356 comments

[ 3.3 ms ] story [ 305 ms ] thread
> But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.

Banks could normalize this behavior by having their customer service reps ask customers to do this at the beginning of every call.

"Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."

That can still be gamed by any malicious SEO wizard. People will trust the top Google hit for "bank of america phone number" before they bother with finding it on the website.
I’ve been asked to “call the number printed on the back of [my] card” which would be much harder to spoof.
But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.
> But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.

How long are bank cards valid? I'd say they expire within 5 years? Also, if there is a merger, wouldn't they send you a new card with updated branding?

> But numbers can change

They could, but I just tried calling the numbers on the back of two cards from merged/acquired banks and they both forwarded to the acquiring bank. Yes it's a small sample size, but I suspect that there's enough money on the line and enough legacy contracts and systems that banks keep their communication channels active for some time.

Credit cards typically expire after some number of years, and mergers will typically include those phone numbers. If for some reason the acquiring company decides it wants to sunset its acquired phone numbers, it just needs to do so after the expiration date for the last card issued with that number still printed.
Yeah, every time my credit card provider has needed to contact me, they send me an recorded message telling me to call the number on my card.
I've had different cards for 35 years at least, never got a call. What do they call about generally?
Suspicious activity. Suddenly using your card in the UK, when you're in the US. "Swipes" several hundred miles from your normal location, but also occurring in your normal location on the same day.
Ah, I never use my real card on the net, maybe that's why. I used to get a virtual card unique for every purchase but that has been discontinued now. Got a separate card for online usage that I only put money on when I want to buy something. Also needs to be opened up for Internet usage and many places require an electronic signature with the bank id app. Hoping this will be mandatory soon.
Should be solvable by making sure there's an easy, reliable, uniform way to get this info within the call.

> "Hello. Please find the callback number on boa.com/contact. Please enter code XYZ to be connected directly to the agent regarding this matter. Thank you & goodbye."

It's not perfect & you'll still have some percentage of fraud that goes through, but I'd be interested to see the impact this has on fraud rates.

* EDIT: Callback number via the card as the other commentor noted probably works too.

There is a very large number of people who would not be able to do this properly and would completely bone up the process at some point.
Even worse than SEO, fraudsters edited Google Maps bank information directly http://archive.vn/PPJYW
I wouldn't call it worse. Google maps entries seem to receive less scrutiny than search results, but I also suspect that nobody use as a phonebook. Most people would use google search, or the back of their card.
Google Maps is part of Google Search
How is a random fraudster going to suddenly get the top Google result for "Bank of America phone number"?

I'm sure it's possible, but it strikes me as a pretty large hurdle. And even if they manage to pull it off, they also need no one from the bank to notice and report it.

> How is a random fraudster going to suddenly get the top Google result

They pay for it. Most people can't distinguish search ads from search results.

> They pay for it. Most people can't distinguish search ads from search results.

Would the new transparency requirement be useful to go after these fraudsters after the fact? https://news.ycombinator.com/item?id=22955606

"Alexa, make me the number one search result on Google for Bank of America."

"Alexa, confirm."

You've got it backwards.

One gets a call from the bank, they give you a number to ring, you type the number in to Google search, the results come back listing that number and the bank's name -- identity confirmed!?!

The fraudsters just need _a_ website listed by Google.

My insurer called me out of the blue: I said I'd call back. Their number was not listed on any of the companies websites. I called the company, and said what has happened, took them about 10 minutes to confirm they'd called me and that the phone number I was called on was valid.

As it happened someone was trying to commit insurance fraud, saying we'd crashed in to them; but that's by-the-by (ie not relevant to the main story).

You don't need your site to be #1, especially if you can manipulate one that is already high-ranking-- just astroturf GetHuman with fraudulent numbers.

But I admit-- having just done a search for every institution I could think of, it seems Google AMP has done a lot to promote legitimate numbers. It used to be sites like GetHuman competing with or outranking the actual company website for contact information.

I wish the regulators for financial institutions would mandate this. One of the reasons I left, years ago, the much-beloved-for-reasons-I-do-not-understand Pacific Northwest darling credit union BECU is because I got griped at by their customer service rep who called me to ostensibly tell me about fraud on my credit card. When the rep asked me "identity verification" questions, they got most upset when I replied that they should have this information and how do I know I'm actually talking to BECU.

"Sir, I'm just trying to help prevent fraud on your account and I need to know that it's actually you who answered the phone."

(Yes, there legitimately was fraud but I had no way to know it at the time. I closed the account about a month later after another issue.)

Same with my bank. They should be fined for this, because they will refund 0 if you fall for this, and they’re encouraging this behavior
I got a credit card fraud alert sms text once that asked me to call a number that was different than the phone number on my credit card. I called the card number instead and the alert was legit but they still should have used an easily verified phone number.
Hospitals are even worse. They would periodically call me with random information about appointments or prescriptions and whatnot and would always start off by asking me my birth date and PII to identify myself to them! They're the ones calling me!

I told them as much and after a few years they finally started sending me secure emails asking me to call them. Certainly I wouldn't trust "call back at..." messages claiming to be from a medical provider, even though they're indistinguishable from the real thing because that's the same thing the doctor's office does. It's bizarre considering how security conscious they have to be.

I recently missed a bill due to an error on behalf of my utility company. It ended up at a debt collector, who when calling me insisted i share my date of birth, address and full name before they'd tell me what the call was regarding. I refused, they got mad and acted as if I was trying to avoid paying the bill. I assumed the call was fraud.

I found it was in fact not fraud when my credit monitoring service informed me that someone reported I refused to pay a bill. One call to the utility company later, it was resolved...unfortunately i'm still trying to fix the credit report.

If anyone else runs into this, I've heard that you can say you'll pay only if they remove their claim from your credit report. Suposedly it's not legal for them to offer (I guess extorsion), but as far as I know, it's legal for you to ask.

It sounds like that option has passed for the parent comment, but you did just try disputing it right? Force them to come up with the proof.

Presently in dispute, no outcome yet. I didn’t actually know it was going to hit my record as i paid through the service provider and no one threatened that. As someone that’s never not paid a bill, i guess i just needed to learn this lesson.
Did they mail you anything in writing? Not that a letter is worth anything by itself, but if it's asking you for a debt you recognise and asks to call a number that does indeed map back to a debt collection agency (on Google, etc) it's probably legit.

I am not sure whether it's even legal for them to mark you as refusing to pay without making a formal payment demand by mail.

A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
If you hang up, how does that help? Are you talking about them trying to make you think they hung up?

If so, it sounds like a long-shot tactic, especially because everyone uses cell phones now.

The most vulnerable population to fall for scams is seniors. Also the most likely population to still be using land lines.
Most seniors I know have a mobile phone. How else would they be able to show off pictures of their grandkids? Also, that's how hearing aids work these days.
But they might still have landlines.
My 87 year old mother can not figure out how to use a cell phone. I tried and tried.
In the UK landlines almost always start with 01 or 02 so it's easy to identify who is using a landline. You can also go through the phone book (which only lists landlines) looking for "elderly" names. People who don't bother / know how to opt out of the phone book are probably easier targets as well.
I'm not sure I follow. If you've ended the call, and you call the bank number on your card, how exactly would the call get routed to the scammers?
It only works in the UK where the phone call only ends after both sides hang up. The idea is you can hang up go to a different room and resume the conversation. The results are this fraud is possible.

