Subj : Close call? What I learned from my brush with a phone scam syndicate
To : All
From : News
Date : Wed Jun 12 2024 01:25 pm

By Anna Murray, Opinion and Explainers Editor
7:11am

A very polite Englishman tried to steal all my money over the weekend.

He phoned my mobile on Friday night and said he was from my bank's credit card fraud team. As well as clearly having my phone number, he also knew my full name and the last four digits of my credit card.

He calmly explained there was a suspicious charge on my credit card of more than $6000 to an online travel agency. Had that been me spending up on a big holiday, he asked.

I wished. It was not me spending thousands of dollars on a fancy hotel and a quick check of my banking app showed that nobody else had made that charge either.

I told this polite man that I didn't believe him, hung up, and phoned my bank to confirm nobody there was trying to contact me about any suspicious transactions.

The next day, another very polite Englishman tried to steal all my money. I guessed scamming syndicates didn't keep a shared spreadsheet of everyone they had already called.

Curiosity and a splash of spite made me play along for a while this time around.

The second caller followed the same script as the one used the night before. A charge of more than $6000 had been made to an online travel agency. Was that me, he asked?

No, I said, sounding very concerned.

He asked if I had clicked on any links in any unexpected emails or text messages recently. He asked me if I had shared my credit card information with any friends or family members.

"No, I'm not stupid," I said.

He reassured me he didn't think I was stupid. He said I would soon receive a text message with a code that I needed to read back to him.

I didn't want the text message, so I responded in a way that was not all that clever, funny or advisable. I said: "Oh, I have the code," and then told him where to go.

The conversation ended very shortly after that, but not before the scammer's veneer of politeness slipped. He read out my home address before telling me, "I know where you live, b***h."

The scammers' playbook

There were a few ways in which these scammers likely got details such as my home address and phone number, according to CERT NZ Threat and Incident Response Manager Tom Roberts.

"The easiest way for scammers to get information is to buy or just download large amounts of data that come from data breaches," he said.

"This is why it's really important for businesses to protect their information because ... when they have a data breach, there's sometimes long-term impacts."

Roberts said I had likely been caught up in such a data breach.

"That information goes for peanuts compared to what the scammers can probably get out of it. Even if they only [scam] one [person] in 100, it's still worth their time," he said.

As for the security code one of the scammers tried to text me, Roberts said this was likely an attempt to replicate two-factor authentication so as to appear like a legitimate bank employee.

"The reason why they do that is because two-factor authentication works exceptionally well to stop these scammers, so they're trying to replicate it to fool people into thinking this call is actually OK," he said.

By establishing that trust, the scammer could then trick the person they've called into handing over information or clicking on something that will install malware on their phone.

If you suspect a scam, the best thing to do was to hang up and contact your bank yourself. Nobody should worry about appearing rude to genuine bank staff that might be calling, Roberts said. In fact, banks now expect customers to hang up on them.

"If you say, 'Sorry, I'm not sure, I'm going to Google the bank's number and give you a call back', you won't get any pushback from them."

People should also be aware of another tactic scammers seemed to be using more of late.

"One that's becoming a wee bit more prevalent is [scammers] will do a bad call that's obviously a scammer," Roberts said.

"But then a few days later, they'll call back, pretending to be a bank or telco and saying, 'Hey, we've heard that you've been scammed or someone's tried contacting you'."

A multimillion-dollar problem?

People field calls like this all the time, if the amount of money being lost to scams is any indication. According to data from 11 of the country's biggest financial institutions, New Zealanders lost $198 million in the year to September 2023.

Consumer NZ responded to this rise in scams by launching a petition this week, calling on the Government to force banks, telcos, and other digital platforms to do more about scammers. The petition demanded banks refund scam victims unless the victim had been grossly negligent.

Minister of Commerce and Consumer Affairs Andrew Bayly wrote to New Zealand banks earlier this year to ask them to investigate a voluntary reimbursement scheme to improve consumer compensation.

When the NZ Herald asked Bayly if the Government would regulate banks if they didn't come up with the voluntary scheme, he said: "We're certainly asking them to move at pace."

Consumer NZ's petition also called for a centralised anti-scam centre such as those run by governments in Singapore and Australia. Bayly travelled to Singapore this week for scam prevention meetings.

"This trip will be a valuable opportunity to understand how Singapore and Australia are approaching scam monitoring and enforcement. Together, we will look for opportunities for industry and government to collaborate to combat scams," he said in a statement ahead of his trip.

Tips for spotting this kind of scam

Fraud teams working for banks do need to call customers occasionally to discuss unusual transactions. The advice around these calls was very similar between New Zealand's major banks.

They said they would never ask for banking passwords or PINs.

They also wouldn't ask for two-factor authentication codes.

Legitimate bank staff wouldn't ask for full credit card numbers or CVVs (the three numbers on the back of the card).

They wouldn't ask customers to download software or allow them to remotely access their device either.

Phone calls from unknown numbers were also a red flag.

If you're not sure the person calling you is genuinely from your bank, simply hang up and call your bank using the phone number that is listed on their legitimate website.

Banks and cyber security experts advised ending these calls immediately and not engaging with the scammers, too - no matter how satisfying it feels to tell them where to go.

And if you think you have been scammed? Report it to your bank immediately and to Netsafe. You can report cyber security issues through CERT NZ, too.

Roberts said it's a good idea to make a report to CERT even if you didn't fall for a particular scam.

"We monitor for all these new activity types, and we share them around the community; we share them with banks, we share them with telcos, insurance companies, NZ Post.

"It helps them come up with new ways for their defence [against scammers] so it's helping other people, too."