> But he said he still feels like a chump for not observing the golden rule: If someone calls saying they’re from your bank, just hang up and call them back — ideally using a phone number that came from the bank’s Web site or from the back of your payment card. As it happened, Mitch only followed half of that advice.
Banks could normalize this behavior by having their customer service reps ask customers to do this at the beginning of every call.
"Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
That can still be gamed by any malicious SEO wizard. People will trust the top Google hit for "bank of america phone number" before they bother with finding it on the website.
But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.
> But numbers can change (lapses of mergers), is website would be best as card info can become stale over time —and enterprising outfits could scoop up that number.
How long are bank cards valid? I'd say they expire within 5 years? Also, if there is a merger, wouldn't they send you a new card with updated branding?
They could, but I just tried calling the numbers on the back of two cards from merged/acquired banks and they both forwarded to the acquiring bank. Yes it's a small sample size, but I suspect that there's enough money on the line and enough legacy contracts and systems that banks keep their communication channels active for some time.
Credit cards typically expire after some number of years, and mergers will typically include those phone numbers. If for some reason the acquiring company decides it wants to sunset its acquired phone numbers, it just needs to do so after the expiration date for the last card issued with that number still printed.
Suspicious activity. Suddenly using your card in the UK, when you're in the US. "Swipes" several hundred miles from your normal location, but also occurring in your normal location on the same day.
Ah, I never use my real card on the net, maybe that's why. I used to get a virtual card unique for every purchase but that has been discontinued now. Got a separate card for online usage that I only put money on when I want to buy something. Also needs to be opened up for Internet usage and many places require an electronic signature with the bank id app. Hoping this will be mandatory soon.
Should be solvable by making sure there's an easy, reliable, uniform way to get this info within the call.
> "Hello. Please find the callback number on boa.com/contact. Please enter code XYZ to be connected directly to the agent regarding this matter. Thank you & goodbye."
It's not perfect & you'll still have some percentage of fraud that goes through, but I'd be interested to see the impact this has on fraud rates.
* EDIT: Callback number via the card as the other commentor noted probably works too.
I wouldn't call it worse. Google maps entries seem to receive less scrutiny than search results, but I also suspect that nobody use as a phonebook. Most people would use google search, or the back of their card.
How is a random fraudster going to suddenly get the top Google result for "Bank of America phone number"?
I'm sure it's possible, but it strikes me as a pretty large hurdle. And even if they manage to pull it off, they also need no one from the bank to notice and report it.
One gets a call from the bank, they give you a number to ring, you type the number in to Google search, the results come back listing that number and the bank's name -- identity confirmed!?!
The fraudsters just need _a_ website listed by Google.
My insurer called me out of the blue: I said I'd call back. Their number was not listed on any of the companies websites. I called the company, and said what has happened, took them about 10 minutes to confirm they'd called me and that the phone number I was called on was valid.
As it happened someone was trying to commit insurance fraud, saying we'd crashed in to them; but that's by-the-by (ie not relevant to the main story).
You don't need your site to be #1, especially if you can manipulate one that is already high-ranking-- just astroturf GetHuman with fraudulent numbers.
But I admit-- having just done a search for every institution I could think of, it seems Google AMP has done a lot to promote legitimate numbers. It used to be sites like GetHuman competing with or outranking the actual company website for contact information.
I wish the regulators for financial institutions would mandate this. One of the reasons I left, years ago, the much-beloved-for-reasons-I-do-not-understand Pacific Northwest darling credit union BECU is because I got griped at by their customer service rep who called me to ostensibly tell me about fraud on my credit card. When the rep asked me "identity verification" questions, they got most upset when I replied that they should have this information and how do I know I'm actually talking to BECU.
"Sir, I'm just trying to help prevent fraud on your account and I need to know that it's actually you who answered the phone."
(Yes, there legitimately was fraud but I had no way to know it at the time. I closed the account about a month later after another issue.)
I got a credit card fraud alert sms text once that asked me to call a number that was different than the phone number on my credit card. I called the card number instead and the alert was legit but they still should have used an easily verified phone number.
Hospitals are even worse. They would periodically call me with random information about appointments or prescriptions and whatnot and would always start off by asking me my birth date and PII to identify myself to them! They're the ones calling me!
I told them as much and after a few years they finally started sending me secure emails asking me to call them. Certainly I wouldn't trust "call back at..." messages claiming to be from a medical provider, even though they're indistinguishable from the real thing because that's the same thing the doctor's office does. It's bizarre considering how security conscious they have to be.
I recently missed a bill due to an error on behalf of my utility company. It ended up at a debt collector, who when calling me insisted i share my date of birth, address and full name before they'd tell me what the call was regarding. I refused, they got mad and acted as if I was trying to avoid paying the bill. I assumed the call was fraud.
I found it was in fact not fraud when my credit monitoring service informed me that someone reported I refused to pay a bill. One call to the utility company later, it was resolved...unfortunately i'm still trying to fix the credit report.
If anyone else runs into this, I've heard that you can say you'll pay only if they remove their claim from your credit report. Suposedly it's not legal for them to offer (I guess extorsion), but as far as I know, it's legal for you to ask.
It sounds like that option has passed for the parent comment, but you did just try disputing it right? Force them to come up with the proof.
Presently in dispute, no outcome yet. I didn’t actually know it was going to hit my record as i paid through the service provider and no one threatened that. As someone that’s never not paid a bill, i guess i just needed to learn this lesson.
Did they mail you anything in writing? Not that a letter is worth anything by itself, but if it's asking you for a debt you recognise and asks to call a number that does indeed map back to a debt collection agency (on Google, etc) it's probably legit.
I am not sure whether it's even legal for them to mark you as refusing to pay without making a formal payment demand by mail.
A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
Most seniors I know have a mobile phone. How else would they be able to show off pictures of their grandkids? Also, that's how hearing aids work these days.
In the UK landlines almost always start with 01 or 02 so it's easy to identify who is using a landline. You can also go through the phone book (which only lists landlines) looking for "elderly" names. People who don't bother / know how to opt out of the phone book are probably easier targets as well.
It only works in the UK where the phone call only ends after both sides hang up. The idea is you can hang up go to a different room and resume the conversation. The results are this fraud is possible.
In Sweden both sides had to hang up, not sure how it is now. My mother used it for kids prank calling. She just left it open until the parents came home and wanted to call, then she explained that their kid had been prank calling us.
Definitely used to be the case in Canada. The caller had to hang up: if the receiver hung up it took a (something like 20 second) timeout before the call would terminate. We did used to use that to move to another extension in our house.
Note to kids: we used to have our phones anchored to the wall with these coiled ropes so you couldn't walk away with them To counter that, we had multiple phones in various rooms of the house. They also made the phones so big the wouldn't fit in your pocket as another way to prevent stealing them. They didn't have screens because the vacuum tubes drew too much current and they would get too hot when pressed to your ear.
The United Kingdom phone system has what is called "far-end supervision" where the circuit-switched landline system will only disconnect the call from the receiving caller if the phone where the call originated hangs up.
This trick only works if the receiving caller is on a landline. It will not work on mobile phones.
Only some phone systems in the western part of the US had far-end supervision, so far as I am aware. (This is why movies and TV shows from in and around Hollywood show conversations where the caller hangs up and the callee hears a dial-tone. The phone systems in most of California had only far-end supervision. Tom Scott has a good video on this[0].)
Most of the US uses either near-end, where the recipient hanging up will end the call, or both-end supervision, on POTS/landline systems.
0 - https://www.youtube.com/watch?v=bUIiUXvnkUQ - This video was filmed at the excellent Museum of Telecommunications in Seattle, located in a CenturyLink switching office. When travel is available again, I encourage all phone geeks to come here and check it out.
It should disconnect eventually. And the timeframe for "eventually" has been changed in recent years.
Originally there was a grace period because of pulse dialling. Each "pulse" is actually a hangup - so the system had to tolerate that hangup != disconnect. But the grace period was far too long, and eventually end-users adopted it as a feature - if you wanted to take this on your bedroom phone instead of your hallway phone, you could hang up the phone, go up stairs, and pick up the bedroom phone.
So now we have two problems. One is that the bug has been adopted as a feature. The other is that precisely because of 999/e911 systems, the phone system is incredibly backwards compatible. Most exchanges still support pulse-dialling - it's never dropped intentionally (some exchanges don't, because they're too modernized. But it's not a conscious "lets turn this off now" thing.)
There has been a move in recent years to reduce the grace period, precisely because of this abuse. But until it's dropped short enough to be a non-issue, my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). It is a paid service, but I don't like bothering the operator for such things. But if you call 123, and reach your bank, you know summat's up.
> my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). [...] But if you call 123, and reach your bank, you know summat's up.
No no no no no.
Hang up and use another phone. End of. Any advice that you call another number first or whatnot is bad advice. If such advice got widespread, what would scammers do?
Obviously, they would have a DTMF decoder on the other end and they would patch the call through to the number you called. These are sophisticated people who send fake security officers to people's houses to "pick up the compromised card". Call forwarding is trivial.
Good that the UK is moving away from this "feature".