I believe no other country has that feature.

> I believe no other country has that feature.

I'm sure there are other European landline phone systems which behave the same. I don't know about the U.S.

Definitely not the case for Romania. Even though I haven't used a landline in over a decade, if either party would hang up, the call would end.
We used to have this in Norway when I was a kid; I still remember when I found out by accident - it felt like I had been let in on some big secret.
In Sweden both sides had to hang up, not sure how it is now. My mother used it for kids prank calling. She just left it open until the parents came home and wanted to call, then she explained that their kid had been prank calling us.
Definitely used to be the case in Canada. The caller had to hang up: if the receiver hung up it took a (something like 20 second) timeout before the call would terminate. We did used to use that to move to another extension in our house.

Note to kids: we used to have our phones anchored to the wall with these coiled ropes so you couldn't walk away with them To counter that, we had multiple phones in various rooms of the house. They also made the phones so big the wouldn't fit in your pocket as another way to prevent stealing them. They didn't have screens because the vacuum tubes drew too much current and they would get too hot when pressed to your ear.

> I believe no other country has that feature.

Some locations in Brazil worked like that, depending on which timeframe we are talking about. Pretty annoying.

I guess this depends on the equipment used, not the country.

Norway had it, maybe still, have not touched a landline for decades.
The United Kingdom phone system has what is called "far-end supervision" where the circuit-switched landline system will only disconnect the call from the receiving caller if the phone where the call originated hangs up.

This trick only works if the receiving caller is on a landline. It will not work on mobile phones.

Sounds like the perfect attack to target against the elderly, who presumably might be more likely to have landlines
This used to work in the US too. Not sure if it still does.
Only some phone systems in the western part of the US had far-end supervision, so far as I am aware. (This is why movies and TV shows from in and around Hollywood show conversations where the caller hangs up and the callee hears a dial-tone. The phone systems in most of California had only far-end supervision. Tom Scott has a good video on this[0].)

Most of the US uses either near-end, where the recipient hanging up will end the call, or both-end supervision, on POTS/landline systems.

0 - https://www.youtube.com/watch?v=bUIiUXvnkUQ - This video was filmed at the excellent Museum of Telecommunications in Seattle, located in a CenturyLink switching office. When travel is available again, I encourage all phone geeks to come here and check it out.

Sounds wonderfully abusive!

So, say, if I called you and you picked up, I would be able to prevent you from calling anyone else by not hanging up indefinitely?

Just great. Will the system not disconnect if you dial 999, too?

It should disconnect eventually. And the timeframe for "eventually" has been changed in recent years.

Originally there was a grace period because of pulse dialling. Each "pulse" is actually a hangup - so the system had to tolerate that hangup != disconnect. But the grace period was far too long, and eventually end-users adopted it as a feature - if you wanted to take this on your bedroom phone instead of your hallway phone, you could hang up the phone, go up stairs, and pick up the bedroom phone.

So now we have two problems. One is that the bug has been adopted as a feature. The other is that precisely because of 999/e911 systems, the phone system is incredibly backwards compatible. Most exchanges still support pulse-dialling - it's never dropped intentionally (some exchanges don't, because they're too modernized. But it's not a conscious "lets turn this off now" thing.)

There has been a move in recent years to reduce the grace period, precisely because of this abuse. But until it's dropped short enough to be a non-issue, my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). It is a paid service, but I don't like bothering the operator for such things. But if you call 123, and reach your bank, you know summat's up.

> my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). [...] But if you call 123, and reach your bank, you know summat's up.

No no no no no.

Hang up and use another phone. End of. Any advice that you call another number first or whatnot is bad advice. If such advice got widespread, what would scammers do?

Obviously, they would have a DTMF decoder on the other end and they would patch the call through to the number you called. These are sophisticated people who send fake security officers to people's houses to "pick up the compromised card". Call forwarding is trivial.

Just get rid of the land line. When I move house, I'm not going to have one ever again.
Wow, this sounds awful.

Good that the UK is moving away from this "feature".

(I still remember that to take a call on another phone, you could just leave the receiver up on the phone you too the call on, provided you're not too lazy to hang it up later).

So someone could block you from calling an emergency number (like 911 in the US for example?)
Theoretically yes. It was quite annoying back in the days when people used to pocket dial you.

From what I remember, repeatedly pressing the button under the receiver in quick succession eventually disconnects the call.

I wonder if that had something to do with the calling party pays system they use(used?)
They play the sound of someone hanging up, then play the sound of a dial tone, and you dial again, not having hung up yourself.
(comment deleted)
I vaguely remember a phone e experience where if the other person didn't hang up I was stuck with that connection.

Glitchy landline behavior from the 90s?

How can they stay on the line if you hang up?
Because they're not on a mobile. Landlines don't disconnect until both parties hang up.
Landlines [in the UK] don't disconnect until both parties hang up.
A trick I learned to deal with this very thing was just to attempt to call the local time/weather number after getting my dial tone back.

That said, with far-side supervision, I suspect that the call would actually time out after something like 20-30 seconds of either party hanging up. I'd just make it a habit to go put the kettle on and make some tea before placing another call.

If the call doesn't time out, well, it's time to ask BT some hard questions as to why they're allowing that sort of nuisance on their telephone network. AT&T managed to get rid of it here just fine.

> A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.

Sure, but that only works for landlines. Is this still a common thing in the UK?

I haven't had one for 5 years but I think am in the minority. Many households need one for broadband as they can't get cable.
Most broadband "landlines" are not a real BT landline but instead one simulated by your broadband router (it's SIP on the other end). With SIP, once either you hang up or the other side hangs up the session is terminated and there is no way to recover it.
I would be extremely surprised if most UK “landlines” are actually SIP extensions. Do you have a source for this claim?
As far as I'm aware BT still have normal landlines to most areas - the phones are separate from the router, they don't go through it first and even support old pulse dial phones.
Surely that doesn't work in the age of cellphones?
What about if that puts you into an hour long phone queue where the person who you eventually get through to has trouble helping you with what the initial call was about?
Find a bank that doesn't have hour-long phone queues where customer service matters? AMEX has reasonable call response times.
Then switch to a better bank.

also, if someone is calling you, they most likely aren't trying to help you.

> "Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."

This would be great as long as your call back was recognized and immediately routed to the right person instead of being placed on infinite hold, as is usually the case when you call a bank's or credit card company's number.

>as long as your call back was recognized and immediately routed to the right person

It would be great if more companies had this functionality. It would also be useful in the situations where you get disconnected while talking with someone.

Most contact centers have some sort of virtual hold - i wonder if they can leverage that tech for this type of functionality.
Or use something really old school such as "extension numbers".
Basically, I'd prefer if pbxes used by these companies providing support did the equivalent of storing short-term 'cookies' that remember you had just called rather than requiring remembering and reentering 'share urls'.
The callback number would be special and ask you for a special code.
The callback number can't be "special". It has to be the number on their website, statement, or credit card.
> It would also be useful in the situations where you get disconnected while talking with someone.

