Call Back, Fight Crime!

 


Dear Merchants,

If you get a call from your store’s platform company, be it Shopify, Amazon, Eventbrite, or anyone else, tell them you’re busy and will call them right back. That’s it! One other thing. Don’t call back any number they give you; instead, contact your provider using a number or email address you already have.

This time of year, there is a rash of account takeovers and simply saying you’ll call back instead of answering their questions can stop many of them in their tracks. Why? Happy to explain.

Here’s an example of a local merchant, with listings on Amazon, who lost control of her account TODAY.

The store owner received a call from “Amazon” asking her to make some critical changes to her account. The caller ID on her phone displayed “Amazon” or “Amazon Support”. (She was a bit rattled after everything and didn’t remember exactly. She does remember seeing a 206 area code.)

First, they asked her to “prove” her identity.
(This is how the thieves obtained the credentials for the account.)

Then, they walked her through some minor, innocuous changes. She didn’t think any of these changes seemed important.
(These changes may have only been for verisimilitude. Since they called about an important update, they need to have you make a change.)

Then, they called back. This time, one of her employees answered. That employee didn’t believe it was Amazon, but the store owner continued to cooperate with them. She remembers the criminals closing by warning her she might not be able to access her account for a while.
(They may have called back because Amazon’s anti-fraud measures had temporarily blocked them. Clearly, they were buying time with the account access warning.)

At that point, they had everything they needed and completed their account takeover, making it impossible for her to access her own store. With their helpful warning, she wouldn’t have worried when she couldn’t access her account, if nothing else had happened. Luckily, something did!

She was busy at her brick and mortar store, unaware there was a problem until she received a call from a customer. He wanted her to confirm a deal listed on her online store for a drone. This was not an item she carried. Staff in the store checked, however, and saw that it was now listed online, along with a lot of other expensive products they didn’t sell, for prices that were clearly low. Of course, when she tried to access the store account to remove these items, she couldn’t. She couldn’t even reset her password since her email address was no longer associated with her account. At first, she was at a loss as to what was happening and what she could do. The employee who was suspicious, someone I know, called me and explained the situation.

As we talked, the owner was confused that criminals could call from an Amazon number. Of course, they were not calling from Amazon. Anyone can easily spoof caller ID information. I get frustrated with my bank when they authenticate my identity “since you’re calling from the number we have for you”. This is BAD authentication. With about 15 minutes of work, I can call you on a SIP line that shows any name/company and number as the caller ID. Thieves have these things set up for fast and easy impersonation. Don’t fall for it.

Next time, she will say, “I can’t talk, I will have to call you back” and hang up. Even if they say it’s urgent and try to keep her on the call. She will NOT give them any information.

In this case, the customer who called about the drone really saved the merchant! She was alerted early, and I helped them contact the real Amazon to start the process of account recovery, hopefully minimizing her losses.

Please note that this type of scam is used by criminals pretending to be your bank, your credit card provider, and even HR at your employer. Information you provide could allow them to charge your card, access your bank accounts, or steal your identity. Tell them you can’t talk and will call them back. Then, contact them using an existing channel of communication.
