I deal a lot with people who have been conned by scammers both online and over the phone; I also deal with the aftermath. I have been consistently amazed at how many people in my own small orbit fall victim to one degree or another. Of course I am not immune from these attempts; I get phishing phone calls and email messages quite frequently, in fact. I am glad to say that so far I have not been led down whatever rabbit hole has been laid out for me. Although I am a sophisticated computer user and have a well-honed sense of what a scam looks like and how it smells, people who should know better fall into these traps all the time. It speaks to just how good the hooligans who work these scams are, and to how well designed the traps are. So good, in fact, that often I have trouble convincing people they were scammed, even when they call me because they know they have.
Some of the better designed scams are those that involve the phone. Partly that is because these are nearly as old as the phone itself and partly because it takes a more clever lure to hook people on the phone than it does to convince them to click on an email link. After a call I took this morning that was clearly a well played attempt at phishing, I thought maybe I should explain a bit about how phone scams work and give some tips in hopes it might help someone avoid being a victim.
If you want, you can just skip ahead to my tips and avoid several paragraphs of educational drivel.
The phone call started with a voice telling me to continue holding. I have trouble imagining a scenario where a valid call would start that way, and you should hang up right then if yours does. I will talk in a minute about why a scammer might have the call begin that way. I held for a few seconds for a few reasons. First because these kinds of calls pique my prurient tech interest, second because the longer I can keep the scammers on the line the less chance they have to call others.
Phishing by phone, or vishing, is not nearly as common as online phishing because the cost is far greater. If you have an email account you have probably received phishing email messages. If you have fallen for them I am sorry; if it helps, just know that you are not alone. Although most phishing scams go unreported, making it tough to get accurate numbers, credible estimates suggest that 156 million phishing emails are sent every day and each day 80 thousand people fall victim in some way. Phishing doesn’t just affect individuals either; many companies have fallen victim to these attacks, including The Washington Post. It was a phishing attack that led to the DNC being hacked.
The good news in regard to online phishing is that software programs can detect and alert you to most scams. Only about 10 percent of those 156 million emails sent every day make it through spam and virus filters. When they do make it to our inbox, most anti-malware programs will warn of harm. Still, it falls on us humans to recognize pending danger. It is not easy, but at least we have some help. There are not really any filters in place for vishing. When it comes to phone-based scams, we are largely on our own.
In order to protect yourself it is important to know what these scammers are after. I think it helps also to have a very basic understanding of the anatomy of a scam. Let’s start with the second thing and for that we go to Nigeria.
Although I have not seen this particular email in some time, almost everyone has probably received some variation of the Nigerian Prince email. As a refresher, this scam tries to convince you that a deposed Nigerian prince needs a vessel to get millions of dollars out of the country. If you provide the means to this end – in the form of your bank account number – you will be graciously rewarded. This is known as a 419 scam; it is a type of con known as an advance fee scam. Others in this category include the Spanish Prisoner scam, which dates back to the 16th century, and The Black Money Scam. A very common version of this scam goes after those who sell items online; I call that one the over-payment scam. In reality, of course, the reward the victim will receive is that their pocketbook will be easier to carry after it is lightened considerably by the scammer. If you have seen one of these messages you probably wonder how anyone could possibly fall for such an obvious scam. Believe it or not, that is part of the plan.
Suppose a scammer is able to deliver one million emails with a reasonably convincing message. The come-on is so good, in fact, that 1 percent of those who receive it go to the next step, which involves contacting the scammer for more information. Those messages were super cheap to send, and very easy to craft as well. One person could quite easily create and send the message over morning coffee, but replying to and dealing with the questions of ten thousand people is much more costly in terms of time. At some point after the initial contact, and after the scammer has invested some actual time, most of the potential victims will get that “feeling” and drop out of the scam. A lot of time is wasted. In addition there might be other costs as well, including postage. In the end it is safe to assume that a small number of these people will follow through and become victims, so those costs will be repaid, but what if we could cut out most of those costs?
Suppose a different scammer delivers a million messages with a ridiculous come-on that anyone should be able to see right through. In our example above let’s assume that a paltry 1/100 of one percent of the people actually lost some money to the scammers. Those same 100 people are just as likely to fall for the ridiculously obvious message. The scammer will have much less work convincing them because they are obviously quite gullible. I mentioned earlier that I would tell you why you should hang up right away when the call starts with something as obvious as a recording asking you to “please continue to hold”; this is why. If you make it past the initial greeting, the scammer assumes they have someone who is at least a little bit gullible on the line.
Most people, even gullible people, are protective of their money. For this reason many of these scams do not ask for any money, at least not in a direct way. Those that fall for the Nigerian Prince scam are not being asked to send a check or give a credit card number, only a bank account number into which the money can be deposited. What could go wrong? The classified ad, or over-payment scam, actually works by the scammer sending the victim a bank check and asking them to give part of the money – along with the item they have sold – to a third party. Again, what could go wrong?
These same people are not nearly as protective of personal information, which is why many phishing / vishing attacks are designed to get only personal information from you. The point is to use your information to steal, or at least misuse your identity, in order to get a lot of money from you.
Back to my phone call. I waited a few seconds and finally a human came on. He asked if he had reached Shannon Hanson. After I replied that indeed he had, I was told that in order to protect personal information (how nice of him) he would like to verify he had the right Shannon Hanson. Oh boy, I do hope I’m the right Shannon, I thought, and moved to the edge of my seat. All I would need to do would be to give him my zip code and date of birth and then we could get on to whatever wonders he had in store. Of course I wasn’t about to give him either of those things even though he insisted that he already had all the information right there in front of him. He just needed me to verify it, yeah, right.