Most call centres want you off the phone as soon as possible, regardless of whether the problem is solved or not. Making it easy for you to call them isn't in their best interests.

Good idea. Plus, they could trivially implement this, no? The main phone number's first prompt could be, "If you were told to call this number, please enter the 8-digit code you were given at the prompt."
(comment deleted)
It's not actually required.

As long as the first csr puts a note on the account about what's going on, any csr can resume from there.

i.e. a note like "20200423 - asked customer to call back to discuss recent large transactions on credit card".

> It's not actually required.

Yes, going to exactly the same person is not always required (depends on how good their customer notes are--in my experience there's quite a bit of variability there).

Going to the right department immediately instead of being placed on infinite hold like someone who just randomly called in is required for something like this to work.

"... and call us back with the phone number on the back of your credit card and use code "12345" to get directed back to me immediately."
(comment deleted)
I've had this happen. When the fraud department for my credit card company called and I said I wanted to call them back to verify, they gave me a code to enter after I called to go straight back to the agent. It was great.
I recall the same happening. Capital One, I believe.

I really, really thought it was fraud at first until they basically said "yep, go for it, use the number on the back of your card then give us this code".

This is the right way to do it. Glad to see it actually gets used.
This is especially important now: I just had a credit card company send me a query about a fraud alert. After confirming that it was fraudulent, it tells me to call the 800 number but that now says that you should use the website for anything which isn't COVID-19 related due to very high call volume.
It's just a matter of the company prioritizing that feature. If they think that improved handling of identity fraud will save them money, they will prioritize it.
You could combine it with an extension: "Please call me back using the number on the back of your card and extension NNNN"
Used to be the case with certain CC companies that after they put a note/status in my account, any call I made to the main line would immediately route me to their security/fraud department once I entered my abbreviated auth details (last 4 of card# + zip or somesuch).

So it's definitely possible.

When the police called me they did exactly this but added their extension. This way I could verify that the number belongs to my local police department but still called his number directly. For CSR, they could use one time extensions so that the service rep doesn't get spammed at later times.
A few years ago I got a call from Revenue Canada and around the same time it was extremely popular for scammers to pose as Revenue Canada agents. So immediately I just assumed it was a scam and got extremely annoyed and angry at the person... turns out it was a real Revenue Canada agent and I had somehow forgot to submit my taxes a few years back...
Ha ha same here but I got a call from an FBI agent. I had lost money to someone and 2-3 years later he got caught in some other sting and they wanted me to be another witness since they found my name in his books. For me somehow the connection clicked as soon as the agent mentioned the name of the company (but not when he said I am calling from the FBI). I even got login to I think an FBI website to keep updated on the status. Unfortunately after communication every few months, they decided to not pursue the case, after maybe 2-3 years of elapsed time.
> To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."

Good idea, except now people will think: "yeah, right, that way the call will cost me money".

Where in the world do you still have to pay based on usage of phone minutes?
For people that can't afford a new phone every year with a contract. You can buy cheap button-phones and get a phone card that cost you money every time you call but is free while you don't call.
Aren't most of these numbers toll free?
That would be preferable. I had a call from my bank once that went like this.

> CS: Hello, this is X from Y Bank. Is this Z?

> ME: Yes, this is Z.

> CS: Z, can you confirm your last 4 digits of your social security number so I can confirm who I am speaking to?

> ME: Uh... How do I know you're the bank? I can't just tell any person who calls that information.

> CS: Z, we are from your bank, Y Bank. Please provide the last 4 digits of your social.

> ME: There has to be another way to do this, right?

> CS: Please hold... (puts me on hold for 30 seconds)

> CS: Hi Z, I'm back. Can you look up our phone number on Google and give us a call back and ask for me by name, X?

> ME: Sounds good.

It was them. I got quickly reconnected to the same woman. I'm still concerned that the norm should be something closer to what you commented, even if it adds friction and will probably result in lazier people not calling back for something important. It's better to normalize this than allow for the alternative, which is to normalize people telling random strangers their sensitive, personal information.

Any time this topic comes up, I immediately worry about my parents and grandparents falling for this sort of thing if real scammers are out there trying. I realize the last four digits of my social security number are not as great as the whole thing, but as far as I know, it's enough to be dangerous.

In Sweden the whole personal number is public information. Anyone can just call the tax department and get it without any questions asked. Still some use it as proof that you are you...
lol, something horribly ironic about that. They called your number, but you need to prove it's you. But obviously, they are who they claim to be.
Used to offer this when working on fraud in <a Big Corp>, but have to give them my name so main number switchboard can route call. Very few people did, but those that did appreciated it. Only costs you a few minutes while they find the old time printed phone book, look up <a Big Corp> and call back.
My bank’s policy is simple: we will never call you.
Or, you know, send a letter or e-mail. Not that e-mails are secure per definition, but services like gmail spend a lot of time and effort on detecting and blocking spam and scams.
Why not use reverse verbal passwords (i.e. have the bank give you a secret phrase)? That should eliminate a large amount of issues without the need for a call back.
Side lessons seems to be that scammers have access to a lot of your personal info, which can fool you, and that you should never ever give an OTP over the phone.
How much time and money is lost to this kind of scam?

We need verified identity for phone numbers and email, with consequences attached to bad behaviour.

China likes this.
This should also be a lesson about having $9k in an account tied to a debit card and not following up on suspicious transactions. If the thieves had done an ATM balance check and seen a combined balance of a number of hundreds of dollars that could be counted on one hand they likely would have settled for withdrawing that and wouldn't have bothered hitting Mitch with the advanced scam to gain the bank info needed for a wire transfer. If Mitch had noticed the test withdrawals he could have called his bank and stopped the fraud there.

For how often you need that kind of cash readily accessible it's simply not worth the risk for the overwhelming majority of people.

This was a really sophisticated attack and fooled even a security conscious person but defense in depth (not having the big bucks accessible from your general use card and/or following up on unknown transactions) would have stymied it. With a good security protocol breaking one rule (not hanging up and calling back) shouldn't screw you.

I just had this experience from pnc bank. I don’t even bank with them, but a member of my household does.

The incoming message was automated, asking for (person who lives here) with a visa debit card that has fraudulent transactions. The caller id was a number not listed on the back of the card.

Pressing “1” puts you into the next phase, which asks you to “verify” your identity by - guess what - typing in your full 16 digit debit card number!

At this point I am convinced this is a scam. You google the phone number and you see tons of links saying it’s a scam.

The person calls their regular number on the back of her card and they claim no fraudulent activity.

A few days later I still get these calls so I decide to investigate. Pressing zero a bunch and asking for an agent finally gets me to a live individual. He claims they’re from pnc and they are a different section not connected to the “main” number. He’s able to recite details about the account that only pnc would know, so now I’m not sure.

I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)

I did get a response - good! But they didn’t actually change the site ... so I suppose in this case anyone who receives notification of fraud on their pnc debit card should email abuse@pnc.com to validate the calls are legitimate?