(I still remember that to take a call on another phone, you could just leave the receiver up on the phone you too the call on, provided you're not too lazy to hang it up later).
Not both parties, the caller. And there's a timeout which these days is set to about 2 seconds. Here's the BT Openreach (the last mile provider and thus de facto the supplier of landline telephone service to almost all of the UK) write-up for when it was reduced to 10 seconds in 2014.
A trick I learned to deal with this very thing was just to attempt to call the local time/weather number after getting my dial tone back.
That said, with far-side supervision, I suspect that the call would actually time out after something like 20-30 seconds of either party hanging up. I'd just make it a habit to go put the kettle on and make some tea before placing another call.
If the call doesn't time out, well, it's time to ask BT some hard questions as to why they're allowing that sort of nuisance on their telephone network. AT&T managed to get rid of it here just fine.
> A favourite trick in the UK is for scammers to stay on the line when you hang up, and play simulated noises for a dial tone and connection, then pretend to be your bank when you call the number on your card.
Sure, but that only works for landlines. Is this still a common thing in the UK?
Most broadband "landlines" are not a real BT landline but instead one simulated by your broadband router (it's SIP on the other end). With SIP, once either you hang up or the other side hangs up the session is terminated and there is no way to recover it.
As far as I'm aware BT still have normal landlines to most areas - the phones are separate from the router, they don't go through it first and even support old pulse dial phones.
Just yesterday there was an article on HN about a guy who was called by someone from the NSA who gave him detailed instructions on how to get back to him through publically availible information like 411
What about if that puts you into an hour long phone queue where the person who you eventually get through to has trouble helping you with what the initial call was about?
> "Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
This would be great as long as your call back was recognized and immediately routed to the right person instead of being placed on infinite hold, as is usually the case when you call a bank's or credit card company's number.
>as long as your call back was recognized and immediately routed to the right person
It would be great if more companies had this functionality. It would also be useful in the situations where you get disconnected while talking with someone.
Basically, I'd prefer if pbxes used by these companies providing support did the equivalent of storing short-term 'cookies' that remember you had just called rather than requiring remembering and reentering 'share urls'.
> It would also be useful in the situations where you get disconnected while talking with someone.
Most call centres want you off the phone as soon as possible, regardless of whether the problem is solved or not. Making it easy for you to call them isn't in their best interests.
Good idea. Plus, they could trivially implement this, no? The main phone number's first prompt could be, "If you were told to call this number, please enter the 8-digit code you were given at the prompt."
Yes, going to exactly the same person is not always required (depends on how good their customer notes are--in my experience there's quite a bit of variability there).
Going to the right department immediately instead of being placed on infinite hold like someone who just randomly called in is required for something like this to work.
I've had this happen. When the fraud department for my credit card company called and I said I wanted to call them back to verify, they gave me a code to enter after I called to go straight back to the agent. It was great.
I recall the same happening. Capital One, I believe.
I really, really thought it was fraud at first until they basically said "yep, go for it, use the number on the back of your card then give us this code".
This is especially important now: I just had a credit card company send me a query about a fraud alert. After confirming that it was fraudulent, it tells me to call the 800 number but that now says that you should use the website for anything which isn't COVID-19 related due to very high call volume.
It's just a matter of the company prioritizing that feature. If they think that improved handling of identity fraud will save them money, they will prioritize it.
Used to be the case with certain CC companies that after they put a note/status in my account, any call I made to the main line would immediately route me to their security/fraud department once I entered my abbreviated auth details (last 4 of card# + zip or somesuch).
When the police called me they did exactly this but added their extension. This way I could verify that the number belongs to my local police department but still called his number directly.
For CSR, they could use one time extensions so that the service rep doesn't get spammed at later times.
A few years ago I got a call from Revenue Canada and around the same time it was extremely popular for scammers to pose as Revenue Canada agents. So immediately I just assumed it was a scam and got extremely annoyed and angry at the person... turns out it was a real Revenue Canada agent and I had somehow forgot to submit my taxes a few years back...
Ha ha same here but I got a call from an FBI agent. I had lost money to someone and 2-3 years later he got caught in some other sting and they wanted me to be another witness since they found my name in his books. For me somehow the connection clicked as soon as the agent mentioned the name of the company (but not when he said I am calling from the FBI). I even got login to I think an FBI website to keep updated on the status. Unfortunately after communication every few months, they decided to not pursue the case, after maybe 2-3 years of elapsed time.
For people that can't afford a new phone every year with a contract. You can buy cheap button-phones and get a phone card that cost you money every time you call but is free while you don't call.
That would be preferable. I had a call from my bank once that went like this.
> CS: Hello, this is X from Y Bank. Is this Z?
> ME: Yes, this is Z.
> CS: Z, can you confirm your last 4 digits of your social security number so I can confirm who I am speaking to?
> ME: Uh... How do I know you're the bank? I can't just tell any person who calls that information.
> CS: Z, we are from your bank, Y Bank. Please provide the last 4 digits of your social.
> ME: There has to be another way to do this, right?
> CS: Please hold... (puts me on hold for 30 seconds)
> CS: Hi Z, I'm back. Can you look up our phone number on Google and give us a call back and ask for me by name, X?
> ME: Sounds good.
It was them. I got quickly reconnected to the same woman. I'm still concerned that the norm should be something closer to what you commented, even if it adds friction and will probably result in lazier people not calling back for something important. It's better to normalize this than allow for the alternative, which is to normalize people telling random strangers their sensitive, personal information.
Any time this topic comes up, I immediately worry about my parents and grandparents falling for this sort of thing if real scammers are out there trying. I realize the last four digits of my social security number are not as great as the whole thing, but as far as I know, it's enough to be dangerous.
In Sweden the whole personal number is public information. Anyone can just call the tax department and get it without any questions asked. Still some use it as proof that you are you...
Used to offer this when working on fraud in <a Big Corp>, but have to give them my name so main number switchboard can route call. Very few people did, but those that did appreciated it. Only costs you a few minutes while they find the old time printed phone book, look up <a Big Corp> and call back.
Or, you know, send a letter or e-mail. Not that e-mails are secure per definition, but services like gmail spend a lot of time and effort on detecting and blocking spam and scams.
Why not use reverse verbal passwords (i.e. have the bank give you a secret phrase)? That should eliminate a large amount of issues without the need for a call back.
Side lessons seems to be that scammers have access to a lot of your personal info, which can fool you, and that you should never ever give an OTP over the phone.
This should also be a lesson about having $9k in an account tied to a debit card and not following up on suspicious transactions. If the thieves had done an ATM balance check and seen a combined balance of a number of hundreds of dollars that could be counted on one hand they likely would have settled for withdrawing that and wouldn't have bothered hitting Mitch with the advanced scam to gain the bank info needed for a wire transfer. If Mitch had noticed the test withdrawals he could have called his bank and stopped the fraud there.
For how often you need that kind of cash readily accessible it's simply not worth the risk for the overwhelming majority of people.
This was a really sophisticated attack and fooled even a security conscious person but defense in depth (not having the big bucks accessible from your general use card and/or following up on unknown transactions) would have stymied it. With a good security protocol breaking one rule (not hanging up and calling back) shouldn't screw you.
I just had this experience from pnc bank. I don’t even bank with them, but a member of my household does.
The incoming message was automated, asking for (person who lives here) with a visa debit card that has fraudulent transactions. The caller id was a number not listed on the back of the card.
Pressing “1” puts you into the next phase, which asks you to “verify” your identity by - guess what - typing in your full 16 digit debit card number!
At this point I am convinced this is a scam. You google the phone number and you see tons of links saying it’s a scam.
The person calls their regular number on the back of her card and they claim no fraudulent activity.
A few days later I still get these calls so I decide to investigate. Pressing zero a bunch and asking for an agent finally gets me to a live individual. He claims they’re from pnc and they are a different section not connected to the “main” number. He’s able to recite details about the account that only pnc would know, so now I’m not sure.
I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)
I did get a response - good! But they didn’t actually change the site ... so I suppose in this case anyone who receives notification of fraud on their pnc debit card should email abuse@pnc.com to validate the calls are legitimate?
> I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)
Note that faking the number you are calling from is fairly trivial, so do not trust the callerid as proof of identity.
> He’s able to recite details about the account that only pnc would know, so now I’m not sure.
That's the creepy part. There is so much of our info available on the darkweb that even engaging with scammers potentially verifies it and makes it more valuable, although it is unlikley a purchaser of a phishing database is going to provide feedback to the point of origin, they may feed it forward if they resell and augmented dbase. [For example, if someone buys 1,000,000 phone numbers, and that person finds 250,000 are bogus, they can sell the "cleaned" database again claiming it's been slightly sanitized. DefCon has taught me to fear the world.]
My company expense card is from pnc. I’ve had many bad experiences with it that make them seem very unprofessional and not competent technically. First time I needed to update my pin to use the card and their databases were down...
But yeah their fraud detection is lacking and reporting it was a pain, and they are slow to resolve anything. They did not detect the fraud at all.
