Hey all! This post won't be long, and I'm sorry but it won't be terribly technical either.
Tonight I had an encounter with a scam artist who was attempting to steal my Apple ID and credit card information. The scam was rather sophisticated, and they already had a lot of information about me. This scam attempt even involved an actual fraudulent credit card transaction.
They didn't get me, and they shouldn't get you either. Here are some tips to avoid falling prey to these sorts of scammers.
If a company that holds your sensitive data calls you, just tell them that you will hang up and call them back at their official support number. Never trust the person who calls you, not even if the caller ID matches! This applies to:
- Credit card company
- Any financial institution (bank, mortgage company, etc)
- Any insurance company (title insurance, etc)
- Utility company or ISP
- As an extra precaution, this should also include anybody from "HR" or "payroll" at work if you don't know who they are
Find the official number somewhere you already trust:
- The back of your card (credit card, insurance card, etc)
- Your financial statements from that institution
- If work-related, check your company contact lists or corporate email
Your passwords will only protect you so much. There's no such thing as an unbreakable password. Even if it can't be brute-forced, it could be compromised some other way. MFA is annoying, I know, but it really does improve your security.
Nobody, in the course of legitimate business, will ever ask for your MFA token. Never give it out.
There are only two groups of people who ask you for your password.
- Your friends and family trying to "share" your Netflix account (you probably shouldn't do this)
- People trying to steal your information and/or money.
A legitimate customer service representative has been told, repeatedly, that they should never ask for a password.
If someone else knows your password, and you didn't give it to them, your password has been compromised. All legitimate service providers and financial institutions store your password in a form that prevents them from seeing it. They won't know your password.
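To show why a legitimate provider can't read your password back to you, here is a small example I'm adding to this post (it is not code from any particular provider, and the iteration count is an illustrative assumption). The provider stores only a random salt and a slow one-way digest; at login it recomputes the digest from what you type and compares, so the password itself is never on file.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative work factor (an assumption for this example, not a provider's real setting).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the password is not."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest from the typed password and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def password_recoverable(stored_digest: bytes, password: str) -> bool:
    """True only if the plaintext password literally appears in what is stored (it never should)."""
    return password.encode("utf-8") in stored_digest


# Constructed sample record, shaped like a row in a provider's user table.
_salt, _digest = hash_password("correct horse battery staple")
SAMPLE_RECORD = {"salt": _salt.hex(), "digest": _digest.hex()}

if __name__ == "__main__":
    print("stored record:", SAMPLE_RECORD)
    print("correct password accepted:", verify_password("correct horse battery staple", _salt, _digest))
    print("wrong password accepted:", verify_password("hunter2", _salt, _digest))
```

The support rep looking at that record sees a salt and a digest, nothing they could read out over the phone, which is exactly why anyone asking you for your password is not doing legitimate business.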
Many scammers have weird tells. They will have some of your information correct but not the rest. They will know some things about you but not other things that would normally be collected at the same time.
For instance, if you have given them money in the past, they should have your address and postal code (if appropriate for your region). They shouldn't need to ask you for an email address or a phone number.
If something feels wrong, hang up and verify the official number, and call that number. Confirm that they're the ones who spoke with you just now.
I just changed all of my important passwords because of this. Any time I encounter suspicious stuff like this, I change my passwords. I also change my passwords with some regularity for things like Apple, Google, PayPal, Venmo, my banks, etc. It's super important to change your passwords at least once a year (every 90 days is best).
The job of a customer service representative is to take care of business in a non-threatening and safe manner. They're supposed to make you feel good about doing business with their organization.
A scammer is trying to manipulate you. They may try to scare you, or flatter you. If someone behaves in ways that feel like manipulation (lying, name-calling, judgemental tones, abuse), they might not be a customer service representative.
Always hang up and call the official support number.
Scammers rely on people feeling embarrassed or ashamed of being targeted or victimized. They count on people not disclosing the things that fooled them. Don't fall into that trap.
Talk to your friends, family, loved ones, colleagues, and neighbors about what happened. By letting folks know that scams happen to people they know, you are helping them to be aware that scammers could target them, too.
Go into the account settings for your various things, and make sure that you don't have any devices that you don't recognize. While you're in there, make sure you revoke any old devices you don't recognize.
Given that both text message and telephony protocols have numerous back-doors and security holes (some have no authentication at all, so the sender or caller ID can be spoofed trivially), you cannot trust any incoming text message or phone call. Just don't.
If a text message comes in and you don't know who it is, don't respond. If it's your bank, call your bank and ask them if they just sent it.
Keep in mind, these people aren’t just trying to scam you. They may be using you to scam someone else. They may be trying to go after your employer.
Remember: they called you. They shouldn’t have to confirm anything if they called you.
Mark Rober (yes, that Mark Rober) put up this video last month that covers some of the complexity that goes into these scams. I highly recommend you watch it.
I hope that this in some way helps y'all.
UPDATE: Added #10