> I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)

Note that faking the number you are calling from is fairly trivial, so do not trust the callerid as proof of identity.

I should have clarified: I called the number back (from the caller ID)
> He’s able to recite details about the account that only pnc would know, so now I’m not sure.

That's the creepy part. There is so much of our info available on the darkweb that even engaging with scammers potentially verifies it and makes it more valuable, although it is unlikley a purchaser of a phishing database is going to provide feedback to the point of origin, they may feed it forward if they resell and augmented dbase. [For example, if someone buys 1,000,000 phone numbers, and that person finds 250,000 are bogus, they can sell the "cleaned" database again claiming it's been slightly sanitized. DefCon has taught me to fear the world.]

My company expense card is from pnc. I’ve had many bad experiences with it that make them seem very unprofessional and not competent technically. First time I needed to update my pin to use the card and their databases were down...

But yeah their fraud detection is lacking and reporting it was a pain, and they are slow to resolve anything. They did not detect the fraud at all.

Your experience reinforces my impression.

Banks do this themselves too I think. I seem to have the recent memory where I called Chase, then they called me back. For the life of me I can't remember what I as calling about though
That's what I always told my older family.

If it is about finances, YOU call them at a number on your billing statement that you know is correct, or just go to the bank.

Never make a decision / give info if "they" called you.

> he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines

How is it possible for someone not to check his/her bank account all this time? There were unknown transactions for several weeks and no one noticed?

IMHO not having alerts for your cards/accounts and not noticing strange transactions is a bigger security risk than trusting the telephone number calling you.

I fully agree that we should call back on the official number for any banking issues and don’t blindly trust whoever is pretending to be from the bank.

Most people I know check their credit card, debit card, and/or bank statements once a month, if ever.

You and I are the outliers, my friend.

Count me in. Text alerts on all financial institutions to a google voice # and monthly reconciles of all acounts plus weekly investment checks.

I have had two fraudulent CC charges in 25+ years, and they both were reversed immediately so I'm not worried about that. More worried about my credit union so I keep as little in there as possible. (Interest rates are a joke so it doesn't matter.)

This also applies to offline solicitation. Someone came to my door and asked me to sign on to switching my gas supplier. He said it is a supply chain change and will not affect anything beyond I getting a smaller monthly bill, still coming from PG&E. I told him that it sounds wonderful but this is the first I'm hearing of such a thing and I need to research online what it is about before signing anything. He said he has all the details in his paper folder and I can read it. I insisted on doing my own research. He said the deal is off once he leaves and it is my last chance. I told him, "so be it, such is life".

Did a quick Google search the next day and figured the process is legit but people out there have gotten higher bills than before.

Moral is to fight the human-interaction pressures and be adamant on doing your own research. No shame in that.

My standard response to that sort of thing is, "Sorry, but my personal policy is to not make any decision without sleeping on it first." That usually gets them right to the "deal is off" phase quickly, since there's really no good rebuttal for that. Or they leave their materials. Either way, they leave me alone.
You can in fact close the door on people. This is also effective.
The fact that people even open the door to strangers with clipboards is hard for me to comprehend.

If you don't have a badge and a gun, I'm not opening the door for any reason. If you have a badge and a gun, I'm probably not opening the door.

If they have a badge and gun demand that they slip the warrant under the door first. Then call the watch commander to verify it.
Do they just wait around to let you take your time to go back and call to verify?
I don't know, never been served a search warrant.

Obviously this isn't legal advice, but it's what defense lawyer friends have suggested if it ever comes up.

I think that popular video about "never talk to cops" mentions something like it too?

I assume if they don't wait, it helps your court case. They could always go with the "probable cause" argument, but again this can help your case if you can prove they didn't have actual cause.

I'm less worried about the court case and more worried about what can immediately go wrong if you look like you're stalling.
> ... this can help your case if you can prove they didn't have actual cause.

Pro-tip: if they're at your door with a warrant, they have probable cause.

Yeah but if they're robbers with a fake badge and gun, how will I know? At least when they barge in I'll already be on the phone with the cops.
Your threat model is imaginary, if they are robbers posing as cops, they wouldn't knock and wait patiently, they'd just serve you a fake "no knock warrant" (kick open your door and bust in with flash bang grenades).
I'm sorry, this comment is not necessarily a reply to you directly but to the thread in general--are we talking about the real world or some fictional TV show? Genuine question, is this something a "normal" HN reader should be worried about? Is there any evidence of such incidents happening ("kick open your door and bust in with flash bang grenades")?
I see no reason why a robber posing as a cop would want to draw more attention to themselves than necessary.
My understanding is a valid warrant (which as someone else mentioned does not have to be a physical piece of paper) grants them immediate access and they don't have to wait to verify. If you don't open the door, it will be opened for you by battering ram - demanding you open it is more of a courtesy.

Think about it: say someone has a bunch of drugs, you wouldn't want to give them time to start flushing it down the toilet while they call up and verify the warrant is valid. You kick the door in, arrest them, and secure the scene for forensics and evidence collection.

I assumed something along those lines, but I think they have to knock unless there's a no-knock warrant? I just don't expect they'll be amused if you tell them to hang on for a few minutes while you "verify" the warrant.
There's a lot that go wrong with this approach, and the upside is pretty obviously dwarfed by the (small to minuscule, depending on many many factors) chance of getting murdered while puffing about your rights. Whose front door has a gap underneath it, anyway?

Assuming they knock and announce they have a warrant as opposed to knocking the door down, you open the door and they start coming in immediately. You can read the warrant, they'll likely shove it in your face. You should be on the phone to an attorney or the local bar association before the last officer in past the threshold, anyway.

I'm pretty shocked an attorney would suggest doing something that can very likely be construed as stalling for time when tensions are likely pretty high.

You're aware that -- regardless of what you might have seen on TV or the movies -- they don't actually have to present a physical warrant, right?

Nor do they have to allow you time to call a "watch commander to verify it".

What is likely, however, is that you're gonna be shopping for a new front door if you don't open up by about the second knock -- if they give you that long.

What a weird, paranoid idea. Typically people come to my door for legitimately useful or appropriate purposes.
It's not paranoid, I don't think everybody knocking is coming to get me or anything. I'm just not interested in whatever it is they have to offer.

If I'm in the market for a service, I'll do the research and reach out.

The only people who come to my door are gas people saying that they're going to be turning it off for a period/back on, window washers coming to clean the windows they can't reach from the outside, and similar things. I do want what they offer, because it's useful/important.
He also lives in the US, where current laws and general social norms and expectations means there's a much higher perceived/actual risk to opening your front door to a random stranger, so it's less surprising to hear this..

This problem, at least at that level of magnitude, does not exist in other parts of the world.

