I’m super cautious with these messages like I’m sure we all are but on Monday I ordered a printer from Amazon. They said it would arrive on Wednesday. On Wednesday I was working from home and I got a text from “Purolator” saying they’d tried to deliver my package and failed. Shit! I’d been listening to beats too loud to hear the knock on the door! I ran outside to see if the delivery guy was still on my street. No one was around…and then I realized, damn, they got me (to dash outside, anyway).
These things can fail 99.99% of the time but when they land on someone at just the right moment, it’s so easy to just go on autopilot and do the dumb thing.
I had an issue on the toll payment device on my car, so I was expecting some 'pay now or you get a fine' message. I got one on my phone, but when I logged in directly to the toll company website my account was in the green. I was _so_ close to following the link I just got lucky that I prefer using my laptop for admin rather than my phone.
Exactly. Once I was connecting to my VPN in AWS and was totally prepared for 90% of the websites to throw human verification at me. Then a faked Cloudflare one almost got me. It was 3 AM and my brain was barely functioning. (It didn't work only because it instructed me to run a PowerShell command and I was on macOS.)
This type of stuff is diabolical for old folks who just weren't inoculated to these scams. I feel terrible for them. Get calls often asking me to help interpret.
A few weeks ago I told them: "I will never be offended or hurt if you ask suspicious questions to check my identity if I suddenly need sketchy wire transfers or a pile of Amazon gift cards."
Sometimes the best way to defang scams is to attack the social-factors and artificial-urgency they try to exploit.
In a similar vein, no legitimate institution should ever act punitively if you tell them that you're going to call them back through their official number/e-mail/site only.
Keep it very simple: never give an SMS authentication code to anyone on a phone call, in response to a text message or email, or as part of any checkout or purchase. They are only to be used when logging in to an online account. Anything else is a scam.
Even that may be too complicated, now that I read it back.
Unfortunately there are many companies that actually rely on SMS confirmation codes in real time, which includes reading it back to them.
A legitimate and generally well-liked company, and its real, helpful service representative, used this method to verify my identity before they could finish their support effort.
I think we're at the point where both phone and SMS are such insecure and easily spoofed channels that we should basically not be using them for anything related to business or money. Maybe even for communication, given how easily scammers can fake a loved one's voice and phone number.
The screenshots don't show spoofed SMS. Who is going to spoof a +212 or a +27 phone number when sending to the US? It's not that easy to get spoofed SMS to the US anymore. But it doesn't matter if sending from an international number works just fine. Same thing with email, but often worse... DMARC makes it hard to spoof email, but most email clients only show the sender name and not the sender address, so it doesn't matter.
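The display-name problem described in the comment above can be checked mechanically on the mail-server or mail-client side. The following is an added example, not code from anyone in this thread: it parses an already-decoded From: header and flags the two tricks a name-only display hides (an address embedded in the display name, and a brand name paired with an unrelated sending domain). The brand-to-domain table is a constructed assumption for the example.

```python
import re
from email.utils import parseaddr

# Constructed brand table (assumption for this example): display-name keywords
# that should only ever arrive from these sending domains or their subdomains.
TRUSTED_BRAND_DOMAINS = {
    "purolator": {"purolator.com"},
    "amazon": {"amazon.com", "amazon.ca"},
}

# Anything that looks like an email address inside the display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _domain_matches(domain, allowed):
    """True when domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def check_from_header(raw_from):
    """Inspect a decoded From: header and report mismatches a name-only client hides.

    Returns a dict with the display name, the real address, its domain and a
    list of string flags (empty when nothing looks off).
    """
    name, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    flags = []

    # Trick 1: the display name is itself an address at some other domain,
    # e.g. '"support@brand.example" <x@attacker.example>'; only the name shows.
    for fake in ADDR_IN_NAME.findall(name):
        fake_domain = fake.rsplit("@", 1)[1].lower()
        if fake_domain != domain:
            flags.append(f"display name carries address at {fake_domain}, real sender is {domain}")

    # Trick 2: a known brand is named, but the message comes from elsewhere,
    # which DMARC cannot catch because the attacker's own domain passes.
    lowered = name.lower()
    for brand, allowed in TRUSTED_BRAND_DOMAINS.items():
        if brand in lowered and not _domain_matches(domain, allowed):
            flags.append(f"display name mentions {brand} but sender domain is {domain}")

    return {"display_name": name, "address": addr, "domain": domain, "flags": flags}
```

The check runs on the decoded header value; RFC 2047 encoded-word decoding is assumed to have happened already.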
Phone call caller ID is getting harder to spoof, with STIR/SHAKEN, but I'm not sure that's fully rolled out either... and calls from a 'random' number still get answered, so spoofing isn't needed for normal scams.
What do you mean? How would passcodes help phishing?
The solution is passkeys, which prevent phishing and are more secure than passwords. I like how they replace SMS codes. But they are a pain to use and not that many sites support them. Every site that does 2FA should support them.
Hope you don't have to do 3D-Secure for a purchase, I guess.