
How I lost control of our bank accounts to a phone scammer - miles
https://robservatory.com/how-i-lost-control-of-our-bank-accounts-to-a-phone-scammer/
======
projektfu
I got a call from Wells Fargo telling me that they had identified a fraud on
my account. Fair enough, I was about to call them to tell them that they
cashed a check against my account that was written for a different name. This
was entirely their own doing, essentially. Then, they ask me to verify my
information before starting the process of fixing this and creating a new
account number.

“With all due respect, you called me. How do I verify you?”

“Well you have to answer the question otherwise we can’t fix this over the
phone.”

“OK that’s fine, just give me some way to contact you when I call the main
number.”

“No, there’s no way to do that. If you don’t answer these questions now,
you’ll have to go to a branch.”

This was entirely surprising to them. In the end I had to go to an office and
show my forms of ID, which I found amusing because they didn’t even bother to
verify that the name on the check matched the account. But anyway. This bank,
at least, is not yet on board with good security practices.

~~~
technion
My real estate agent has a @agentname.com domain which all my previous
communication has run over.

Last week I got an email notice that a payment was due for a household bill.
It came from mailer@constantcontact.com and contained a link to a Google Form
which asked for a credit card number. The form itself even has Google's
warning not to provide credit card numbers down the bottom. It never even
named my agent, where I was living or what the bill was for or anything that
made it believable.

I forwarded it to them and said I wanted to report some potential phishing. A
legitimate person responded from their mailbox noting that they don't accept
excuses like that, and pointing out the bill must be paid and no one else had
ever questioned it.

I work so hard to train users about scams but I just have no idea what to do
about the rest of the world.

~~~
thaumasiotes
> The form itself even has Google's warning not to provide credit card numbers
> down the bottom.

I received a PayPal phishing email once which included PayPal's actual
security footer at the bottom. It helpfully pointed out that communications
from PayPal will always address you by name, never as "Dear customer".

I was amused by this, since the phishing email started off with "Dear
customer".

There must be some population of people out there who are looking for the
footer, but not bothering to think about what it means. (Or possibly a
population of scammers who copy the official formatting without checking
whether it's something they really want.)

~~~
andybak
Don't get me started on Paypal. They send emails from a domain that isn't
paypal.com with login links in the email that point to a domain _that isn't
paypal.com_

I genuinely can't distinguish official Paypal emails from phishing emails -
and that's because the Paypal emails look like bad phishing emails rather than
because phishing emails are so sophisticated.

EDIT: Good write up here:
[https://cantoriscomputing.wordpress.com/2017/03/04/paypals-emails-encourage-dangerous-habits/](https://cantoriscomputing.wordpress.com/2017/03/04/paypals-emails-encourage-dangerous-habits/)

~~~
avip
I've reported such emails to spoof@paypal.com and never got a reply.
Maddening. I never open mails from PayPal now - better safe than sorry.

Edit:
[https://news.ycombinator.com/item?id=15296425](https://news.ycombinator.com/item?id=15296425)

~~~
steelframe
The last time I attempted to sell something on eBay, twice in a row a scammer
-- presumably in the Ukraine -- won the auction and then proceeded to send me
a spoofed Paypal payment confirmation (from: service@intl.paypal.com) written
in Cyrillic. The mailing address was a drop ship company in New Jersey. Then
they were aggressive about sending me messages like, "I paid, have you sent it
yet??"

I ignored them and sent the spoofed emails to the spoof addresses at both eBay
and Paypal, which seemed to be entirely ignored. After the required amount of
time passed I reported the auction winners as non-paying, and I finally got my
seller's fees "refunded" to my eBay account.

Then, a couple of weeks ago, I attempted to get eBay to actually transfer my
fee credit to my bank account. eBay responded with, "We would really love to
help you out with this, but due to COVID-19 we can't."

Somehow one of the fraudulent buyers has had an eBay account since 2012, and
it's still active and has a 92% positive feedback rating. Their current
auctions include a used gynecological examination chair. It's as if they're
flaunting the fact that they can get away with whatever they're doing without
being held accountable by either eBay or Paypal.

------
_bxg1
The fact that the phone number on your screen cannot be trusted to be the real
one is _completely unacceptable_. It takes a very savvy person to know not to
trust it; any reasonable person would assume it to be correct.

And there is no one to blame but the carriers. I really hope the FCC's new
anti-spam rules kill this problem dead in the water.

~~~
projektfu
This is an unfortunate by-product of the way phone numbers work. It’s
necessary that when I call from one of my N lines, your caller ID says my main
number. Adding in SIP, cellular and other forms of phone mobility makes it
hard to authenticate phones without a central system that was never provided.

~~~
namibj
We don't have spam calls over here in Germany. I _never_ received one. There
were 3 calls I remember that were doing research stuff, but that's all. And
telling them to not call again would have solved it, btw.

It seems to be related to other stuff the US is behind on, but I've given up
on finding out how it could be fixed in the general (last 20 years) political
climate.

~~~
bluerobotcat
I think it might be mostly that you're not in an English speaking country.
Based on accent, a lot of spam calls appear to originate from developing
countries.

~~~
namibj
That would explain maybe a 100x difference on its own. But that's already way
over, if I aggregate data from close family about how many spam calls they
got.

------
antoncohen
Yesterday a family member got scammed out of banking information in a COVID-19
related scam. These scams are rampant right now. I think it is worth warning
family and friends that might be unaware.

Banks sometimes make it hard to do the right thing. Last year my bank called
me, I didn't answer the unknown number and they left a message. The message
had a phone number to call and a case number. I'm not going to call a number
someone gives me, so I called the main number and asked to be transferred.
After a few transfers to the wrong people, it eventually became clear they
couldn't transfer me to this particular fraud department.

I physically went into a bank branch. A very nice banker there tried to call
them for me, spent 20 minutes on hold and being transferred around. They were
able to confirm the call was real, and what it was about. But the final
conclusion was, there was no possible way to reach the person in this fraud
department, they had to _call me_. We arranged a 1 hour window where they
would call me and I'd be sure to answer the phone.

~~~
antoncohen
I'm going to correct myself. My family member didn't get scammed!

There is a government agency cold emailing people, telling them to fill out a
form that asks for Bank Name, Account Number, and Routing Number.

[https://imgur.com/a/5loIfnW](https://imgur.com/a/5loIfnW)

Way to teach people to be safe.

At the same time the IRS is telling people to avoid scams by not clicking
links in emails: [https://www.irs.gov/newsroom/irs-issues-warning-about-coronavirus-related-scams-watch-out-for-schemes-tied-to-economic-impact-payments](https://www.irs.gov/newsroom/irs-issues-warning-about-coronavirus-related-scams-watch-out-for-schemes-tied-to-economic-impact-payments)

~~~
projektfu
> [https://imgur.com/a/5loIfnW](https://imgur.com/a/5loIfnW)

That looks super shady.

~~~
npsomaratna
Genuine question here: since the domain name is *.sba.gov, wouldn't that be
enough to consider this legitimate?

~~~
notechback
I don't know the specifics here but many official sites also can have
compromised parts, e.g. a subdomain with an old wordpress install or similar
can get taken over.

------
vxNsr
The persistence is what tells me it's fraud. A regular bank would just tell you
the number to call and say "have a nice day."

In fact my bank recently did try to reach me for fraudulent charges and they
did it by text and at the end it said "call the number on the back of your
card", so I would suggest, just like the IRS will never call you directly,
assume your bank will never call you. They might text you, email you, have
their app send you a notification, but never a call, and they will always say
"call the number on the back of your card".

~~~
xapata
I got a call from my bank earlier today, trying to get me to finish my
mortgage application. I think it was them, but I refused to authenticate,
because I didn't schedule the call.

~~~
gowld
I hated that. When I was buying real estate, it's an endless stream of
warnings to not give away all your money to scammers, interleaved with a
stream of messages from the bank, brokerage, and escrow company that look and
act _exactly_ the way scammers behave. No security in the phone based
transactions. No challenge-response. Constant handoffs to new associates and
affiliates.

They don't care about security at all; they just want to be able to say "we
warned you" if you get robbed.

~~~
paultopia
This is so true! It's absolutely mind-blowing how a fraud warning can be
immediately followed by an impromptu call from someone's assistant using a
cellphone.

This is also more broadly true of the consumer lending industry. One of the
things that totally boggles my mind is that consumer loans are bought and
sold, and then a consumer just receives a random letter one day: "hey, start
sending your payments to me now!" How on earth is the poor consumer to know
that the random person who is demanding money actually holds the note? And
it's not like the student loan or the auto loan or the mortgage loan
originator actually has a phone number one can call where someone actually
reliably will answer the phone and will actually know whether the note was
sold or not (have you tried to get a student loan servicer on the phone?)...

I think probably the only solution for that industry is to legislate rational
security practices at them.

------
stevebmark
Another missed red flag is when the scammer _told_ him his last four of SSN.
No legitimate company who has your DOB or SSN will ever tell you it over the
phone. I'm pretty sure that's a violation of compliance laws. Agents are
trained to ask, not tell.

~~~
mannykannot
Giving it to some random caller does not make _me_ any more secure - so it
would seem that the rational approach is to distrust any incoming call that
mentions the issue, as it does not belong in any security challenge.

~~~
mannykannot
To correct my own claim, it seems reasonable to give this information if you
are confident you have contacted a trusted entity, so that it can do its
verification.

------
cgijoe
My takeaway: Never, ever talk to anyone over an incoming call. Always, always
initiate the call yourself, and to the official number.

~~~
DonaldFisk
If someone claiming to be from your bank calls you, it isn't safe to hang up
and call on the official number, unless you call the bank on a different line.
The original call doesn't end until the calling party hangs up, and they might
spoof a dialling tone and then a ringtone.

~~~
cortesoft
That is only on VERY old land line systems... in fact, I don't think any exist
anymore (the last ones were phased out a few years ago)

~~~
miles
New scam keeps fraudsters connected after victim hangs up
[https://www.cbc.ca/news/canada/ottawa/line-in-trapping-technology-1.5387822](https://www.cbc.ca/news/canada/ottawa/line-in-trapping-technology-1.5387822)

"Scammers using line-trapping technology to trick victims, police warn"

~~~
duckmysick
What is line-trapping? The article doesn't explain how it works and which
devices are vulnerable. I tried to look it up but the results aren't helpful.
They are either rewrites of the same article or irrelevant pages about
wildlife trapping.

I suspect they affect landlines, but the articles have confusing photos
showing smartphones.

~~~
RandomBacon
I think I read about it in one of Mitnick's books years ago.

Basically, if you hang up your landline, it doesn't sever the connection.

------
kls
I had one of these guys call me and I can tell you they are good, we have a
lot of skimmers on gas terminals, atms, etc. in South FL so it's pretty normal
to get fraudulent transactions calls. But like this article, the guy spoke
perfect English. The cunning part is they really knew the workings of my bank,
they would call 5 minutes after the main line closes for the night. The worst
part about it is, they had my card number but it has been put in cold status
due to legit fraudulent activity, which basically means you can only use it as
a debit card. Their aim was to get my pin from me, and they had a whole script
before that, that they run thru. The scary part is it felt like a legit
fraudulent activity call from my bank and I still suspect that one of the
scammers had inner-working details of my bank. I knew it was not when they
asked me to verify my pin. At which point I realized it was not a legit fraud
activity call. I ask for a call back number and of course the excuse making
started about the main line being closed now (they have a separate fraud line
that is 24 hours). I told them I would call back in the morning, they said
they would have to let these transactions go thru if I did. I said fine but I
dispute them if you are recording and hung up and promptly called the fraud
line. The scammers are getting more sophisticated and convincing.

------
dumbfoundded
Some banks do actually send and then ask for a verification code over the
phone. And it's legit!

They have multiple types of verification codes, like ones for wires and
another verifying your identity if you call customer service.

Avoiding fraud is complicated already and will continue to be a problem
forever. As people get better at identifying scams, the next one will emerge.
As companies create new policies to avoid fraud, "jerks" will figure out ways
to manipulate it.

I'm not sure a long term solution exists.

~~~
riyakhanna1983
Is it possible to eliminate the phone number? It was needed in old days, and
many people today use over-the-top services like WhatsApp and FaceTime.
Companies use phone number to track us and scammers use it to swindle us.

~~~
dumbfoundded
Probably not. If a phone number is replaced with a hash or a username, similar
if not identical problems will emerge. Look at the numerous bitcoin scams.

I think the only thing that helps is time. The longer a technology has been
around, the harder it is to fake. Fraudulent gold or currency is pretty tough
to do and the people tasked with tracking down the offenders are effective.
With most internet-based scams, the technology is emerging. It will take a
long time for detection and mitigation to catch up.

------
jeffdavis
One lesson is that it's not a certain type of person that falls for a scam.
It's anyone when they are in the wrong frame of mind.

Obviously there are ways to prepare yourself, and rules to follow, and red
flags to watch for. But you won't really follow the rules unless you believe
that "yes, it can happen to me". It might be when you are busy or fatigued or
in the middle of a big transaction or whatever.

~~~
AdrianB1
There are 2 types of people who fall for a scam: the one who does not know
how things work and the one who ignores the red flags.

Writing the story is good for the ones that don't know.

------
robenkleene
The author is Rob Griffiths of the venerable Mac OS X Hints
([http://macosxhints.com](http://macosxhints.com)) and Many Tricks Software
([https://manytricks.com/](https://manytricks.com/)).

~~~
rsync
I chuckle because rsync.net purchased a few "Witch"[1] licenses and my
accountant's auditor who was going through last years expenses came across a
charge from "manytricks.com" and sort of sheepishly said " ... I think this
might not be a business expense ...".

I had to explain that it was, in fact, and showed her the software that we had
licensed ...

[1] [https://manytricks.com/witch/](https://manytricks.com/witch/)

------
litoE
A couple of months ago my wife fell for a similar scam. Caller on her cell
phone said he was from our cellular carrier. She was sent a text message with
a code, which she read back to him. Caller proceeded to access our on-line
account at the carrier, using her cell phone number as the user ID, and
purchased two top of the line iPhones, to be shipped to a hotel a couple of
blocks from our house under her name and, of course, billed to us.

Fortunately, the carrier put the order on hold and sent her a text message
asking her to confirm the order, so I was able to regain access to the account
and reverse the purchase.

I called the carrier's security, told them the story and gave them the address
of the hotel where the scammer would be picking up the phones he had ordered,
but they were not interested in following up.

~~~
maccard
> but they were not interested in following up.

Why would they be? All they're interested in is avoiding transactions that
might be marked as fraudulent, they're not interested in actually fixing the
issue. That's the police's issue, not your carrier's.

~~~
Nextgrid
Following up and putting the scammer in legal trouble means he's no longer
going to be around to retry the scam on the next victim (who might actually
fall for it).

------
libraryatnight
Why do people answer the phone at all when it's not an actual person (family
or friend)? There's no reason for a business to call you. My phone sends any
call that's not from a number in my contacts straight to voicemail - if a
voicemail even gets left that's not just someone hanging up, you can return
the call to a number you know is real. The IRS deals almost exclusively by
mail, banks have apps with account notifications. There's not many good
reasons to answer unexpected calls from businesses.

~~~
xenocyon
Presumably you have never interacted with a doctor :-)

~~~
libraryatnight
My doctor interacts via a patient portal online.

------
chrischen
Even with new tech companies like Plaid they're designing patterns that will
compromise security down the line. Plaid has you enter your bank login
information right on some third party website. While Plaid can be trusted,
there's no reason to trust the third party with my bank login info. My
password manager doesn't work on these pages since it doesn't recognize
the domain. But a less astute user may unwittingly give out their bank login
info to some random site that makes a fake Plaid UI.

~~~
LordOfWolves
Please correct me if I’m wrong, but I believe Plaid uses an OAuth-like
experience via an external tab/window to an encrypted sub domain of their
website for authentication (so no middle man sniffing technically possible).

Disclaimer: I do not work for Plaid, but have used it in the past.

~~~
chrischen
If it is implemented that way there’s no way to tell from the user side. It
just looks like it’s a part of whatever website you are on. My password
manager even refuses to autofill.

------
grecy
I steadfastly have the stance I will never talk to anyone over the phone
unless I initiated the call, and this is a great reminder to stick to that, no
matter what they say.

~~~
lucb1e
Just to be clear, that's in the context of talking to companies, not when a
friend calls you up? Because I'm not sure if it's because I'm just thick or
because I'm not natively English but it can be understood (as my sibling
comment seems to do) as literally never talking to anyone unless you called
them.

~~~
CarlRJ
If two friends both had that policy, it'd be a standoff. They'd never get to
talk on the phone.

~~~
markdown
This is why call centres based in Mexico always fail.

------
icedistilled
He still failed to notice a huge red flag. Companies are not supposed to call
people up and tell them your last 4 SSN digits, let alone the entire thing.

If your bank ever does that to you, close your accounts and switch banks.

Why did he not realize this after the fact and point it out as a missed red
flag? Has anyone had their bank read them their SSN over the phone? That
sounds like a massive PII compliance issue.

------
gowld
> Here’s the tl;dr version: Do not ever, as in never ever, give out a
> verification code over the phone.

The deeper lesson here is the power of cognitive dissonance. If you get even
slightly fooled, your egotistic brain will Stockholm Syndrome you into working
_for_ the attacker, to postpone the embarrassment of acknowledging to yourself
you got a little bit fooled. The worse it gets the deeper your denial will
grow to stop you from cutting off the attack.

------
ipv6ipv4
I read these accounts of scams and I can’t imagine any legitimate scenario
where I could possibly expect a call from a bank about any of my accounts -
checking, savings, brokerage, CC, mortgage.

With everything available online, there is no reason to step into a branch or
have an ongoing phone ‘relationship’ with a bank. I can’t remember the last
time a financial institution called me about an account. Even credit cards
have moved away from fraud check calls to simple and foolproof yes/no
verification messaging.

Outside of non-specific marketing and upsell calls, any call I get out of the
blue can only be a scam.

------
1024core
Why do phone companies allow phone number spoofing? I can't spoof just
anybody's IP address; why can I spoof a phone number?

~~~
cerberusss
Of course you can spoof anybody's address. Depending on the protocol, you may
not be able to get it working. But if it's UDP, you can definitely spoof
someone's IP address.

~~~
Tepix
Quite a few ISPs will not let you use IP addresses that do not belong to them.

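The exchange above (cerberusss on UDP source spoofing, Tepix on ISPs refusing source addresses that are not theirs), as an added example that is not part of the thread: the script below builds an IPv4/UDP datagram whose source address is simply whatever the caller writes into the header, computes both checksums so a receiver would accept it, and then shows the ingress check (BCP 38 source-address validation) that an ISP edge applies to drop such packets. The addresses, ports and payload are constructed placeholders from the documentation ranges, and nothing is ever sent; putting the bytes on the wire would need a raw socket and root, which the example deliberately omits.

```python
"""Craft an IPv4/UDP datagram with an arbitrary source address.

Added example for the spoofing discussion in the thread; not code from any
commenter. It builds the packet bytes and verifies both checksums but never
sends anything. All addresses are documentation-range placeholders.
"""
import ipaddress
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_udp_packet(src_ip: str, dst_ip: str, src_port: int,
                     dst_port: int, payload: bytes) -> bytes:
    """Return IPv4 header + UDP header + payload with src_ip as the source.

    Nothing in the format binds src_ip to the real sender: it is a plain
    field, and both checksums are computed over whatever is written there.
    """
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP checksum covers a pseudo-header (addresses, protocol, length),
    # the UDP header with a zeroed checksum field, and the payload.
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_csum = checksum(pseudo + udp_hdr + payload) or 0xFFFF  # 0 means "absent"
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum)
    # IPv4 header: version/IHL, DSCP, total length, id, flags/frag (DF set),
    # TTL, protocol, checksum placeholder, source, destination.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234,
                         0x4000, 64, socket.IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def parse_packet(pkt: bytes) -> dict:
    """Decode the packet the way a receiver would and validate checksums."""
    (ver_ihl, _, _, _, _, _, proto, _, src, dst) = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, ulen)
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "sport": sport,
        "dport": dport,
        "payload": pkt[ihl + 8:ihl + ulen],
        # A correct checksum makes the one's-complement sum of the covered
        # bytes, checksum field included, come out to 0xFFFF.
        "ip_checksum_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
        "udp_checksum_ok": ones_complement_sum(pseudo + pkt[ihl:ihl + ulen]) == 0xFFFF,
    }


def ingress_filter_allows(src_ip: str, customer_prefixes) -> bool:
    """Source-address validation (BCP 38) as an ISP edge applies it: forward a
    packet only if its claimed source lies in a prefix assigned to the
    customer port it arrived on. customer_prefixes is a constructed list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    # Constructed sample: claim to be 203.0.113.7 when talking to a resolver.
    pkt = build_udp_packet("203.0.113.7", "198.51.100.20", 40000, 53, b"hello")
    print(parse_packet(pkt))
    # The same packet, seen at an ISP edge whose customer only owns 192.0.2.0/24.
    print(ingress_filter_allows("203.0.113.7", ["192.0.2.0/24"]))
```

The receiver-side parse accepts the packet whatever source address was written in, which is the whole point of cerberusss's remark; only the edge filter, which knows which prefixes belong behind a given port, can reject it. The 5-byte payload also exercises the odd-length padding rule that the UDP checksum requires.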
------
tdy721
At the end he mentioned he had 2fa activated. How did the scammer defeat that?
Did he read another code out to them and gloss over it?

~~~
bowmessage
That may have been the 'second code' referred to as a typo by the article, but
was perhaps the standard 2fa token that came in after the original password
change token? Nice catch.

------
NightlyDev
No doubt that this person made a huge mistake, but...

Is this seriously a thing? A bank that uses one-factor login? Not only that,
but a weak one too? This seems absolutely ridiculous. Why would anyone use
such a terrible bank? Isn't the bank at least required to try to protect the
customers money? It's usually not that hard to get a hold of a number
belonging to someone else. Where in the world is this?

~~~
DangitBobby
Isn't this two-factor login? Something you know (username) and something you
have (phone)? There's also a good chance that the scammers had a set of leaked
security questions on hand. I'm sure some banks even use SSN as an
authentication factor.

~~~
NightlyDev
No, it's not. A username is rarely a secret used for authentication. In this
case it seems the user got tricked into giving away a password reset code
given over SMS. So the first factor (password) was skipped. If an SMS code and
the password would have been needed then it would be 2 factors.

SSN is also a stupidly bad usage as an authentication factor. A lot of people
have access to it, it's not unique to the service and you can't just change it
whenever you want.

------
greendestiny_re
If you suspect you're talking to a scammer, the best solution is to—waste
their time.