Have you ever lived in the US? You're statement is probably only somewhat valid in the worst neighborhoods. People don't shoot you in the face when you open the door...
People come to the door in my neighborhood for only a few reasons:

- to sell me on religion

- to solicit money for some kind of commercial service, charity, non-profit fundraiser

- to sign me up for political stuff

And they do this several times a week (pre-COVID). So I never open the door to surprise strangers. It's not paranoia; it's just preventing the waste of my time and emotional energy. I'm not interested in worshipping a sky demon. It's not incumbent on me to figure out whether the service is legit, rent-seeking grift on top of a legit service, or a total scam. I don't have to figure out how to gently turn them down just to keep junk food out of the house.

I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.

I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind.

The only people who ever come to my door are salespeople and religious nuts
What? What if it's a neighbour you haven't met asking you over for a bbq? Or somebody who noticed your garage door was swinging open and wanted you to know they'd closed it?

Or OMG what if somebody needs a boost because their car battery is dead? Oh man, I couldn't bear it if I became that guy who didn't give someone a boost.

Signed, A Canadian HN user

I’d hope none of your hypotheticals would require a “clipboard in hand”, which is the red flag GP mentions - likely it’s a cold calling solicitation.
"If you don't have a badge and a gun, I'm not opening the door for any reason"
That was with the pretext of it being a person standing at your front door with a clipboard--if such a person did not also have a badge and a gun, GP wouldn't open the door.
This really hit me for some reason. I’m a non white American, and not to exaggerate, afraid of knocking on a stranger’s door.

I’d be quite worried if I ever became stranded in a white neighborhood and had to knock on a random door for assistance.

I hope you'll consider changing your media diet, because your current selection is filling you with irrational racist fear. That's not how the real world is. Consider lolc's comment below:

"I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.

I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind."

It is what it is. I’d rather be overly cautious than the potential alternative.

My concern is neither racist or irrational, based on my particular racial mix and phenotype.

I think your comment might have had a useful alternative perspective if it could have been made without calling the parent racist and irrational. ISTM difficult to change someone's mind while disparaging their reason and character.
With all the news I keep hearing from the US, I can't say I blame you. It's sad, though. I want to live in a society where people can knock on each other's door, and open the door trusting it's a legitimate friendly talk or person in need, and not a threat or someone looking to take advantage of me.
if you have a gun and badge, i'm probably already out the back door.
If you don't have a badge and a gun, I'm not opening the door for any reason.

Then when your irrigation system has sprung a leak and is spewing water all over the side of my house, I'm going to go to the valve on the sidewalk in front of your house and turn off the water to your house while your family is trying to shower and make breakfast.

That's exactly what happened when my neighbor refused to answer his door one morning at 6am.

You guys have valves on the sidewalk that anyone can just shut off?
Yep. They're metal lids labeled "water" that you lift up and inside there is a valve that can be turned. They're very common in most cities in which I've lived.
There's usually an internal and an external shutoff valve. Inside is easier when you're working on things inside, but the water company may need to turn off your water, and they can't depend on being able to get inside. So valve on the sidewalk (or in the lawn as the case may be).
What do guns have to do with anything? Why would a badge alone not be enough? Why are you trying to sound so epic? What are you trying to prove? Are you the type of person who brings assault rifles to a protest to make some sort of cowboy-style point?

I totally get not wanting to talk to people who are trying to sell you something, but if you are such a bad ass, living in your wild west world, why don't you try bringing up the courage to just tell someone at your door that you won't buy anything from them? Seems easy enough to me.

> You can in fact close the door on people.

Hence the saying "get your foot in the door" for getting an opportunity to talk to someone.

Hopefully ensuring that anyone who tries that just happens to subsequently suffer foot pain will work as a deterrent...
Though less socially acceptable. I find that to be the primary advantage of gp's approach.
Yep, I have a standing rule that I don't buy anything marketed by someone standing at my front door (I will make an exception for Girl Scout cookies). Someone at your front door is interrupting you, and creating a power imbalance leveraging long standing cultural norms that you invite people in and are courteous. That may apply to neighbors and friends, but not to salespeople.
True on cultural norms. Myself I have found myself being rude and when I answer the door, I point at the "No Soliciting" sign directly below the door bell and keep repeating "No Thank You" until they leave or I decide to close the door if they persist.
As an urbanite: Lol good luck. If you ain’t texting “here” , I ain’t opening the door. What’s a doorbell? :D
This is exactly the reason why there are specific limitations on so called "Haustürgeschäfte" (sales made on the perch of your own home) in German and European law. For example you get a reasonable time period to rethink those sales without any charges.
Yes exactly (I've lived in Germany). And where I live now in southern California, thank goodness, it's actually against the law to "solicit door to door" (I think that's how the law is written).

Before I lived "here", every weekend, guaranteed, at least 4-5 knocks on the door on Saturday & Sunday afternoon (combined). Trying to sell me something that I didn't need, didn't want, and often it felt like a scam.

A good more general rule is not ever to buy anything from anyone who has initiated the first contact. Not sure that's going to be an entirely popular thought on a forum of entrepreneurs who live and die by their marketing to an extent, but from a recipient's point of view I do advocate it.
I try not to buy anything that I haven't of my own free will realized I needed or really wanted and then sought out a solution for.
And this is why I canceled my amazon prime membership
On the flip side, it’s far easier to sell to someone that comes to you. In fact, many businesses do just that and don’t even bother with cold sales. This is trivially true in the case of stores but also marketing companies, SaaS offerings. And really it’s better that way. It’s not unsolicited, both have mutual interest and the buyer clearly sees value enough to talk to somebody on the expectation it’ll cost.
This works extremely well as a tourist too. If someone is walking up and offering something to me that is almost always a no. Scams frequently depend on seeking out targets.
Indeed. I always think to myself: if it’s worth coming to my door or cold-calling me there must be a pretty margin. And then they claim it’ll be so much cheaper than my well-researched current contract. Yeah, right.

The only thing that will sometimes peak my interest enough to listen to the pitch, is if they offer non-monetary upside.

I remember my dad telling me about a farmer he knew, who said to him once, (pointing at his lane), "Any time Jim, I see a f*er driving in that road I know he's not doing it for my benefit"
Last time I just opened the door and spoke first: "Sorry I don't have time to talk to strangers right now" and closed the door before he could say one word.

I'm thinking of preparing an mp3 of a chaotic household (think 10 kids screaming and fighting) for improved effect in the future.

I do something similar.

Before they can speak, I say, "Are you selling solar, politics, or religion?"

They always protest, "But I'm not selling anything..." and go into their sales pitch.

I interrupt with again with, "Solar, politics, or religion?"

90% of the time it's solar. I tell them I rent, and they go away.

this is absolutely true and any product or service that requires sending people to knock on doors in order to sell it is by definition not worth buying, because if it were, they'd sell plenty using regular advertising. anyone that comes to my house to sell something is automatically a scam in my perspective and it is usually those fake electric company / gas people, though sometimes someone offering to redo my driveway.
I outright reject anyone trying to sell me a subscription model at the door - a lot of charities do that, and their sales talk nowadays includes that I can cancel at any time.

But the caveat there is that if I were to do a one-time donation, they would still have my information and the permission to receive mail on file.

Charities are marketing companies; they collect money and advertising permission, and give you direct mailed marketing in return.

