees with me that it was clearly an attempted scam and the bank would never call me and ask for that information. But just to be safe, she checks my account on her computer. To our surprise, it turns out there was a security flag on my account!

She calls the bank security desk, and they confirm that there was an attempt by someone in another branch a few states away to get money from my account, and that the call I got was legit and logged in their system. We get the account locked out, and then the manager asks to talk to a security supervisor about the messed-up way they reached out to me. The security person basically said "this is how they do things" and didn't see the problem. The bank manager apologized, said it was messed up and she would try to run things up the chain to improve their process.

Damned if you do, damned if you don't.

[+] buscoquadnary|4 years ago|reply
Security theater. I had a situation where I had to buy something online from a company in Europe (owl4thunderbird). I placed the charge and then right after I got a text telling me to call a # for a possible fraud alert.

That's a big red flag there. So I try and find the phone # of the fraud dept of Citi, because anyone can send a text message. Turns out I can't find it anywhere on the official Citi site. So I finally give up and call the phone #. Before they could go further they asked me to confirm a 2FA code they would text to me. At that point I noped out and decided if it was a real problem I'd find out about it another way.

The problem is I now know how easy it is to break into any Citi account: just send them a text with a # and pretend to be the bank. The worst part is every every every message I get that is actually being secure always says "You will never be asked for this code" and every time they ask for it.

It is security theater of the worst degree by incompetents and MBAs and I am getting sick of it.

[+] paxys|4 years ago|reply
I expected some crazy new attack vector that was so sophisticated it could fool this Scam Prevention Expert, but this post is laughable. They fell for textbook "scamming 101" that my grandma knows to avoid.

Here's one tip for this expert – if you get a 2FA code over text or email that clearly has the line "we will never contact you for this code over phone or text" right under it, DON'T give it to a "support agent" over the phone.

> this is clearly a two-factor authentication code, meant to be entered directly into an authentication page. Which is normally not something that would be relayed over a phone call to a customer service rep. A concern that I raised to Daniel. However, he said that it was part of Apple's system, which they only had limited access to. An explanation that, as someone who works with computers, data security, and API integration professionally, I completely bought

And after reading multiple paragraphs of this person describing money literally taken out of their account in front of their eyes, you get to this line:

> Putting all of this together, the scales started to tip toward this potentially being a scam call, but I still wasn't certain

I really hope they don't have a lot of clients

[+] gnicholas|4 years ago|reply
> He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call

There's a red flag right there — I've never found a bank willing to provide any verification of who they are when calling me. They call me and ask me to give them a code or card number without providing me with any proof of their identity. I've tried to get them to give the sum of the last 4 numbers of my account, but they won't do it.

They always tell me to just call back using the number on my card and try to find my way to the right department. Super annoying.

[+] nonrandomstring|4 years ago|reply
This is a perfect case of iatrogenic security. When the systems get so complex and remote that security experts are caught out, they do more harm than good.

It's also a consequence of solutionism, systematic monotonicity, mother-knows-best and externalising costs such that we:

Only add more security solutions on top of existing ones to fix their holes.

Deny the user any choice or agency in setting their own security terms

Never revoke or remove a feature (that would be admitting defeat)

Push the burden in every process on to the user

Create fear in the user - that any misstep will cause them more inconvenience and trouble.

Make security an authoritarian culture such that the user will not question or be sceptical.

All of these are antithetical to civic cyber-security that we need available so educated and empowered users can operate technology under their control.

[+] nopeYouAreWrong|4 years ago|reply
I'm so skeptical of these "experts" especially if they write a blog post where they hate their bank.

I've been with Wells for over a decade. They have never called me. Never.

I have had "fraud" alerts hundreds of times. They always happen at certain POS, and it's always a text alert.

Some of the stories I read make me viscerally react with "what in the world are you doing with something as simple as a bank account?"

Also a fundamental default is "no action". If you are even slightly suspicious, do nothing. It isn't somehow so important that you stop thinking and just act or react. Just stop.

[+] sshine|4 years ago|reply
Nobody has ever attempted to scam me online, and I think (naively, like the author) that it wouldn't happen to me.

But I was pick-pocketed twice in my life. Both failed attempts, but only because of dumb luck. And I thought that would never happen, "because I'm that much present always."

One time I'm wearing a hoodie, and a cheery guy distracts me and sticks his hand into a double-ended pocket and my hand, resting in the other side, instinctively grabs his; a trigger-happy hand-shaking mechanism and a bad choice of pocket. I quickly walk off because his grumpy friend looks like someone who would stab you.

Another time I'm running for the bus, my phone is thrashing back and forth in my pocket, so while running, I quickly grab the phone and stick it in another pocket; two seconds later, a young guy bumps into me, and his hands reach all the way down into the now empty pocket. We land, we stare at each other, and I run for the bus rather than him; I'd have no chance catching him anyway.

So... with some humility: The only way to stay out of trouble is to apply really dumb protocols.

[+] KT-222|4 years ago|reply
I was at my local coffee shop yesterday when the manager was on the phone for 10+ minutes with a scammer. Was a new one to me.

The landline caller ID showed "Madison Police Dept" - the local police. The caller introduced themselves as an investigator working a case with counterfeit bills. "Don't contact your boss/owner because we are not sure if they are in on it." The caller knew details like employees names and the layout of the store. The manager was going through the cash in the back "confirming" serial numbers when the owner got in touch and cleared things up.

I was confused about the end game for the scam, but online I've read a version where they send a courier to pick up the "counterfeit" bills. There's also a version where they convince the employee to purchase moneypak cards to be deposited into an account so that the 6AM audit shows balanced books making up for the counterfeit bills that will be confiscated. [1]

To a person that doesn't know caller ID can be spoofed, getting a call that shows up as coming from the local police department can put you in a mental state that it 100% is the police, and it will take a lot of counter information to realize that it isn't. Between that and the convincing reason to "don't tell your boss", I'm afraid this might be an effective scam until it's more widely known.

[1] https://old.reddit.com/r/Scams/comments/ryp4fg/i_got_scammed...

[+] dade_|4 years ago|reply
Not much of an expert, caller ID means nothing.

Standard procedure for everybody in the last 20 years should be: Whenever I get a call about security or fraud from the bank, I thank them for the notification, tell them I will call them back, and hang up. Then I call the number on my credit/bank card, not the number I was called from. Fortunately there is a lost or stolen cards line, so there is no queue time, and I tell them I received a fraud alert notification.

[+] BaseballPhysics|4 years ago|reply
> Not much of an expert, caller ID means nothing

They... said that:

> The caller ID showed the correct name and number for my bank, but caller ID data is so hilariously easy to spoof that it might as well not even exist.

Honestly, what is with the low quality comments attempting to undermine this person's credibility?

[+] mekoka|4 years ago|reply
Simple and effective. It's been over 10 years that I've followed this same protocol. It hasn't failed me yet. I also don't think I've missed anything that could have been better handled, had I chosen to speak to the caller. Just don't say anything, beyond greetings, to the caller.
[+] vmception|4 years ago|reply
> if it was a scam, then this was clearly a bluff to try to reassure me, but he had WAY more information about me than I would expect an average scammer to have

You can purchase FULLZ from darkweb marketplaces; these contain name and address and social security number and often come with credit card details too.

With that, you can do social engineering like this. You can also remote desktop into any computer nearby to their zipcode (from a different darknet marketplace of compromised computers being rented out) and purchase things online from that, making it less likely to be flagged.

The idea that "scammers intentionally do obviously red flag things to weed out discerning people and just target susceptible people" is just one segment of the market. Doing smarter, more cunning things is entirely available and entirely lucrative.

[+] boznz|4 years ago|reply
It'd be interesting to do a lookup on yourself; is there any information on how you go about this?
[+] js2|4 years ago|reply
> Said he was calling from Wells Fargo's Fraud Prevention Department, calling to verify some transactions. He verified my name, he had the last four digits of my debit card number, and everything generally seemed to follow the normal script of a transaction verification call.

I recently had to speak with the Zelle FPD because it had frozen my ability to send (but not receive) after I had made some small trial transactions. Also, I use a Google Voice number with Zelle, which Zelle seems not to like.

I was shocked at the depth of questions that the Zelle FPD agent asked me. My SSN, DOB, address and recent transactions were expected. But then it went deeper: state where my birth certificate was issued. Fine. Car loans I had. Okay, this is all stuff on my credit report. But then it went past me: where my kids were born and their DOBs; my brother's DOB and age; my wife's DOB and age; my mother-in-law's (!) maiden name. Keep in mind this is all after I've authenticated myself to my bank, including a phone password I have set up. And it's for a secondary checking account that I have less than $1000 in.

Real bank FPDs have a crazy amount of information on not just you, but also your family members.

I personally would hang up if any of my financial institutions called me and I'd call them back.

[+] anonymousisme|4 years ago|reply
I had a legitimate call from my credit union last month. They were following up on a problem I had reported with their on-line bill pay system. Toward the beginning of the call, they wanted to verify that it was me and they asked me to provide them with the 2FA code they had just texted to me. I declined and told them that this is what scammers do. They agreed with me and encouraged me to call them back at the number on my ATM card.

I thought it was really unprofessional of them to operate this way.

[+] ale42|4 years ago|reply
Relating to this sentence in the article:

> I've never heard of a call center system that can accept touch tones seamlessly while a call is active, and it would take extremely sophisticated audio processing capabilities to be able to do that, since the frequencies used by touch tone keys heavily overlap the frequencies of human speech.

It's actually happening all the time. VoIP systems _do_ extract touch tone (DTMF) from the call and convert them to appropriate out-of-band messages (either on RTP or SIP, there are multiple standards). This might also happen with VoLTE, although I didn't verify it myself.

So, while the request was indeed weird, there's nothing technically strange about typing touch tones at any point in a call. Regarding the fact that those frequencies overlap with human speech, it's expected because they were designed to be transferred over phone lines, which are made for human speech frequencies. Since landlines here in Switzerland were converted to VoIP several years ago, I often hear DTMF tones appearing from nowhere in the middle of a call and covering the voice of the other person. The reason is easy: some intermediate system detected a tone and sent the corresponding SIP/RTP message, while also filtering the tone out of the audio. On the other end of the line, that out-of-band message triggered the generation of an actual in-band tone, whence the result.
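
The out-of-band RTP signalling the comment above describes is standardised as RFC 4733 "telephone-event" packets: once a gateway detects a key press it stops sending the tone as audio and instead sends a 4-byte event (key code, end flag, volume, duration) in RTP. The following is an added example, not code from the thread or from any vendor; it parses such packets and reassembles the dialed digits from a constructed sample stream, which is what an analyst would do when reviewing a VoIP capture of a suspicious call. The payload type 101 and all packet contents are constructed here; the negotiated payload type comes from the SDP of the real call.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List

# RFC 4733 event codes for the 16 DTMF keys (0-9, *, #, A-D).
DTMF_EVENTS = {i: str(i) for i in range(10)}
DTMF_EVENTS.update({10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"})


@dataclass
class TelephoneEvent:
    digit: str
    end: bool          # E bit: last packet of this key press
    volume: int        # tone power as attenuation in dBm0 (0..63)
    duration: int      # event length so far, in RTP timestamp units
    seq: int
    timestamp: int     # RTP timestamp of the *start* of the key press
    ssrc: int
    marker: bool       # M bit set on the first packet of a new event


def parse_rtp_telephone_event(packet: bytes, dtmf_payload_type: int) -> TelephoneEvent:
    """Parse one RTP packet and return its telephone-event, or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("RTP header truncated")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    if b1 & 0x7F != dtmf_payload_type:
        raise ValueError("not the negotiated telephone-event payload type")
    offset = 12 + 4 * (b0 & 0x0F)             # skip the CSRC list
    if b0 & 0x10:                              # RTP header extension present
        if len(packet) < offset + 4:
            raise ValueError("extension header truncated")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                  # padding: last byte holds the pad length
        payload = payload[:len(payload) - payload[-1]]
    if len(payload) < 4:
        raise ValueError("telephone-event payload truncated")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    if event not in DTMF_EVENTS:
        raise ValueError(f"event {event} is not a DTMF key")
    return TelephoneEvent(DTMF_EVENTS[event], bool(flags & 0x80), flags & 0x3F,
                          duration, seq, ts, ssrc, bool(b1 & 0x80))


def decode_dtmf_stream(packets: Iterable[bytes], dtmf_payload_type: int) -> str:
    """Reassemble the dialed digits from an RTP stream.

    One key press is carried by several packets (start, periodic updates and a
    retransmitted end packet) that all share the same RTP timestamp, so exactly
    one digit is emitted per distinct (SSRC, timestamp) pair.
    """
    digits = {}
    order: List[tuple] = []
    for pkt in packets:
        try:
            ev = parse_rtp_telephone_event(pkt, dtmf_payload_type)
        except ValueError:
            continue                           # audio packet or malformed: not a digit
        key = (ev.ssrc, ev.timestamp)
        if key not in digits:
            digits[key] = ev.digit
            order.append(key)
    return "".join(digits[k] for k in order)


def build_telephone_event(seq, ts, ssrc, pt, event, end, duration,
                          marker=False, volume=10) -> bytes:
    """Construct an RTP telephone-event packet (used here only to make sample input)."""
    header = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc)
    return header + struct.pack("!BBH", event, (0x80 if end else 0) | volume, duration)


# Constructed sample stream: key "4" held for 3 x 160 samples, one plain audio
# packet (payload type 0), then key "#".
PT = 101
SAMPLE_STREAM = [
    build_telephone_event(1, 8000, 0x1234, PT, 4, False, 160, marker=True),
    build_telephone_event(2, 8000, 0x1234, PT, 4, False, 320),
    build_telephone_event(3, 8000, 0x1234, PT, 4, True, 480),
    build_telephone_event(4, 8000, 0x1234, PT, 4, True, 480),   # end packet retransmitted
    b"\x80\x00\x00\x05\x00\x00\x20\x00\x00\x00\x12\x34" + b"\x00" * 160,
    build_telephone_event(6, 9600, 0x1234, PT, 11, False, 160, marker=True),
    build_telephone_event(7, 9600, 0x1234, PT, 11, True, 320),
]

if __name__ == "__main__":
    print(decode_dtmf_stream(SAMPLE_STREAM, PT))   # 4#
```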

[+] feanaro|4 years ago|reply
Yeah, I'm confused, isn't "To get help with problems relating to your account, press 4." and similar just par for the course in almost every automated call system?
[+] whimsicalism|4 years ago|reply
Just don't give people 2FA codes? I am never going to give a 2FA code to someone who calls me, no matter what combination of words come out of their mouth.
[+] iforgotpassword|4 years ago|reply
As TFA starts out, it is always easy to point out all the mistakes after the fact. People underestimate how prone the mind is to just trying to play down danger, inconvenience and generally unpleasant situations. Even after a few minutes on the phone, after you've built up the most basic "relationship" with the person on the other end, you simply don't want this to be a scam. Avoiding cognitive dissonance. Just like when you bought something expensive that doesn't really meet your expectations.

Then you must not underestimate the pressure under which you then are, because either way is not a pleasant situation (getting scammed or having been scammed already trying to contain the damage). I fully believe the author that they only skimmed that mail and weren't even aware that this is 2FA. It must have seemed like "just some one-off verification code".

Then I think there is also this phenomenon where experts think that just by being an expert on something, they are immune to it. Not consciously, rationally, but lingering in the subconscious. It reminds me of the show "The Good Doctor", where a seasoned oncologist is diagnosed with a brain tumor and completely blocks off any conversation about it and rejects treatment. I think that very well illustrates what I mean.

Another anecdote to add here is that Jim Browning, a YouTuber focused on finding scam call centers, getting into their systems to gather information and shutting them down in the end, got his YouTube account taken away from him through a scammer on the phone. So I'd be careful with claiming this could never happen to me because I'd never do X. Until the day you do without realizing.

[+] unixbane|4 years ago|reply
Until you play with 15 different companies, each of which has slightly different variants of how they do their authentication security theater, as well as them throwing oddballs at you every month, until you really have no idea how anything is supposed to work anymore.
[+] jcoq|4 years ago|reply
Right? There's nothing surprising about getting scammed when you give out the 2FA code.
[+] dwild|4 years ago|reply
> even offered to transfer me to his supervisor, which is not something a scammer would usually be able to do, but I had not yet actually challenged any of it.

This tactic is actually used by so many scammers; it's weird that a scam prevention expert is saying that kind of thing. His sentence proves how powerful transferring you to someone else is: how could they transfer us to a supervisor?!

They are working in call centers; they just give their phone to someone else, often someone with more experience with scams and thus better at convincing you. In some cases I have seen situations where they use that tactic as good cop / bad cop, where the first one is threatening (this bad thing will happen if you don't act quick, etc.) and the next one is more on your side; he believes you, but you need to work with him. I've even seen some where they say that they have no other choice but to open a police report with your local police, and ask you for your local police phone number, act like they talk with them on a second phone (as if they couldn't put you on hold and initiate the call directly on their system) and then say that the police want to talk with you and will call you directly (I guess using fake caller ID again, but with the police phone number).

It's all part of their tactic.

[+] smeej|4 years ago|reply
I got another report from a former colleague about a nearly identical story yesterday. This person was also in the "knows better than to fall for this kind of thing" category.

The critical difference, though, is that he reported the scammer read off a list of his actual recent transactions.

That part, especially when combined with this second story so soon afterward, makes me think some third-party budgeting tool or something was recently breached and just hasn't announced it yet.

[+] sevenf0ur|4 years ago|reply
I have to give credit for sharing your story and how sophisticated these attacks can be. These scams work because we're human and don't always think rationally under pressure.