Combo Pretexting / Vishing / SMS Social Engineering Attack
Someone on Reddit described how he was the victim of a very sophisticated social engineering attack. This is his story:
"I have different passwords for every website I log into, 2-factor authentication when possible; I thought I knew all the scams and could spot them a mile away. This one still got me.
I was meeting a friend at a bar. Two drinks in, I got a call from someone identified by my phone as my large bank. I'm fully aware this could be spoofed, but it did not raise alarm bells yet. I was at a bar I did not frequent and have gotten calls from my bank before on suspicious charges that were legit, so I answered expecting this to be the case.
The person I spoke with said they were with my large bank and they'd identified fraudulent charges on my account, but they needed to verify my identity before they could discuss details. They said they sent me a text message (via the cell number they just called, which is my first clue this is phishing). They asked me to read back to them the 6-digit number they had just texted me to verify my ID.
Being two drinks in, slightly expecting what this was about, I had zero alarm bells going off. My bad, this was stupid of me. I read the number to them. They suggested it timed out and I needed to read another number they texted to me. Minimal time had passed, a mild spidey sense was tingling, but I still was not concerned enough to ask questions and read them a second 6-digit code.
This person then read off 5 recent charges on my account, 4 of which I recognized as legit and a 5th that was a $1000 charge to a credit card I did not own. I immediately identified this as a fraudulent charge and they said: 'no prob dude, we'll freeze your card and send you a new one'. They even gave me the last 4 on the card it was coming from. I was appeased enough to continue (sadly).
Finally, they said they sent me one final 6-digit code to confirm that they were crediting my account back with the $1000 fraudulent charge. I just needed to read the final code they texted to me. At this point, things seem weird to me but they got me at a good time. I was 2 drinks in, was interrupted from hanging with a close friend I hadn't seen in months and was outside trying desperately to avoid the loud noise inside the bar but still dealing with traffic noise outside. I just wanted to be done with this. I read them the final code and they thanked me and hung up.
At this point, I see why my phone had been vibrating constantly through this call. I had 4 emails from my bank: 1) Your username has been reset, 2) Your password has been reset, 3) Welcome to Zelle! An awesome $$$ forwarding service, 4) You've just forwarded $1000!!!!!
I called my bank via the number on the back of my card. After being on hold for 45 min trying to get the fraud department, I started to tell my story only to have the call drop (I'm pretty sure they hung up on me). I called back and was on hold for 1 hour 20 min (my account had been compromised for >2 hours by this time) to get a second person. He told me this was a scam they'd been dealing with for 3 months and I needed to go into a branch with 2 forms of ID to deal with it. There was nothing he could do tonight.
This dude spoofed my bank when calling me on my cell, requested a reset of my username and password, and approval for a $1000 transfer. I stupidly read off the confirmation numbers I received via text to him, and he entered them into my bank's website to approve all these requests. My bank has known their customers have been getting scammed for 3 months and didn't bother to warn anyone. I now have to go into a branch, hang my head and tell my shameful story to a person and beg for access to my account because someone else has control of it all night tonight."
Good lesson to be learned: Never, ever give any kind of confidential data to someone WHO CALLS YOU. Always call back to the number on the back of your card.