Episode 18: No, They Are Not Going to Pay Your Bill
On the day of this recording, I received a phone call claiming to be from “TMobile/Sprint”. They wanted to advise of an overpayment on my account and that I was owed a credit. As I fumbled in an attempt to record the conversation and string the scammer along, he must have realized I knew what his real intentions were.
I knew this scam existed but I had never been the target of one before. The scammer is attempting to steal your cell phone account, personally identifiable information (PII), and/or banking account/credit card.
So how does this scam work, and how can you prevent it? You’ll have to listen to learn more.
Speaker 1 0:00
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity and data. The human element has to be front and center in a war against data breaches and ransomware attacks. It’s time to educate.
Speaker 1 0:52
When I was a kid, we had something called three-way calling. I know, I know, we still have it today, you could still have a conference call or, you know, more often than not, now we get on FaceTime or Zoom or something like that, where more than three people are on. But it was a big deal when I was a kid to have three-way calling. We didn’t have cell phones. They were available, but not really realistic for most people. We didn’t have Zooms and all those things back when I was a kid. And so we had this three-way calling feature, you had to pay a couple extra dollars a month for it. And we would use it to, or kids would use it to, prank call people. And so we would call up a third person using three-way calling. And they would not know that one or the other person was on the line. And we would get them to admit to things that they wouldn’t normally admit to, or we would try to prank them. Crank calls were very common back in those days. That’s when we still had the coiled phones with the 25-foot-long cord so that we could reach into our rooms or whatever. The good old days, because the scam calls didn’t really exist beyond the prank calls. So I would venture to guess that a lot of those kids that were crank calling people back then are probably contributing to the scam calls today. But it was a simpler time, people weren’t afraid to answer their phones and take calls. Unless they didn’t want the world to know about the secret crush they had on their classmate. Welcome to The Human Element Podcast. Visit our website at the human element dot net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Nwaj Tech, a client-focused, security-minded, proactive IT service provider. Welcome to Episode 18 of The Human Element Podcast. This episode is titled No, They’re Not Going to Pay Your Bill. So I received a phone call today as I’m recording this. This is April 18, 2023.
And I’ve heard of this scam before. But I’ve never received a call, or there’s never been an attempt to get me to fall for the scam. And unfortunately, the scammer realized that I was onto him before I could even start recording the call. So I received it on my cell phone. I was out. I was looking for the app to record calls while I was trying to string them along. And he realized pretty quickly that I knew what the gig was. And the gig is, it seems to happen more with T-Mobile, but it happens with all cellphone carriers, at least here in the US that I’m aware of. So the big four, or it’s really the big three now: T-Mobile and Sprint (and that was the first red flag, by the way, I’ll get to that in a second), T-Mobile and Sprint merged. So they’re one. AT&T and Verizon are the others. So I have T-Mobile. Go ahead, try to scam me. I’m gonna catch it right away. And when I answered the call, it called as a local number. I own a business. I was out. So I was a little distracted. And I thought maybe this is a client calling me or a potential client calling me. And so I picked up and I couldn’t even hear him at first, it was muffled a little bit, and I asked him to repeat what he said. And he said, I don’t remember what name he used, but let’s say he used the name John: “This is John calling from T-Mobile Sprint.” And I know that T-Mobile doesn’t say T-Mobile Sprint, they say T-Mobile. And that’s it. So then John, and I’m using air quotes here, as I always do on these podcasts like you can see them, maybe I should do a video podcast. Anyway, John says to me, there’s been an overpayment on your account. And we’d like to correct that, we’d like to make the adjustment, whatever. He, the premise was that there was an overpayment on my account. So I knew immediately where this was going to go, he was going to either attempt to get my banking information or to get my T-Mobile information, and T-Mobile’s been compromised multiple times now.
So it wouldn’t surprise me if, in fact, it was the T-Mobile information. And so one of the reasons where these calls are going to continue to happen more and more, especially for T-Mobile, but all of the providers, is because T-Mobile has been compromised. So the account information is out there. They know the phone numbers, they know who has accounts with T-Mobile. The list, in the millions I believe, is out there, and the phone numbers that are attached to them. And probably mailing addresses, I don’t recall all the information that’s been compromised, but a lot of the information is out there. So what I will tell you, well, I’ll get to the steps to prevent this from happening to you, from falling victim to this type of scam, is you’re not going to be able to prevent the phone calls, but you can prevent yourself from becoming a victim of the scam. So here’s how it works. So they’re going to call you. Most likely it’ll be a phone call, because text messages tend to. And for this scenario, you’re probably going to think about it before you reply. So you’re going to realize it didn’t come from T-Mobile, especially if you’ve communicated with T-Mobile in the past. So you’ll probably get a phone call from someone claiming to be a representative of T-Mobile. Or in this case, T-Mobile Sprint. And they will confirm who you are, which in itself is pretty dangerous. Because once you say yes, they have your voice recorded as saying yes. Now I intentionally disguise my voice. Sometimes I don’t even say anything when I pick up, because if there’s a delay, then I know it most likely is a scam. So then they’re going to say there’s been an overpayment on your account. So they tell you, you overpaid your bill. We need to correct a payment. Or they may insist that you have a credit due on your account for whatever reason, you know, over again, maybe overpayment or some other reason they might make up, there was an outage. And yes, occasionally there are outages.