"We do not give money at the door"

"We do not buy things at the door"

Exact same experience about a year ago, I also passed up the deal and ultimately concluded later that it was legit. I then emailed PG&E telling them that whoever is doing this is training people to trust a random, pushy person at the door who shows nothing other than a badge and iPad full of content.
These people work on commission or quota, which is why they're so pushy.
There seems to be a huge margin on those things, which bring all kinds of sleazy tactics for third party marketing companies.

I had a call from a guy claiming to be from PECO (my power co) with a good deal to switch off of PECO. Indeed we do have alternate generation supplier options, but this smelled. So I asked him several times if he worked for them and he insisted. Finally i agreed and he wanted to route me to a neutral, recorded line, agreement gathering company, but he said it would identify as "xyz energy". Whoops, deal's off, fat liar.

It's legal, but it's not legit. They are trying to rip you off and they are lying to you.
I have a friend who does this. Makes 6 figures, kinda crazy when you think about it. He waS getting close to 20 people a day before the corona virus.
If someone knocks on my door and I haven't invited them over I don't even consider answering it. It doesn't matter to me what sort of uniform they are wearing. The same goes phone calls. I don't understand the obligation people feel to engage in unsolicited meetings and conversations.
> I don't understand the obligation people feel to engage in unsolicited meetings and conversations.

If they get you on the line, you're going to fight against a professional liar on an uphill territory made of cultural norms and basic politeness. Turns out disengaging from a conversation isn't easy. But how do they get you on the line in the first place?

Like anyone, you probably have frequent periods of time when you have a lot of errands in progress. Maybe you've ordered a bunch of things on-line, booked a trip, just sent documents to your accountant, and posted your car for sale. Any of these can face roadblocks that generate a phone call. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.

For the bad actors (marketers), it's a numbers game. Personally, I also don't take calls from numbers I don't know... except whenever I run any kind of errand remotely, which is when they usually manage to catch me (only for me to wait until they tell me what they want, at which point I hang up).

Just say "hang on a minute" and mute the phone without disconnecting. Waste more of their time than they wasted of yours.
I do this to some extent. Usually if they get me on the line, I have them wait, then come back after a few minutes, then have them wait, pretend I can't hear them well, pretend I don't understand their questions, etc. It's a bit of a burden, but kind of fun. But really my reasoning is that if they weren't on the phone with me, someone who won't fall for their scam, they would be on the phone with someone more likely to fall for their scam, so better me waste some of my time and have a little fun than the next person losing a bunch of money to a scam.
If you answer the call at all you will be put on the "Answers calls" list and sold to the next company. It's a way of cleaning calling lists from dead numbers.
>. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.

I haven't picked up an unsolicited phone call or answered the door in 25 years and I never had a problem with it.

(comment deleted)
Learning to say no to solicitors gives you the freedom to make new connections with your neighbors. People enjoy that freedom.
I second this. If I’m not expecting it then I don’t bother. If something is important then they'll call a second time and leave a voicemail or come knocking again but that has rarely happened.
Because a world in which people are unwilling to answer their doors is depressing, and answering the door is only going to cost you like 30 seconds of your time.
I get what you're saying, but I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.

I've been in situations when I don't have access to my cell phone and I need help from friends, so I call from a stranger's cellphone. I never get an answer. I have to text them from the stranger's phone (and see their text messages), wait for them to see the message, then accept the call. It's incredibly frustrating.

One problem here is that by answering at all, you're confirming your phone number as one with a real live person on the end. They track this and will keep calling. Anecdotally I noticed after I stopped picking up, the number of calls I was getting decreased.
I like to pick up and immediately hit mute. If they say something, maybe I reply, but typically the spam callers just hang up after a few seconds. I read somewhere that picking up but not saying anything can take you off the rotation or something
I've done the same for a span of a couple months--immediate mute, no interaction. It didn't seem to make a difference one way or other other though with regard to call frequency.
It's just a machine calling. If you pick up and make a sound, you will be immediatelly connected to a person. If no person is available it will just drop the call and call again later. Only way is to not answer.
I maintain voicemail for that purpose and would call you right back. And call blocking doesn’t work well, since caller id is easily spoofed.
I block all calls from non-contact numbers, and I have never experienced a spoofing of a contact number, so IME call blocking works very well.
> ... I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.

I'd like for you to spend a day at my grandmother's house.

She's had the same landline number for probably 50 years and gets - no kidding -- probably 20 of these calls a day. It may not "take more than 5 seconds" but it gets real f'in' annoying real f'in' quick.

She now only answers calls from numbers she recognizes. She will pick up if you yell at her on the answering machine, though!

Also, as of iOS 13 (or whenever it was they introduced the feature), I am -- thankfully -- no longer even aware of calls or text messages from numbers that aren't in my contacts until I pick up my phone and look. My phone doesn't beep, ring, or ding if I receive a call or text from an "unknown number" -- and I could not be happier about that!

Doesn't Google have an automatic call screening thing? Maybe it was related to Voice and/or a pilot program they cancelled. But I'd expect people around here to know about it.
Thanks for sharing. Questionable whether it's legit since they're apparently making false verbal promises of a lower bill. Hard to prove, yes. It's not right just because a corporation does it.
Just an FYI, my town (in Pennsylvania) passed an anti-peddling / door-to-door sales ordinance to get these high pressure utility sales guys off our streets. You might want to talk to your city council about doing the same.

At this point we can call the cops on them and the cops can issue a citation. I haven't seen them since the ordinance was passed.

My town (in New Jersey) has a similar law. We have a list at town hall. You can ask to be put on the list. Salesman must not go to your door if you are on the list. Only problem is that charities and politicians are exempt from the requirement.
Nothing is ever that urgent. If they insist on immediate purchase, I invariably walk.
My policy is before any time sensitive decision is to determine if it is manufactured time sensitivity, that is the company created the time sensitivity. I refuse to act on things that are only time sensitive because someone else decided it should be. Those are traps.
> Nothing is ever that urgent

It took me decades to learn this. I mean, to really learn it.

Barring emergencies (like blood squirting out of puncture wound, or part of your house is on fire):

NOTHING is ever urgent.

You set the pace of your life. You speak when you are ready. You act when you are ready. Take as much time as you need to think.

We would only put up our Christmas tree on Christmas Eve when I was growing up, and it was ever so stressful watching my father haggle on the tree lot.

My dad: "It's worth nothing to you tomorrow."

Tree guy: "You're not gonna have Christmas?"

"No, I will buy a plastic tree for the same price and never buy from you again."
That is an excellent example. Who really has the upper hand? Depends on how close the competition is, I guess. And how close the competition is to their competitors..
Tree guy, you can have Christmas without a tree. I hate Christmas trees. They take up space I don't (didn't; I have more space now) have, and spread needles everywhere. And I'm Christian, so I'm not that big on the pagan symbols anyway.
This is why I've done my damnedest to avoid jobs that require additional on-call time. It invites abuse where everything has to be a crisis. I worked in e-commerce ONCE. Grandma can't buy shoes at 2am because part of the site isn't working? This is not an urgent situation.

Unless it's the Joint Chiefs calling me up from the war room to stop a meteor from destroying the planet, I'd rather go back to sleep. Even then I still might: they can fire me in the morning if there is one.

