Thursday, February 3, 2022

Hang Up and Call Back

Brian Krebs:

Many security-conscious people probably think they’d never fall for a phone-based phishing scam. But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening. Here’s how one security and tech-savvy reader got taken for more than $10,000 in an elaborate, weeks-long ruse.

Andrew Abernathy:

A problem here in my experience is legit fraud departments leave callback numbers that don’t match the phone number on the back of the credit card; if you call the number on the card they don’t know what you’re talking about. Fraud depts are training us to trust random ass calls.

Pieter Gunst:

Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.

They used this to gain access to the account.

Then read some of my transactions to give the call more credibility.

Patrick McKenzie:

Wish more banks would do what Stripe does here: “Log into your account and use the ‘auth a support rep’ feature. I will read you some digits, you verify they match, then read your digits to me.”
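The mutual verification flow McKenzie describes, modelled as an added example that is not part of the original post and not Stripe's own code: the bank issues two short codes when the customer opens the in-app flow, the rep proves they are the bank by reading the first one, and only then does the customer read the second one back. The session ids, the six-digit code format and the five-minute lifetime are assumptions.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
TTL_SECONDS = 300


def _code():
    # Zero-padded numeric code from a CSPRNG (assumed format, not Stripe's).
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


class SupportVerifier:
    """Bank-side state for support sessions started from the logged-in app."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def start_session(self, customer_id):
        """Customer taps 'auth a support rep' in the app; the app shows rep_code
        (what a genuine rep must read to them) and customer_code (read back)."""
        sid, rep_code, customer_code = secrets.token_hex(8), _code(), _code()
        self._sessions[sid] = {"customer": customer_id, "rep_code": rep_code,
                               "customer_code": customer_code, "used": False,
                               "expires": self._now() + TTL_SECONDS}
        return sid, rep_code, customer_code

    def rep_code_for(self, sid):
        """Rep console: the code the rep reads aloud to prove it is the bank."""
        s = self._sessions.get(sid)
        return None if s is None else s["rep_code"]

    def verify_customer(self, sid, spoken_code):
        """Rep enters the digits the customer read back. Single use, expiring,
        constant-time compare; a caller who only spoofed caller ID has no sid."""
        s = self._sessions.get(sid)
        if s is None or s["used"] or self._now() > s["expires"]:
            return False
        s["used"] = True  # burn the session even on a failed attempt
        return hmac.compare_digest(s["customer_code"], str(spoken_code))


def customer_checks_rep(displayed_code, spoken_by_rep):
    """Customer side: say nothing further unless the caller can read the in-app code."""
    return hmac.compare_digest(displayed_code, spoken_by_rep)
```

The order matters: the customer compares the rep's spoken code against the app before disclosing anything, which is exactly the "hang up and call back" property applied to an inbound call.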

Chris Messina:

Apple Support now sends push notifications to your devices to verify that it’s you calling.

Corey Hoffstein:

My bank just called me about something, but couldn’t tell me what it was about unless I answered my security questions.

Sorry, I’m going to assume it’s fraud and hang up 100% of the time.

I called the bank myself. Turns out it was legit.

What a stupid, broken security model.

Oluseyi Sonaiya:

I just received a phone call purporting to be Apple Inc., with a recorded voice telling me my “iCloud account had been breached,” not to perform any actions, and to press “1” to connect with “Apple Support.”

If you receive this call, it’s a scam.
There is some persistent vulnerability in US phone networks that is allowing spammers to spoof the phone numbers and caller ID information of known brands. It shows up as "Apple Inc." on my phone, too.

Brian Krebs:

You may have heard that today’s phone fraudsters like to use caller ID spoofing services to make their scam calls seem more believable. But you probably didn’t know that these fraudsters also can use caller ID spoofing to trick your bank into giving up information about recent transactions on your account — data that can then be abused to make their phone scams more believable and expose you to additional forms of identity theft.

Update (2022-02-04): John Bowdre:

I’ll also add: if you can’t find a company’s support phone number on their website, they don’t want you to call. Use some other contact method. The number you found via search is probably a scam.


I always heard that the rule was to never give anyone any information if you did not initiate the call. Always apologize, hang up and call the official number from your card, a statement or the website. This isn't 100% secure, I'm sure, but it's just good practice. (OK, the apology is optional.)

One exception is for "yes" or "no" questions. If they ask for a "yes" or "no" and it doesn't compromise anything, you can say "yes" or "no". You can confirm your name. You can confirm or deny a transaction with a "yes" or "no", but otherwise be taciturn and pay attention. To be honest, this is also good advice for dealing with depositions, arrests and the like. Lawyers, the police and scammers are all experts at gathering information.

Kevin Schumacher

Depositions and interrogations after arrest deal in two different arenas as far as the rights one has to answer (or not) questions.

If you're arrested, you say nothing except to assert your right to not answer questions and ask for a lawyer (hopefully without asking for a lawyer dog, or at least praying that you'll get a judge who understands that you were not actually asking for a lawyer who is also a dog, since that doesn't exist, and were actually expressing a desire to seek counsel).

As far as the topic at hand, you shouldn't be confirming anything--name, transactions, or otherwise--on a call you didn't initiate, either. If someone is determined to do something, they can use the most innocuous of information to do it.

So what I don't understand is why anyone is actually answering the phone. I don't answer any calls unless I am expecting them or they are from my family. If it is a company that wants me to call back I call their official number. End of story.

If I can't get to the person who called me through their regular phone system, I don't talk to them. Large banks and credit card companies are very efficient if you use their regular official number (at least if it is something that they care about, like fraud).
