| ▲ | klik99 4 days ago |
| Literally got something similar to this last Friday. Sounded legit. My one weird trick that works every time - give me a ticket # and an official phone number to call back to and I can confirm the phone number is legit. This way you can continue the conversation if it is actually legit, and if it's not legit then all good. The guy who called me said "I can send you an email to show it's official" and I thought of that immediately when I read this article. No dice, he refused to give me a number to call back on, so I knew it was fake. EDIT You can spoof from email addresses and you can spoof phone numbers - if someone is calling from a legit number on caller id it means NOTHING. You have to call back to a legit number to be sure it's real. |
|
| ▲ | vunderba 4 days ago | parent | next [-] |
| I personally don't even allow them an opportunity to give a "phone number" either. I always ask them to identify their company and the branch that they are with - and then personally go to the official website of the company (i.e. https://amazon.com, etc.) and look up the phone number there. A little less convenient for a LOT more security. |
| |
| ▲ | bigiain 4 days ago | parent | next [-] | | For some reason I can't seem to find my local Google branch's phone number on their website... | | |
| ▲ | MobileVet 4 days ago | parent | next [-] | | This was so much funnier than I wish it was… ugh. Contacting Google. Good luck. | | |
| ▲ | cwmoore 4 days ago | parent [-] | | Wonder why I've never had that problem. | | |
| ▲ | tempodox 4 days ago | parent [-] | | Are you saying you can find Google’s phone number? | | |
| ▲ | cwmoore 4 days ago | parent [-] | | Yes. | | |
| ▲ | figassis 4 days ago | parent [-] | | You’re probably worth a lot of money rn. I would start an entire business just selling people Google’s number. Heck, I would start an entire Google support company rn, publish a phone number and proxy calls to Google. I’d screen calls then also sell Google my services. You’re welcome. Build this in 2 months. I want 30% ownership. | | |
| ▲ | marklubi 4 days ago | parent | next [-] | | I make them hundreds of thousands a year even with their commission from my app sales. Still don't have a contact there (same with Apple). They're happy collecting their commissions and avoiding you. The only good thing is that (for the most part) the payment method is just a password/faceid/touchid away. | |
| ▲ | cwmoore 4 days ago | parent | prev [-] | | Duh. EDIT: also thank you, but and 0.0% is fine. |
| |
| ▲ | BobbyTables2 4 days ago | parent | prev [-] | | It’s not (248) 434-5508 ? |
| |
| ▲ | II2II 4 days ago | parent | prev | next [-] | | I have the fun of making outbound calls to offer people a public service and collect payment if people desire it. Most people gladly hand over their credit card details. A few years ago, someone wisely asked why they should trust me. (It only happened once in a decade!) I said they don't have to. They could look up our phone number at an easily verifiable government website, then call back; they could call any facility operated by the department; or they could visit any facility. Said individual provided their credit card details right then and there. Virtually no one cares about security. | | |
| ▲ | rapind 4 days ago | parent | next [-] | | I don’t trust anyone calling me who isn’t already in my contacts. Callers from legitimate businesses treat me like I’m questioning the moon landing when I tell them I’ll need to call them at an official number. Now try and convince your family to do the same (especially parents who are prime targets). | | |
| ▲ | II2II 4 days ago | parent | next [-] | | > Callers from legitimate businesses treat me like I’m questioning the moon landing when I tell them I’ll need to call them at an official number. Not to justify their behaviour, but: most businesses are not set up to allow for callbacks or they're set up to actively discourage them. For example: they may be contracting out to call centers or employee performance may depend upon making a sale. My situation is unique since all calls are handled internally and my performance is not based upon making a sale. That said, the current situation pretty much dictates that a secure option should be offered to clients. | |
| ▲ | benmanns 4 days ago | parent | prev | next [-] | | The trouble is, you have to place the outbound call to those contacts to trust them. People could spoof an incoming call from numbers in your contacts and it will look as legitimate to you as a receiver as if the real number was calling you. With voice spoofing, it's now possible to call someone as [grandchild] with [grandchild]'s voice with a pretty horrible story about what's going to happen if some Bitcoin or Google Play gift cards are not purchased and handed over immediately. | | |