Banks do this themselves too I think. I seem to have the recent memory where I called Chase, then they called me back. For the life of me I can't remember what I as calling about though
> he quickly logged into his account and saw that there were indeed multiple unauthorized transactions going back several weeks. Most were relatively small charges — under $100 apiece — but there were also two very recent $800 ATM withdrawals from cash machines
How is it possible for someone not to check his/her bank account all this time? There were unknown transactions for several weeks and no one noticed?
IMHO not having alerts for your cards/accounts and not noticing strange transactions is a bigger security risk than trusting the telephone number calling you.
I fully agree that we should call back on the official number for any banking issues and don’t blindly trust whoever is pretending to be from the bank.
Count me in. Text alerts on all financial institutions to a google voice # and monthly reconciles of all acounts plus weekly investment checks.
I have had two fraudulent CC charges in 25+ years, and they both were reversed immediately so I'm not worried about that. More worried about my credit union so I keep as little in there as possible. (Interest rates are a joke so it doesn't matter.)
This also applies to offline solicitation. Someone came to my door and asked me to sign on to switching my gas supplier. He said it is a supply chain change and will not affect anything beyond I getting a smaller monthly bill, still coming from PG&E. I told him that it sounds wonderful but this is the first I'm hearing of such a thing and I need to research online what it is about before signing anything. He said he has all the details in his paper folder and I can read it. I insisted on doing my own research. He said the deal is off once he leaves and it is my last chance. I told him, "so be it, such is life".
Did a quick Google search the next day and figured the process is legit but people out there have gotten higher bills than before.
Moral is to fight the human-interaction pressures and be adamant on doing your own research. No shame in that.
My standard response to that sort of thing is, "Sorry, but my personal policy is to not make any decision without sleeping on it first." That usually gets them right to the "deal is off" phase quickly, since there's really no good rebuttal for that. Or they leave their materials. Either way, they leave me alone.
Obviously this isn't legal advice, but it's what defense lawyer friends have suggested if it ever comes up.
I think that popular video about "never talk to cops" mentions something like it too?
I assume if they don't wait, it helps your court case. They could always go with the "probable cause" argument, but again this can help your case if you can prove they didn't have actual cause.
Your threat model is imaginary, if they are robbers posing as cops, they wouldn't knock and wait patiently, they'd just serve you a fake "no knock warrant" (kick open your door and bust in with flash bang grenades).
I'm sorry, this comment is not necessarily a reply to you directly but to the thread in general--are we talking about the real world or some fictional TV show? Genuine question, is this something a "normal" HN reader should be worried about? Is there any evidence of such incidents happening ("kick open your door and bust in with flash bang grenades")?
My understanding is a valid warrant (which as someone else mentioned does not have to be a physical piece of paper) grants them immediate access and they don't have to wait to verify. If you don't open the door, it will be opened for you by battering ram - demanding you open it is more of a courtesy.
Think about it: say someone has a bunch of drugs, you wouldn't want to give them time to start flushing it down the toilet while they call up and verify the warrant is valid. You kick the door in, arrest them, and secure the scene for forensics and evidence collection.
I assumed something along those lines, but I think they have to knock unless there's a no-knock warrant? I just don't expect they'll be amused if you tell them to hang on for a few minutes while you "verify" the warrant.
There's a lot that go wrong with this approach, and the upside is pretty obviously dwarfed by the (small to minuscule, depending on many many factors) chance of getting murdered while puffing about your rights. Whose front door has a gap underneath it, anyway?
Assuming they knock and announce they have a warrant as opposed to knocking the door down, you open the door and they start coming in immediately. You can read the warrant, they'll likely shove it in your face. You should be on the phone to an attorney or the local bar association before the last officer in past the threshold, anyway.
I'm pretty shocked an attorney would suggest doing something that can very likely be construed as stalling for time when tensions are likely pretty high.
You're aware that -- regardless of what you might have seen on TV or the movies -- they don't actually have to present a physical warrant, right?
Nor do they have to allow you time to call a "watch commander to verify it".
What is likely, however, is that you're gonna be shopping for a new front door if you don't open up by about the second knock -- if they give you that long.
The only people who come to my door are gas people saying that they're going to be turning it off for a period/back on, window washers coming to clean the windows they can't reach from the outside, and similar things. I do want what they offer, because it's useful/important.
He also lives in the US, where current laws and general social norms and expectations means there's a much higher perceived/actual risk to opening your front door to a random stranger, so it's less surprising to hear this..
This problem, at least at that level of magnitude, does not exist in other parts of the world.
Have you ever lived in the US? You're statement is probably only somewhat valid in the worst neighborhoods. People don't shoot you in the face when you open the door...
People come to the door in my neighborhood for only a few reasons:
- to sell me on religion
- to solicit money for some kind of commercial service, charity, non-profit fundraiser
- to sign me up for political stuff
And they do this several times a week (pre-COVID). So I never open the door to surprise strangers. It's not paranoia; it's just preventing the waste of my time and emotional energy. I'm not interested in worshipping a sky demon. It's not incumbent on me to figure out whether the service is legit, rent-seeking grift on top of a legit service, or a total scam. I don't have to figure out how to gently turn them down just to keep junk food out of the house.
I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.
I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind.
What? What if it's a neighbour you haven't met asking you over for a bbq? Or somebody who noticed your garage door was swinging open and wanted you to know they'd closed it?
Or OMG what if somebody needs a boost because their car battery is dead? Oh man, I couldn't bear it if I became that guy who didn't give someone a boost.
That was with the pretext of it being a person standing at your front door with a clipboard--if such a person did not also have a badge and a gun, GP wouldn't open the door.
I hope you'll consider changing your media diet, because your current selection is filling you with irrational racist fear. That's not how the real world is. Consider lolc's comment below:
"I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.
I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind."
I think your comment might have had a useful alternative perspective if it could have been made without calling the parent racist and irrational. ISTM difficult to change someone's mind while disparaging their reason and character.
With all the news I keep hearing from the US, I can't say I blame you. It's sad, though. I want to live in a society where people can knock on each other's door, and open the door trusting it's a legitimate friendly talk or person in need, and not a threat or someone looking to take advantage of me.
If you don't have a badge and a gun, I'm not opening the door for any reason.
Then when your irrigation system has sprung a leak and is spewing water all over the side of my house, I'm going to go to the valve on the sidewalk in front of your house and turn off the water to your house while your family is trying to shower and make breakfast.
That's exactly what happened when my neighbor refused to answer his door one morning at 6am.
Yep. They're metal lids labeled "water" that you lift up and inside there is a valve that can be turned. They're very common in most cities in which I've lived.
There's usually an internal and an external shutoff valve. Inside is easier when you're working on things inside, but the water company may need to turn off your water, and they can't depend on being able to get inside. So valve on the sidewalk (or in the lawn as the case may be).
What do guns have to do with anything? Why would a badge alone not be enough? Why are you trying to sound so epic? What are you trying to prove? Are you the type of person who brings assault rifles to a protest to make some sort of cowboy-style point?
I totally get not wanting to talk to people who are trying to sell you something, but if you are such a bad ass, living in your wild west world, why don't you try bringing up the courage to just tell someone at your door that you won't buy anything from them? Seems easy enough to me.
Yep, I have a standing rule that I don't buy anything marketed by someone standing at my front door (I will make an exception for Girl Scout cookies). Someone at your front door is interrupting you, and creating a power imbalance leveraging long standing cultural norms that you invite people in and are courteous. That may apply to neighbors and friends, but not to salespeople.
True on cultural norms. Myself I have found myself being rude and when I answer the door, I point at the "No Soliciting" sign directly below the door bell and keep repeating "No Thank You" until they leave or I decide to close the door if they persist.
This is exactly the reason why there are specific limitations on so called "Haustürgeschäfte" (sales made on the perch of your own home) in German and European law. For example you get a reasonable time period to rethink those sales without any charges.
Yes exactly (I've lived in Germany). And where I live now in southern California, thank goodness, it's actually against the law to "solicit door to door" (I think that's how the law is written).
Before I lived "here", every weekend, guaranteed, at least 4-5 knocks on the door on Saturday & Sunday afternoon (combined). Trying to sell me something that I didn't need, didn't want, and often it felt like a scam.
A good more general rule is not ever to buy anything from anyone who has initiated the first contact. Not sure that's going to be an entirely popular thought on a forum of entrepreneurs who live and die by their marketing to an extent, but from a recipient's point of view I do advocate it.
On the flip side, it’s far easier to sell to someone that comes to you. In fact, many businesses do just that and don’t even bother with cold sales. This is trivially true in the case of stores but also marketing companies, SaaS offerings. And really it’s better that way. It’s not unsolicited, both have mutual interest and the buyer clearly sees value enough to talk to somebody on the expectation it’ll cost.
This works extremely well as a tourist too. If someone is walking up and offering something to me that is almost always a no. Scams frequently depend on seeking out targets.
Indeed. I always think to myself: if it’s worth coming to my door or cold-calling me there must be a pretty margin. And then they claim it’ll be so much cheaper than my well-researched current contract. Yeah, right.
The only thing that will sometimes peak my interest enough to listen to the pitch, is if they offer non-monetary upside.