Remember, I had waited through the mechanical voice urging me to continue to hold so I must be at least a little bit of a sucker, right? Besides, what could possibly be gained by finding out my zip code and DOB? After all, these things could be found on Facebook or from any of several public sources. This is what I call ‘in for a penny’. Suppose I do give him my zip code and DOB, does that make it more likely that I will give him other info? You bet it does, at least in the eyes of a scammer. I have already been told and chose to believe that he has all sorts of info on me so what can it hurt to “verify” other things, right?
The call ended not long after that. Nope, I didn’t hang up, though I would encourage you to do so long before that point. I insisted that he tell me what this was about. “A personal matter,” he said, but he couldn’t discuss any further and would need to end the call if he couldn’t verify that this is the Shannon Hanson he was looking for. Alas, I didn’t get to find out what plays the smooth-talking hustler would call, or learn his exact end game. I know the game well enough to know I wasn’t interested in playing anymore. The end game is identity theft because an identity can be far more valuable than just a little money, even, I suppose, mine.
Tips for avoiding phone scams.
1) Don’t take the call unless you recognize the number. This one is easy to say but is not always possible, especially if you are on a business line. Of course you can let the call go to voice mail with the idea that if it is important they will leave a message, but this is not always true especially again on a business line. Also there are scams that involve leaving a message asking you to call back to claim some fabulous prize or because your grandson is in jail in Mexico. If you read through instead of clicking the link you can probably guess why they might do this.
2) Remain calm and be suspicious. There are a number of somewhat creative phone-based scams designed to net a quick payoff by playing on the emotions or the naivete of the potential victim. One of these will try to convince you that your computer is having trouble and they need to connect to it remotely. Another has the caller claim to be from the IRS and tell the potential victim that the back taxes they owe are due right now. If a credit card is not provided for payment, a cop will be dispatched and the victim will be arrested. This one works because many people do owe back taxes and many others may think they do, especially elderly people. Worse yet, anti-government sentiment makes people believe the IRS might send the police. Knowing that the IRS cannot send the police or that they will never take payment over the phone helps in this case, but what about the many other emotion-based scams?
The best advice here is to stay calm and assume what they say is a lie. If they get under your skin you are no longer thinking straight and are likely to make a bad decision. Ask the caller for his or her name and tell them you will have to call back, or that your spouse handles that and that you will be sure to have them call and take care of it. This will almost always send them scampering. If they threaten to send the police, tell them to go ahead, then let them know you will have recorded the phone number and will be sure to give it to the police when they arrive.
In any case always assume the call is a scam and remember you ALWAYS have the ability to hang up the phone, and that is usually the best tactic. No, the cops are not coming to your door. Your grandson is not really in a Mexican jail – and if he is, a credit card payment from you is not going to get him out. Your computer may well have reported a problem to Microsoft, but trust me when I say Microsoft will not call you; in fact, if you call Microsoft or Apple and get a human, you did not call Microsoft or Apple.
3) Verify. The person on the other end may claim to already have the info and just need you to verify it; do not. Instead ask them to provide something from the information they claim to have and let you verify that it is correct. Even when you are sure this is not a scam, watch what info you give out.
4) No amount of information is so small that it should not be protected. No harm can come from giving out your email address or dog’s name, right? I wouldn’t want to bet my meager bank account on that. Aside from increasing the amount of spam, many people say things in email that they might be embarrassed to have get out or that can be used in various nefarious ways. For example, there is a fairly common scam where a person’s email is broken into and the hacker learns that you and your best friend were in Outer Mongolia last year. Then the criminal sends an email message to your contacts telling them you are travelling and have been robbed of all your stuff and had your leg broken. Of course the plea comes with a means for your friends to help you out by sending money to the criminals.
Of course the sons-a-bitches need more than your email address; how on earth did they get your password? Well, let me just say that it amazes me the number of people who use passwords that are simple and based on some personal info such as a dog’s name.
5) There is some information you should NEVER give out. NEVER give out your full social security number to ANYONE over a phone line; you can never be sure that your call is not being listened to. You might be asked the last four digits of your SSN; if so, ask if there is some alternate info you can give. If not, it is okay to give your last four digits only, and then only if you are very sure who you are talking to.
Passwords are another thing that you should be very careful with. Keep in mind that your passwords should be stored using non-reversible encryption. That is tech talk to mean that the person on the other end cannot see your password anyway.
6) Know what you might be expected to give. It is not uncommon that a company may need your account number or phone number in order to “pull up your account information.” Other companies ask you to provide a PIN or the answer to a challenge question, and when you call you will need this before customer service can help you. Of course it is okay to give this information, but only if you made the phone call and only if you are sure of who you are talking to.
7) Lie. A little fib can help you verify that the person on the other end is legitimate. When asked for an account number, PIN or answer to a challenge question, give the wrong answer the first time. If they tell you that the incorrect information is right then you should hang up. You can also lie when you set up the answer to the challenge question. For example, suppose the challenge is the name of your favorite child. Even if your only (and presumably favorite) child is Gertrude, you could provide Ralph as an answer. This way no one at the electric company knows your child’s name. You would be surprised what additional information can be gleaned if you have the name of a person’s child; this includes pets (see number 4).
In any case, if you do fall victim to a vishing call, contact your local sheriff’s office to make a report. Also, you can post to social media and tell your friends. Honestly, there is little chance that the scammers will be caught, but perhaps you can stop someone else from being a victim.