| ▲ | rapind 4 days ago | parent [-] | | I'll give you an example. When the Bank calls me about something important, I tell them to give me their department / extension and I'll call them back. I then look up the bank's phone number on their website (it's actually in my phone already, and on my bank cards) and call them back. This process doesn't care about them calling from a spoofed number. We've had big problems with spoofed number scams and the CRA (Canadian version of the IRS) recently. | | |
| ▲ | 0xffff2 4 days ago | parent [-] | | So in other words, you don't trust any incoming calls, even if they appear to be from a number saved in your contacts? | | |
| ▲ | rapind 3 days ago | parent [-] | | No. If it's someone I know, and I can tell that's who they are from their voice, and they aren't suddenly trying to pry a bunch of financial information from me, then I trust them. I also don't even accept calls from unknown numbers by default, unless I explicitly turn that off temporarily because I'm expecting a call from someone not in my contacts. There are plenty of other ways to get ahold of me. AI speech still has some noticeable quirks (I cloned my voice earlier this year to produce some tutorials). Once those are ironed out, I may increase my paranoia a bit. It's going to be hard for an AI faking a relative to get my bank password, if that even happens. There are far more lucrative targets with that level of investment. I think just being on guard and not trusting potential anonymous sources is "good enough" for now. |
| |
| ▲ | intrasight 4 days ago | parent | prev | next [-] | | I've not once had a legitimate company not say "good for you in taking the extra security precaution of calling us back". | | |
| ▲ | nothrabannosir 4 days ago | parent | next [-] | | No kidding!? I have never had someone take this in stride. Responses have ranged from surprise to defensive condescension. It rarely even works at all, and the two worst offenders were both banks. One UK, one USA. I almost had the check for my rent bounce after three days of this rigmarole and ended up having to just go with it. Where do you bank? I'm looking for recommendations. | |
| ▲ | plasticchris 4 days ago | parent | prev [-] | | Even better, once I had a financial institution tell me I needed to read them a one time code someone would text me. They were actually surprised I had a problem with it when it’s the scam playbook. | | |
| |
| ▲ | BobbyTables2 4 days ago | parent | prev [-] | | I suspect far more people question the moon landing than the authenticity of caller! |
| |
| ▲ | nothrabannosir 4 days ago | parent | prev | next [-] | | To be fair I give just about anyone and their dog my CC number. Chargebacks work and my life is that little bit easier for it. Playing Jason Bourne with your credit card number is not worth the effort if you ask me. I would even say this is a net positive for the economy: the cost of fraud is outweighed by the lower barrier to payment. I'm sure you'd have made fewer sales had people been more worried about security. Net positive then, right? | | |
| ▲ | alvah 4 days ago | parent [-] | | Depending on which country you're in and which bank you're with, chargebacks are nothing like as straightforward as they used to be. I just completed yet another one, which involved 2 separate phone calls totalling over an hour (so probably not worth it on a $/hour basis), accepting the risk that if Visa rejects the claim I'm liable for a further $50 charge (this is new), and generally 3 months of hassle until I got most of the money back (less the international transaction fee, as the merchant had fraudulently claimed to be in the same country as me, but charged me from the UK). | | |
| ▲ | nothrabannosir 4 days ago | parent [-] | | For the record what kind of chargeback are you initiating, and why does it have to go through visa rather than the bank who issued you the card? Unauthorized card-not-present transaction initiated by a third party? Some cbs are harder than others to get ruled in your favor, but the one where a criminal takes your card and uses it without your knowledge is by far the easiest one to get awarded. It involves one call to your bank and you get a new card, all fraudulent charges reversed. If your bank doesn’t want to honor the request yes you’ll have to contact the payment network (visa/mastercard) and I’m sure there’s someone in this thread who has experienced that for an unauthorized transaction chargeback but it’s exceedingly rare. Merchant error chargebacks, on the other hand… very different situation. | | |
