Security pro here. I came pretty close to falling for the “this is the power company and we are cutting off your power unless you pay the bill in the next 45 minutes” scam. It was late in the day during winter, so I knew if it got cut off, my small children were going to have a miserable night; and I was on a crowded bus and unable to get out my laptop to log into the website. I also knew my credit card had recently been rotated and that maybe I had forgotten to update it on the power company’s site. So I had a couple reasons to believe the situation could be real. The only thing that tipped me off was that they suggested the best way to pay quickly was to go buy iTunes gift cards and read them the numbers over the phone. If these boneheads had a way to take credit cards over the phone I might have been sunk.
I'm happy enough to live in a country where this is considered so inhumane that this is very obviously a scam.
I understand why you'd (almost) fall for this. I think it is wrong to assume you never will. So put safeguards in place; it may be good to start thinking about what those could look like. I have no idea... I'm very afraid my parents will someday waste a lot of money on a scam like this. Or, you know, me.
Yeah, just cutting off power out of nowhere is way too hard for me to believe. You always first get a couple of warnings over the course of a couple of months.
I've got to admit, although I'm not a security expert at all, all of these scams sound way too unlikely for me to fall for. But then again, it's easy to think that when you're behind your desk reading an article called "how I got scammed". It's very different when they reach you when you're already stressed and confused. Who knows what I'd fall for. I hope I'll never find out.
If they had taken credit cards, and made fraudulent transactions, maybe they could have made a few purchases in retail stores, but as soon as you detected that fraud you’d call the bank and issue a chargeback - a hassle but you’re not out any money.
Also, banks are smart. If a single CC is being simultaneously used in multiple physical locations, that’s an immediate red flag for fraud. My bank also asks for OTPs when I make online payments at novel/obscure websites.
A scammer who got my full CC number couldn’t make a fake physical card since it’s chip-and-pin; or at least not use it at any mainstream retailer which would require a chip transaction. So they’d be limited to online ones. I suspect the bank might even be passed the IP or other fingerprint details when authenticating the transaction, resulting in OTP requirements when risk is detected (online transaction from foreign country when I live in my country).
As long as you have a couple of CCs (so you can still pay for stuff if one gets deactivated due to fraud), CC fraud will typically be detected by the bank and refunded, along with new card issuance.
My main CC company will also text me randomly asking if any of the last three charges was unauthorized, with their details. Sometimes the card is paused until I respond. This most typically happens when I’m traveling. If I text back that they’re all legitimate then the card works again immediately; if one is fraudulent then they get me on the phone to confirm the details and issue a new card.
The CC companies seem to be pretty good about not having false alarms when you travel any more (though if you’re traveling internationally, giving them a heads up helps avoid issues) - I believe it’s simultaneous use from multiple geos that trips fraud alarms.
RE chargebacks: stolen cards are often monetized these days with a scheme known as "triangle fraud". Here's how it works:
0) the scammer somehow acquires Person A's credit card info
1) the scammer sets up an online store on Amazon or similar and sells some popular item at a 20% discount (e.g. Nespresso pods)
2) the scammer doesn't actually have that item in stock, but when they get an order from Person B, they use the stolen card to place another order with a legitimate seller and set the destination address to Person B's address (basically drop-shipping but where the victim is paying for the cost of the goods being sold)
3) Now the scammer has received already-laundered clean money from an online transaction, and Person B got the product they wanted on time and at a steep discount. They're happy, and certainly won't be complaining to their credit card company.
4) when Person A reports their card stolen and tries to perform a chargeback, the legitimate seller who acted as an unwitting drop-shipper ends up eating the cost.
DEFCON 27 had a talk on exactly this by Nina Kollars, which I suspect is where the Nespresso reference comes from. It's an excellent overview of the topic of triangle fraud. :)
Almost impressed at the cleverness of this all! Especially since, if it's done right, all parties see "business as usual" - and even if they DO suspect a scam, nobody has any incentive past a moral one to say anything.
Wait what? The person with the stolen credit card will report the fraudulent charge, causing a chargeback for the seller - how is that “business as usual”? If the business is getting hit with chargebacks they sure as fuck have a financial motivation, if not a moral one, to report it.
This relies on churn and hoping that a percentage of the fraudulent charges go unnoticed. But if it’s oversight then it’s not really that party “seeing” anything.
Someone noticing they are being scammed means that it's over anyways. What I'm saying is that, as the scam is happening, you are going to get at least 1 "legit" looking transaction where the cash is already in the scammer's hands. The person with the stolen credit card is often someone elderly or unable to notice major financial decisions, which makes them perfect marks for being scammed in the first place. What I'm saying is that, to all the parties involved except the scammer, there are no obvious signs that something fishy is going on.
Sadly in Europe a lot of these transactions are done on debit cards, which make redress much harder if not impossible - once the money is out of the account, it's gone for good. Banks may or may not eat the loss depending on a number of factors, size being one of them: 4+ digit amounts will likely never be reimbursed.
But yeah, CCs are safer; it's one of the things you pay for (typically by means of higher prices, as merchants pass on their CC fees to customers).
> Sadly in Europe a lot of these transactions are done on debit cards, which make redress much harder if not impossible - once the money is out of the account, it's gone for good.
While this is true, it's also much harder to do a fraudulent payment. The card number itself is not enough; you actually have to go through the bank's payment system with its 2FA, and that's not something a thief can easily fake.