I remember my dad telling me about a farmer he knew, who said to him once, (pointing at his lane), "Any time Jim, I see a f*er driving in that road I know he's not doing it for my benefit"
Last time I just opened the door and spoke first: "Sorry I don't have time to talk to strangers right now" and closed the door before he could say one word.
I'm thinking of preparing an mp3 of a chaotic household (think 10 kids screaming and fighting) for improved effect in the future.
this is absolutely true and any product or service that requires sending people to knock on doors in order to sell it is by definition not worth buying, because if it were, they'd sell plenty using regular advertising. anyone that comes to my house to sell something is automatically a scam in my perspective and it is usually those fake electric company / gas people, though sometimes someone offering to redo my driveway.
I outright reject anyone trying to sell me a subscription model at the door - a lot of charities do that, and their sales talk nowadays includes that I can cancel at any time.
But the caveat there is that if I were to do a one-time donation, they would still have my information and the permission to receive mail on file.
Charities are marketing companies; they collect money and advertising permission, and give you direct mailed marketing in return.
Exact same experience about a year ago, I also passed up the deal and ultimately concluded later that it was legit. I then emailed PG&E telling them that whoever is doing this is training people to trust a random, pushy person at the door who shows nothing other than a badge and iPad full of content.
There seems to be a huge margin on those things, which bring all kinds of sleazy tactics for third party marketing companies.
I had a call from a guy claiming to be from PECO (my power co) with a good deal to switch off of PECO. Indeed we do have alternate generation supplier options, but this smelled. So I asked him several times if he worked for them and he insisted. Finally i agreed and he wanted to route me to a neutral, recorded line, agreement gathering company, but he said it would identify as "xyz energy". Whoops, deal's off, fat liar.
If someone knocks on my door and I haven't invited them over I don't even consider answering it. It doesn't matter to me what sort of uniform they are wearing. The same goes phone calls. I don't understand the obligation people feel to engage in unsolicited meetings and conversations.
> I don't understand the obligation people feel to engage in unsolicited meetings and conversations.
If they get you on the line, you're going to fight against a professional liar on an uphill territory made of cultural norms and basic politeness. Turns out disengaging from a conversation isn't easy. But how do they get you on the line in the first place?
Like anyone, you probably have frequent periods of time when you have a lot of errands in progress. Maybe you've ordered a bunch of things on-line, booked a trip, just sent documents to your accountant, and posted your car for sale. Any of these can face roadblocks that generate a phone call. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.
For the bad actors (marketers), it's a numbers game. Personally, I also don't take calls from numbers I don't know... except whenever I run any kind of errand remotely, which is when they usually manage to catch me (only for me to wait until they tell me what they want, at which point I hang up).
I do this to some extent. Usually if they get me on the line, I have them wait, then come back after a few minutes, then have them wait, pretend I can't hear them well, pretend I don't understand their questions, etc. It's a bit of a burden, but kind of fun. But really my reasoning is that if they weren't on the phone with me, someone who won't fall for their scam, they would be on the phone with someone more likely to fall for their scam, so better me waste some of my time and have a little fun than the next person losing a bunch of money to a scam.
If you answer the call at all you will be put on the "Answers calls" list and sold to the next company. It's a way of cleaning calling lists from dead numbers.
>. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.
I haven't picked up an unsolicited phone call or answered the door in 25 years and I never had a problem with it.
I second this. If I’m not expecting it then I don’t bother. If something is important then they'll call a second time and leave a voicemail or come knocking again but that has rarely happened.
Because a world in which people are unwilling to answer their doors is depressing, and answering the door is only going to cost you like 30 seconds of your time.
I get what you're saying, but I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.
I've been in situations when I don't have access to my cell phone and I need help from friends, so I call from a stranger's cellphone. I never get an answer. I have to text them from the stranger's phone (and see their text messages), wait for them to see the message, then accept the call. It's incredibly frustrating.
One problem here is that by answering at all, you're confirming your phone number as one with a real live person on the end. They track this and will keep calling. Anecdotally I noticed after I stopped picking up, the number of calls I was getting decreased.
I like to pick up and immediately hit mute. If they say something, maybe I reply, but typically the spam callers just hang up after a few seconds. I read somewhere that picking up but not saying anything can take you off the rotation or something
I've done the same for a span of a couple months--immediate mute, no interaction. It didn't seem to make a difference one way or other other though with regard to call frequency.
It's just a machine calling. If you pick up and make a sound, you will be immediatelly connected to a person. If no person is available it will just drop the call and call again later. Only way is to not answer.
> ... I get irate at people who don't answer calls from unknown numbers. Spam or soliciting? Hang up and block caller. It doesn't take more than 5 seconds.
I'd like for you to spend a day at my grandmother's house.
She's had the same landline number for probably 50 years and gets - no kidding -- probably 20 of these calls a day. It may not "take more than 5 seconds" but it gets real f'in' annoying real f'in' quick.
She now only answers calls from numbers she recognizes. She will pick up if you yell at her on the answering machine, though!
Also, as of iOS 13 (or whenever it was they introduced the feature), I am -- thankfully -- no longer even aware of calls or text messages from numbers that aren't in my contacts until I pick up my phone and look. My phone doesn't beep, ring, or ding if I receive a call or text from an "unknown number" -- and I could not be happier about that!
Doesn't Google have an automatic call screening thing? Maybe it was related to Voice and/or a pilot program they cancelled. But I'd expect people around here to know about it.
Thanks for sharing. Questionable whether it's legit since they're apparently making false verbal promises of a lower bill. Hard to prove, yes. It's not right just because a corporation does it.
Just an FYI, my town (in Pennsylvania) passed an anti-peddling / door-to-door sales ordinance to get these high pressure utility sales guys off our streets. You might want to talk to your city council about doing the same.
At this point we can call the cops on them and the cops can issue a citation. I haven't seen them since the ordinance was passed.
My town (in New Jersey) has a similar law. We have a list at town hall. You can ask to be put on the list. Salesman must not go to your door if you are on the list. Only problem is that charities and politicians are exempt from the requirement.
My policy is before any time sensitive decision is to determine if it is manufactured time sensitivity, that is the company created the time sensitivity. I refuse to act on things that are only time sensitive because someone else decided it should be. Those are traps.
We would only put up our Christmas tree on Christmas Eve when I was growing up, and it was ever so stressful watching my father haggle on the tree lot.
That is an excellent example. Who really has the upper hand? Depends on how close the competition is, I guess. And how close the competition is to their competitors..
Tree guy, you can have Christmas without a tree. I hate Christmas trees. They take up space I don't (didn't; I have more space now) have, and spread needles everywhere. And I'm Christian, so I'm not that big on the pagan symbols anyway.
This is why I've done my damnedest to avoid jobs that require additional on-call time. It invites abuse where everything has to be a crisis. I worked in e-commerce ONCE. Grandma can't buy shoes at 2am because part of the site isn't working? This is not an urgent situation.
Unless it's the Joint Chiefs calling me up from the war room to stop a meteor from destroying the planet, I'd rather go back to sleep. Even then I still might: they can fire me in the morning if there is one.
"Exploding offers" (the deal is off when he leaves) and other hard-sell tactics are big red flags in general, IMO. If I get a whiff of hard-sell it's an automatic and unconditional "no."
I've been working on this over the years, since I noticed a tendency to just go along to make the uncomfortable situation go away. Just having a mental flag helps a lot: "this is probably BS, don't agree to anything."
I would tell them to fuck off and go back to sales school - these tactics don't work in today's day and age, they worked when information was opaque, you got the world's information at your fingertips now.
Those tactics still work for most people who don't know any better. Most people are still too lazy (even when you tell them it's so easy to save money).
Speaking of school, being aware of sales/marketing/scam tactics and how to defend against them should be taught very early on.
I have yet to find a use for some advanced math school tried to teach me when I was a teen, while basic life skills like how to manage finances, deal with scams, etc are invaluable.
When someone tells me the offer expires when I walk out the door etc, I just reply "It must not be that good of a deal if you don't want me to comparison shop." I've never run into a salesperson that had a good/any comeback to that.
Used to work for a sales company, impulse is a textbook tried-and-true sales tactic. For everyone like yourself that decides to sit on it another jumps at the offer.
How does "I'll get back to you after considering" let "weasley salesdroids" take advantage, as long as you hold firm? If you're not the type of person to hold firm after saying that, you won't hold firm after saying "No" either.
I think you either fail to read comments in their entirety or just focus on one thing. So I'll say it again "Someone who can't hold firm won't hold firm. It doesn't matter if they 'No', or 'I need to think about it'".
A simple "No Soliciting" sign can help ward off many such ruses given the further illegality of proceeding with soliciting when such a sign is visible. (This also may signal you are not as easy a mark and therefore not worth their time.) Doorbell cams + Nextdoor/Citizen make this even harder since one skeptic can poison a neighborhood.
Plenty of companies here that are like subletters for utilities; they claim to be able to offer you a lower energy bill because they buy up electricity in bulk, but when I looked into it it turns out that in practice they're only cheaper the first year. These aren't energy companies, they're marketing / sales companies.