| ▲ | OkayPhysicist 3 days ago | parent | next [-] | | The US makes chargebacks exceptionally easy. Non-Americans have a much less useful credit card system, which is why debit cards are more common in most of Europe. | |
| ▲ | alvah 3 days ago | parent | prev [-] | | Merchant fraud this time. Done through the (soon-to-be-ex) bank but they brought up the charge from Visa. It’s possible that my current bank is particularly bad at this, as they are bad at everything else. I have had the runaround with merchant error and stolen card number chargebacks with other banks though. |
| |
| ▲ | danielktdoranie 4 days ago | parent | prev | next [-] | | “I have the fun of making outbound calls to offer people a public service and collect payment if people desire it.” Oh so you’re a telemarketer. | | |
| ▲ | II2II 4 days ago | parent | next [-] | | Nope. I only sell services that people previously requested, though it is often months earlier. (As I suggested, it's a government job.) Sales is just one of the things tacked onto my job description over the years. And to further crush that cynicism: most people are overjoyed when I call them. | |
| ▲ | reaperducer 4 days ago | parent | prev [-] | | Oh so you’re a telemarketer. Not everyone who makes outbound calls is a telemarketer. The healthcare company I work for has a whole department of very nice people who make outbound calls to offer free health and nutrition classes to poor people. Yes, they're free. As an employee I am also required to take one of the classes each year, so I know what they entail. Yes, they cost our company money. No, they're not sponsored by some corporation or ad company, and no we don't sell people's information on (HIPAA and all that). The real world isn't a tech bubble cage fight. |
| |
| ▲ | BikiniPrince 4 days ago | parent | prev | next [-] | | In the rare case something worms its way to collections I just ask for the certified letter. Now in ten years that only happened once. I even called the hospital asking where my bill was and they said I didn't owe anything. Three months later collections! | |
| ▲ | nradov 4 days ago | parent | prev [-] | | The great thing about credit cards (as opposed to obvious scams for suckers like cryptocurrency) is that consumers don't have to care about security. They can dispute fraudulent charges and never be out any money. |
| |
| ▲ | misnome 4 days ago | parent | prev | next [-] | | There are a lot of contact numbers for e.g. banks and often it’s not obvious how to re-contact the department you are talking to. So, I’m happy to take a number, but I have to be able to find it on the company site somewhere (will also accept generic e.g. “call the bank fraud line and supply this reference number”) | |
| ▲ | docmars 4 days ago | parent | prev | next [-] | | I simply don't answer my phone for anyone not already in my contacts, unless I'm expecting a call from a contractor or local service. I assume if I have a problem with any of my accounts, I'll eventually find out and self serve to go and fix it, as much as possible. | |
| ▲ | cortesoft 4 days ago | parent | prev | next [-] | | But this is Google, who don’t have a phone number to call them. | |
| ▲ | marklubi 4 days ago | parent | prev | next [-] | | Just to add on, never say "yes" when you get a call from an unknown number (or maybe from all numbers, just be careful). "This is he(or she)", or "who are you trying to contact" handle most situations. Just don't let scammers get you saying something in the affirmative. | | |
| ▲ | avidiax 4 days ago | parent [-] | | What happens if you say "yes"? | | |
| ▲ | marklubi 4 days ago | parent [-] | | They have you acknowledging something at that point. Doesn't really matter what it is when they can take it out of context. Edit: Many of them are scammers, they don't play by the rules. | | |
| ▲ | tpxl 4 days ago | parent [-] | | How does that help them? It's not gonna pass any legal scrutiny. If they were going to lie, it doesn't matter whether you said yes or not at any point in the call. | | |
| ▲ | marklubi 4 days ago | parent [-] | | > It's not gonna pass any legal scrutiny Probably going to cost a lot to get to that point, probably more than they will scam you for. They're after the quick hit that gets them something right away while also believing that you won't take it that far. It's like knowing how to pick a lock vs just throwing a rock through the window that's next to the door to gain access. They both get you there. | | |
| ▲ | tpxl 3 days ago | parent [-] | | Scenario 1: You don't say yes and they lie you acknowledged something. You sue or you don't. Scenario 2: You say yes and they lie what you acknowledged. You sue or you don't. The math on your end doesn't change, no matter what you said. |
| |
