Strange India All Strange Things About India and world


There’s a sucker born every minute, but it’s not going to be you this time around because you’re not going to let some scammer try to steal access to your Venmo account. You’re better than that, convincing as said phishing attempts might be.

Here’s how this phishing scam works. The attacker somehow gets ahold of your email and phone number, likely from one of the squillion data breaches that happen on a regular basis. They then initiate a password reset request on Venmo, and later give you a ring and try to convince you that you’ve been hacked and that you should change your password to one they’re suggesting.

Here’s the full story, courtesy of this Reddit user:

It started out around noon. I got an email saying someone tried to reset my password. I ignored it.

Hours later I got a call from someone pretending to be from Venmo; very professional sounding. Said they had a breach on my account and asked about me authorizing a payment for a few hundred bucks and that I should’ve gotten an email about someone attempting to get in and that they were successful. I of course said no, and was a little alarmed for a second but decided to play along.

They had tried to spoof Venmo’s number I think. All except the last digit of the number were the same, I know because I googled it while on the phone.

What really set me off was them saying I needed to reset my password to some password they were giving me in order to reverse that “fraudulent charge.” At this point I decided to play dumb and messed with them for a bit, kept them on the phone for a good 5-10 minutes by pretending I didn’t know the layout of the app and was trying to do what they said. I eventually got bored, told them I knew it was a scam. The man got angry and hung up on me.

It was obviously a scam in the end but I’ve never seen one that elaborate. Took them actual prep to try and reset my password so I’d get an email so I was on alert, then to call later acting like there was in fact a breach.

There are a number of red flags with this scenario that should make the scam obvious to savvy readers, though not everyone is as level-headed in the face of a blatant phishing attempt, and I can absolutely see people getting suckered by this if they aren’t thinking it through.

Be wary when you get a password reset request

For starters, any time you get a password reset request out of the blue, you should be on high alert. Or, at least, you should be cautious for the next few days about any communications or messages related to that service, whether that’s the “company” contacting you to clarify something, emails that ask you to click a link to change your password, or anything in between.

When in doubt, know that you have control over your interactions with a site or service. So, instead of clicking on a link in an email that’s purportedly from a particular company, pull up the app or service on your phone or web browser like you normally would, log in, and reset your password the old-fashioned way if you feel like that’s something you need to do. Also, if a service offers it, check to see whether any other devices have logged into your account recently, and set up two-factor authentication while you’re there, if you can.

Basically, don’t act on a prompt, because that prompt might be a scam. You can always edit your security settings via an app or service’s settings; you don’t need someone, or something, to send you there. Just load the app or website yourself.

Be wary of a “company” that calls

I’ve covered technology for the better part of 15 years, and I can’t tell you the last time a company called me to talk about the details of my account. Google doesn’t hit me up when someone tries to reset the password on my Gmail account; Facebook has better things to do than ask me if I’ve enabled 2FA; I’m verified on Twitter, but they’ve never felt like reaching out for a chat about my account security.

I’m sure there are exceptions, but generally speaking, companies don’t call you to talk about your account. You’re just a blip in their systems, one account of potentially millions (or billions) that they simply aren’t going to notice, and they more than likely won’t personally contact you to discuss it. An automated email, sure, but a phone call? Unlikely.

If someone claims to be from a company and reaches out to you about something related to your account, like your passwords, payments, or other sensitive aspects, you don’t have to respond. What you can do is reach out to the website or service yourself to confirm whether that person’s communication (and request) is valid. In other words, if “Amazon” calls you up and asks you to change your password over the phone, hang up and contact Amazon’s customer service to see if this was a valid request. (Or, really, in this case: Hang up and just change your password yourself. You don’t need someone’s help.)

Don’t accept someone else’s password

If—and this is a big if—a company contacts you about some aspect of your account, and wants you to do something about it, reconsider before you make that change. Would some online retailer really want you to change your password to something they provide? Would they really ask you to turn off two-factor authentication, or make some other change to your account that sure seems like it’s making it easier, not harder, for someone to take advantage of you? If so, the obvious spoiler is that someone is trying to take advantage of you.

As I said, this probably all sounds like boring, obvious advice to savvy tech users, but I’m thinking about my parents when I write this (and my less tech-savvy friends), who might be easily alarmed into doing something they shouldn’t because of an allegedly insecure setup. I get it: it can be anxiety-inducing if you think that someone has broken into a main account that you use, especially if it’s related to a financial service. (Take my Gmail, not my money.)

When in doubt, remember that you don’t have to do anything someone or something suggests that you should. Take the situation under advisement, check to see if it’s authentic, and do the regular things you’d otherwise do to secure your account by yourself—if you even need to at all.