Anyway I went with one of the "source" power suppliers who instead offer a loyalty discount that builds up over time. I'm sure switching suppliers every year will be a bit cheaper in the long run but I choose reliability and convenience in this case. Also because the reseller companies tend to pop up and be bought up / merge constantly. Besides, it gives me some moral peace of mind that I'm paying the company producing electricity directly instead of a marketing middle man.
>But if your response to such a scam involves anything other than hanging up and calling back the entity that claims to be calling, you may be in for a rude awakening.
So the scammers expected the victim to callback the bank to get the secret code? That is pretty sophisticated. But when they first called they knew about fraudulent discharges, and presumably had caused them, right? Or did they break into the victim's computer? Tbh., something is missing in that story.
You got me thinking, so I went back to the report. The victim's call to the bank is something of a red herring, in that the scammers neither need the victim to make that call, nor to know that he did so (and I assume they did not know that.) I am guessing that the bank texted the code to the victim's phone in response to the call made by the fraudulent team, who were just hoping that he would read it back to them... which he did.
The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.
So, seems that the scammers knew about the fraudulent ones, but apparently not the regular ones. So:
1 - do fraudulent transactions
2 - call card holder and say that those charges might be fraudulent.
3 - because you know the fraudulent charges, card holder believes you are from the bank
4 - profit
I think the attackers had Mitch’s bank card and PIN and was making those fraudulent charges to see if Mitch would notice. If he did, the attackers would have been shut out then and there.
Mitch didn’t notice, so the attackers called Mitch pretending to be the bank. They didn’t ask him for any details so no red flags were raised, they just said “we noticed fraudulent charges and rest assured we are fixing it.”
Next day, attackers call the bank and Mitch at the same time. They needed the code the bank would send to the # on the account, so the attacker requested it from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and the attacker repeated it to the bank.
At some point, Mitch got suspicious and called the bank to ask if they were on another call with him. The bank was on a call with the attacker pretending to be Mitch, so they said yes. Mitch thought the other Mitch was himself.
This is exactly what I meant. If the attackers already could make fraudulent discharges, then why should they put up such a complicated and risky attack? Could they not simply have gotten the money via the debit card?
Probably not anything like $9,800 dollars in one go - there's usually a daily limit. And the scammers may know (e.g. from doing it before) that after a few small transfers, the victim's bank will call him if he had not already noticed, in which case they preempted that call and effectively subverted it for their purpose.
The risk of the scheme not working might be high, but I am not sure that the risk of being caught is much increased.
Does anyone know any good guides for being aware of these things, strategies used by scammers, and what to be suspicious of? Something that isn't patronisingly simple, but not aimed at teach expert users either.
> “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
I don't understand this part - the _actual_ bank said that he was on a different line with them? Wouldn't that mean that the scammers had authorised as him already, in which case the account is already compromised? Also, the bank asking for 2FA over the phone also sounds like training into bad habits, but I appreciate there's different approaches with different banks.
This is a pretty similar sequence of events to one a reasonably intelligent but non-tech friend of mine fell for this week: Got an email saying that the TV licence needed to be renewed. They followed the link on the email, didn't check the URL and filled out their account details to set up a direct debit.
Two days later, gets a call from their "bank", telling them that they filled out a scam direct debit (gets victim flustered to compromise judgement) but they need to authorise them first before they can speak any further... my friend challenged their identity but they used the exact same "fake caller ID" trick - to the correct bank number since they had the sort code from step 1, and that identifies the bank. I knew this (caller ID) was possible in general, but hadn't heard of it being actively used in the UK - only from stories in the US. After "verifying" they asked for the 2FA device code, then (registered a card for ApplePay and) asked them to "confirm" the code they had just been texted, which is the point I walked in and was "WTF are you doing?"
About 10 minutes later while in the waiting queue for the actual bank, the actual bank called them - when we said that we wouldn't trust the call they instantly gave us a reference number to quickly recall the case and advised us to call back quickly. Luckily, the bank reimbursed the amounts taken before they locked it off (apparently some UK agreement from a couple of years ago.)
They were pretty shaken up from the experience, and want to know what to look for in the future. It strikes me that a lot of these cases are hitting otherwise reasonably cautious people who aren't aware that something they think is authentication, really isn't, like caller ID.
I think the attacker called the bank and Mitch at the same time. The attacker knew that the bank would send Mitch a SMS code so the attacker asked the bank to send it, Mitch told the attacker, the attacker told the bank.
The bank was on the phone with Mitch and the attacker at the same time. Mitch thought the “other Mitch” was himself on the other line.
Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities. [0]
Getting you to browse your computer for 10-20 minutes and then log into your bank account could be enough to gain access to your account.
And 2FA is proven insecure with SIM hijacking. These methods have a high up front time investment but will take even less effort than Mitch's gambit once deployed.
I don't think the techniques and technology have become quite refined enough for this to be widely deployed, at most people are simply experimenting with the idea. But people are taking this seriously because it represents quite an attack vector once things fall into place. The thing is we won't know when we've reached that threshold until the first news stories about a widespread phishing scam using the technique emerge.
> Krebs mentioned that Mitch logged into his bank account while on the phone with the scammers. That's a HUGE no. We live in a threshold period where acoustic emanation attacks are about to become much more commonplace due to increasing computational capabilities.
Huh, this reminds me that a major US bank verifies people on the phone by asking them to log on to online banking.
I love the convenience, but it's never crossed my mind that it was a huge vulnerability waiting to happen.
It will take a series of high profile hacking incidents to finally wake the public up to the need to develop mitigations. We won't see the problem until it's widespread.
A password manager makes this attack vector useless. The sound of my typing my password on any site is the keyboard shortcut to activate it, my finger silently passing Touch ID, and the "enter" key.
VoIP has not been worth the billions in thefts that it has enabled via easy call id spoofing. I would happily give up VoIP to have restored trust in the telephone network. But unfortunately that is not where our captured regulators are heading.
That's interesting, I come to the exact opposite conclusion (I am admittedly not a telephone network expert, maybe I am missing some important things).
But I don't see why having voice conversations over the internet is the issue. The issue is these systems keeping compatibility with old telephone networks which prevents solving these problems. If we dropped that compatibility requirement we could require a certificate authority and be able to verify callers and use end-to-end encryption, just like with https.
Or maybe better would be a compromise where all these systems can still fall back to unencrypted/unsigned connections, but on any modern phone or cell phone it would show a big insecure warning like modern browsers do for http.
> Armed with a counterfeit copy of his debit card and PIN, the fraudsters could pull money out of his account at ATMs and go shopping in big box stores for various items. But to move lots of money out of his account all at once, they needed Mitch’s help.
An anti nuisance call policy that has served me well and I try to get my folks to adopt is that if there is the merest hint of a delay between my hello and the caller's response, I put the phone down immediately.
I don't think I've ever had an identifiable repeat call, from which I conclude it's both effective and has a low false positive rate.
I take this a step further and don't say anything for the first few seconds if I pick up a call from a number I don't recognize. I used to not pick up those calls at all, but now that spam callers are using local area code caller IDs more and more, that is getting more difficult.
"He said he checked his account online several times over the weekend, but saw no further signs of unauthorized activity."
If, in retrospect, you feel someone was attempting to scam you, a better option - I hope - might be to contact the bank's fraud line, explain that you are suspicious, and have them look for suspicious activity.
Mitch was satisfied thinking that the bank was already looking into it, since the attacker pretending to be the bank didn’t ask for any details
/raise any flags.
For the point I am making, it does not really matter what Mich was thinking, but his behaviour over the weekend suggests that he was not entirely comfortable with the outcome. What do you suppose he was checking for? I would guess that he did not need to see his balance more than once.
He says that his suspicions were tweaked, near the end of the call, by the scammer giving an old address for him, and apparently his girlfriend was a good deal more suspicious: "Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”
On first read, I didn't understand how the call to the bank's customer service department went wrong.
Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.
“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
What happened is that the attackers made one call to Mitch, and another call to the bank posing as Mitch. When Mitch called the real bank to check up if there was a call in progress, they said yes (the call with the attackers).
I don’t know if I’m just really tired or if the post was just badly written, but I’ll go with the latter since you were confused too.
My understanding is this happened:
1. Attacker got a hold of Mitch’s bank card, PIN, and some personal details.
2. Attacker starts pulling out money and buying things here and there to see if Mitch ever notices.
Mitch never notices so...
3. Attacker calls Mitch on Friday and pretends to be Mitch’s bank. Attacker doesn’t ask for any details, just alerts Mitch that something was going on with his account to get him to think the bank was looking into it.
4. Attacker calls Mitch’s bank and also Mitch at the same time the next day.
5. Attacker asks the bank to send the SMS verification code to Mitch.
6. Mitch gets the code and reads it back to the Attacker.
At this point, we should really throw away the current phone system and use an authenticated model. There should also be laws forcing the phone companies to not allow this. I get at least 2 spam/scam calls a day and there is no hope that it will reduce.
Actually, there is a (small) bit of hope: SHAKEN/STIR [0]!
> STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.
> ...