| ▲ | hedora 4 days ago | parent | prev | next [-] | | I usually ask for the phone number, find it on the corporate site, then call the branch office. Alternatively, ask for their license number, check the license, then call the number it lists. (Kills two birds with one stone for licensed professionals.) | |
| ▲ | Gud 4 days ago | parent | prev [-] | | Yes, why would you accept the phone number given to you by this stranger calling you as legit? | | |
| ▲ | 0xffff2 4 days ago | parent [-] | | You don't, but large organizations can have a lot of entry points (or none... but that's a different topic), so you let the caller pick the inbound number that will actually reach them or their department, but then you still independently verify that the number belongs to the organization before trusting it. |
|
| ▲ | dec0dedab0de 4 days ago | parent | prev | next [-] |
| Be careful with checking official numbers too, or at least tell any non-tech friends. Fake numbers have been ending up in search results on official looking websites. It's a real knife fight out there. |
| |
| ▲ | Waterluvian 4 days ago | parent | next [-] | | I find that when it’s legit a consistent thing happens, which smells of careful training: they instruct me to call the number on the back of the card, or on a bill. | | |
| ▲ | TOMDM 4 days ago | parent [-] | | Obvious next step to me is malicious bills sent to an address | | |
| |
| ▲ | skygazer 4 days ago | parent | prev | next [-] | | It's interesting how easily Google results rankings are manipulated by bad actors, and how unvetted the scams are in paid adverts on and through Google. The web is untrustworthy, and Google transparently passes it to users. We'd probably be better off if Yahoo's quaint curated list of sites had won out. | | |
| ▲ | 4 days ago | parent | next [-] | | [deleted] | |
| ▲ | mschuster91 4 days ago | parent | prev [-] | | > It's interesting how easily Google results rankings are manipulated by bad actors, and how unvetted the scams are in paid adverts on and through Google. Well, SEO, I get that this kind of gaming is hard to prevent, not at Google's scale. But the AdWords scams? Or all the other fake ad scams, chumboxes and god knows what? The complete lack of audits around something that actually causes money to change hands should be outright banned. At the high end of ads, think large brand TV spots, you got entire teams of lawyers involved to make sure licensing, actor releases, technical details, corporate identity and a myriad of other things are taken care of. But at the low end? Some rando from St Petersburg can post an ad for a book "uncovering Western lies about NATO expansion", some Indian can post an ad for "Norton Removal", some American an ad for a f2p game with content that clearly does not describe the actual gameplay or some Chinese can post an ad for penile enlargement pills - and none of the four will get even one human eye on the ad before the campaign goes live and the ads are displayed to actual users, even though all four either violate Western laws outright or are at least banned by the providers/networks. And the problem isn't just limited to Google, Youtube, AdWords, Unity Ads [1], Taboola [2], Outbrain [3], Facebook/Insta [4] - it's everywhere, the entire low range of ads is infested to the core. Self-service ad platforms should be shut down, period - the industry has shown that "self regulation" doesn't work. [1] https://discussions.unity.com/t/does-anyone-screen-these-ads... [2] https://www.vice.com/en/article/taboolas-content-chum-boxes-... [3] https://www.skeptic.org.uk/2021/01/the-outbrain-drain-why-ne... [4] https://www.vice.com/en/article/instagram-and-facebook-are-o... | | |
| ▲ | eek2121 4 days ago | parent [-] | | Yes, and that same lack of lawyers/friction is what also allows legitimate small businesses to thrive. I've worked for many, and out of those many, none of them had lawyers involved at all. It is all about balance. Google could do more here, however the answer is not as obvious as you might think. Especially in an age where identities get stolen often and the lag time on catching said fraud is quite long. The issue is that the entities mentioned are doing...nothing at all. Not even basic MANUAL identity checks and payment checks. Automated checks work very well until they don't. | | |
