[HN Gopher] I'm a scam prevention expert and I got scammed
___________________________________________________________________

I'm a scam prevention expert and I got scammed

Author : matiskay
Score  : 404 points
Date   : 2022-03-31 16:50 UTC (6 hours ago)

(HTM) web link (www.lupinia.net)
(TXT) w3m dump (www.lupinia.net)

| iratewizard wrote:
| This speaks more to the incompetence of supposed experts and less
| to the sophistication of scams.
|
| BenjiWiebe wrote:
| Agreed. I wish someone would try this level of attack against
| me - I'm 99% sure I wouldn't have fallen for this particular
| one, but how can I truly know without going through it?
|
| Anyways, I am extremely aware of caller ID spoofing. I use it
| myself to show a usable callback number on a VoIP outgoing-only
| line.
|
| And the 2FA - I would be incredibly reluctant to give a code
| over the phone, even if _I_ had initiated the call.
|
| Sebguer wrote:
| I honestly got this exact same scam happen to me, and
| probably came 50% of the way through falling for it.
| Especially since it happened just a few weeks after I had
| actually had my card compromised, and used for fraudulent
| transactions.
|
| I got the same text about "confirming fraud transactions" and
| then a phone call from "my bank". I nodded along at his
| script for a few seconds, before I remembered the constant,
| unending advice of: "if your bank calls you, hang up and call
| back on the fraud number listed on your card". I told the
| person I'd do exactly that, and hung up.
|
| I then checked my card account and confirmed that there
| actually weren't any fraudulent transactions, so didn't
| bother calling.
|
| That said, I can absolutely see a world in which a tired or
| otherwise frustrated me would just follow along the script,
| and with a similar background to the author (I'm not a
| security professional, but I work in fintech and on
| security-adjacent things):
|
| > I also find it entirely plausible that Apple (or Google)
| would require a bank to jump through these kinds of hoops in
| order to remove a fraudulently-added payment method from
| someone's account, and that Wells Fargo's system would be so
| janky and sloppily-built that this is the least awful way
| they could figure out how to do it.
|
| This honestly resonates with me as a plausible thought path.
| I'm pretty confident that I wouldn't have actually provided
| the two-factor code, but again, everyone has off days, and
| everyone makes mistakes. That's the core of all of this, that
| endless refrain: defense has to work 100% of the time,
| offense only needs to work once.
|
| benji-york wrote:
| Sounds like a product idea: Red team for the family
|
| TrianguloY wrote:
| "I was tired"
|
| This says it all. You may be the best expert and everything you
| want, but when you are tired you are no longer an expert, and
| it's something that practically can't be learnt to self-identify.
|
| If you think that X will never happen to you, wait until you are
| tired and we'll see about that.
|
| KT-222 wrote:
| I was at my local coffee shop yesterday when the manager was on
| the phone for 10+ minutes with a scammer. Was a new one to me.
|
| The landline caller ID showed "Madison Police Dept" - the local
| police. The caller introduced themselves as an investigator
| working a case with counterfeit bills. "Don't contact your
| boss/owner because we are not sure if they are in on it." The
| caller knew details like employees names and the layout of the
| store.
| The manager was going through the cash in the back
| "confirming" serial numbers when the owner got in touch and
| cleared things up.
|
| I was confused about the end game for the scam, but online I've
| read a version where they send a courier to pick up the
| "counterfeit" bills. There's also a version where they convince
| the employee to purchase moneypak cards to be deposited into an
| account so that the 6AM audit shows balanced books making up for
| the counterfeit bills that will be confiscated. [1]
|
| To a person that doesn't know caller ID can be spoofed, getting a
| call that shows up as coming from the local police department can
| put you in a mental state that it 100% is the police, and it will
| take a lot of counter information to realize that it isn't.
| Between that and the convincing reason to "don't tell your boss",
| I'm afraid this might be an effective scam until it's more widely
| known.
|
| [1] https://old.reddit.com/r/Scams/comments/ryp4fg/i_got_scammed...
|
| Giorgi wrote:
| So... where did they get his/her details that she/he was so
| surprised by? Was it Bank's breach?
|
| stretchwithme wrote:
| Why would an expert on scam prevention answer the phone?
|
| Markoff wrote:
| On related note - I work for Asian company which sends me money
| to Europe through their US "offshore" bank account in Wells
| Fargo.
|
| I'm receiving monthly payments, but once payment bounced back
| because my local EU bank switched their intermediary bank,
| something normal client shouldn't care about, but I learned about
| hard way because WF is not updating their database of
| intermediary banks and routed my payment through outdated
| intermediary bank.
|
| I was pretty pissed about my own bank not informing me about
| changing intermediary bank, so I changed my receiving bank to
| different one, although in the end it was Wells Fargo problem not
| keeping their records up to date.
|
| Guess what happens years later after my other bank merger with
| different bank, Wells Fargo once again ignores new intermediary
| bank and bounced back the payment.
|
| I dunno if this is standard US international banking experience,
| but I find it extremely unprofessional and unheard in other
| countries that payments would be bouncing because bank is too
| lazy to update their intermediary bank database, not sure what
| operation they are running in Wells Fargo.
|
| In the end company made exemption for me and they are sending me
| money directly from their Asian account, because apparently you
| can't get worse banking experience than with US banks.
|
| shevis wrote:
| Simple solution to this: Never do anything important or give out
| info on an incoming phone call. Always hang up, find the proper
| number online, and call back to continue the conversation.
|
| xarope wrote:
| Scams are getting more and more sophisticated. We've always known
| that when you write a playbook, sooner or later the red team will
| find holes in that playbook. Perhaps that's where ML/AI comes in,
| since you can train them, but you never really understand what
| they really "learnt" from that training (/s sort-of, but the
| famous amazing snow/husky classifier always comes to mind)
|
| Personally, I've received such calls before, and the first thing
| I'd ask for is a case number, and that I would call the support
| number printed on my credit card, to get back to them. Of course,
| if someone co-opts that number, then I'm also SOL, but I'd
| imagine then this would be engineering on a larger scale, rather
| than a specifically targeted whaling attempt.
|
| buscoquadnary wrote:
| Security theater. I had a situation where I had to buy something
| online from a company in Europe (owl4thunderbird) I placed the
| charge and then right after I got a text telling me to call a #
| for a possible fraud alert.
|
| That's a big red flag there.
| So I try and find the phone # of the
| fraud dept of Citi because anyone can send a text message. Turns
| out can't find it anywhere in the official Citi site. So I
| finally give up and call the phone # before they could go further
| they asked me to confirm a 2FA they would text to me. At that
| point I noped out and decided if it was a real problem I'd find
| out about it another way.
|
| The problem is I now know how easy it is to break into any Citi
| account just send them a text with a # and pretend to be the
| bank. The worst part is every every every message I get that is
| actually being secure always says "You will never be asked for
| this code" and everytime they ask for it.
|
| It is security theater of the worst degree by incompetents and
| MBAs and I am getting sick of it.
|
| hunter2_ wrote:
| > always says "You will never be asked for this code" and
| everytime they ask for it.
|
| Yes, but the real meaning behind that phrase is "You will only
| be asked for this code by pages served by our domain name or a
| native app we published." It's unfortunate brevity.
|
| buscoquadnary wrote:
| Sorry the exact message is something like you will never be
| asked for this by a real employee.
|
| hunter2_ wrote:
| Oh I didn't mean to suggest the brevity was your doing.
| I've seen it the short way first-hand, but yes, more
| typically it's pretty decent, as you've clarified.
|
| drdaeman wrote:
| Hell, I'd wish there'd be some zero-knowledge proof protocol
| that can be performed with a pen and paper over a phone call.
| You know, like Dining Cryptographers or Solitaire cipher. Maybe
| there is something, but I'm not a cryptographer and not aware
| about it.
|
| Though, of course, it's completely unrealistic to expect that
| some bank person would agree to do some weirdo math tricks with
| SSN numbers :)
|
| compsciphd wrote:
| isn't there a phone # printed on your credit card?
|
| buscoquadnary wrote:
| Only the customer support number, not the fraud number
| specifically and at the time I didn't have the time nor
| patience to navigate through a thousand mile phone tree and
| wait on hold for 8 hours.
|
| KMag wrote:
| Side note: if unexpectedly getting a new card, call the support
| number on your old card. A friend of mine almost got taken
| about 15 years ago by a scam where someone got his address and
| bank name, then sent him a fake credit card from that bank with
| a letter saying something like fraud had been detected and they
| were sending him a replacement card. When he called the number
| on the new card's activation sticker, something seemed off and
| he balked when they asked for his SSN. He called the support
| number from his old credit card and confirmed that he had in
| fact not been sent a new credit card by them!
|
| Hopefully we can at some point stop treating a SSN as a
| universal password that can never be changed. At least mother's
| maiden name stopped being a universal security question.
|
| camtarn wrote:
| Whoah, that's a pretty smart attack.
|
| Loughla wrote:
| >It is security theater of the worst degree by incompetents and
| MBAs and I am getting sick of it.
|
| It's security theater giving people exactly what they want.
| People want to feel secure, but they don't want any amount of
| actual difficulty in getting what they want from Company A.
|
| Like it or lump it, but regular people really don't want actual
| security. They want the ease and convenience of no passwords at
| all, and want someone to blame in case something goes wrong.
|
| rhizome wrote:
| Of course people want security, how can you say otherwise?
| What you seem to be talking around is that security
| researchers have been unable to figure out simpler forms of
| maintaining a true sense of security, simpler forms of
| reliability.
| There is no survey where people say they don't
| want these things, and if you're relying on the sales figures
| for Yubi keys or something, that's not a good indicator.
|
| And of course people don't want difficulty! That's why we
| don't hand-crank to start our cars anymore. Blaming people
| for wanting faster horses[1] is a convoluted
| anti-intellectualism where the experts who actually know what's
| possible are let off the hook. All in all, if you ask me this
| should be a locus of UI/UX research.
|
| 1. https://hbr.org/2011/08/henry-ford-never-said-the-fast
|
| Kalium wrote:
| You're absolutely right. People _do_ unquestionably want
| security! They want privacy too!
|
| The issue that the parent is alluding to is that the same
| users who want these things seem unwilling to make
| decisions or change behavior to get that security or
| privacy. Those of us working with security and privacy
| often wind up with the sense that users want them, but also
| that users expect them to be automatic and perfect and
| free. This starts with the computer-illiterate user who
| finds passwords confusing and goes all the way to
| developers who find it irritating to be forced to update
| the libs in their docker images.
|
| Are there better ways? I sure hope so. So far we don't have
| simpler forms of maintaining true security or simpler forms
| of reliability. We just have cheaper ways of maintaining a
| sense of security - and that's theater.
|
| I don't blame people for wanting faster horses. We don't
| have them on offer though, so in the meantime it might be
| nice if they were willing to consider what's available.
|
| 1ris wrote:
| >They want the ease and convenience of no passwords at all,
|
| That's not what I see. I see people looking for
| inconvenience. Expiring passwords. Password requirements, so
| you have to write your passwords down. (You will change it
| soon, anyway) "Security" questions. Lock-Screens, session
| limits. 2FA-SMS.
| That horrible and unsecure Microsoft 2FA
| that was on the frontpage yesterday. IP-Geo-location-voodoo so
| you can't log in from a different ISP/cellular/your parents
| place on this supposedly world wide internet. It's not like
| these things happen on their own.
|
| Computer illiterate people think that these inconveniences
| bring them security.
|
| thatwasunusual wrote:
| So. Not an expert, then...
|
| kmeisthax wrote:
| These 2FA bypass scam calls genuinely unnerve me - because
| they're specifically designed to trick someone who _knows how
| scams work_ and has actually put some effort into securing their
| accounts.
|
| Hardware authentication factors are, of course, immune to these
| sorts of attacks because you can't confuse the victim into
| forwarding their second factor back to you. However, I don't see
| why you couldn't construct a specific scam setup for those.
|
| GTP wrote:
| But they could still try to trick the victim into reading the
| code for them.
|
| swalsh wrote:
| I got a really weird call yesterday from some place claiming to
| be the medical center where I was a patient 5 years ago (I go to
| a new place today). I was a bit suspicious simply because it's
| been years since I've been a patient there. But there are many
| plausible legitimate reasons for calling me. However the first
| thing they did was "verify" me by asking for my date of birth and
| home address. I was disarmed at first because the lady was
| clearly American, and sounded bored. But I was still hesitant to
| give up any information on an incoming call. So I asked for some
| way for me to call them. She gave me a phone number... which was the
| same one calling me, so I hung up. I looked up the phone number,
| but it was just a random landline from SC (this was a MA based
| business). At this point I gave up, and decided if I owed some
| money they would probably send something in the mail.
| But it
| makes me wonder if there's a new class of scammer out there with
| a bit more sophistication.
|
| woah wrote:
| Easy way to avoid this: don't answer the phone
|
| nonrandomstring wrote:
| I think the movie was Phone Booth that begins with the line
|
| "A ringing phone demands to be answered"
|
| Technology projects a form of authority (disconnected from any
| real power) in the same way that written words were synonymous
| to truth for illiterate 13th century peasants.
|
| To follow your logic, which I am not criticising as it's a
| valid approach given how dysfunctional cellphones are as
| trustable systems, I would say it's better not to _have_ a
| phone. But there's the road to living in a woodland shack and
| eating spider and squirrel broth.
|
| akeck wrote:
| The rule in our family for a number of years now has been,
| "If the number is not in your address book, let it go to
| voicemail." We have the landline ringer off and always let it
| go to voicemail. As an 80/20 solution, it's been remarkably
| effective so far.
|
| alana314 wrote:
| The scammer spoofed the wells fargo customer service line
| in caller ID though.
|
| fierro wrote:
| interesting post, but tough to take any security-minded blog
| seriously when served over HTTP
|
| denton-scratch wrote:
| He "relayed" an "Apple Authentication Code" from an email to this
| Daniel fellow, right? Presumably he read it into the phone?
|
| That's where (I hope) I would have stopped; if X sends me an
| authentication code, the only reasonable place to send it back to
| is X.
|
| Also, I think the real fraud department would be completely OK
| with me saying "Oh, thanks for spotting it. I'd like to call you
| back now please - give me your name and the name of your
| department, and I'll look it up and call you back - what do I do
| to bypass transfer hell?".
|
| Getting on the blower to Wells Fargo on the other line was smart,
| but you need to have multiple lines at your disposal.
|
| jordanmoconnor wrote:
| I never pick up the phone if it's a number that's not in my
| contacts. You can leave a voicemail.
|
| PopAlongKid wrote:
| I almost got scammed regarding renewing my software subscription
| with Intuit. I got a voice message indicating that my credit card
| on file for the renewal was expired (true) and that I should call
| back at the number given. That was my big mistake; given that _I_
| made the callback, I overlooked the fact that I had not myself
| looked up the number I was calling. But how did they know my CC
| number was expired, and that my annual renewal date was coming up
| soon?
|
| When I called, I immediately got connected to a live person.
| Second mistake: you can _never_ get through the voice menu to a
| live person so easily. Anyway, the guy sounded convincing, and
| said I could get a special discount on renewal, so after some
| further conversation, I commented that I should be able to log in
| online and get this same deal, which was my preferred method. At
| that point, he finally put me on hold and then the call
| disconnected.
|
| BuckRogers wrote:
| I was scammed by a kid locally. He paid me for a motherboard over
| Paypal, then months later claimed it wasn't approved. I thought
| it was fishy he mentioned to me having his little brother pick it
| up. I said no to that. And I insisted on cash, but eventually
| relented, thinking it would probably be ok. He filed a PP dispute
| and lost, as I had text messages proving the sale. Then he did a
| chargeback and won.
|
| I would've filed in small claims court but the filing fee is more
| than the loss. So I looked up all his family info and addresses,
| and next time in his neighborhood I'll be knocking on their door
| for my money.
|
| And, I'll just keep finding creative ways to chase him down,
| online and off, until the day I die.
| I'm never letting it go and
| eventually if I had to "take" the money from him through other
| means (him losing money), that's what I'll do. I'll be sure to
| double or triple his losses though if it comes to that.
|
| gnicholas wrote:
| > _He verified my name, he had the last four digits of my debit
| card number, and everything generally seemed to follow the normal
| script of a transaction verification call_
|
| There's a red flag right there -- I've never found a bank willing
| to provide any verification of who _they_ are when calling me.
| They call me and ask me to give them a code or card number
| without providing me with any proof of their identity. I've
| tried to get them to give the sum of the last 4 numbers of my
| account, but they won't do it.
|
| They always tell me to just call back using the number on my card
| and try to find my way to the right department. Super annoying.
|
| hunter2_ wrote:
| > sum of the last 4
|
| It's a chicken/egg problem of not wanting to give information
| first, but a one-way function (hash) is a fantastic idea. The
| collision possibilities in this particular function are
| worrisome, though.
|
| onaworkcomputer wrote:
| It'd be unreasonable to ask someone to perform a hash of
| those last four digits (how would your mom respond if the
| bank asked her for the sha256 hash of her card number?), but
| it could be helpful to ask questions that don't reveal too
| much information, like, "is the sum of the last four digits
| even?" or "is the sum evenly divisible by 3?"
|
| It would be difficult to come up with something you could
| reasonably ask an account holder to figure out on their own
| that also wasn't easy to randomly guess.
|
| gnicholas wrote:
| What I was suggesting wasn't asking the account holder, but
| asking the bank. With a little training, the call center
| reps should be able to handle adding together the last few
| digits of a card number.
|
| I agree that asking account holders for this would be
| confusing, but since the bank is the one calling in this
| case it makes sense that the caller (bank) should provide
| information first.
|
| Of course, it appears that in this guy's case, not even
| this would have worked, since they apparently had his full
| card number.
|
| giaour wrote:
| If the account holder has to ask the bank for a piece of
| information, the account holder will also have to produce
| it for comparison.
|
| Summing the last four digits could unintentionally leak
| information (what if those digits are all zeros?), so the
| challenge question should be carefully chosen by the
| bank, not just whatever the account holder comes up with.
|
| gnicholas wrote:
| Can you explain what the information leak would be? Also,
| I think it's not possible for a credit card to end in all
| zeroes.
|
| giaour wrote:
| There may be inferences you can make from the sum that
| aren't immediately obvious. If cards can end in four
| zeros, the sum and the last four digits contain
| equivalent information, but you would also confirm that
| three of the digits are zeros if the sum was 1. It's
| something that, if I were a bank, I would want someone
| with a background in number theory to weigh in on. If I
| were a paranoid bank exec, I wouldn't trust the low-wage
| customer support reps I had on staff to vet customer
| questions for how much information they might leak and
| would instead have blanket prohibitions on answering
| questions from customers until after the authentication
| phase of the call.
|
| Questions like "is the sum even?" trade a lower
| opportunity for information leakage for a greater
| opportunity for a random guess to be correct.
|
| gnicholas wrote:
| I understand the perspective of the paranoid bank exec!
| But if the alternative is that their customers are
| trained to give out personal information whenever someone
| calls and says they're from the bank, that's quite
| possibly worse.
|
| It would be nice if when someone called me from an
| institution, they gave me a code that I could enter after
| calling the number on the back of my card. That way I
| would have confidence I'm talking to the bank and would
| feel comfortable giving out verification information.
|
| In the past, it has always been a headache to find my way
| back to the department that called me.
|
| jrochkind1 wrote:
| Don't forget the last digit is a checksum digit too.
| Which I still can't give you an attack, but I also agree
| that I definitely can't say I'm sure there isn't one.
|
| hunter2_ wrote:
| For sure. I wonder what the state of the art is in
| human-friendly challenges.
|
| Zachsa999 wrote:
| Please select pictures containing a boat.
|
| giaour wrote:
| "What is pictured on the front of my card?" might not be
| a bad question (assuming the bank allowed account holders
| to choose from a large variety of images or upload their
| own). It's data that the bank could capture on card
| issuance, that anyone who has been in the physical
| presence of the card could answer, and that would not be
| captured by payment systems.
|
| droffel wrote:
| The dataset for hashed credit card numbers is small enough
| that it can be easily represented in a static lookup table,
| or brute forced.
|
| giaour wrote:
| Brute forced by a human voice on a phone call? You must
| talk quickly.
|
| NavinF wrote:
| He almost certainly meant that sha256(card number) can be
| bruteforced to figure out what card number was hashed.
| 10^12*256 bits is only 29 TiB.
|
| So providing a hashed card number to a potential scammer
| is just as bad as providing the card number.
|
| indiv0 wrote:
| So just ask the other party to give you a salt they
| generate on the spot? And/or you do so on your end?
|
| You can still get targeted for a direct attack but much
| less likely to end up caught in a dragnet approach.
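
The challenges floated in the replies above (speaking the sum of the last four digits, yes/no questions about that sum, a hash with a per-call salt), measured for what each one gives away to whoever is listening. This is an added example, not code from the thread; the function names, the sample digits "4821" and the salt are constructed for illustration.

```python
import hashlib
import math
from collections import Counter
from itertools import product

# Every possible "last four" value: 10,000 candidates.
ALL_LAST4 = ["".join(p) for p in product("0123456789", repeat=4)]


def digit_sum(last4):
    return sum(int(ch) for ch in last4)


def candidates_for_sum(revealed_sum):
    """Last-four values still consistent with a sum spoken on the call."""
    return [c for c in ALL_LAST4 if digit_sum(c) == revealed_sum]


def sum_histogram():
    """How many last-four values share each possible sum (0..36)."""
    return dict(sorted(Counter(digit_sum(c) for c in ALL_LAST4).items()))


def bits_left(n_candidates):
    """Uncertainty remaining for a listener, in bits."""
    return math.log2(n_candidates)


def blind_guess_rate(predicate):
    """Chance that a caller who does NOT know the digits answers a yes/no
    question correctly by always giving the more common answer."""
    yes = sum(1 for c in ALL_LAST4 if predicate(c))
    return max(yes, len(ALL_LAST4) - yes) / len(ALL_LAST4)


def salted_proof(last4, salt):
    """The 'hash it with a salt' idea: sha256(salt || last four)."""
    return hashlib.sha256(salt + last4.encode()).hexdigest()


def search_proof(proof, salt):
    """A per-call salt defeats a precomputed table, but the input space is
    so small that every candidate can simply be re-hashed with that salt."""
    for c in ALL_LAST4:
        if salted_proof(c, salt) == proof:
            return c
    return None


def sum_is_even(last4):
    return digit_sum(last4) % 2 == 0


def sum_divisible_by_3(last4):
    return digit_sum(last4) % 3 == 0


if __name__ == "__main__":
    hist = sum_histogram()
    print("bits before any challenge: %.2f" % bits_left(len(ALL_LAST4)))
    for s in (1, 9, 18):
        print("sum=%2d leaves %3d candidates (%.2f bits)"
              % (s, hist[s], bits_left(hist[s])))
    print("blind guess, 'is the sum even?':         %.4f"
          % blind_guess_rate(sum_is_even))
    print("blind guess, 'is the sum divisible by 3?': %.4f"
          % blind_guess_rate(sum_divisible_by_3))

    salt = b"constructed-per-call-salt"      # constructed sample value
    proof = salted_proof("4821", salt)       # constructed sample digits
    print("salted proof searched back to:", search_proof(proof, salt))
```

The spoken sum never leaves more than 670 of the 10,000 candidates and a sum of 1 leaves four, while each yes/no question can be passed by a caller who knows nothing at least half the time.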
|
| giaour wrote:
| That would prevent using a pre-generated lookup table but
| doesn't help much with brute force attacks. All possible
| card numbers is a finite set, and if you have the
| sha256(card number + salt), you can figure out which card
| number was used as input given the improbability of
| sha256 collisions within that set.
|
| Keep in mind this is in the context of an account holder
| asking the bank to authenticate themselves on a phone
| call using data only the bank and the account holder
| should know. sha256(card number) was an example of
| something that is obviously inappropriate, and I don't
| think sha256(card number + salt) is any different
| qualitatively.
|
| lucb1e wrote:
| > like, "is the sum of the last four digits even?" or "is
| the sum evenly divisible by 3?"
|
| Exactly. After only a few of these you have an equivalent
| security level to checking the four digits directly but at
| each step of the way there is a 50% chance that the
| attacker, not knowing the number yet, gets it wrong and you
| stop giving more info. If they do a thousand calls a day,
| they'll still get some people, but it's _probably_ not you
| so that's at least a small win.
|
| You might enjoy learning about PAKE/SPEKE, which has
| similar properties.
|
| > An important property is that an eavesdropper or
| man-in-the-middle cannot obtain enough information to be able to
| brute-force guess a password without further interactions
| with the parties (Wikipedia: PAKE)
|
| Just enough enjoyment to then get depressed wondering why
| nobody is using these nice things
|
| Domenic_S wrote:
| This happens with my doctor's scheduling people all the time.
| "Hi I'm calling for $YOU, will you please verify the last 4 of
| your social and full DOB?" uhhhh... no I will not, random
| person
|
| Isthatablackgsd wrote:
| DOB made sense because 10,000 people in the world have the
| same birth date. DOB (without PII) didn't narrow enough to
| identify the person.
| Regarding that last 4 SSN, yea I would
| never give that out.
|
| My doctor office required me to provide my DOB before I can
| schedule an appointment or questioning over the phone. My
| pharmacist required my DOB before I can get my meds from
| them. If I don't provide my DOB, they will turn me away and
| assumed that I'm a scammer.
|
| the_svd_doctor wrote:
| DOB is often just to make sure they have the right person,
| and not an alias. But yeah, SSN, I wouldn't give it out like
| this.
|
| wanderer_ wrote:
| Oooh, good way to abstract out names from stories! Stolen for
| my own future use.
|
| alana314 wrote:
| I had a similar scam fraud call from my bank and I asked them
| to verify the last 4 of my SSN. They had it! But later they
| said they'd send a text verification but it was asking to add
| my card to apple pay. So I hung up and called my bank back and
| they had no record of the call. It was freaky that the scammer
| had so much info though.
|
| A7med wrote:
| "EXPERT"
|
| TheHypnotist wrote:
| That's all I could think. This guy sounds like a typical person
| prone to scams. Expert my ass.
|
| fleddr wrote:
| Some of the comments here are cruel and missing the entire point.
|
| Well yes, as you're slowly reading this entire case, with the
| prior knowledge that he is getting scammed, and having all the
| time in the world to find the mistake or red flag in his actions,
| sure enough you'll find it. How very smart and vigilant you are.
|
| But as the article already explains, those are not the conditions
| in which a scam happens. You don't know you're being scammed. The
| person sounds helpful, exploiting your inner desire to be
| cooperative. There's a sense of urgency, which disrupts calm and
| clear thinking. It was a very sophisticated and well prepared
| scam, which increases trust and makes you glance over or
| "forgive" small oddities.
|
| Ironically, the fact that some of you chose to criticize somebody
| showing vulnerability is very emotional behavior, not rational
| behavior. Perfect candidates to be scammed.
|
| By the way, are Americans still logging into online banking with
| a username and password? That's it? Please tell me that's a joke.
|
| klik99 wrote:
| There's one easy rule that could have avoided all of this - never
| give out any info on incoming calls. If I get a call or text
| about fraudulent transactions, I'll keep them on hold while I log
| into the bank website. If I get a call about a late payment, I'll
| thank them for the info and ask them to stay on while I pay
| online. If I get an inbound call with a more complex request,
| I'll ask them for their employee info and call back the official
| service number. It annoys the caller sometimes, despite always
| treating them professionally, but I keep that a hardline rule no
| matter how real it feels.
|
| I heard this from a security guy and was under the impression it
| was one of the sacred laws of security. If it's not, it should be
| - it's a rule of thumb that would stop 90% of social engineering
| attacks I hear about.
|
| zzzeek wrote:
| what information is actually being asked of people on incoming
| calls these days? I never seem to get any of these calls, but
| banks and credit cards etc. by now should be clued in enough to
| this stuff that when they actually call a customer, they do
| nothing more than alert that customer to proper channels they
| should initiate and follow to resolve the issue.
|
| antiframe wrote:
| Yes, this is what I do too. I say "Thank you for the
| information. For security reasons I won't discuss this matter
| on this incoming call but I will immediately contact your fraud
| department on the number I have." They've never been annoyed
| about this. In fact, mostly they've been positively surprised.
|
| geek_at wrote:
| Another solution would be to find out who the scammers
| parents are and write them. Worked for me
|
| https://blog.haschek.at/2016/how-a-scammer-stole-500-dollars...
|
| roozbeh18 wrote:
| I am a security guy by profession, the other day my wife signed
| up for a tesla and they ran her credit. next day we get a
| random call from wellsfargo regarding an auto application and
| wanted to verify her information. my wife confused why
| wellsfargo calling, did what I always ask her to do. tell the
| individual to provide her with the case number and she will
| call back and they do not need to provide her the call back
| number. This is easy to remember for most people and She did
| just that. It turned out tesla has multiple financier which
| tesla failed to mention that one is wellsfargo.
|
| tempestn wrote:
| This is good advice, despite it being a pain sometimes! I once
| got a voicemail from the fraud department at my bank, with a
| number to call back. I googled the number and all that came up
| were stories about being scammed. So I was 95% sure it was a
| scam, but called my bank directly just in case. The person who
| answered assured me they hadn't contacted me, and it was indeed
| a scam. I later got a follow-up voicemail from the "fraud
| department", from the same supposed scam number, which I
| ignored.
|
| Then, the next time I went to use my card, it was blocked. I
| called the bank again and spoke to someone new, who _informed
| me that the original calls had been legitimate_ - they had the
| same reference number and everything - and the card had been
| blocked due to lack of response!
|
| Obviously a false positive on the scam detector is less of a
| problem than a false negative, but was still pretty incredible.
| No idea what was with all the people talking about being | scammed from that number online; I can only assume that they | (like the first rep) _assumed_ it was a scam, since if the bank | needs to call you, they should tell you to call back using the | number on your card, not some random number they give you. But | apparently that 's exactly what they did. | aceazzameen wrote: | I had something similar. One time I got a phone call from a | "Scam Likely" and decided to answer it. And it was an | automated message from my bank asking if some purchases in | another state were real or fraudulent. At this point I began | to second guess if it was a scam or not, but had to assume it | still was. I ended up logging into my account and seeing the | same fraudulent purchases that it listed over the phone. So I | called the number on my card and had it all settled. I found | it weird that the original call was a false positive though. | MerelyMortal wrote: | Probably because the phone number is calling about a scam | (fradulant charge), and then when they hang up, people | report the phone number as a scam because they don't | understand the difference. | caf wrote: | This has a similarity to the original story here, in that the | original sounded like: _" They behaved a lot like a scammer | would, but I also totally expect my real bank to behave like | a scammer would"_. | WorldMaker wrote: | Many banks today have communications preferences options | and I've told all of my banks that do to _never call me | directly_. If I receive any sort of legitimate call from | them I immediately follow up with a strongly worded letter | that they should not have called me and violated their own | security policies. | | The only thing we can do about "bank behaviors make it | easier for scammers" is to change bank behaviors. It's not | an _easy_ process, but unfortunately it is a necessary | process. | fallingknife wrote: | He is looking for a definite red flag that it's a scammer. 
| This is a terrible strategy and he should know better. One | suspicious act and you should hang up and call the number | on the back of the card. Really you should just not take | calls from the bank ever and call back on the number on the | card. | thathndude wrote: | Agreed. It's easy to play Monday morning quarterback, but the | author of this article made some pretty big blunders for an | expert. | blondin wrote: | surprised too, once i read it all started with a phone call | from author's bank. your bank will "almost" never ask you for | your info on the phone. if they do, you don't have to provide | it. you can ask to go to a branch in-person, or log onto the | website to provide the required information. | | all banks should often remind their customers of this. mine | does. | | banks and phone carriers should do scam and fraud trainings for | customers. or friendly reminders. | wccrawford wrote: | Agreed. No matter how tired and annoyed I was, I'd have stopped | dead at the confirmation code that they asked for. There's | absolutely no way I'd have given that to them, even if it meant | cancelling my account and using a different bank. | | That seems a bit extreme, but if their procedures are so crazy | as to require circumventing another system's security | procedures, I'm not going to bank with them. | | I actually had a bank send me an email asking for information | that came from another domain, had a header that looked liked | it had been badly scanned in, and had links to domains they | don't own. When I ignored it, I eventually got a notice that my | car loan was in jeopardy because I hadn't provided that | information. | | They had no clue why I was so upset about that email. | | I paid off my loan immediately and never looked back, even | though the interest was less than I make off the stock market. 
| yuliyp wrote: | I think this is a statement easier to conclude in hindsight, | especially as you are primed with "this story is describing a | scam, definitely". The author describes the thought process | and what ended up nudging them toward believing the scammer | about the workflow. A code sent like this in a legitimate | workflow could be plausible. Maybe it's a requirement to | ensure that the customer is indeed acknowledging the | operation and the CSR isn't taking actions behind the | customer's back, for instance. | | The author had a lot of signals pointing toward legitimacy to | counteract their natural skepticism, it was a stressful | situation and the nature of a phone call puts time pressure | into the decision making, increasing the odds of a mistake. | | Your example points out that false positives on the "scam or | ham" decision do have a cost to the contact recipient too, so | "never respond to anything" comes with risks and costs too. | It's hard to be perfect. | pmoriarty wrote: | _" There's one easy rule that could have avoided all of this - | never give out any info on incoming calls."_ | | Also: Just call your official bank/card phone number yourself. | This number should be on the back of your debit/credit card. | Isthatablackgsd wrote: | I have the same rule for online chat support. | | Last week, I cancelled my Netflix subscription and been trying | to remove my credit card details from my account to prevent | surprise reactivation in the future. There wasn't an option to | do it online, so I went in their chat support and ask them to | remove my CC information from my account. Then they asked me to | provide my CC number to validate who I am. I told the rep that | I am not comfortable sharing my CC information over the chat | and prefers only give out my service code or alternative | information. This rep kept ensuring that it is secured and they | can't see what I am typing in. 
I asked them to initiate it and | I will decide if it is trustworthy to put it down. I got the | prompt and it asked for a full CC number. I declined the prompt | and told them that I'm not comfortable doing that. And it | didn't help that the rep was unintentionally behaving like a | scammer. I shared my concerns about the rep's behavior and | remarked that scammers can say those things. The rep understood | my concerns and asked for other information like the email | address that is linked in the account and what are two recent | activities on the device I use. I gave out the information and | validated I am the accountholder. Then the rep processed my | request and I see my CC information is removed from my Netflix | account. | nilsbunger wrote: | Banks and health care providers have aggressively trained | customers to be ok with giving sensitive info in a received | call. It's a real disservice to the community, but kind of a | tragedy of the commons. | | I also do a callback (verifying the number they give me via a | google search) but it seems like almost no one else does. On | one of these calls from a bank, I asked the agent whether | anyone else asked to do a callback, and they said no one ever | did this. | alskdjflaskjdhf wrote: | Yes, this is scam prevention 101. Anyone who called you is | always unverified. It's hard for me to take seriously a "scam | prevention expert" who doesn't seem to know or follow this | rule, which by itself is enough to protect you from most scams. | Normally I try not to victim blame people for getting scammed, | but when you've made a declaration like that you forfeit that | right. | | I'll also point out that the author seems to have some | complicated arrangement for their phone number(s), presumably | in the name of security, that in fact got in the way of | identifying this to be a scam.
| klik99 wrote: | Regarding the complex phone arrangement: There's an effect, | the name escapes me, that adding security can make threats | less frequent but more dangerous. Sounds like he was more | complacent because he had trust in his phone system. | | And I agree about author - if he had said that he violated an | easy rule and owned that I would take his credentials more | seriously. Everyone makes mistakes, but he didn't list this | simple, well-known rule as a way of preventing this. | aceazzameen wrote: | That's good advice. I'm also wary of providing information over | a customer service chat. A recent example that comes to mind | was when I was price matching a product on Best Buy's website | over a chat session. The rep confirmed the price match was | valid and began to initiate it. And then he started asking for | all of my personal details including, phone number, address, | and credit card. When I politely refused, he thought I didn't | want the price match anymore. I confirmed I still did, and he | said he needed all of the info to place the order for me. I had | assumed I would be sent a personalized link to order the | product, or it would just be added to my cart (since I was | signed in). But no, he needed personal info which would live in | a chat log. I ended up ordering from the other retailer. | | Anyways, maybe there was nothing wrong with providing those | details. Maybe they were already available to him on his | screen. But the act of asking for that info and making it | commonplace for people to just provide it is how so many scams | are successful. I don't know how we get away from bad security | practices being the norm. | jesusthatsgreat wrote: | Or better yet, just don't answer incoming calls that you're not | expecting | cjg wrote: | Calling on the official number is a good rule. But my neighbour | followed that and was still scammed for tens of thousands. 
| | The critical extra step that they missed was to check that the | line was disconnected before calling out. They were using a | landline. | | The scammers called them, but didn't hang up. Then, when my | neighbour called out to their bank, they pretended to be | answering that call - going through security, etc. | | My neighbour then did whatever the scammers said - because they | couldn't possibly be scammers. | ghostly_s wrote: | Your neighbor just dialed the new number without hanging up | first? | AdamTReineke wrote: | I could see this working if the other end played a click | followed by a dial tone sound. | harshreality wrote: | Unless both sides hang up, there's something like a 10-20 | second window where the call is held open. Hanging up, | picking up within 10 seconds and dialing, means you're | still connected to the original caller. If they're clever, | they might even detect the click of you hanging up, and play | a dialtone for when you pick back up, and stop playing it | when you start to dial. | lostlogin wrote: | No dial tone and no ring... Seems a difficult mistake to | make but then again, I regularly surprise myself with my | errors. | bragr wrote: | There's nothing technical that prevents the other side | from playing dial tone and ring sounds | e40 wrote: | The neighbor hung up, but the scammers didn't, and the call | was not disconnected? That's not my experience. Is this what | you meant? | afiori wrote: | Apparently it is a feature Called Subscriber Held (CSH). | | https://security.stackexchange.com/a/100342/143105 | | TL;DR It was just how analog phone worked, users came to | rely on it, digital exchanges reimplemented it (with a | timeout) | [deleted] | BeefWellington wrote: | Yes, and this is how it works as another responder | mentions. | | The thinking by phone companies is essentially: guy calling | pays for the call, so we can milk each call for a few extra | cents each time even if they're shady or a wrong number.
| mdoms wrote: | Your neighbour dialed a new number without hanging up his | ongoing call? Is this his first time operating a telephone? | The scammers mustn't have believed their luck when they | realised that was happening. Did they mimic a "brnnnnggg | brnnnggg" sound when he dialed? | post-it wrote: | > Did they mimic a "brnnnnggg brnnnggg" sound when he | dialed? | | Yes: https://bc.ctvnews.ca/beware-of-the-delayed- | disconnect-phone... | | Looks like you would have fallen for it. | function_seven wrote: | The connection isn't always torn down immediately. | Different switches behave differently in this regard. I | remember a long time ago being trolled by a friend of mine | who refused to hang up. I wanted to call someone else, but | every time I picked up the handset to dial out, he was | still on the line laughing at me. | | So if you're served by a switch that operates this way, the | scammer just holds the line open, plays dialtone and | ringback tones appropriately, and you're none the wiser. | camtarn wrote: | For the people who are confused: this is a fairly common | thing on landlines in some countries, where the telephone | exchange doesn't drop the connection until both ends have | hung up, or in some cases when the caller hangs up but not | the callee. So it's possible to put your own phone down, but | when you pick it up again your phone is still connected to | the scammer's telephone. If they play a convincing dial tone, | then change to a ring tone when they hear DTMF, you'd be none | the wiser. | | The workaround to this is to use another phone (e.g. switch | to mobile), or if that's not possible, apparently you can | wait several minutes until the exchange times out the | connection. | | https://security.stackexchange.com/questions/100268/does- | han... | afiori wrote: | I can confirm that at least once this happened to my family | in Italy about 20 years ago. | | The most anecdotal statement ever, but a data point | nonetheless. 
| sometimeshuman wrote: | I accidentally won a radio contest many years ago in this | way. I heard "you are caller 2" and then the DJ hung up. I | stayed on because I was confused and then a few seconds | later he picked up again and said you are "caller 4". So I | just stayed on and eventually said I was caller 10 and the | 10th caller won the prize. I assume he was switching back | and forth between two internal phone lines. | | I was confused because I was calling to make a song request | and had no idea that this contest was initiated because | they had just played a certain song. | Spooky23 wrote: | I did that too, except I called the wrong number and won | Barbara Streisand tickets. Not my jam. | caf wrote: | Back when I was in high school and landlines were still a | thing, we used to prank our friends this way sometimes. | hunter2_ wrote: | It even makes the news [0] periodically. Watch the video, | especially 2:22-2:36 which reiterates the PSTN behavior. | | [0] https://bc.ctvnews.ca/beware-of-the-delayed-disconnect- | phone... | Phiwise_ wrote: | Even already knowing about this I'm still mystified that | landlines work this way on every occasion that I'm reminded | of it. Does anyone know if there is, or at least was, a | justification for this mode of operation? Was it at least | of any use to anyone back around the 1900s or whenever or | is it just another "we do it because that's how we've been | doing it" residue that hasn't been cleaned yet? | maicro wrote: | As opposed to my sib comment, I could see (theoretically, | not saying this is what the original logic was) some | justification to deal with intermittent line breaks or | connection issues - if one side can keep the call open, | then a wind gust breaking the connection for a couple | milliseconds somewhere between the two parties won't | cause the whole call to end. From a customer point of | view, it's more resilient and ends up with fewer dropped | calls. 
| | I could also theorize about the different switching | actions going on, where up until the other party picks up | there's already only one phone on the line, but that's | getting into phone system/phreaking stuff that is way out | of my depth. | jameshart wrote: | Back in the day, folks would have more than one phone in | their house. | | Someone would call and all the phones would ring (or you | might turn off the ringers on some of them so only one | main phone actually rings). So someone might pick up the | phone in the entrance hall and the caller would ask to | speak to Becky, and Becky's mom would yell up the stairs | 'BECKY PHONE' and then put the receiver back down while | Becky runs into her big sister's room to grab the | upstairs phone, and carry the whole phone, trailing on | its wire, into her bedroom, slamming the door on the wire | for privacy, before she picks up the receiver to answer. | brimble wrote: | I lived through this era and at one point _worked at a | phone company_ and never knew about this behavior. I'd | hold the receiver until I heard the other person pick up, | then hang up. | lxgr wrote: | If you're up for an (at least to me) fascinating rabbit | hole of technological history in audio form, you might | enjoy this narrated audio tour of analog phone switches: | | https://www.evan-doorbell.com/production/group1.htm | easytiger wrote: | Was this in the UK? I think they dropped the timeout to help | mitigate this. Know someone else it happened to | mekoka wrote: | So your neighbor hung up to proceed with a follow up call, | which, if they're like most people, consists in just pressing | the switch with a finger, while keeping the handset to their | ear. But then upon releasing the switch, they just started | dialing without waiting for the dial tone? And after they | finished dialing and never heard the ringing tone, they | didn't find that unusual? Forgive my skepticism, but | something's missing from that story.
| | Edit: Just read up on the disconnect time (10 seconds for | some providers) and yes, a sophisticated scammer could indeed | emulate the various tonalities. | AdamN wrote: | scammer plays a dial tone after the 'hang up' and while | dialing. | chaostheory wrote: | Can I get scammed? Sure, but in this specific case, that Wells | Fargo scam wouldn't work on me because I know firsthand that | Wells Fargo fraud prevention is terrible. Case in point, a few | years back I had in-store mall transactions happening 400 miles | and 2600 miles away from my current location within an hour span | of my lunch transaction. No fraud alert. It even took me weeks to | contest these transactions. This is abysmal compared to virtually | every other credit card provider. | gowld wrote: | > I answered, the guy said he was calling from Wells Fargo's | Fraud Prevention Department, calling to verify some transactions. | He verified my name, he had the last four digits of my debit card | number, and everything generally seemed to follow the normal | script of a transaction verification call. | | No legitimate bank would do this. They say "call the number on | your card, and mention reference # NNNNN" | | Wells Fargo is a criminal organization: | https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan... | so there's no reason to assume an impostor would be worse. | js2 wrote: | > Said he was calling from Wells Fargo's Fraud Prevention | Department, calling to verify some transactions. He verified my | name, he had the last four digits of my debit card number, and | everything generally seemed to follow the normal script of a | transaction verification call. | | I recently had to speak with the Zelle FPD because it had frozen | my ability to send (but not receive) after I had made some small | trial transactions. Also, I use a Google Voice number with Zelle, | which Zelle seems not to like. | | I was shocked at the depth of questions that the Zelle FPD agent | asked me. 
My SSN, DOB, address and recent transactions were | expected. But then it went deeper: state where my birth | certificate was issued. Fine. Car loans I had. Okay, this is all | stuff on my credit report. But then it went past me: where my | kids were born and their DOBs; my brother's DOB and age; my | wife's DOB and age; my mother-in-law's (!) maiden name. Keep in | mind this all after I've authenticated myself to my bank | including a phone password I have setup. And, it's for a | secondary checking account that I have less than $1000 in. | | Real bank FPDs have a crazy amount of information on not just | you, but also your family members. | | I personally would hang up if any of my financial institutions | called me and I'd call them back. | sjmm1989 wrote: | > We always say we'd rather people report a thousand false alarms | than fail to report a single real emergency, but if the process | of filing those reports results in condescending info-dumps or | intimidating interrogations, is it really a surprise that so many | people have been trained to just not say anything and hope their | suspicions were wrong? | | This is how it is at almost any company I have ever worked for. | They always say things like "We prefer that you ask questions if | you don't know" or "We would rather get a hundred false reports | than miss one valid one." That sort of thing. | | And then when you follow through with what they ask for, it's | just like the quoted part says. | | > results in condescending info-dumps or intimidating | interrogations | | It's not just a cyber security problem folks. This is pretty much | a global problem, because no one ever really wants to be bothered | over trivial matters, and no one really wants to believe the boy | who cries wolf; even if the wolf is real. | | None of this will get better until people in general become both | intellectually and morally wiser. So get a drink and some popcorn | cause this is gonna be a while. 
| nopeYouAreWrong wrote: | I'm so skeptical of these "experts" especially if they write a | blog post where they hate their bank. | | I've been with Wells for over a decade. They have never called | me. Never. | | I have had "fraud" alerts hundreds of times. They always happen | at certain POS, and it's always a text alert. | | Some of the stories I read make me viscerally react with "what in | the world are you doing with something as simple as a bank | account?" | | Also a fundamental default is "no action". If you are even | slightly suspicious, do nothing. It isn't somehow so important | that you stop thinking and just act or react. Just stop. | ghostly_s wrote: | > I'm so skeptical of these "experts" especially if they write | a blog post where they hate their bank. | | There is a nearly endless list of legitimate reasons for one to | hate Wells Fargo. | buscoquadnary wrote: | My wife used Wells Fargo, I've heard about how they don't like | to bother customers, in fact they hate it so much they didn't | even bother notifying customers when opening new accounts for | them, or performing actions on their behalf to generate fees. | civilized wrote: | Also, no one asked for the account to be opened or for the | fee-generating actions to be performed. | | (They're still not out from under that Federal Reserve asset | cap!) | mattbee wrote: | The author does seem to bang on about his "reasonable | assumptions" for how much Wells and Apple Pay suck, so he | should continue the call! Like he's just too clever to follow | the advice he'd give everyone else to hang up and call back. | mort96 wrote: | I didn't read it as explaining why she _should_ continue the | call, just why she _did_ continue the call. She's explaining | why those things didn't immediately trigger the scam alarm. | Nowhere did I see her claim to be too clever to do anything.
| | I found it an interesting read which details an experience | which is far removed from how you expect a scam call to | occur. It's interesting to read the signs which _should_ have | been alarm bells, but which were dismissed because nobody is | perfect all the time. | spicybright wrote: | I'm honestly surprised he even wrote this if he claims to be | an expert. | | He literally ignored half of what the rep was saying because | he was busy fiddling with the computer, then willingly gave | up all his personal information because of the distraction. | | You would think an expert would know how to properly use 2 | factor auth too. Giving someone the code is exactly how you | defeat it. | BaseballPhysics wrote: | > I'm so skeptical of these "experts" especially if they write | a blog post where they hate their bank. | | Really? That's the thing that makes you skeptical and feel the | need to use scare quotes? | | Banks suck. Hell, mine hasn't even implemented proper 2FA. | | And Wells Fargo is so bad they've been caught scamming _their | own customers_ : | | https://en.wikipedia.org/wiki/Wells_Fargo_account_fraud_scan... | gotaquestion wrote: | I think it was important of the author to put that out there, | expert or not. It made me take a mental inventory, and bolster | my first-responder thoughts. 
| vmception wrote: | > if it was a scam, then this was clearly a bluff to try to | reassure me, but he had WAY more information about me than I | would expect an average scammer to have | | you can purchase FULLZ from darkweb marketplaces, these contain | name and address and social security number and often come with | credit card details too | | with that, you can do social engineering like this, you can also | remote desktop into any computer nearby to their zipcode (from a | different darknet marketplace of compromised computers being | rented out) and purchase things online from that, making it less | likely to be flagged | | the idea that "scammers intentionally do obviously red flag | things to weed out discerning people and just target susceptible | people" is just one segment of the market. doing smarter more | cunning things is entirely available and entirely lucrative | boznz wrote: | Be interesting to do a lookup on yourself, is there any | information how you go about this ? | vmception wrote: | I mean you could try to find the large known leaks and go | through them yourself | | People just cross reference them and sell individual ID packs | one by one | | There were 15,000,000 people in the Experian leak alone. Most | of that information is still valid, we've just gotten numb to | it. | | Merchants that care about customer support and reviews will | just replace an ID for the consumer if it's been used before | | There isn't a way to try to find who is in a database without | the source databases yourself. Merchants don't tell you how | they found the aggregate data, they just have reviews from | people that say if it was accurate data or not. You could try | and ask a merchant if they have a particular person, but I | doubt many merchants have a way to sort that themselves, as | the files are no longer in a parseable database by the time | it reaches them.
The organized networks are corporations and | conglomerates with separations of knowledge and duties. | | All you would be able to do is purchase a FULLZ and get what | you get. | luckyorlame wrote: | Define expert? | nonrandomstring wrote: | This is a perfect case of iatrogenic security. When the systems | get so complex and remote that security experts are caught out, | they do more harm than good. | | It's also a consequence of solutionism, systematic monotonicity, | mother-knows-best and externalising costs such that we: | | Only add more security solutions on top of existing ones to fix | their holes. | | Deny the user any choice or agency in setting their own security | terms | | Never revoke or remove a feature (that would be admitting | _defeat_ ) | | Push the burden in every process on to the user | | Create fear in the user - that any misstep will cause them more | inconvenience and trouble. | | Make security an authoritarian culture such that user will not | question or be sceptical. | | All of these are antithetical to civic cyber-security that we | need available so educated and empowered users can operate | technology under their control. | inetknght wrote: | What a terrible site to complain about being scammed when you | don't even bother to serve over HTTPS! | dfsegoat wrote: | I know it doesn't matter for reading text, but the look is no | bueno. | | I really think this detracts from the credibility of a | "Security expert". | otterley wrote: | Scam reports like these really frighten me. If someone of above- | average intelligence like the author can nearly be taken for a | ride, imagine how easily our friends and family -- who are often | far more vulnerable -- can be taken advantage of. 
| | As the people most capable of remediating the vulnerabilities in | our telecommunication and banking systems, I think we ought to | close ranks and insist that our employers do a better job of | protecting the innocent, even if it means breaking a few | conveniences. | jstarfish wrote: | > imagine how easily our friends and family -- who are often | far more vulnerable -- can be taken advantage of. | | FUD. Hackers and scammers exist, sure, but your friends and | family are always most likely going to be victimized by friends | and family. | | Outsiders have to _work_ to collect intelligence, gain access | and obtain your trust. Friends and family already have all | three prerequisites. | | Bernie Madoff didn't become the most prolific con-artist in | history by cold-calling strangers. And consider what | demographic is most likely to try recruiting you into the | latest MLM scheme. | AnIdiotOnTheNet wrote: | Why do you assume the author is of above average intelligence | just because they work in a technology profession? _I_ work in | this industry, and I've met a lot of people even dumber than | me in it, so intelligence can't be much of a requirement. | smm11 wrote: | Expert. | qualudeheart wrote: | But who scams the scammers? | Anechoic wrote: | There was one time I _thought_ I was being scammed, but it turns | out there was an actual issue with my bank account. | | Sitting at my desk at work, I get a phone call from my bank on my | cell phone. "Mr. Anechoic, there appears to be a security issue | with your bank account. We can resolve it for you. For security | purposes, can you give your checking account number and the last | four of your SSN"? | | This is clearly a scam, right? I tell the guy there is no way I'm | giving up that info for a random dude that calls me. He stresses | again that there is an issue with my bank account, that the | account will be frozen, and there is nothing he can do about it | without the account and SSN information.
I refuse again, and he | tells me that I should go to a local bank to get it resolved. I | hang up and go back to work. I log into my bank account website, | and all seems fine. | | After about 20 minutes, something is still bothering me, so I | leave work to go to a local branch. I speak to a branch manager | about what happened, and she agrees with me that it was clearly | an attempted scam and the bank would never call me and ask for | that information. But just to be safe, she checks my account on | her computer. To our surprise, it turns out there was a security | flag on my account! | | She calls the bank security desk, they confirm that there was an | attempt by someone in another branch a few states to get money | from my account and the call I got was legit and logged in their | system. We get the account locked out, and then the manager asks | to talk to a security supervisor about the messed-up way they | reached out to me. The security person basically said "this is | how they do things" and didn't see the problem. The bank manager | apologized, said it was messed up and she would try to run things | up the chain to improve their process. | | Damned if you do, damned if you don't. | exolymph wrote: | Not the same thing, but relatedly, every legit email I receive | from my health insurance is functionally indistinguishable from | phishing. They always bounce me through a million weird domains | too. It's very discomfiting and makes me worry that I won't be | able to pinpoint a legit phishing attempt because it won't | stand out. | bombcar wrote: | The weird domain stuff is something related to SSO I feel, | and it is HIGHLY indistinguishable from phishing. | | So all the "just be smarter" talk from ten years ago about | checking your domains, etc is out the window. | scammerbillz.biz is ACTUALLY your hospital billing service, | too bad. 
| tempnow987 wrote: | I love the weird domains - billing is sometimes outsourced | through x redirections, and they use weird third party email | hosts (CISCO secure email etc) that is halfway broken with | CSS for you to upload your employee rosters (complete with | socials and DOB's etc). | | The domains for these are always comically like phishing | domains (secure-bank-email.valimail.com etc). | teawrecks wrote: | "Cool cool, could you go ahead and close my account, please?" | alana314 wrote: | That's so dumb! No wonder the industry is rife with scams. | mafuy wrote: | How about this: | | "Very well. Please repeat to me in writing that if I receive an | unverified call claiming to be from Your bank, and asking for | my personal details, that I am to give the information and | follow all instructions and will not be at fault for damage | that might result from this." | | As they clearly won't do that, at least the moron will lose | face, and quickly so. | smarx007 wrote: | "We don't issue written statements to customers, please call | another department. We have locked your account for the time | being." | | The kinds of people who do this boring work all day long may | not be so receptive to our witty humor. | throwaway1777 wrote: | Sounds like they're not an expert after all, never give out | information over the phone unless you initiated the call. | googlryas wrote: | > So, I faithfully relayed the Apple Pay verification code, as | requested. | | I cannot fathom how a tech professional would do this. I mean, I | read their justification, but it still doesn't make an ounce of | sense to me, other than their brain was shut off for the entire | call. | renewiltord wrote: | I think I can kind of get it. This guy has made his own life so | complicated that he no longer knows what a normal guy operates | like. | | A normal person knows that scam calls come in all the time, so | they're on the alert for them. 
A normal person has their MFA | device or has MFA on text and they know these two mechanisms | have codes they should never relay. If they got an MFA via | email they'd immediately have their suspicions up. | | A normal person, through the normalcy of their system, assumes | that if this bank is having trouble dealing with them they'd | have trouble dealing with everyone and that's just absurd. | | But if you're the _abnormal_ person, then you assume your | custom setup is the problem. That's because 99% of the time it | _is_ the problem. He's fucked himself into being a social | engineering target. | | Back in the day, this was a thing with Linux. You'd encounter a | bug in a Windows app hosted through the WINE runtime and you'd | think "Well, it's WINE, it can't be perfect. I'll just report | it on WineHQ and go about my life". Well, sometimes it wouldn't | be WINE. It would just be the app itself. But you assumed that | because you're the weird one using WINE. Everyone else is using | Windows. So you blame your own setup and your bug doesn't get | fixed because it's in the wrong place. | | So this is my attitude to a lot of security stuff. I want to be | the normal user. Huge advantages: | | - If something is broken for you, it's broken for everyone. So | no one will blame you for consequences. | | - If something is weird about it, it's weird; you should be | suspicious | | - If things go badly for you because of it, no one will blame | you because they can relate; you will get help easier | mort96 wrote: | > A normal person has their MFA device or has MFA on text and | they know these two mechanisms have codes they should never | relay. If they got an MFA via email they'd immediately have | their suspicions up. | | What? I get MFA codes on e-mail all the time. I've got them | from Steam, from Mojang, from GitHub, from Square Enix, from | Digital Ocean, etc. For a normal person, getting some code | you have to relay to some other entity via e-mail is normal. 
| | Not to mention that the e-mail was actually a legit 2FA | e-mail from Wells Fargo? That's how this scam works after | all; you tell the victim that they'll receive a message with | a code, then the scammer tries to do some action which | requires 2FA, then the victim reads the code from the 2FA | message. The fact that you would categorize this e-mail as an | obviously fake e-mail which normal people would immediately | recognize as suspicious, when it's actually a real 2FA | e-mail, is pretty telling I think. | | > A normal person, through the normalcy of their system, | assumes that if this bank is having trouble dealing with them | they'd have trouble dealing with everyone and that's just | absurd. | | No, _this_ is absurd. Everyone has experienced having some | one-off problem with some account in some system. Not to | mention that the case in TFA was explicitly about fraud | prevention calling you about suspected fraudulent charges, | which seems extremely normal to me. Limiting individual | accounts due to suspected fraud, and then notifying the owner | of that account, is exactly the purpose of fraud prevention. | | The only part of this event which the author's unusual set-up | is responsible for, is that she gave an unusual level of | credibility to the scammer just for calling her phone number. | | But if it comforts you to think normal people would be immune | to this scam just because normal people have their | information more readily available on the internet, keep | believing that I guess. | [deleted] | megous wrote: | Nah, phone calls are even worse than SMTP here. Caller ID means | nothing. It's like a From header on an email with no DKIM. | | It can be set by the caller to anything, if they have access to | some trunk from an operator that allows this. It's another trust | based thing, with no automated verification. | | Trusting caller ID was the initial mistake. Never trust caller ID | with your money. 
It's like trusting sender names in your spam | folder mean anything. | arzeth wrote: | Is that "Verify your card in Apple Payr" email real/non-spoofed? | On that email's screenshot there's a huge red flag as with other | 99.9% scams: bad punctuation. Nobody writes "number:" (1:, 2:, | 3:, ...) for lists in English. | https://writing.stackexchange.com/questions/5680/is-it-ok-to... | orkj wrote: | > And lastly, if you're reading this, Daniel Coffmane #1687979, | whoever you really are: Well played. | | I went to read the comments here to see if Daniel somehow | acknowledged this | rob_c wrote: | I keep seeing this story headline from security admins lecturing | me how to not get my estate compromised... please just learn and | employ best practices and stop getting on at those with proven | track records | intrasight wrote: | Banks will never call you. It's that simple. And if they do, hang | up and call them back. | | I've had this attempted scam tried on me twice in last 4 months. | You know it's a scam for sure when they try to prevent you from | hanging up. | | Also, always disconnect. Don't just listen for a "dial tone" | after they hang up. | ivanche wrote: | This x100! And call them back from a different phone, just in | case. | josephcsible wrote: | tl;dr: Someone claiming to be from Wells Fargo contacted her by | phone and requested a code that she got emailed. The email with | the code said "Wells Fargo will not contact you by phone or text | to request this code." She gave him the code anyway. | TedDoesntTalk wrote: | > opened a claim for the fraudulent transaction (frustratingly, | there's no immediate reversal; have I mentioned yet that I loathe | this bank?). | | That's because you have a debit card instead of a credit card. | Get rid of the debit card. There are Zero consumer protections. | throwaway2474 wrote: | I wonder who these well-spoken, educated scammers are and how | they're recruited. 
| | Pet theory: voice recordings will be the next fingerprints/DNA, | at some point it will be trivial to identify the person based on | old recordings. At which point we can retroactively convict these | people years or decades later, when they thought they were out of | the woods. | katsura wrote: | Reminds me of the Darknet Diaries podcast episode 69: | https://darknetdiaries.com/episode/69/ | | Off topic: The site has a contact form and a login page, but no | https? | simoneau wrote: | I'm surprised at the level of scamming we tolerate as a society. | As technologists, we have a good chance of not falling for it, | but my parents are sitting ducks. | | Some combination of new consumer protection laws, infrastructure | improvements, and law enforcement attention is desperately | needed. I don't know why this doesn't get more attention. Is it | just the historical attitude that each of us are responsible for | protecting ourselves? Is the line too blurry between a legit | business and an outright scam? | monktastic1 wrote: | "while I'm no expert, I've never heard of a call center system | that can accept touch tones seamlessly while a call is active, | and it would take extremely sophisticated audio processing | capabilities to be able to do that, since the frequencies used by | touch tone keys heavily overlap the frequencies of human speech." | | "Extremely sophisticated?" The tones are just a sum of two sine | waves of known frequencies. That's trivial to detect. What am I | missing? | scottmcdot wrote: | > he was talking about mobile app payment systems, like Apple Pay | and Google Pay. Which, yes, I'm very familiar with, but I don't | use and have no interest in using. | | I think if you're going to be a Scam Prevention Expert, you | should at least familiarise yourself with the user experiences of | these services so that you can detect when they're potentially | being used in a scam. 
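On the touch-tone question in monktastic1's comment above, an added example (not from the article or from any commenter): a Goertzel-based detector for the two-tone DTMF keys. It goes one step beyond the comment by including the energy-share and twist checks that stop voice audio from being read as a key press; the block size, thresholds and the synthetic "voice" signal are assumptions chosen for the demonstration.

```python
import math

RATE = 8000                      # telephone-band sample rate in Hz
ROWS = (697, 770, 852, 941)      # DTMF low-group frequencies (Hz)
COLS = (1209, 1336, 1477, 1633)  # DTMF high-group frequencies (Hz)
KEYPAD = ("123A", "456B", "789C", "*0#D")


def goertzel_power(samples, freq, rate=RATE):
    """Power of `samples` at a single frequency, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_key(samples, rate=RATE, min_fraction=0.6, max_twist=8.0, strict=True):
    """Return the DTMF key present in one audio block, or None.

    strict=False only picks the strongest row and column tone, so it
    reports a key for *any* non-silent audio. strict=True also requires
    (a) the two tones to carry most of the block's energy and
    (b) their power ratio ("twist") to stay within max_twist.
    Both thresholds are illustrative assumptions, not values from a standard.
    """
    n = len(samples)
    energy = sum(x * x for x in samples)
    if n == 0 or energy == 0.0:
        return None
    rows = [goertzel_power(samples, f, rate) for f in ROWS]
    cols = [goertzel_power(samples, f, rate) for f in COLS]
    r = max(range(4), key=rows.__getitem__)
    c = max(range(4), key=cols.__getitem__)
    if strict:
        # A sinusoid of amplitude A over n samples has Goertzel power
        # ~(A*n/2)^2 and energy ~A^2*n/2, so this ratio is ~1.0 for a
        # clean two-tone signal and small for broadband audio.
        fraction = 2.0 * (rows[r] + cols[c]) / (n * energy)
        twist = max(rows[r], cols[c]) / max(min(rows[r], cols[c]), 1e-12)
        if fraction < min_fraction or twist > max_twist:
            return None
    return KEYPAD[r][c]


def tone(key, n=320, amp=1.0, rate=RATE):
    """Constructed test input: 40 ms of the two sine waves for `key`."""
    r = next(i for i, row in enumerate(KEYPAD) if key in row)
    c = KEYPAD[r].index(key)
    return [amp * (math.sin(2 * math.pi * ROWS[r] * t / rate)
                   + math.sin(2 * math.pi * COLS[c] * t / rate))
            for t in range(n)]


def voice_like(n=320, amp=1.0, f0=120.0, rate=RATE):
    """Constructed stand-in for voiced speech: 20 harmonics of f0, 1/k roll-off."""
    return [amp * sum(math.sin(2 * math.pi * k * f0 * t / rate) / k
                      for k in range(1, 21))
            for t in range(n)]


def mix(a, b):
    """Sample-wise sum of two equal-length blocks."""
    return [x + y for x, y in zip(a, b)]


if __name__ == "__main__":
    print("clean '5':           ", detect_key(tone("5")))
    print("'5' over voice:      ", detect_key(mix(tone("5"), voice_like(amp=0.5))))
    print("voice only, strict:  ", detect_key(voice_like()))
    print("voice only, naive:   ", detect_key(voice_like(), strict=False))
```

The naive mode shows the failure a production detector has to avoid: harmonics of a voice land near some row and column frequency, so a strongest-bin rule alone always reports a key.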
| renewiltord wrote: | I'm a gullible motherfucker: I have memories of handing a $20 to | a random guy walking up to me and saying "Hey, man, my car's | stuck and I need some cash for gas". | | That said, I've had a lot of these calls and fortunately not | fallen for them once. The funny thing is that eTrade (I think) | has a system where you can ask for a callback but then they'll go | right into taking your information. When that happens, I followed | the play book: I asked for a phone number that I could find on | ETrade that I could add an extension for to get to this person. | He gave it to me and everything along with some sort of quick | access code I was supposed to use to get whomever I hit to pass | me along. | | Well, I did the whole thing and the person at the other end in | the ETrade system that I dialed said "It's okay, I'll just take | care of it, sir". I mean, at this point I just sucked it up and | went through with the process since I figured I dialed the number | from their website to get there and then the extension so surely | it has to be legit, right? | | But I just know someone is going to point out a way that I could | have been scammed through this mechanism. | paxys wrote: | I expected some crazy new attack vector that was so sophisticated | it could fool this Scam Prevention Expert, but this post is | laughable. They fell for textbook "scamming 101" that my grandma | knows to avoid. | | Here's one tip for this expert - if you get a 2FA code over text | or email that clearly has the line "we will never contact you for | this code over phone or text" right under it, DON'T give it to a | "support agent" over the phone. | | > this is clearly a two-factor authentication code, meant to be | entered directly into an authentication page. Which is normally | not something that would be relayed over a phone call to a | customer service rep. A concern that I raised to Daniel. 
However, | he said that it was part of Apple's system, which they only had | limited access to. An explanation that, as someone who works with | computers, data security, and API integration professionally, I | completely bought | | And after reading multiple paragraphs of this person describing | money literally taken out of their account in front of their | eyes, you get to this line: | | > Putting all of this together, the scales started to tip toward | this potentially being a scam call, but I still wasn't certain | | I _really_ hope they don't have a lot of clients | feoren wrote: | I agree. I nodded along to the part about not assuming it's the | victim's fault, and then this "expert" falls for an extremely | basic, obvious attack. "Wells Fargo will not contact you by | phone or text to request this code." -- maybe that should have | been bigger and bolder, but it was there. This guy should not | be allowed to call himself a "scam prevention expert" anymore. | mort96 wrote: | There's _a lot_ of text in that e-mail. The text you're | referring to is perfectly positioned to be almost invisible | -- it's in the last paragraph intermingled with the standard | "if you have any questions, call us on blah blah blah" text. | My brain skipped the rest of that paragraph the first 5 times | I skimmed the e-mail. | gridspy wrote: | Anyone can fall for these attacks in the moment, even experts. | That was the point of the article. | | What makes us vulnerable is that we are human: we get tired, | caught up in the urgency of the call and our logical thinking | stops working. | | The actual story of the article is that we need to design | systems that are robust even when people are getting scammed. | Able to identify and reverse scamming soon after it happens | with easy ways to report it. | fallingknife wrote: | Amazing that a security "professional" would wait until he is | 100% sure it's a scam and not hang up when he isn't 100% sure | it's legit. 
| anonymousisme wrote: | I had a legitimate call from my credit union last month. They | were following up on a problem I had reported with their on-line | bill pay system. Toward the beginning of the call, they wanted to | verify that it was me and they asked me to provide them with the | 2FA code they had just texted to me. I declined and told them | that this is what scammers do. They agreed with me and encouraged | me to call them back at the number on my ATM card. | | I thought it was really unprofessional of them to operate this | way. | harshreality wrote: | It's insane for them to request that you read a 2fa code to a | human over the phone. Even if you called them. Escalate and get | their policies changed, or get them fired if they're violating | policy. | killjoywashere wrote: | I mean, if you're the test, if you pass 100% of the time, you're | not trying hard enough. | lucb1e wrote: | How often do you guys get calls from your bank? | | I got called twice in my life, both times in response to a ticket | I had filed but didn't necessarily need a response to (firstly a | complaint about some new hardware authenticator that was worse | than the old one (I was hoping enough complaints might make them | pick a better replacement next time), secondly about phishing- | but-legitimately aka Sofort which they now, two years later, | finally semi-blocked). | | From the post, since it mentions this being routine and normal, | plus the comments here, it sounds like americans are called every | month or so. Is that impression correct? Is it because of this | credit card system where basically anyone with your account | number has withdrawal access identical to what we use 2FA (chip | and pin) for? With IBAN it's more of a money destination than a | source. Direct debit exists but I have yet to see it abused, not | sure how that works exactly, and definitely never got a call to | confirm this or that. | verisimi wrote: | Is it possible that this is a PR puff piece? 
| | I think you could argue that this guy gives us this long (and | somewhat implausible) story in order to: | | a/ support the line of business he is in and | | b/ to justify all the privacy intrusions and obstructions that | banks are undertaking | [deleted] | interfixus wrote: | Caller would have gotten about five seconds worth of my time: | "That's very nice. Please send an email. Goodbye". But then, I'm | not an expert. | kebman wrote: | Sure. I've been scammed. It felt really bad. And I consider | myself quite knowledgeable. On the other hand, I noticed what was | happening before greater harm could have been done. Perhaps | that's what distinguishes so-called experts from the regular | folks. Because an expert would know sooner, without being | impervious. | | Long story short, I could have ended up with a subscription on a | set of questions for 20 dollars a week, which was given only | after a set of legitimate surveys were given on behalf of Apple. | I of course notified Apple of this, but I never got the 20 first | dollars back, before cancelling the "subscription" I had | apparently signed up for. | | I really wanted to track the guys down, but they had been very | careful in covering their tracks with proxies and mailbox | addresses, so in the end I considered it too much work. But I did | spam them. Perhaps I could have even used their mail for even | more spam, but I suppose they just use throwaway mails anyway. | | Not sure how they got through the cracks of Apple, though. IMHO | it's pretty damning for the reputation of Apple to work with guys | like that. | dade_ wrote: | Not much of an expert, caller ID means nothing. | | Standard procedure for everybody in the last 20 years should be: | Whenever I get a call about security or fraud from the bank, I | thank them for the notification and tell them I will call them | back, and hang up. Then I call the number on my credit/bank | card, not the number I was called from. 
Fortunately there is a | lost or stolen cards so there is no queue time and tell them I | received a fraud alert notification. | BaseballPhysics wrote: | > Not much of an expert, caller ID means nothing | | They... said that: | | > The caller ID showed the correct name and number for my bank, | but caller ID data is so hilariously easy to spoof that it | might as well not even exist. | | Honestly, what is with the low quality comments attempting to | undermine this person's credibility? | mardifoufs wrote: | So what if they said that? I'm not trying to pile on them but | the reason people are questioning their credibility is that | they fell for a pretty basic scam. Even if they acknowledged | that their assumptions were incorrect (knowing Caller Id is | very flawed but still falling for it), it doesn't necessarily | make the scam any less obvious. | | Would you not question the credibility of a doctor who falls | for say, crystal healing or homeopathic cures? | BaseballPhysics wrote: | > I'm not trying to pile on them but the reason people are | questioning their credibility is that they fell for a | pretty basic scam. | | Yeah, I've read the armchair quarterbacks around here | thinking they wouldn't be the ones to get duped if it was | them. | | Of course, I'll bet if they did get duped, they wouldn't | post about it on social media because a bunch of folks | would come out of the woodwork to point out how stupid they | were. | | Personally, I read this accounting and thought "You know, | for all my own knowledge about how these scams work, I | might've been caught by this one." This specific example | strayed into spearphishing territory given the knowledge | the attacker had of the victim. This wasn't just an average | war dialler. And the time investment, alone, on the part of | the attacker makes this unusual compared to your average | phone scam. | | But hey, maybe I'm just not bright enough to hang with the | cool kids around here. 
| mardifoufs wrote: | I'm not saying I wouldn't get duped, but I'm also not a | scam prevention expert! And you are right that I wouldn't | be posting this if I was in their place but I'm not sure | if that means that makes them immune to criticism. "I bet | you'd have done the same" is not an extraordinarily good | defense when we are talking about a scam prevention | expert. | | I also don't think this has anything to do with | intelligence. You can question expertise without | questioning intellect | mekoka wrote: | Simple and effective. It's been over 10 years that I've | followed this same protocol. It hasn't failed me yet. I also | don't think I've missed anything that could have been better | handled, had I chosen to speak to the caller. Just don't say | anything, beyond greetings, to the caller. | gwbas1c wrote: | > I'm a scam prevention expert and I got scammed | | After reading all that... I noticed that the "scam prevention | expert" isn't serving their site with proper https. | lucb1e wrote: | Was the first thing I noticed, but to be fair, there also just | isn't really a need for a blog like this. Someone once said | something like "I encrypt my innocuous blog because else | private becomes suspicious" but by now the internet is largely | encrypted and this one blog won't reverse that. | | And who knows, maybe the person reading along at the NSA will | also enjoy the article :) | tempestn wrote: | I wish the title hadn't given away that it was a scam call. | Perhaps it could have implied it was a gripe about Wells Fargo at | first. Reading it while already knowing it was a scam, it seemed | blindingly obvious to me, and it was hard to imagine how I could | have made the same mistakes. But that could be overconfidence. | ziml77 wrote: | Yes it is overconfidence. You just have to be tired or | distracted and it will be incredibly easy to fall victim to one | of these scams. 
| sevenf0ur wrote: | I have to give credit for sharing your story and how | sophisticated these attacks can be. These scams work because | we're human and don't always think rationally under pressure. | sshine wrote: | I was never attempted scammed online, and I think (naively like | the author) that it wouldn't happen to me. | | But I was pick-pocketed twice in my life. Both failed attempts, | but only because of dumb luck. And I thought that would never | happen, "because I'm that much present always." | | One time I'm wearing a hoodie, and a cheery guy distracts me and | sticks his hand into a double-ended pocket and my hand, resting | in the other side, instinctively grabs his; a trigger-happy hand- | shaking mechanism and a bad choice of pocket. I quickly walk off | because his grumpy friend looks like someone who would stab you. | | Another time I'm running for the bus, my phone is thrashing forth | and back in my pocket, so while running, I quickly grab the phone | and stick it in another pocket; two seconds later, a young guy | bumps into me, and his hands reach all the way down in the now | empty pocket. We land, we stare at each other, and I run for the | bus rather than him; I'd have no chance catching him anyways. | | So... with some humility: The only way to stay out of trouble is | to apply really dumb protocols. | throwawayHN378 wrote: | "Expert" | drdaeman wrote: | Hm, interesting. I've had surprising fraudulent charges on a WF | card just a few days ago. They texted and emailed me, but I had | to call them myself (not that I would've trusted a call, I even | wondered for a minute if SMS was a fraud attempt). | | The issue is, it was a card that I keep only because it's the | oldest card I have, that I don't really ever pull out of my | wallet anymore. I'm not familiar with the underground stuff but I | suppose stolen CC numbers are typically sold reasonably fast | (months, not years) and used while they're still fresh? 
If that's | the case, while two random anecdotal data points don't prove | anything, I start to wonder if it's possible that WF was recently | compromised. | stjohnswarts wrote: | ehhhhhhhhhhhh I always call back. Isn't that one of the 1st laws | of not getting fucked online/over the phone? I go to the company | web page (https only of course) and get a phone number. I mean | suppose it's possible for an employee to screw you over, but at | least it's (call metadata) probably being logged somewhere. Also | if I was into security my blog page would be on https, even if | that's not entirely necessary for webpages. It throws up a yellow | flag to me. | dangus wrote: | The author ("scam prevention expert") was extremely uncomfortable | at multiple points in the interaction and just...kept going. | | I know that this scam is relatively sophisticated compared to | others, but I have to think if I was a scam prevention expert | that I wouldn't tarnish my own name by putting a story with this | much raw honesty out there. | | They basically violated rule #1 of scam avoidance which is that | no legitimate business cold calling you will need you to do | _anything_ with urgency. | | Either that or it's a way to make potential customers feel better | about the obvious mistakes they made. | rollcat wrote: | > I have to think if I was a scam prevention expert that I | wouldn't tarnish my own name by putting a story with this much | raw honesty out there. | | I think it's an absolutely excellent story to publish. The road | to becoming an expert in any field or art is paved with | failures, and your own failures tend to be the ones you learn | the most from. Plus in a field that primarily deals with | dishonesty, being this transparent does help build a positive | image. | aldebran wrote: | I think you missed the point. They said circumstances can make | it such that you can get scammed so let's not blame the victim. | whimsicalism wrote: | Just don't give people 2FA codes? 
I am never going to give a 2FA | code to someone who calls me, no matter what combination of words | come out of their mouth. | jcoq wrote: | Right? There's nothing surprising about getting scammed when | you give out the 2FA code. | throwra620 wrote: | agentdrtran wrote: | "just don't get phished" | iforgotpassword wrote: | As TFA starts out, it is always easy to point out all the | mistakes after the fact. People underestimate how prone the | mind is to just trying to play down danger, inconvenience and | generally unpleasing situations. Even after a few minutes on | the phone, after you built up the most basic "relationship" | with the person on the other end, you simply don't want this to | be a scam. Avoiding cognitive dissonance. Just like when you | bought something expensive that doesn't really meet your | expectations. | | Then you must not underestimate the pressure under which you | then are, because either way is not a pleasant situation | (getting scammed or having been scammed already trying to | contain the damage). I fully believe the author that they only | skimmed that mail and weren't even aware that this is 2FA. It | must have seemed like "just some one-off verification code". | | Then I think there is also this phenomenon where experts think | that just by being an expert on something, they are immune to | it. Not consciously, rationally, but lingering in the | subconsciousness. It reminds me of the show "the good doctor" | where a seasoned oncologist is diagnosed with a brain tumor and | completely blocks off any conversation about it and rejecting | treatment. I think that very well illustrates what I mean. | | Another anecdote to add here is that Jim Browning, a YouTuber | focused on finding scam call centers, getting into their | systems to gather information and shutting them down in the end | got his YouTube account taken away from him through a scammer | on the phone. 
So I'd be careful with claiming this could never | happen to me because I'd never do X. Until the day you do | without realizing. | whimsicalism wrote: | Look, I certainly believe that as you get larger and larger | groups of people, law of large numbers it becomes inevitable | that someone becomes scammed. | | And I certainly don't doubt that I could be scammed at some | time, especially by a phishing email or something of the | sort. | | But I don't think I'll ever give out a 2FA code to anybody | that's not me. It's a really simple rule of thumb. Just never | do it, there is never any reason for anybody besides myself | to know my 2FA. If there is a reason, that is unfortunate | that they've designed their system that way because, again, I | am never going to give out my 2FA code to anybody. | | The person in your anecdote never gave his 2FA to anybody, so | it is not relevant to what I am discussing. | iforgotpassword wrote: | Yes, it's easy to convince yourself you're way too smart to | make this mistake. At the same time, you now deliberately | skipped over the fact _twice_ that he just skimmed the mail | and didn't fully realize it was specifically a 2FA code, | just assumed it was _some_ verification code. I mean, the | wording explicitly talks about _entering_ this code | somewhere to _enable_ stuff. That's already two dead | giveaways. Otherwise you'd be implying this guy, being an | expert, doesn't fully understand how 2FA works. Pretty | unlikely, but sure, not impossible. But I mean | realistically now that this has been overstressed I | actually do believe you'd never make that specific mistake | in the future. | whimsicalism wrote: | It's pretty obvious what is a 2FA code and what is not. | If I'm being sent a code on my email or phone, I know not | to tell it to someone on the phone. Indeed, even that | very email she was sent contained a reminder not to tell | it to someone on the phone. 
| | I read the entire article, I am just unimpressed by the | justifications as to how this "could happen to anybody." | mort96 wrote: | I don't think the e-mail in the article is very obviously | a 2FA code? I usually associate 2FA with something I use | to log in somewhere; not to do some other operation which | (presumably) already requires account access. To me, it | looks like a Wells Fargo Apple Pay "Verification Code", | which honestly could mean anything. | | There are other signs, obviously. You could ask the | question of, why is the e-mail asking me to enter the | code myself while the customer support rep asking me to | provide it over the phone? But as you well know, the | author also asked that question, and arrived at a | plausible enough sounding answer. | | Regarding that last sentence: I have actually skimmed the | e-mail many times now, and only when looking at it again | to try to understand what you meant by "even that very | email contained a reminder not to tell it to someone on | the phone" did I actually see that part. I suppose I just | started reading the standard "if you have questions call | us on this number" text and skipped the rest of the | paragraph. Brains are very good at extracting what they | think is the relevant information and ignoring what they | think is the irrelevant information, _especially_ when in | an active social interaction with another person who | expects something from you. | | I think any technical person should be able to analyze a | play-by-play description of the events and explain | exactly how each mistake could've been avoided. But I | think most technical people could've made similar | mistakes if they were caught in a vulnerable state of | mind. I think sharing these kinds of stories, where even | people who "should" know better got scammed, is an | important part of how we learn to recognize scams. 
I | think the vitriol in places like this comment section | plays a part in making people avoid sharing stories like | this. | Spivakov wrote: | Here is an interesting story in which a scammer almost got me but | failed because he knew me "too well": | | One morning in college I was awakened by a call after staying up | all night working on some project. The caller claimed to be from | my home country's embassy and was investigating a fraud case I | was involved in. He started by confirming my personal information | such as DOB and passport number and he had them all correctly. He | asked me to physically visit consular office, which I told him | was impossible because I was in some program. | | At this point I sort of give in, but he asked if I was preparing | for piano/music rehearsal - a huge red flag that awakened me from | foggy mind. During adolescence I attempted to becoming a pianist | and dedicated lots of time to training and competitions, but this | is a past that was never mentioned on resume or to friends. There | couldn't be legitimate way to relate that experience to me. | | I said yes and asked why he knew it. He began talking about my | musical experience and what awards I won, without knowing that | all these bits sounded to me like a pretentious show of being | knowledgeable about my life. | | One lesson from this and Op's story is that the scammer can | attempt an attack at any moment, including downtime of brain | activity. | 533474 wrote: | Crazy, was it someone you knew? | Spivakov wrote: | No, not to my knowledge. It seems that they obtained/built my | pre-college profile many years ago, but they attempted scam | until later and failed to match it up-to-date | [deleted] | Natsu wrote: | > my bank, Wells Fargo (I know, I know; trust me, they were not | my first choice). > aren't phone numbers that Wells Fargo | recognizes as valid mobile numbers (one of many things I despise | about this bank). 
> Wells Fargo's system would be so janky and | sloppily-built that this is the least awful way they could figure | out how to do it. > consistent with similarly nonsensical | policies I've encountered with Wells Fargo before (I hate this | bank so much | | I think it might be time to change banks... | rcurry wrote: | It gets even weirder when your bank acts like a scammer. A few | weeks ago I was trying to help my wife add her USBank credit card | to Apple Pay and Apple Pay said I needed to call this number to | finish setting up the card. So I call the number and the guy is | very friendly and asks me for a bunch of identity verification | details, which I provide to him, but then he asks us to send a | code back that will be coming over text messaging - yes, I | initiated the phone call, but I suddenly realize that the number | Apple directed me to was not the same number on my USBank card. | Being a bit paranoid I tell the guy "Look, nothing personal but I | get nervous when people ask for a verification code to be read | back to them, I'm just going to call the regular number and go | from there, okay?" Instead of being friendly, this guy suddenly | gets in my face and is like "Oh, you'll give me all this other | info but won't read that code back to me? I'm Fraud Prevention | dude, good luck getting this done calling the main number. Oh, | and just for this I'm putting a block on your card." I hung up | immediately and called US Bank's main number and asked to talk to | a supervisor - sure as hell, it turns out the guy I had talked to | did work in their fraud prevention department and actually had | retaliated against me by locking my credit card. It was the most | incredibly ugly thing I've ever seen from a customer service | department. | starwind wrote: | I had a problem with US Bank just trying to open an account | with them. They sent me these instructions on how to upload a | copy of my ss card through some "secure" Cisco system. 
The | email I get has a different subject line than what the | instructions said it would, it has this HTML attachment that | doesn't render right, and it was missing the button they said | it would to create some kind of account. I was like wtf and | their security department said if I didn't like it then I had | to go into a branch to handle everything. | | Went with a local credit union instead | WorldMaker wrote: | Something I learned (almost the hard way) was to always make | sure I have a Bank/Credit Card's own app installed (and logged | in) before trying to add to Apple Pay. Apple Pay can and will | redirect you to verification steps _in the app_ if the app is | installed. More often than not, if you initiate "Add to | Wallet" from the app itself there's no additional verification | step. | rexf wrote: | The setup flow is hit or miss. | | With some banks, it was seamless to setup. With another bank, | it wasn't clear how to finish setting up Apple Pay. I don't | recall if I called them or went through their app to actually | set it up. It was definitely confusing, and the Apple Pay | onboarding screens didn't provide useful instructions. | EGreg wrote: | This is just very weird to read. What was this scammer's endgame? | | With all this info they can call up GoDaddy and redirect your | domain (and all your emails) to themselves, or call AT&T and sim | swap you. Why even call the actual account holder? | | https://www.zdnet.com/finance/blockchain/fbi-warns-sim-swapp... | | As for these "confirmation" emails or SMS -- they are so dumb !!! | Why don't they just include a full description of the ACTION you | are supposed to have taken, that you are expected to be | confirming? In big red letters before the confirmation number. | That way the scammer won't be able to trick you. Sheesh, these | companies haven't figured out to include that? 
| BeefWellington wrote: | A tip that may or may not travel well: some banks can set a | "security passphrase" or passcode that must be provided before | they will do anything for you. A few years back I had someone | compromise my credit card and somehow answer enough questions to | increase the credit limit on the card substantially. This was the | bank's response to this. | | No bank advertises this from what I can tell. | rolobio wrote: | I nearly got taken by a scammer because Amazon transferred me to | one. I purchased a set of Reolink cameras on Amazon, (they've | been great) one of them failed a couple months in. I contacted | Amazon customer support (via my Amazon login and in their | interface) and they wanted to troubleshoot with their technical | team. Eventually the (very helpful) Amazon technician suggested | contacting Reolink for support and started a 3-way call. The | "Reolink" technician got my phone number and then said they | wanted to call me back. | | They called me back a minute later (now without Amazon recording | the conversation) and asked me for my NVR's serial number so they | could connect to my NVR. I was shocked they had a backdoor into | my NVR but I figured I'd let it play out. A minute later the | technician said that he was having trouble connecting because "an | internet virus is corrupting my firewall". I was extremely | confused and thought it must be a translation problem. Until he | kept insisting it was a problem and became belligerent and angry. | He said I needed to pay $300 to have an on-site technician | troubleshoot the problem. I got angry because he was making some | weird excuse for their camera not working, and wanting to charge | me rather than just ship me a replacement. I refused and he | started mocking me. I demanded his manager and he ignored me. | Eventually I hung up and called Amazon back. | | The Amazon technician was helpful and shipped me a replacement. 
I | contacted Reolink via email to complain about their technician. | They responded that they have no on-site technicians and that it | was a scam! | | I was blown away that Amazon would transfer me to a scammer. I | contacted Amazon again and let them know what had happened. | Hopefully they will figure out how their guy got this scammer's | phone number and teach him how to find a 3rd party phone | number... | Galaxeblaffer wrote: | It's really hard recognizing the image Amazon have in the US | compared to my personal experience with amazon.de . The service | is stellar, shipping both ways is free as long as you buy | products covered by prime. Refunds are with no questions asked | (as long as you don't start abusing it I guess). As soon as you | go into 3rd party sellers the experience gets muddled, though | I've had plenty of good experiences with those as well. There's | simply nothing here in Europe that gets even close to what | Amazon offers. I really really hope it will never be like the | horror stories I see here on HN. | FpUser wrote: | >" The service is stellar, shipping both ways is free as long | as you buy products covered by prime. Refunds are with no | questions asked" | | This is my exact experience in Canada so far. But they did | something else weird. I wanted to buy Google Store gift card | from Amazon and as soon as I made the purchase my account was | suspended. It had taken me a few hours including lengthy phone | call to sort things out. I was told that gift cards are | widely used in fraud. Sure, whatever but then why FFS they | sell those? | nattaylor wrote: | My US based Amazon experience is like yours with fast | shipping and easy refunds/exchanges, so don't lose hope. I | guess with 100e6 or so customers, there are bound to be some | bad experiences. | mcv wrote: | > There's simply nothing here in Europe that gets even close | to what Amazon offers. | | I strongly prefer bol.com. No idea if they ship abroad, | though. 
| rolobio wrote: | Amazon US used to be as you describe. But now it's mostly just | cheap knockoff stuff. I hardly purchase there anymore. It's | really sad because they used to have such a wide selection. | pmoriarty wrote: | Where do you shop instead? | rolobio wrote: | Locally mostly. Also, surprisingly on walmart.com. | | Edit: Also from manufacturers' websites. | monksy wrote: | > just cheap knockoff stuff. | | By that you mean overpriced dropshipping from aliexpress. | bcrosby95 wrote: | I dislike Amazon but yes, my experience in what you have | outlined is that it's generally amazing. | | The parts that aren't amazing is getting items that aren't | representative of what I ordered. But refunding is always a | breeze when that occurs. | | My problem is that it shouldn't be a thing that happens so | often (to me). I shouldn't be shipped shoes of the wrong size | 3 times before I get shoes of the size I ordered. I shouldn't | be buying open box items without being told it's open box. I | shouldn't be buying things with the completely wrong thing in | them. | | Now, all of these can be problems with big box retailers. But | the sheer frequency it happens to me on Amazon - it's never | happened at this frequency to anyone I know when we would | shop in store. Yes, my friend once bought a graphics card at | Fry's that just contained a box of rocks. But that was one | friend, one time. I've had more of these issues on Amazon, | the last ~7 years, than I have for all shopping experiences | everywhere else that I've ever shopped combined. | mypalmike wrote: | I think it's selection bias. People with a bad experience | with Amazon are more likely to dive into it here. And dive | they do, nearly any time Amazon is mentioned. Even in a | thread about Wells Fargo we somehow get sidetracked into | "Amazon just sells counterfeit garbage". 
| | Out of the thousands of items I've bought through Amazon, I | think maybe one set of Henckels steak knives might be | counterfeit (I've ordered two sets of the same knives and | they were noticeably different - both seem high quality | though). | carabiner wrote: | Amazon today is a street side flea market. You really don't | know what you'll get. I've started ordering more stuff from | traditional retailers. Their online operations these days are | really good, and at most a few dollars more than Amazon. | Clothes from macys.com, home goods from homedepot.com and | target.com, and so on. You're not flooded with choices with | these stores that are mostly garbage, instead you get only 1-3 | choices that are reputable. | SemiNormal wrote: | Too bad Wal Mart murdered Jet.com | m463 wrote: | I think ordering on amazon has become a little like getting | your car towed. | | Towing companies appear to be a large shell game where your | $200 tow is handled by one or more middlemen who eventually | get some poor independent towtruck driver to tow you for $75 | | Amazon should do something that would allow partnering with | decent brands. Customers would be happy, brands could keep | their reputation, amazon could get a reasonable cut, and they | would still sell stuff via flea-market brands and the made up | word-salad amazon brands | amelius wrote: | I'd like to see an economist's view on how the free market | is failing here, and what we can do about it. | mlindner wrote: | I'd say it's working just fine, by causing people to | switch away from using Amazon. Amazon continued to lower | their brand's quality and as the name becomes less and | less trusted, their products are worth less and less. | Wistar wrote: | > I think ordering on amazon has become a little like | getting your car towed. | | Apparently _especially_ in Ontario... | | https://www.thedrive.com/news/44749/inside-the-tow-truck- | maf... | Spooky23 wrote: | Tow drivers make a lot of money. 
They do a lot of | subcontracting and mutual aid type arrangements. | weq wrote: | Towys in my country are usually connected to some kind of | mafia. Never met an altruistic one like Matt's | Offroad Recovery in my travels. | bubblethink wrote: | This seems to be the classic underdog problem. The | traditional retailers that you like today will become third | party marketplaces tomorrow if they grow. So the issue is | that we only get good service from underdogs and it is | destined to fail once the underdog is not an underdog | anymore. | verve_rat wrote: | That doesn't follow. Just because an online retailer grows | it doesn't mean they have to start allowing third-party | sellers. In fact, seeing what is happening to Amazon's | reputation, that seems like a bad long term move. | | Short-termism might win out, but it is not a foregone | conclusion. | cogman10 wrote: | I agree it's not a foregone conclusion, but it's also not | far fetched. That's what happened to newegg. They tried | to turn into an amazon and now I have a hard time | trusting them. | lamontcg wrote: | The mechanism is the managers that take over at companies | who focus on the short term bottom line (trimming support | today, to juice profits tomorrow, to lose credibility | years down the road after the bonuses have long landed in | their bank account). | | And the problem is that Amazon's growth profile (retail- | side anyway) is going to be pretty constrained going | forwards because they own too much of the available pie | right now. So the result is that managers are going to | have to look for other ways to trim costs to make | numbers. | | If you're starting from 0.001% of the retail market and | trying to grow 10x it is much easier to do that just by | having really good customer service. | lupire wrote: | "short term bottom line" is a comically absurd way to | describe Amazon, which has been growing consistently for | 25 years. 
| WorldMaker wrote: | Except Amazon _started_ as a third-party marketplace. This | isn't *new*, some of us just have really short memories. | For the first several years the _only_ first-party sales | they did were in books (and not _all_ books on the store | even at the beginning). They've expanded into other first- | party categories, but there are much fewer first-party | categories than people assume. (And always have been.) | | The big thing that changed isn't the third-party | marketplace on Amazon, it's that they increasingly and | intentionally blurred the lines between "third-party" and | "second-party" marketplaces. Any third-party that uses | "Fulfilled by Amazon" logistics (warehouses, shipping) just | about gets automatically upgraded in the Amazon user | experience to "second-party" even if Amazon has no deeper | working relationship with the third-party than "Fulfilled | by Amazon". | | Some of that intentional blurring of the lines is also | questionably Dark Patterns intentionally designed to | confuse consumers in just exactly what categories Amazon | supports directly (first-party) and which ones are third- | party, and more importantly which ones are first-party | usually versus third-party _today_ (such as sold out | goods). They want to give consumers the illusion of an | "everything store" that is never out of stock. That's never | the practical reality, and the illusion may be evil from | the perspective of shadily pushing consumers to unvetted | third parties due to Dark Patterns that back that illusion. | 14 wrote: | Agreed. Last example was LED grow light I purchased and | description said had a grounded plug. When it arrived there | was only a 2 prong plug. I'm wary of everything I buy there | now and try to find a manufacturer direct order when possible. | Fulfilled by Amazon should read as a warning sign. | aceazzameen wrote: | Yep. I've been ordering from Target, Best Buy, and Walmart | much more often these days. 
I just assume the product | descriptions and reviews on Amazon are all lies. | brimble wrote: | Target and Wal-Mart also sell third party shit. It's easier | for me to just buy directly from brands I like, or to shop | for them on a couple outlet sites I trust (so far) to sell | legit (overstocked or lightly damaged) top-quality stuff | and not lower-quality second- or third-tier versions (as | some outlet stores do), than figure out how to avoid or | disable displaying third party sellers on a bunch of | different sites. | | By the time you factor in the time and frustration for | that, any savings (which isn't even guaranteed) doesn't | look like great ROI anyway. Plus, even Amazon often won't | carry the full range of a brand's products, so I get more | options shopping this way. | mardifoufs wrote: | Best buy is filled with 3rd party sellers too but it's at | least very easy to filter them out. If I could do the | same on Amazon I wouldn't have any problem with 3rd party | sellers, but they instead make it almost impossible to | know even if you check manually. | aceazzameen wrote: | That and Amazon commingles their inventory with 3rd party | inventory, which can sometimes be counterfeit. And Amazon | doesn't care if the counterfeit products are mixed in | with the genuine products in their warehouses. As far as | I know, Best Buy/Target/Walmart don't commingle their | inventory with 3rd parties because they have physical | stores that they can pull from. | aceazzameen wrote: | True. But stores like Target also let you see inventory | in physical stores, so it's easier to purchase an item | you know is coming from a Target store/warehouse than a | 3rd party. | gkilmain wrote: | Interesting. I would have lumped them all together. Why do | you trust reviews on Target but not Amazon? | wombatpm wrote: | Target and Walmart take online returns at their stores, | which no one in the supply chain likes. 
They will take | bad suppliers to the woodshed if too many returns of an | item. Hence they have skin in the game to carry quality | products | jimmaswell wrote: | These days I'll order certain things from Wal Mart if I'm | wary of what I see on Amazon. | bsder wrote: | > Amazon today is a street side flea market. You really don't | know what you'll get. | | There are two time when I will use Amazon nowadays: | | 1) If there is an official store there | | Anker is a good example of this. It seems like Amazon doesn't | commingle inventory if there is an official store. | | 2) If I want something faster than Alibaba/Aliexpress | | Quite often I can find the exact Chinesium equivalent on | Amazon and I get the benefit of returnability if what is | advertised is completely out of whack. | | This has to be costing Amazon money, but, it's their funeral. | InitialLastName wrote: | > It seems like Amazon doesn't commingle inventory if there | is an official store. | | Is there any confirmation of this? I've seen assertions | both ways. | lupire wrote: | No. Amazon doesn't commingle inventory when... the | manufacturer doesn't sell through any other channels, so | there is no one to commingle with. | reincarnate0x14 wrote: | Do you know if the original order was from Reolink? If I had to | guess, that may have been a questionable reseller, I've seen | several cases in which it looks like you're ordering from | SomeCorp as fulfilled by Amazon but once you get into the | actual order process it shows up as some other seller that was | in the "Buying Options" list. | | Definitely sketchy behavior on Amazon's part, never dealt with | the selling side there so no idea if this is sellers gaming | Amazon or just awful market platform in general. | switchbak wrote: | Not an isolated incident. My mother was transferred to an | Amazon employee who tried to scam her as well. This was years | ago, and I reported it to Amazon. 
No idea what eventually | happened, but I was shocked that they'd be so brazen about | committing fraud as an actual employee. | 1270018080 wrote: | Amazon hasn't been usable in a long time for me. It takes more | time to find non-counterfeit/trash products than it's worth. | craftyguy wrote: | > I was blown away that Amazon would transfer me to a scammer | | You shouldn't be. The amazon store's core business model is | allowing scammers to sell garbage to unsuspecting buyers. | Cd00d wrote: | I'm blown away that Amazon has phone support! I had no idea! | MerelyMortal wrote: | They don't make it as easy to call as they did in the past | though. | Nextgrid wrote: | > I was blown away that Amazon would transfer me to a scammer. | I contacted Amazon again and let them know what had happened. | Hopefully they will figure out how their guy got this scammers | phone number and teach him how to find a 3rd party phone | number... | | 1) Amazon is complicit in shady behavior on their platform, | whether it's inventory commingling, sketchy sellers repurposing | existing, well-reviewed listings for a totally different | product or those bribing customers to leave good reviews with | gift cards or free stuff. | | 2) The tech support number could very well be provided by the | seller, and you could've bought the camera from a listing from | said seller instead of the real Reolink (if the "real" Reolink | even sells on Amazon to begin with). Maybe tech support | scammers are now using this as a new lead-generation tactic | ("legitimately" sell a high-maintenance product but scam anyone | that calls for support?). | jjoonathan wrote: | Yep. Amazon gets a cut and they act like it. | dangus wrote: | This is quite a jump to conclusions. The alternative theory | of the customer service rep googling a phone number and | getting the wrong one is far more likely. Or, it's possible | that the company's own seller login was compromised and a | scammer changed their contact number. 
| | The idea that a wildly successful multi-billion dollar | company would actually set up such an easily-noticed system | where they "get a cut" of phishing scams is outlandish. | daniel-cussen wrote: | Why is your username dangus? Are you imitating dang too? | ethanbond wrote: | I don't think the "cut" implies they are in on some | phishing scam. It's saying they take a cut of all volume, | so even volume that's harmful to consumers is hardly | worth Amazon's attention (as is evidenced by the | obviously massive economy of systematic scamming that | happens via Amazon, all of which, again, they get a cut | of). | danachow wrote: | > The alternative theory of the customer service rep | googling a phone number and getting the wrong one is far | more likely. | | Their support staff is that reckless and Amazon has no | training and other systems in place to prevent that? Your | theory doesn't paint them in any better light. | bllguo wrote: | it's far more believable than amazon being in cahoots | with scammers. whether you think this is "better" or | "worse" wasn't really part of the discussion | specialist wrote: | Well. Not directly. But same outcome. No actual conspiracy | or collusion necessary. | | Amazon profits so much that they're content to eat the | rampant fraud and waste, than to run a proper legit market | place. | bryanrasmussen wrote: | that number 2 is some next generation criminality there! | twoxproblematic wrote: | taylorfinley wrote: | It's pretty shocking but most IP cameras can be accessed with | nothing more than their serial number. Here's a somewhat | recent DefCon talk about it: | https://m.youtube.com/watch?v=Z_gKEF76oMM | | I use Reolink cameras, in the admin interface there's an | option called UID. Turning that off (theoretically) disables | the backdoor. 
I have my cameras and NVR (which is actually | just a python script on an old laptop that uses ffmpeg to | capture streams) on their own airgapped lan so I don't have | to worry about blackhats or the ccp using backdoors to watch | my kids. | brk wrote: | Well, _most_ IP cameras cannot be accessed this way when | you look at the global pool of IP cameras. However many of | them on Amazon, particularly from OEM companies like | Reolink that are more of a custom relabeller vs. a real | camera manufacturer have all kinds of backdoor access | methods. | | Best practice is to put your IP cameras on a separate | isolated network, connected to a dual-NIC recorder/PC | running trusted software (eg: not some random DVR/NVR on | Amazon) for recording and viewing. This is not a perfect | solution, but it at least takes you far away from the path- | of-least-resistance pool of devices with weak cybersecurity | that are prone to various exploits. | ashtonkem wrote: | And this is why my reolink cameras are on a subnet without | access to the internet. The only thing it can reach is my | home assistant and open source NVR. | ______-_-______ wrote: | I bet your Amazon rep just searched for Reolink and clicked on | a Google ad that happened to belong to the scammers. | dqv wrote: | Well this initiated a rant, not directly related to ads, but | Google in general. This is an internet literacy issue I've | noticed more and more. People will refer to Google listings | as an authoritative source even if the data comes from some | third party. | | "Is this Jordan's Tiles?" | | "No. This is Patrick. You have the wrong number." | | "It says on their website this is the number!" | | "Their website is wrong, this isn't Jordan's Tiles." | | _more argument with me just hanging up because they're | clueless_ (someone even had the audacity to ask me what the | number was for Jordan's Tiles like I'm their personal | assistant) | | And finally I went on Google and searched for Jordan's Tiles. 
| There my number was on the listing and on a _third party | source_. The right number was on the lower ranking Jordan's | Tiles website. They were so argumentative about being so | wrong, it was outside of their ability to understand that the | internet can and does give you the wrong information. | itronitron wrote: | Apple Maps from my experience is quite bad about this. I | know of one city where it happily provides the locations of | four DHL counter locations even though there is only one. | Numerous other store locations on Apple Maps also often do | not exist, so however they are sourcing their data is full | of errors or outdated information. | lostlogin wrote: | Wrong opening hours on Google is a niggle for me. And | having been on the other side of the equation, changing the | hours Google says a business is open is not always | straightforward. | threads2 wrote: | whoa, dude, language | lupire wrote: | This is a great opportunity for you to learn more English | language. | asib wrote: | Not sure if you're joking, but the etymology of this word | does not appear to be racist. According to [0], it | derives from the same root as "niggardly", which | according to [1], is unrelated to the racial epithet. | | [0]: https://en.wiktionary.org/wiki/niggle [1]: | https://en.wiktionary.org/wiki/niggard#English | davchana wrote: | My friend booked one international flight with departure | and destination having 12+ hours timezones difference. The | email listed the departure time & duration of journey and | arrival time, all in local times (as expected). Gmail auto | creates an event about flights and hotel bookings, and thus | shows the correct departure time, duration & then that AI | simply added that duration to departure, and showed | departure city's time flight lands. Wrong. My friend, no | blame, believed it; until I pointed it out. | pmoriarty wrote: | . 
| jazzyjackson wrote: | you've got caller and callee flipped | david422 wrote: | Honestly, how do you know what the right number is though? | Everybody outsources their stuff. The real website is at | jordans-eatery.outsourcedsite.com. Or maybe the guy at | jordans-eatery.seo.com is taking calls and placing orders | to the real site at a markup. Or maybe the real number is | on jordans-eatery.com. Or maybe it's none of those. | aaaaaaaaaaab wrote: | You should have spun up your own tile business, preferably | just dropshipping from the real Jordan's Tiles! | ejb999 wrote: | I've had that happen to me as well - person finds a wrong | number online someplace, calls me, and then is mad at me | that I am not who they are looking for...go figure. | [deleted] | rolobio wrote: | Had this happen to me when I was in IT. I got a cold | transfer of an angry customer who wanted to talk to a guy | who had a very similar name. I told the customer that | they wanted the other guy, I was in the wrong department, | and they wouldn't believe me. They said "I know it's you | from yesterday, I recognize your voice!" How was I | supposed to argue against that?? Eventually I convinced | them and did a warm transfer to the correct guy. We do | have similar voices... | rhizome wrote: | "Call Google. Ask for Sundar." | burnished wrote: | I think this might just be a people thing? I've had the | same experience (some one calling for the YMCA, I inform | they have the wrong number, they proceed to argue and | berate me) but they probably just misdialed. | | Not that I don't also feel like Google search results have | gone down hill. | acheron wrote: | Yeah, you hear about this with the people who get taken in | by Grubhub or whoever that's spoofing a restaurant's phone | number/ordering site. I would never take a third-party | source as authoritative, but apparently people do it. 
| rhizome wrote: | I never take restaurant phone numbers directly off of | Google, I always check their (hopefully existent) website | before calling, or at least crosscheck it against other | sources. There is no way Grubhub or any of the other | mediating greedholes will get even Caller ID data from me | if I can help it. | InitialLastName wrote: | Wait until you find out that Grubhub and ilk have been | known to prop up fake websites for places. | daniel-cussen wrote: | Go to the right address in person. If you have no real- | life connection with the restaurant, or any restaurants, | give up and take what you get. | narag wrote: | _"It says on their website this is the number!"_ | | "What do you think is more probable: that the website is | wrong or that I don't know who I am?" | ashtonkem wrote: | Given how many fake products amazon sells and intermingles with | legitimate products, it isn't at all surprising that they | forwarded you to a scammer. They just don't care about | protecting their customers, apparently. | dheera wrote: | > The Amazon technician was helpful and shipped me a | replacement. | | Considering they have a backdoor, why did you want a | replacement instead of a refund? | rolobio wrote: | Had they actually had a backdoor, I would have unplugged it | from the internet. Clearly the scammer did not have a | backdoor. | itslennysfault wrote: | Reason #99,999 that I don't use Amazon anymore. Just buy stuff | in-person, pay the shipping, wait the week, or whatever. You'll | be fine I promise. | dheera wrote: | Stuff in person costs 2X the price though. Especially bike | parts. | | It's often cheaper to buy from Amazon but never go through | troubleshooting support. Always return or replace. | | If that doesn't work, give a 1 star review, wait for the | seller to come chasing you with a gift card in return for 5 | stars. Change it to 5 stars, spend the gift card, and then | change it back to 1 star. 
| [deleted] | craftyguy wrote: | As someone who buys a lot of cycling parts online, there | are many mom/pop bike shops with web storefronts, that are | very reasonably priced and often include "free" shipping. | Stop giving bezos your money, you have no excuse. | jeromegv wrote: | Yeah.. lots of people keep repeating "but it's expensive | out of amazon!" and they never tried. Sure, you can find | cheaper products on Amazon, but once you start looking | around, it's definitely not always the case. But people | are lazy, they get multiple amazon packages a week, and | love to complain about Bezos but do nothing about it. | weq wrote: | I bought a book on Amazon in 2005, it came (weeks) late, | I complained, got sent another, ended up receiving 2 | books. It was my last purchase from Amazon. Since then, | the only time I see Amazon is on the backend of a | scammer. Amazon in my opinion, in every sense, a scam | itself. | | First off, it's just morphed from a book store into an | upper class ebay. Alibaba became the chinese ebay. I'll | pay that drop shipper the money, I got no problem with | the convenience they give but realistically what's the point | of going through 3 middle men when I can wait an extra | week and limit that to 0 or 1. | overtonwhy wrote: | Lots of call centers get targeted with this type of scam. I | think it's because call center employees are so poorly treated | and compensated that it's appealing to join the scam. I've seen | the same exact thing happen with QuickBooks support. The actual | agent you're speaking with gives your contact info to the | scammer who calls you back. ___________________________________________________________________ (page generated 2022-03-31 23:00 UTC)