"Exploding offers" (the deal is off when he leaves) and other hard-sell tactics are big red flags in general, IMO. If I get a whiff of hard-sell it's an automatic and unconditional "no."
"Oh, do you need me to make an emotional decision? Right now? Hang on a minute--how do you think this is going for us both?"
I've been working on this over the years, since I noticed a tendency to just go along to make the uncomfortable situation go away. Just having a mental flag helps a lot: "this is probably BS, don't agree to anything."
Pressure sales are an automatic 'no'.

Saves so much time and energy, and you rarely if ever actually miss out on anything good.

I would tell them to fuck off and go back to sales school - these tactics don't work in today's day and age, they worked when information was opaque, you got the world's information at your fingertips now.
Those tactics still work for most people who don't know any better. Most people are still too lazy (even when you tell them it's so easy to save money).
Yeah, sadly there is a sucker born every minute.
Speaking of school, being aware of sales/marketing/scam tactics and how to defend against them should be taught very early on.

I have yet to find a use for some advanced math school tried to teach me when I was a teen, while basic life skills like how to manage finances, deal with scams, etc are invaluable.

When someone tells me the offer expires when I walk out the door etc, I just reply "It must not be that good of a deal if you don't want me to comparison shop." I've never run into a salesperson that had a good/any comeback to that.
Used to work for a sales company, impulse is a textbook tried-and-true sales tactic. For everyone like yourself that decides to sit on it another jumps at the offer.
The ol' reverse psychology eh? I don't want this deal. Oh yeah, well you can't have this deal. WHAT!? I'LL TAKE IT IMMEDIATELY!
> He said the deal is off once he leaves and it is my last chance

Standard sales pitch tactic: "manufacture a sense of urgency"

"I have to talk to my wife/husband/SO/roommate". Works for practically any decision that you need time to make.
"No." is a complete sentence.
Some people like non-confrontational ways of saying "No.".

Sometimes you really do need to think things over before making a decision. "No" closes doors before you've had a chance to consider.

It prevents weasley salesdroids from seizing an opportunity to take you to the cleaners.
(comment deleted)
Please read what I wrote again.

How does "I'll get back to you after considering" let "weasley salesdroids" take advantage, as long as you hold firm? If you're not the type of person to hold firm after saying that, you won't hold firm after saying "No" either.

Because people don't hold firm. You're just inviting them to pull out another one of their lines.
I think you either fail to read comments in their entirety or just focus on one thing. So I'll say it again "Someone who can't hold firm won't hold firm. It doesn't matter if they 'No', or 'I need to think about it'".
A simple "No Soliciting" sign can help ward off many such ruses given the further illegality of proceeding with soliciting when such a sign is visible. (This also may signal you are not as easy a mark and therefore not worth their time.) Doorbell cams + Nextdoor/Citizen make this even harder since one skeptic can poison a neighborhood.
Plenty of companies here that are like subletters for utilities; they claim to be able to offer you a lower energy bill because they buy up electricity in bulk, but when I looked into it it turns out that in practice they're only cheaper the first year. These aren't energy companies, they're marketing / sales companies.

Anyway I went with one of the "source" power suppliers who instead offer a loyalty discount that builds up over time. I'm sure switching suppliers every year will be a bit cheaper in the long run but I choose reliability and convenience in this case. Also because the reseller companies tend to pop up and be bought up / merge constantly. Besides, it gives me some moral peace of mind that I'm paying the company producing electricity directly instead of a marketing middle man.

Maybe if banks and other companies didn't have a 10-level nested phone tree, we would.
(comment deleted)
If phone companies had any initiative or product brains at all, they would have initiated 'real caller ID' a decade ago.
>But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening.

My response is not picking up the phone at all.

So the scammers expected the victim to callback the bank to get the secret code? That is pretty sophisticated. But when they first called they knew about fraudulent discharges, and presumably had caused them, right? Or did they break into the victim's computer? Tbh., something is missing in that story.
You got me thinking, so I went back to the report. The victim's call to the bank is something of a red herring, in that the scammers neither need the victim to make that call, nor to know that he did so (and I assume they did not know that.) I am guessing that the bank texted the code to the victim's phone in response to the call made by the fraudulent team, who were just hoping that he would read it back to them... which he did.

The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.

So, seems that the scammers knew about the fraudulent ones, but apparently not the regular ones. So: 1 - do fraudulent transactions 2 - call card holder and say that those charges might be fraudulent. 3 - because you know the fraudulent charges, card holder believes you are from the bank 4 - profit
I think the attackers had Mitch’s bank card and PIN and was making those fraudulent charges to see if Mitch would notice. If he did, the attackers would have been shut out then and there.

Mitch didn’t notice, so the attackers called Mitch pretending to be the bank. They didn’t ask him for any details so no red flags were raised, they just said “we noticed fraudulent charges and rest assured we are fixing it.”

Next day, attackers call the bank and Mitch at the same time. They needed the code the bank would send to the # on the account, so the attacker requested it from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and the attacker repeated it to the bank.

At some point, Mitch got suspicious and called the bank to ask if they were on another call with him. The bank was on a call with the attacker pretending to be Mitch, so they said yes. Mitch thought the other Mitch was himself.

This is exactly what I meant. If the attackers already could make fraudulent discharges, then why should they put up such a complicated and risky attack? Could they not simply have gotten the money via the debit card?
Probably not anything like $9,800 dollars in one go - there's usually a daily limit. And the scammers may know (e.g. from doing it before) that after a few small transfers, the victim's bank will call him if he had not already noticed, in which case they preempted that call and effectively subverted it for their purpose.

The risk of the scheme not working might be high, but I am not sure that the risk of being caught is much increased.

Does anyone know any good guides for being aware of these things, strategies used by scammers, and what to be suspicious of? Something that isn't patronisingly simple, but not aimed at teach expert users either.

> “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

I don't understand this part - the _actual_ bank said that he was on a different line with them? Wouldn't that mean that the scammers had authorised as him already, in which case the account is already compromised? Also, the bank asking for 2FA over the phone also sounds like training into bad habits, but I appreciate there's different approaches with different banks.

This is a pretty similar sequence of events to one a reasonably intelligent but non-tech friend of mine fell for this week: Got an email saying that the TV licence needed to be renewed. They followed the link on the email, didn't check the URL and filled out their account details to set up a direct debit.

Two days later, gets a call from their "bank", telling them that they filled out a scam direct debit (gets victim flustered to compromise judgement) but they need to authorise them first before they can speak any further... my friend challenged their identity but they used the exact same "fake caller ID" trick - to the correct bank number since they had the sort code from step 1, and that identifies the bank. I knew this (caller ID) was possible in general, but hadn't heard of it being actively used in the UK - only from stories in the US. After "verifying" they asked for the 2FA device code, then (registered a card for ApplePay and) asked them to "confirm" the code they had just been texted, which is the point I walked in and was "WTF are you doing?"