| ▲ | mschuster91 4 days ago | parent [-] | | > Google could do more here, however the answer is not as obvious as you might think. Oh it is. A basic background check alone done by an actual human to see if the business is actually real, let's say this costs Google 1h @ 40 dollars plus 20 dollars for credit bureau fees. Google can offload that cost to the advertiser - even for a small cookie store, that's hardly an expense. And after that, vet the campaign material for each asset. When you have 200 dollars in ad spend (which isn't much), 10 dollars should go pretty far in having a human see if the "pizza store" didn't just place an ad for penile enlargement. > Automated checks work very well until they don't. The key thing is, the entire ad industry is amoral. No one cares about fraud or brand reputation any more, not when you see chumbox ads on "reputable" newspapers. So everyone seems to think "why should I leave a few dollars on the table?". | | |
| ▲ | bcrl 3 days ago | parent [-] | | At what point does Know Your Customer kick in for ads? |
| |
| ▲ | avidiax 4 days ago | parent | prev | next [-] | | Yes, especially do not google the number that you were given on the phone. That is completely certain to turn up the scammer's official looking page and "confirm" the phone number. I have seen Microsoft support forum articles that list the "Facebook official phone number". The fact that it's not from Facebook doesn't make it less authoritative in a panicked person's mind. Google, Meta, Microsoft, and Apple really must start publishing an "official phone number". It is perfectly OK that this phone number just plays a repeating message saying that the user should browse google.com/phone. That website can explain that there is no phone support offered, and provide a bunch of links for common scamming hooks that leads to anti-phishing material. | |
| ▲ | gblargg 4 days ago | parent | prev | next [-] | | This happened to me once. I was calling Amazon and did a Google search on mobile. I called the big number that was at the top of search results. After I had given my account email, but nothing critical, I started becoming wary of the questions I was asked because they weren't relevant. I hung up and searched again and the result did not come up again, and Amazon's number was totally different. I looked up the number I called and it didn't find any results. So I'm guessing an ad scam. I definitely don't trust Google results with featured answers for things like that anymore. | | |
| ▲ | bcrl 3 days ago | parent [-] | | This happened to my father while I was around during the beginning of the COVID lock down. He searched for an Apple support number and was served a targeted ad for a phishing site. Because of the change in search a few years prior, ads now look very much like search results compared to the obvious visual distinction back in the Don't-Be-Evil days. The ad was sufficiently targeted that it only showed up on his device for the search -- nobody else would see it. Ephemeral ads are not a good thing. | | |
| ▲ | GoblinSlayer 3 days ago | parent [-] | | Ironically today even network engineers of all people can't type speedtest.net without google's help. Set your search engine to wikipedia and see them struggle. |
|
| |
| ▲ | klik99 4 days ago | parent | prev | next [-] | | Good to know. The guy who called me on Friday felt like a targeted attack, I've been getting a TON of pokes at trying to reset my Google password. It really made me feel like there's less and less you can trust online. Scammers are winning the arms race, and have the resources to create really good looking pages. | |
| ▲ | kevin_thibedeau 4 days ago | parent | prev [-] | | They also typosquat support numbers for people who misread them or assume things like toll-free is always 800 when it can be other area codes. Just because someone answers, don't give them enough PII to use your identity elsewhere. |
|
|
| ▲ | Braxton1980 4 days ago | parent | prev | next [-] |
| How can he spoof an email address without Gmail or the like flagging it? I'm not talking about the common name but the actual email address. |
| |
| ▲ | stavros 4 days ago | parent [-] | | That's what I'm curious about too. DMARC should make that impossible. | | |
| ▲ | hedora 4 days ago | parent [-] | | The last I heard, Google relied on spam filters for this. Supposedly, people have been fired after being falsely accused of harassment. The scam works as follows: Send a message to bob@gappsdomain.com and notavictim at the same domain. Arrange for the headers to be “from” bob. Now, notavictim reports Bob to HR. If the google admin is competent, they look at the headers, and note that Bob didn’t send the email. (Not sure if they catch the offender or not.) If they’re incompetent, they see the message in Bob’s from box, and recommend he be fired. This is a feature that enables dubious workflows, where Bob configures spam bots to bother his coworkers, but wants those messages to be auto filed in his sent box. I didn’t think it worked when spoofing unrelated domains like Google though. That’s just dumb. Maybe the attacker had the author’s IMAP gateway password and moved the message into the inbox? | | |