> As of 2019, SHAKEN/STIR is a major ongoing effort in the United States, which is suffering an "epidemic" of robocalls. The Federal Communications Commission is requiring use of the protocols by June 2021.
1. If someone who calls you asks you for ANY sensitive personal info, just tell them that your policy is to not give any personal info to those who called you, but you’re happy to call the official number. That stops it right there
2. Use email aliases instead of your actual email when creating accounts with eg Amazon Web Services. An email alias is like me+somethinghere@gmail.com — this way the attacker can’t get the customer service rep to give them access to your account easily.
3. If you use your phone as a 2FA, be on the lookout for sim porting - that’s when they trick the rep into porting your phone number.
I had the third one happen, luckily I acted fast. The attackers couldn’t get into my G Suite email but they got into godaddy to port the domain and MX records to their servers. So they could receive email sent to me, and send email as me. They also changed my GoDaddy password. I had my phone as the 2FA at the time. Better to not have one at all, or use an authenticator app.
I called in and luckily GoDaddy restored my account. Too bad they had no tool to check what changed so I had to check every domain manually.
The attacker was too slow in that regard. But it was telling that I received an email with the subject “Test”. That’s what tipped me off.
356 comments
[ 3.3 ms ] story [ 305 ms ] threadBanks could normalize this behavior by having their customer service reps ask customers to do this at the beginning of every call.
"Hi, this is <csr> calling from <bank>. We'd like to talk to you about <subject>. To ensure to you that this is not a fraudulent call, please look up the phone number for this bank and call us back. Thank you."
How long are bank cards valid? I'd say they expire within 5 years? Also, if there is a merger, wouldn't they send you a new card with updated branding?
They could, but I just tried calling the numbers on the back of two cards from merged/acquired banks and they both forwarded to the acquiring bank. Yes it's a small sample size, but I suspect that there's enough money on the line and enough legacy contracts and systems that banks keep their communication channels active for some time.
> "Hello. Please find the callback number on boa.com/contact. Please enter code XYZ to be connected directly to the agent regarding this matter. Thank you & goodbye."
It's not perfect & you'll still have some percentage of fraud that goes through, but I'd be interested to see the impact this has on fraud rates.
* EDIT: Callback number via the card as the other commentor noted probably works too.
I'm sure it's possible, but it strikes me as a pretty large hurdle. And even if they manage to pull it off, they also need no one from the bank to notice and report it.
They pay for it. Most people can't distinguish search ads from search results.
Would the new transparency requirement be useful to go after these fraudsters after the fact? https://news.ycombinator.com/item?id=22955606
It depends how aggressively Google pushes on it, and how carefully they verify the actual identity of the entities putting ads up.
"Alexa, confirm."
One gets a call from the bank, they give you a number to ring, you type the number in to Google search, the results come back listing that number and the bank's name -- identity confirmed!?!
The fraudsters just need _a_ website listed by Google.
My insurer called me out of the blue: I said I'd call back. Their number was not listed on any of the companies websites. I called the company, and said what has happened, took them about 10 minutes to confirm they'd called me and that the phone number I was called on was valid.
As it happened someone was trying to commit insurance fraud, saying we'd crashed in to them; but that's by-the-by (ie not relevant to the main story).
But I admit-- having just done a search for every institution I could think of, it seems Google AMP has done a lot to promote legitimate numbers. It used to be sites like GetHuman competing with or outranking the actual company website for contact information.
"Sir, I'm just trying to help prevent fraud on your account and I need to know that it's actually you who answered the phone."
(Yes, there legitimately was fraud but I had no way to know it at the time. I closed the account about a month later after another issue.)
I told them as much and after a few years they finally started sending me secure emails asking me to call them. Certainly I wouldn't trust "call back at..." messages claiming to be from a medical provider, even though they're indistinguishable from the real thing because that's the same thing the doctor's office does. It's bizarre considering how security conscious they have to be.
I found it was in fact not fraud when my credit monitoring service informed me that someone reported I refused to pay a bill. One call to the utility company later, it was resolved...unfortunately i'm still trying to fix the credit report.
It sounds like that option has passed for the parent comment, but you did just try disputing it right? Force them to come up with the proof.
I am not sure whether it's even legal for them to mark you as refusing to pay without making a formal payment demand by mail.
If so, it sounds like a long-shot tactic, especially because everyone uses cell phones now.
I believe no other country has that feature.
I'm sure there are other European landline phone systems which behave the same. I don't know about the U.S.
Note to kids: we used to have our phones anchored to the wall with these coiled ropes so you couldn't walk away with them To counter that, we had multiple phones in various rooms of the house. They also made the phones so big the wouldn't fit in your pocket as another way to prevent stealing them. They didn't have screens because the vacuum tubes drew too much current and they would get too hot when pressed to your ear.
https://www.cbc.ca/news/canada/ottawa/line-in-trapping-techn...
Some locations in Brazil worked like that, depending on which timeframe we are talking about. Pretty annoying.
I guess this depends on the equipment used, not the country.
This trick only works if the receiving caller is on a landline. It will not work on mobile phones.
Most of the US uses either near-end, where the recipient hanging up will end the call, or both-end supervision, on POTS/landline systems.
0 - https://www.youtube.com/watch?v=bUIiUXvnkUQ - This video was filmed at the excellent Museum of Telecommunications in Seattle, located in a CenturyLink switching office. When travel is available again, I encourage all phone geeks to come here and check it out.
So, say, if I called you and you picked up, I would be able to prevent you from calling anyone else by not hanging up indefinitely?
Just great. Will the system not disconnect if you dial 999, too?
Originally there was a grace period because of pulse dialling. Each "pulse" is actually a hangup - so the system had to tolerate that hangup != disconnect. But the grace period was far too long, and eventually end-users adopted it as a feature - if you wanted to take this on your bedroom phone instead of your hallway phone, you could hang up the phone, go up stairs, and pick up the bedroom phone.
So now we have two problems. One is that the bug has been adopted as a feature. The other is that precisely because of 999/e911 systems, the phone system is incredibly backwards compatible. Most exchanges still support pulse-dialling - it's never dropped intentionally (some exchanges don't, because they're too modernized. But it's not a conscious "lets turn this off now" thing.)
There has been a move in recent years to reduce the grace period, precisely because of this abuse. But until it's dropped short enough to be a non-issue, my advice for anyone who thinks a call is suspect, is to call the talking clock (123 in the UK). It is a paid service, but I don't like bothering the operator for such things. But if you call 123, and reach your bank, you know summat's up.
No no no no no.
Hang up and use another phone. End of. Any advice that you call another number first or whatnot is bad advice. If such advice got widespread, what would scammers do?
Obviously, they would have a DTMF decoder on the other end and they would patch the call through to the number you called. These are sophisticated people who send fake security officers to people's houses to "pick up the compromised card". Call forwarding is trivial.
Good that the UK is moving away from this "feature".
(I still remember that to take a call on another phone, you could just leave the receiver up on the phone you too the call on, provided you're not too lazy to hang it up later).
From what I remember, repeatedly pressing the button under the receiver in quick succession eventually disconnects the call.
https://forums.theregister.co.uk/forum/1/2009/09/19/phone_di...
Glitchy landline behavior from the 90s?
https://www.openreach.co.uk/orpg/home/updates/briefings/down...
That said, with far-side supervision, I suspect that the call would actually time out after something like 20-30 seconds of either party hanging up. I'd just make it a habit to go put the kettle on and make some tea before placing another call.
If the call doesn't time out, well, it's time to ask BT some hard questions as to why they're allowing that sort of nuisance on their telephone network. AT&T managed to get rid of it here just fine.
Sure, but that only works for landlines. Is this still a common thing in the UK?
Example: https://www.discover.com/credit-cards/help-center/faqs/credi...
also, if someone is calling you, they most likely aren't trying to help you.
This would be great as long as your call back was recognized and immediately routed to the right person instead of being placed on infinite hold, as is usually the case when you call a bank's or credit card company's number.
It would be great if more companies had this functionality. It would also be useful in the situations where you get disconnected while talking with someone.
Most call centres want you off the phone as soon as possible, regardless of whether the problem is solved or not. Making it easy for you to call them isn't in their best interests.
As long as the first csr puts a note on the account about what's going on, any csr can resume from there.
i.e. a note like "20200423 - asked customer to call back to discuss recent large transactions on credit card".
Yes, going to exactly the same person is not always required (depends on how good their customer notes are--in my experience there's quite a bit of variability there).
Going to the right department immediately instead of being placed on infinite hold like someone who just randomly called in is required for something like this to work.
I really, really thought it was fraud at first until they basically said "yep, go for it, use the number on the back of your card then give us this code".
So it's definitely possible.
Good idea, except now people will think: "yeah, right, that way the call will cost me money".
> CS: Hello, this is X from Y Bank. Is this Z?
> ME: Yes, this is Z.
> CS: Z, can you confirm your last 4 digits of your social security number so I can confirm who I am speaking to?
> ME: Uh... How do I know you're the bank? I can't just tell any person who calls that information.
> CS: Z, we are from your bank, Y Bank. Please provide the last 4 digits of your social.
> ME: There has to be another way to do this, right?