So they’ll create a scenario where you’re getting money, or you’re getting money towards your bill more likely. Once they do this, and they’ve kind of hooked you. That’s why they call it phishing. And this is a form of phishing; if they do call you, it’s called vishing. With a V. And so they’ve hooked you. And that’s why it’s called phishing. They’ve hooked you. Once they’ve convinced you that you’re going to get money back towards a bill, and let’s face it, who doesn’t want money back on their T-Mobile bill or their cell phone bill or any of their bills, a cable bill, this could happen with the cable company, this could happen with the electric company, any of these companies. The problem is the scammers are more interested in smartphone accounts, stealing people’s phone numbers, because people are using cell phone numbers for various reasons, including multi-factor authentication. So this is why this is data that they want to steal. So now they’re going to ask you for personal information, they’re going to say that they need full name, address, date of birth, social security number and account details. Most likely they’ll ask for login details, so, you know, if it’s a T-Mobile account, what are your T-Mobile credentials. And so I’m going to get to how you can block that in a moment. That will help you, but first of all, T-Mobile doesn’t ask you for that information. No vendor, no service provider is going to ask you for that information. They’re not going to ask you for the account details. Because they already have it if they’re calling you. But anyway, so they ask you for full name, address, date of birth, social security number, and account details. Never, ever, even if it’s just the last four, give your social security number out over the phone. Never. Account details could include your cell phone number, your cell phone bill, your account number, maybe some of the other numbers on your account.
If you have multiple accounts, multiple phones on your account, things like that. Then they’re going to ask you for your bank information. So they’re going to ask you for your bank account or credit card information. And they’re going to claim, and I’ve seen this happen with multiple scams, so I’ll get to that in a moment. But they’re going to say they need this information in order to process the credit or the refund. Now, if it’s a credit, it’s supposed to go on your bill; even the refund, they’re more than likely going to put it on your bill. In some cases, the scammer may even ask the victim to confirm their information by providing their online banking login credentials. No legitimate company would ever do that. So that’s silly to even think that that would be legitimate information. But unfortunately, people fall for this. And this is how these accounts get compromised. I did string along a gate tech support scammer before and they got to a point where they asked me
Speaker 1 10:46
for my credit card details, and I said, well, why do you need that? And they said, we need this information to be able to apply the credit. It was a, sorry, it wasn’t a tech support scam, it was a Geek Squad scam. So they send you this fake invoice via email, and I get them all the time. So they send you a fake invoice in the email saying you paid, you know, $500 to Geek Squad, and call this number if there’s a problem. And so then you call the number and then they ask for your credit card number. And then one time they even asked to remotely connect to my computer. And I said, well, why do you need to do that? And they said, well, in order to process the refund, we have to remove the software from your computer, you know, so these do happen. And I don’t think I recorded that one. But I may have, I’ll have to double check. But it was a Geek Squad scam. And that’s a fairly common scam; I actually had that forwarded to me from a client of mine. And it got through all of the phishing filters and spam filters and everything and wound up in your inbox. And the reason that happened, I’m getting off track here. But the reason that happened is because they sent it to a Geek Squad email address, and then BCC’d everyone else. So it wound up in the inbox, not in the junk mail, not in the quarantine, not anywhere else, in the inbox. So they’re getting a little more crafty with these types of things. So again, they want to gain access to your computer to steal information and probably install a backdoor so they can get back on later. And they want to. That’s why zero trust is so important. And they want to steal your personal information, including credit card numbers, or banking account numbers and things like that. And once they’ve gotten your bank information and your cell phone carrier information, that’s when the real fun begins. And I use fun as a form of sarcasm. They will start making unauthorized transactions, they may drain your bank account.
And they may commit identity theft, or they may perform a SIM swap. And as I mentioned a few minutes ago, that’s where they steal your phone number, put it on another smartphone. And now they can try to log in to all of the accounts that you’ve set up with multi-factor authentication, because, well, multi-factor authentication using SMS, because now they’re going to get the text messages, and the phone calls and things like that. If you use an app, such as Authy, or Microsoft Authenticator, Google Authenticator, then they don’t have a way to steal that using this method. So let’s recap. You get a phone call, they claim to be T-Mobile, in my example it was T-Mobile Sprint, which is the first red flag. They say there was an overpayment on your account. Or that you’re owed a credit. And that’s where they hook you. And I think that’s where this one fell apart. Because I was kind of trying to find the record app on my phone while I’m trying to string them along. And I think he realized what I was doing, and he hung up. But once they’ve hooked you, they now ask for personal information. So they’re going to ask you for banking information, cell phone account information, full name, address, and they’re going to use as the guise that this is how they’re going to apply the credit to your account. Once they do that, they’ve got your bank account information, they’ve got your cell phone information, then they do the real damage, and this is going to be either steal your phone number, SIM swap, or they’re going to steal your banking information, wipe out your account, or both. Maybe they’ll do both. Now, I will tell you also, I heard from someone today where they were experiencing fraudulent charges, but very small amounts, $8, $5, nothing huge. So a lot of times it gets ignored. People don’t pay attention enough and the $5 charges get ignored. But if you do that times 100 accounts every week, that’s, you know, that’s $500 that you make, another times 1,000 or 10,000.