| ▲ | calmworm 4 days ago | parent [-] | | Google spam filters are terrible because they filter way too much legitimate email. I have been a paying business Gmail user for years, all DMARC, DKIM, etc… in place. My messages still go into client Gmail spam folders. It’s extremely infuriating. Google knows I’m not sending spam. They can’t deliver my email properly to their own inboxes? Nonsense. |
|
| ▲ | mihaaly 4 days ago | parent | prev | next [-] |
| I have no time and energy for the level of paranoia present web services REQUIRE. I started to cut back. One of the first: not accepting Terms and Conditions for a site my company delegated for the sole purpose of delivering my payslips (probably some others too, but marginal compared to this). I'd need to revisit the details to tell what was that exactly, but some sort of sharing some of my data with third party (subcontractor) thing. It is a recent development, I will see how it flies with my organization, but I'd be surprised if I could be forced to accept T&C just for receiving payslips. We have 2 other admin accounts for reporting time, absence, no more for me with some arbitrary service provider, thanks. (in the previous job of mine our absence tracking system sent me incentivised ads in the dashboard to attract others to their platform and some sort of weird discount system if I buy things here or there, quite repelling) |
|
| ▲ | glxxyz 4 days ago | parent | prev | next [-] |
| > if someone is calling from a legit number on caller id it means NOTHING I had to tell my bank this once a few years ago, when they called me up and then expected me to give them personal information to confirm my identity. |
|
| ▲ | 4 days ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | beeflet 4 days ago | parent | prev | next [-] |
| > official phone number Great idea unless the attacker has SS7 access. |
| |
| ▲ | klik99 4 days ago | parent | next [-] | | Yeah, if you're a high profile target then you need extra layers of security, but for regular folks that one weird trick is enough to make you just enough of an annoyance to make another target preferred. But in a world with Pegasus, and telecoms in smaller vacation countries selling off SS7, etc, etc - if someone good really wants to target you normal security protocols aren't going to cut it. | | |
| ▲ | beeflet 4 days ago | parent [-] | | I imagine it will be like SIM swapping attacks where attackers will pool all their money together, gain temporary SS7 access and conduct a ton of attacks in a short window of time. Reducing the per-attack cost. The phone network is just not a secure channel for any sort of communication | | |
| ▲ | kevin_thibedeau 4 days ago | parent [-] | | They currently lease temporary access to specific numbers from crooked middlemen for the weak claim that they're not "buying" the numbers. |
|
| |
| ▲ | wil421 4 days ago | parent | prev | next [-] | | Explain how SS7 access can allow someone intercept my call back to an official number like Bank of America or a number on Fidelity a 401k support page. | |
| ▲ | ElijahLynn 4 days ago | parent | prev [-] | | Can you expand on what ss7 means? | | |
|
|
| ▲ | doctorpangloss 4 days ago | parent | prev | next [-] |
| I don't know. Google could solve this all in an afternoon. It controls e-mail delivery, it is the e-mail delivery monopoly. Why deliver these e-mails? It just shouldn't. But because Google delivers spam from senders who spend a lot on Google ads; and e-mail traffic gets laundered into web ads traffic; they just can't do it. And because Superhuman charges more than $0, it can't do it either. Nobody can fix e-mail. If you can't see how phishing and Google Ads are related... you know, this is why it is hard to "just" pass a law. It's not because the law wouldn't fix the problem. It would, if you permit the status quo where Google is the e-mail monopoly. It's this whole A16Z "just pass a law" nonsense, where someone thought he was saying something really insightful because he didn't like Jon Stewart, getting in the way of my inbox zero, and simply never receiving non-personal e-mails at all. |
|
| ▲ | 8cvor6j844qw_d6 4 days ago | parent | prev [-] |
| > if someone is calling from a legit number on caller id it means NOTHING. You have to call back to a legit number to be sure it's real. This reminds me of one time where I got a call from a number I don't know, got yelled at something about spamming calls. Yelling includes threats about getting reported to police or whatever, which was confusing since I never had any history with this number. I suspect my number was spoofed. I'm not sure if there's any defense against that. Now my default is to ignore any unknown numbers. |