About 10 minutes later while in the waiting queue for the actual bank, the actual bank called them - when we said that we wouldn't trust the call they instantly gave us a reference number to quickly recall the case and advised us to call back quickly. Luckily, the bank reimbursed the amounts taken before they locked it off (apparently some UK agreement from a couple of years ago.)

They were pretty shaken up from the experience, and want to know what to look for in the future. It strikes me that a lot of these cases are hitting otherwise reasonably cautious people who aren't aware that something they think is authentication, really isn't, like caller ID.

I think the attacker called the bank and Mitch at the same time. The attacker knew that the bank would send Mitch a SMS code so the attacker asked the bank to send it, Mitch told the attacker, the attacker told the bank.

The bank was on the phone with Mitch and the attacker at the same time. Mitch thought the “other Mitch” was himself on the other line.

Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities. [0]

Getting you to browse your computer for 10-20 minutes and then log into your bank account could be enough to gain access to your account.

And 2FA is proven insecure with SIM hijacking. These methods have a high up front time investment but will take even less effort than Mitch's gambit once deployed.

https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf [0]

Do you think a phone call is high enough bitrate for these attacks, or are you implying parabolic microphones could be used to make this happen?

The mentioned paper contains a remark:

> While recording from the third keyboard, we get several seconds of unexpected noise from a cellphone nearby.

But that's the only mention of a phone in the paper ...

I don't think the techniques and technology have become quite refined enough for this to be widely deployed, at most people are simply experimenting with the idea. But people are taking this seriously because it represents quite an attack vector once things fall into place. The thing is we won't know when we've reached that threshold until the first news stories about a widespread phishing scam using the technique emerge.

It seems VoIP will be the first low-hanging fruit: https://arxiv.org/pdf/1609.09359.pdf

Google Voice for 2FA. Some companies still have issues with Google Voice SMS (Paypal, I'm looking at you), but it is preferable.
> Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities.

Huh, this reminds me that a major US bank verifies people on the phone by asking them to log on to online banking.

I love the convenience, but it's never crossed my mind that it was a huge vulnerability waiting to happen.

It will take a series of high profile hacking incidents to finally wake the public up to the need to develop mitigations. We won't see the problem until it's widespread.
I don't think that method is very reliable for pulling credentials.

Google is one example of companies that asks its GSUITE admins to login to confirm support ticket codes.

A password manager makes this attack vector useless. The sound of my typing my password on any site is the keyboard shortcut to activate it, my finger silently passing Touch ID, and the "enter" key.
You just need to mute the call before authenticating.
VoIP has not been worth the billions in thefts that it has enabled via easy call id spoofing. I would happily give up VoIP to have restored trust in the telephone network. But unfortunately that is not where our captured regulators are heading.
That's interesting, I come to the exact opposite conclusion (I am admittedly not a telephone network expert, maybe I am missing some important things).

But I don't see why having voice conversations over the internet is the issue. The issue is these systems keeping compatibility with old telephone networks which prevents solving these problems. If we dropped that compatibility requirement we could require a certificate authority and be able to verify callers and use end-to-end encryption, just like with https.

Or maybe better would be a compromise where all these systems can still fall back to unencrypted/unsigned connections, but on any modern phone or cell phone it would show a big insecure warning like modern browsers do for http.

> Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.

Whoa, a double-tap attack

But how...

Isn't bank cards designed to be non-cloneable (with crypto chips)?

An anti nuisance call policy that has served me well and I try to get my folks to adopt is that if there is the merest hint of a delay between my hello and the caller's response, I put the phone down immediately.

I don't think I've ever had an identifiable repeat call, from which I conclude it's both effective and has a low false positive rate.

I take this a step further and don't say anything for the first few seconds if I pick up a call from a number I don't recognize. I used to not pick up those calls at all, but now that spam callers are using local area code caller IDs more and more, that is getting more difficult.
"He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity."

If, in retrospect, you feel someone was attempting to scam you, a better option - I hope - might be to contact the bank's fraud line, explain that you are suspicious, and have them look for suspicious activity.

Mitch was satisfied thinking that the bank was already looking into it, since the attacker pretending to be the bank didn’t ask for any details /raise any flags.
For the point I am making, it does not really matter what Mich was thinking, but his behaviour over the weekend suggests that he was not entirely comfortable with the outcome. What do you suppose he was checking for? I would guess that he did not need to see his balance more than once.

He says that his suspicions were tweaked, near the end of the call, by the scammer giving an old address for him, and apparently his girlfriend was a good deal more suspicious: "Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”

On first read, I didn't understand how the call to the bank's customer service department went wrong.

Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.

“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”

What happened is that the attackers made one call to Mitch, and another call to the bank posing as Mitch. When Mitch called the real bank to check up if there was a call in progress, they said yes (the call with the attackers).

I don’t know if I’m just really tired or if the post was just badly written, but I’ll go with the latter since you were confused too.

My understanding is this happened:

1. Attacker got a hold of Mitch’s bank card, PIN, and some personal details.

2. Attacker starts pulling out money and buying things here and there to see if Mitch ever notices.

Mitch never notices so...

3. Attacker calls Mitch on Friday and pretends to be Mitch’s bank. Attacker doesn’t ask for any details, just alerts Mitch that something was going on with his account to get him to think the bank was looking into it.

4. Attacker calls Mitch’s bank and also Mitch at the same time the next day.

5. Attacker asks the bank to send the SMS verification code to Mitch.

6. Mitch gets the code and reads it back to the Attacker.

7. Attacker repeats code to the bank.

Especially with deepfake voices. That CEO instructing you to move cash right now might now because of an emergency...
At this point, we should really throw away the current phone system and use an authenticated model. There should also be laws forcing the phone companies to not allow this. I get at least 2 spam/scam calls a day and there is no hope that it will reduce.
Actually, there is a (small) bit of hope: SHAKEN/STIR [0]!

> STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.

> ...

> As of 2019, SHAKEN/STIR is a major ongoing effort in the United States, which is suffering an "epidemic" of robocalls. The Federal Communications Commission is requiring use of the protocols by June 2021.

---

[0]: https://en.wikipedia.org/wiki/STIR/SHAKEN

Tips from my experience:

1. If someone who calls you asks you for ANY sensitive personal info, just tell them that your policy is to not give any personal info to those who called you, but you’re happy to call the official number. That stops it right there

2. Use email aliases instead of your actual email when creating accounts with eg Amazon Web Services. An email alias is like me+somethinghere@gmail.com — this way the attacker can’t get the customer service rep to give them access to your account easily.

3. If you use your phone as a 2FA, be on the lookout for sim porting - that’s when they trick the rep into porting your phone number.

I had the third one happen, luckily I acted fast. The attackers couldn’t get into my G Suite email but they got into godaddy to port the domain and MX records to their servers. So they could receive email sent to me, and send email as me. They also changed my GoDaddy password. I had my phone as the 2FA at the time. Better to not have one at all, or use an authenticator app.

I called in and luckily GoDaddy restored my account. Too bad they had no tool to check what changed so I had to check every domain manually.

The attacker was too slow in that regard. But it was telling that I received an email with the subject “Test”. That’s what tipped me off.

TL;DR: Always hang up, look up, and call back.