If you’re doing this to a lot of people, and a lot of people are ignoring the $5 a month, $5 a week charges, because it’s an active account, they’re making a decent amount of money, so pay attention to your bank accounts. And I’ve seen this, this happened to me many years ago, that’s gotta be over 10 years now, with an account I had at the time. There were some charges against it for 300, 500, 800, small, relatively small amounts, you know, not in the tens of thousands. But it was enough to pique the interest of the bank. It happened over a weekend, they called me on a Monday, and asked if I was making purchases in France. This is definitely more than 10 years ago, I’ve never been in France. And so I knew right away, that’s what it was. And somewhere my card was swiped or used and that information was stolen. So they may do something like that, too. And often, they’ll do smaller charges first to see if the card works. So all you have to remember when they steal your card information, or your banking account information: it’s almost never used immediately, it’s usually put on the dark web to be sold. So it might be months before it actually gets used. So how do you protect yourself against these types of scams? Well, first of all, if T-Mobile or any other carriers are going to call you, it’s going to show up on your caller ID as T-Mobile or Verizon or AT&T or whoever it is, it’s not going to show up as a random number. In this case, it showed up as a local number. It’s really easy to spoof numbers, and maybe I’ll do an episode on spoofing and risks that go along with that. Because with spoofing, I’ve used spoof apps to show people that you can listen to people’s voicemails, you can crank call, you can scam people, it’s really easy to do. But just know that they will call from a T-Mobile number, it will say T-Mobile. Again, that can be spoofed, but not as easily.
Speaker 1 17:21
So the carriers, or most companies, cable companies, definitely not cable companies. But most service providers are not going to proactively call you and say, yeah, you’re owed a credit or there was an overpayment on your account. Or they will probably send you some kind of notice, or leave a notice in your login, the web portal where you log in, or they’ll just apply the credit. If there is an overpayment, they’ll just apply it. Never provide personal or financial information to anyone who contacts you unexpectedly. This used to happen a lot, doesn’t happen anymore. But you would get these random phone calls where they would say, we have an important business matter, we need to verify the last four of your social before we can share this information with you. Now, if they know roughly where and when you were born, they already have the first five of your social. It’s the last four they need to continue stealing your personally identifiable information. Never give that out. Even though it’s just the last four, it’s not safe. What you can say is, well, you’re calling me, so you already have it, you tell me what it is. Most times they’re just going to hang up. Never provide your bank account logins or your T-Mobile logins or Verizon or AT&T logins, never provide any of those things. Never provide your phone bill information, or speak as little as possible because there’s a good chance they’re recording you. And give as little information as possible. If you get this call at all. And again, if you get this call, it is a scam. But if you have any doubt, just say I’ll call back. If you receive a suspicious communication, contact the company directly using their official customer service channels to verify its authenticity. Use 611. Every carrier has 611 as an option, calling using 611. Be aware of common scam tactics and red flags. Again, as I said, T-Mobile Sprint: when he said T-Mobile Sprint, that was a red flag to me.
And I don’t know, maybe he said that because he’s aware that they merged not too long ago and that some Sprint customers might be off put by the fact that you’re saying T-Mobile. I don’t really know why he chose to do that. But I do know I’ve talked to T-Mobile since it’s happened and they never say T-Mobile Sprint. Common scam tactics like requests for banking credentials. Prepaid gift cards is another big one: Amazon cards, Apple cards. Don’t fall for that. Wire transfers, definitely don’t fall for that. And then your account. So my account has a very strong password against one password as many characters as possible. All of mine are at least 20, uppercase, lowercase, numbers and special characters in your password, and randomly generated passwords, and then use a password manager to save all your passwords, and don’t reuse passwords. So my T-Mobile password does not match any of my other passwords. Set up two-factor, multi-factor authentication on the account, and then also add a PIN to your account so that when you do talk to a T-Mobile representative, they cannot authorize anything to happen to your account until you’ve verified that PIN on your account. Now, you may forget that PIN. It’s okay. You can log into T-Mobile, and they will tell you this, you can log into T-Mobile and find the PIN on your account. There is the alternative where they will send you a text message. The only problem with that is the scammers can send you text messages too. So hopefully this helps someone not to become a victim of this scam. Again, I’ve known that it’s been around for quite some time. This is the first time somebody actually attempted the scam on me. So hopefully this helps someone else not to become a victim. So until next time, stay secure.
Transcribed by https://otter.ai