> CS: Please hold... (puts me on hold for 30 seconds)
> CS: Hi Z, I'm back. Can you look up our phone number on Google and give us a call back and ask for me by name, X?
> ME: Sounds good.
It was them. I got quickly reconnected to the same woman. I'm still concerned that the norm should be something closer to what you commented, even if it adds friction and will probably result in lazier people not calling back for something important. It's better to normalize this than allow for the alternative, which is to normalize people telling random strangers their sensitive, personal information.
Any time this topic comes up, I immediately worry about my parents and grandparents falling for this sort of thing if real scammers are out there trying. I realize the last four digits of my social security number are not as great as the whole thing, but as far as I know, it's enough to be dangerous.
We need verified identity for phone numbers and email, with consequences attached to bad behaviour.
For how often you need that kind of cash readily accessible it's simply not worth the risk for the overwhelming majority of people.
This was a really sophisticated attack and fooled even a security conscious person but defense in depth (not having the big bucks accessible from your general use card and/or following up on unknown transactions) would have stymied it. With a good security protocol breaking one rule (not hanging up and calling back) shouldn't screw you.
The incoming message was automated, asking for (person who lives here) with a visa debit card that has fraudulent transactions. The caller id was a number not listed on the back of the card.
Pressing “1” puts you into the next phase, which asks you to “verify” your identity by - guess what - typing in your full 16 digit debit card number!
At this point I am convinced this is a scam. You google the phone number and you see tons of links saying it’s a scam.
The person calls their regular number on the back of her card and they claim no fraudulent activity.
A few days later I still get these calls so I decide to investigate. Pressing zero a bunch and asking for an agent finally gets me to a live individual. He claims they’re from pnc and they are a different section not connected to the “main” number. He’s able to recite details about the account that only pnc would know, so now I’m not sure.
I email abuse@pnc.com asking them to please either say the calls are fraudulent or acknowledge that the phone number associated with these calls is legitimate (it doesn’t appear anywhere on pnc’s web site)
I did get a response - good! But they didn’t actually change the site ... so I suppose in this case anyone who receives notification of fraud on their pnc debit card should email abuse@pnc.com to validate the calls are legitimate?
Note that faking the number you are calling from is fairly trivial, so do not trust the callerid as proof of identity.
That's the creepy part. There is so much of our info available on the darkweb that even engaging with scammers potentially verifies it and makes it more valuable, although it is unlikley a purchaser of a phishing database is going to provide feedback to the point of origin, they may feed it forward if they resell and augmented dbase. [For example, if someone buys 1,000,000 phone numbers, and that person finds 250,000 are bogus, they can sell the "cleaned" database again claiming it's been slightly sanitized. DefCon has taught me to fear the world.]
But yeah their fraud detection is lacking and reporting it was a pain, and they are slow to resolve anything. They did not detect the fraud at all.
Your experience reinforces my impression.
If it is about finances, YOU call them at a number on your billing statement that you know is correct, or just go to the bank.
Never make a decision / give info if "they" called you.
How is it possible for someone not to check his/her bank account all this time? There were unknown transactions for several weeks and no one noticed?
IMHO not having alerts for your cards/accounts and not noticing strange transactions is a bigger security risk than trusting the telephone number calling you.
I fully agree that we should call back on the official number for any banking issues and don’t blindly trust whoever is pretending to be from the bank.
You and I are the outliers, my friend.
I have had two fraudulent CC charges in 25+ years, and they both were reversed immediately so I'm not worried about that. More worried about my credit union so I keep as little in there as possible. (Interest rates are a joke so it doesn't matter.)
Did a quick Google search the next day and figured the process is legit but people out there have gotten higher bills than before.
Moral is to fight the human-interaction pressures and be adamant on doing your own research. No shame in that.
If you don't have a badge and a gun, I'm not opening the door for any reason. If you have a badge and a gun, I'm probably not opening the door.
Obviously this isn't legal advice, but it's what defense lawyer friends have suggested if it ever comes up.
I think that popular video about "never talk to cops" mentions something like it too?
I assume if they don't wait, it helps your court case. They could always go with the "probable cause" argument, but again this can help your case if you can prove they didn't have actual cause.
Pro-tip: if they're at your door with a warrant, they have probable cause.
https://www.motherjones.com/politics/2010/09/aiyana-stanley-...
Think about it: say someone has a bunch of drugs, you wouldn't want to give them time to start flushing it down the toilet while they call up and verify the warrant is valid. You kick the door in, arrest them, and secure the scene for forensics and evidence collection.
Assuming they knock and announce they have a warrant as opposed to knocking the door down, you open the door and they start coming in immediately. You can read the warrant, they'll likely shove it in your face. You should be on the phone to an attorney or the local bar association before the last officer in past the threshold, anyway.
I'm pretty shocked an attorney would suggest doing something that can very likely be construed as stalling for time when tensions are likely pretty high.
Nor do they have to allow you time to call a "watch commander to verify it".
What is likely, however, is that you're gonna be shopping for a new front door if you don't open up by about the second knock -- if they give you that long.
If I'm in the market for a service, I'll do the research and reach out.
This problem, at least at that level of magnitude, does not exist in other parts of the world.
- to sell me on religion
- to solicit money for some kind of commercial service, charity, non-profit fundraiser
- to sign me up for political stuff
And they do this several times a week (pre-COVID). So I never open the door to surprise strangers. It's not paranoia; it's just preventing the waste of my time and emotional energy. I'm not interested in worshipping a sky demon. It's not incumbent on me to figure out whether the service is legit, rent-seeking grift on top of a legit service, or a total scam. I don't have to figure out how to gently turn them down just to keep junk food out of the house.
I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind.
Or OMG what if somebody needs a boost because their car battery is dead? Oh man, I couldn't bear it if I became that guy who didn't give someone a boost.
Signed, A Canadian HN user
I’d be quite worried if I ever became stranded in a white neighborhood and had to knock on a random door for assistance.
"I once got lost in typical U.S. suburbia and the first door I knocked the guy wouldn't tell me the direction I needed to go but insisted on driving me there.
I was conscious of being percieved as a potential threat in that situation. But me being percieved as a likely nuisance to be ignored didn't cross my mind."
My concern is neither racist or irrational, based on my particular racial mix and phenotype.
Then when your irrigation system has sprung a leak and is spewing water all over the side of my house, I'm going to go to the valve on the sidewalk in front of your house and turn off the water to your house while your family is trying to shower and make breakfast.
That's exactly what happened when my neighbor refused to answer his door one morning at 6am.
I totally get not wanting to talk to people who are trying to sell you something, but if you are such a bad ass, living in your wild west world, why don't you try bringing up the courage to just tell someone at your door that you won't buy anything from them? Seems easy enough to me.
Hence the saying "get your foot in the door" for getting an opportunity to talk to someone.
Before I lived "here", every weekend, guaranteed, at least 4-5 knocks on the door on Saturday & Sunday afternoon (combined). Trying to sell me something that I didn't need, didn't want, and often it felt like a scam.
https://www.consumer.ftc.gov/blog/2015/08/door-door-sales-an...
The only thing that will sometimes peak my interest enough to listen to the pitch, is if they offer non-monetary upside.
I'm thinking of preparing an mp3 of a chaotic household (think 10 kids screaming and fighting) for improved effect in the future.
Before they can speak, I say, "Are you selling solar, politics, or religion?"
They always protest, "But I'm not selling anything..." and go into their sales pitch.
I interrupt with again with, "Solar, politics, or religion?"
90% of the time it's solar. I tell them I rent, and they go away.
But the caveat there is that if I were to do a one-time donation, they would still have my information and the permission to receive mail on file.
Charities are marketing companies; they collect money and advertising permission, and give you direct mailed marketing in return.
"We do not buy things at the door"
I had a call from a guy claiming to be from PECO (my power co) with a good deal to switch off of PECO. Indeed we do have alternate generation supplier options, but this smelled. So I asked him several times if he worked for them and he insisted. Finally i agreed and he wanted to route me to a neutral, recorded line, agreement gathering company, but he said it would identify as "xyz energy". Whoops, deal's off, fat liar.
If they get you on the line, you're going to fight against a professional liar on an uphill territory made of cultural norms and basic politeness. Turns out disengaging from a conversation isn't easy. But how do they get you on the line in the first place?
Like anyone, you probably have frequent periods of time when you have a lot of errands in progress. Maybe you've ordered a bunch of things on-line, booked a trip, just sent documents to your accountant, and posted your car for sale. Any of these can face roadblocks that generate a phone call. In such periods of time, you'll be more likely to pick up that unknown number calling in, because maybe it's one of the vendors calling with an issue that can either be resolved in 30 seconds on the phone, or 2 days via e-mail.
For the bad actors (marketers), it's a numbers game. Personally, I also don't take calls from numbers I don't know... except whenever I run any kind of errand remotely, which is when they usually manage to catch me (only for me to wait until they tell me what they want, at which point I hang up).
I haven't picked up an unsolicited phone call or answered the door in 25 years and I never had a problem with it.
I've been in situations when I don't have access to my cell phone and I need help from friends, so I call from a stranger's cellphone. I never get an answer. I have to text them from the stranger's phone (and see their text messages), wait for them to see the message, then accept the call. It's incredibly frustrating.
I'd like for you to spend a day at my grandmother's house.
She's had the same landline number for probably 50 years and gets - no kidding -- probably 20 of these calls a day. It may not "take more than 5 seconds" but it gets real f'in' annoying real f'in' quick.
She now only answers calls from numbers she recognizes. She will pick up if you yell at her on the answering machine, though!
Also, as of iOS 13 (or whenever it was they introduced the feature), I am -- thankfully -- no longer even aware of calls or text messages from numbers that aren't in my contacts until I pick up my phone and look. My phone doesn't beep, ring, or ding if I receive a call or text from an "unknown number" -- and I could not be happier about that!
At this point we can call the cops on them and the cops can issue a citation. I haven't seen them since the ordinance was passed.
It took me decades to learn this. I mean, to really learn it.
Barring emergencies (like blood squirting out of puncture wound, or part of your house is on fire):
NOTHING is ever urgent.
You set the pace of your life. You speak when you are ready. You act when you are ready. Take as much time as you need to think.
My dad: "It's worth nothing to you tomorrow."
Tree guy: "You're not gonna have Christmas?"
Unless it's the Joint Chiefs calling me up from the war room to stop a meteor from destroying the planet, I'd rather go back to sleep. Even then I still might: they can fire me in the morning if there is one.
Saves so much time and energy, and you rarely if ever actually miss out on anything good.
I have yet to find a use for some advanced math school tried to teach me when I was a teen, while basic life skills like how to manage finances, deal with scams, etc are invaluable.
Standard sales pitch tactic: "manufacture a sense of urgency"
Sometimes you really do need to think things over before making a decision. "No" closes doors before you've had a chance to consider.
How does "I'll get back to you after considering" let "weasley salesdroids" take advantage, as long as you hold firm? If you're not the type of person to hold firm after saying that, you won't hold firm after saying "No" either.
Anyway I went with one of the "source" power suppliers who instead offer a loyalty discount that builds up over time. I'm sure switching suppliers every year will be a bit cheaper in the long run but I choose reliability and convenience in this case. Also because the reseller companies tend to pop up and be bought up / merge constantly. Besides, it gives me some moral peace of mind that I'm paying the company producing electricity directly instead of a marketing middle man.
My response is not picking up the phone at all.
The victim unfortunately assumed, on verifying that the bank had a second call, supposedly to himself, in progress, that the bank had placed that call and that it was in fact the call he had received on the first phone.
Mitch didn’t notice, so the attackers called Mitch pretending to be the bank. They didn’t ask him for any details so no red flags were raised, they just said “we noticed fraudulent charges and rest assured we are fixing it.”
Next day, attackers call the bank and Mitch at the same time. They needed the code the bank would send to the # on the account, so the attacker requested it from the bank, the bank sent it to Mitch, Mitch read it to the attacker, and the attacker repeated it to the bank.
At some point, Mitch got suspicious and called the bank to ask if they were on another call with him. The bank was on a call with the attacker pretending to be Mitch, so they said yes. Mitch thought the other Mitch was himself.
The risk of the scheme not working might be high, but I am not sure that the risk of being caught is much increased.
> “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
I don't understand this part - the _actual_ bank said that he was on a different line with them? Wouldn't that mean that the scammers had authorised as him already, in which case the account is already compromised? Also, the bank asking for 2FA over the phone also sounds like training into bad habits, but I appreciate there's different approaches with different banks.
This is a pretty similar sequence of events to one a reasonably intelligent but non-tech friend of mine fell for this week: Got an email saying that the TV licence needed to be renewed. They followed the link on the email, didn't check the URL and filled out their account details to set up a direct debit.
Two days later, gets a call from their "bank", telling them that they filled out a scam direct debit (gets victim flustered to compromise judgement) but they need to authorise them first before they can speak any further... my friend challenged their identity but they used the exact same "fake caller ID" trick - to the correct bank number since they had the sort code from step 1, and that identifies the bank. I knew this (caller ID) was possible in general, but hadn't heard of it being actively used in the UK - only from stories in the US. After "verifying" they asked for the 2FA device code, then (registered a card for ApplePay and) asked them to "confirm" the code they had just been texted, which is the point I walked in and was "WTF are you doing?"
About 10 minutes later while in the waiting queue for the actual bank, the actual bank called them - when we said that we wouldn't trust the call they instantly gave us a reference number to quickly recall the case and advised us to call back quickly. Luckily, the bank reimbursed the amounts taken before they locked it off (apparently some UK agreement from a couple of years ago.)
They were pretty shaken up from the experience, and want to know what to look for in the future. It strikes me that a lot of these cases are hitting otherwise reasonably cautious people who aren't aware that something they think is authentication, really isn't, like caller ID.
The bank was on the phone with Mitch and the attacker at the same time. Mitch thought the “other Mitch” was himself on the other line.
Getting you to browse your computer for 10-20 minutes and then log into your bank account could be enough to gain access to your account.
And 2FA is proven insecure with SIM hijacking. These methods have a high up front time investment but will take even less effort than Mitch's gambit once deployed.
https://www.cs.cornell.edu/~shmat/courses/cs6431/zhuang.pdf [0]
The mentioned paper contains a remark:
> While recording from the third keyboard, we get several seconds of unexpected noise from a cellphone nearby.
But that's the only mention of a phone in the paper ...
It seems VoIP will be the first low-hanging fruit: https://arxiv.org/pdf/1609.09359.pdf
Huh, this reminds me that a major US bank verifies people on the phone by asking them to log on to online banking.
I love the convenience, but it's never crossed my mind that it was a huge vulnerability waiting to happen.
Google is one example of companies that asks its GSUITE admins to login to confirm support ticket codes.
But I don't see why having voice conversations over the internet is the issue. The issue is these systems keeping compatibility with old telephone networks which prevents solving these problems. If we dropped that compatibility requirement we could require a certificate authority and be able to verify callers and use end-to-end encryption, just like with https.
Or maybe better would be a compromise where all these systems can still fall back to unencrypted/unsigned connections, but on any modern phone or cell phone it would show a big insecure warning like modern browsers do for http.
Whoa, a double-tap attack
Isn't bank cards designed to be non-cloneable (with crypto chips)?
I don't think I've ever had an identifiable repeat call, from which I conclude it's both effective and has a low false positive rate.
If, in retrospect, you feel someone was attempting to scam you, a better option - I hope - might be to contact the bank's fraud line, explain that you are suspicious, and have them look for suspicious activity.
He says that his suspicions were tweaked, near the end of the call, by the scammer giving an old address for him, and apparently his girlfriend was a good deal more suspicious: "Anyway, the whole time my girlfriend is sitting next to me listening to this conversation and she’s like, ‘This sounds like bullshit.'”
Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.
“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
What happened is that the attackers made one call to Mitch, and another call to the bank posing as Mitch. When Mitch called the real bank to check up if there was a call in progress, they said yes (the call with the attackers).
My understanding is this happened:
1. Attacker got a hold of Mitch’s bank card, PIN, and some personal details.
2. Attacker starts pulling out money and buying things here and there to see if Mitch ever notices.
Mitch never notices so...
3. Attacker calls Mitch on Friday and pretends to be Mitch’s bank. Attacker doesn’t ask for any details, just alerts Mitch that something was going on with his account to get him to think the bank was looking into it.
4. Attacker calls Mitch’s bank and also Mitch at the same time the next day.
5. Attacker asks the bank to send the SMS verification code to Mitch.
6. Mitch gets the code and reads it back to the Attacker.
7. Attacker repeats code to the bank.
Last time I checked, carriers have until June 2021 to implement it. https://arstechnica.com/tech-policy/2020/04/ajit-pai-follows...
> STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks.
> ...
> As of 2019, SHAKEN/STIR is a major ongoing effort in the United States, which is suffering an "epidemic" of robocalls. The Federal Communications Commission is requiring use of the protocols by June 2021.
---
[0]: https://en.wikipedia.org/wiki/STIR/SHAKEN
1. If someone who calls you asks you for ANY sensitive personal info, just tell them that your policy is to not give any personal info to those who called you, but you’re happy to call the official number. That stops it right there
2. Use email aliases instead of your actual email when creating accounts with eg Amazon Web Services. An email alias is like me+somethinghere@gmail.com — this way the attacker can’t get the customer service rep to give them access to your account easily.
3. If you use your phone as a 2FA, be on the lookout for sim porting - that’s when they trick the rep into porting your phone number.
I had the third one happen, luckily I acted fast. The attackers couldn’t get into my G Suite email but they got into godaddy to port the domain and MX records to their servers. So they could receive email sent to me, and send email as me. They also changed my GoDaddy password. I had my phone as the 2FA at the time. Better to not have one at all, or use an authenticator app.
I called in and luckily GoDaddy restored my account. Too bad they had no tool to check what changed so I had to check every domain manually.
The attacker was too slow in that regard. But it was telling that I received an email with the subject “Test”. That’s what tipped me off.