A Sneaky T-Mobile Scam and Lessons That Were Learned



A friend of mine got a call on his phone and he regrettably picked it up. The number was 267-332-3644. The area code is from Bucks County, PA, where he used to live many years ago.

But since his multiple anti-scam phone filter apps did not flag the number as a scam, and it was from a place he used to live, he picked it up. 

The caller was so heavily accented that he almost could not understand what was being said, but he heard enough to understand this: It was supposedly T-Mobile, his current mobile phone carrier, calling to offer him a six-month 30% discount and a free electronic device because he has been such a good customer. 

Yes, we have all heard of this scam many times before, but what was different was that they were able to tell him his account number, login name, phone numbers, address, the last two months of phone bill amounts, and knew that his wife had a line that was also on the bill. With that, he believed he was talking to T-Mobile support.

Note: Whoever he was talking to could have obtained this information from many different sources, hacked or leaked. Anything they told him could be found on his bills. 

In order to confirm his 30% discount, they needed his account PIN. Most cell phone and cable services now have a four-digit numeric PIN that customers must repeat to make account changes. Lucky for him, he did not remember it.

No problem, the (fake) T-Mobile reps would send him a one-time password (OTP) code to his phone that he could repeat to them, which they could accept instead of the PIN. And sure enough, moments later, T-Mobile (the real T-Mobile) sent him a text message.

My friend did not realize that all that was happening was the scammers trying to reset the password on his T-Mobile account using the password reset feature available on the legitimate T-Mobile website.

Kudos to T-Mobile for sending this warning along with his account recovery code. The problem is that it simply is not clear enough for many people who believe they are dealing with T-Mobile support and have been told by the person on the phone to expect the reset code.

I am not sure how you can update the message to be even more helpful…because it is already saying what any customer needs to be warned about…but it is still not clear or helpful enough for many customers to avoid becoming victims. Communication about scams is not easy to do.

My friend typed yes in response to the message and got his account recovery code.

He gave them the recovery code.

The scammers were not finished.

They said that because he was such a valued customer, he had won a free iPhone 16 Pro, Apple iPad, or Apple Watch Ultra. Who does not want that?

They wanted him to confirm his credit card number…the whole number…in order to get the discount and the iPhone he had selected. My friend initially refused and said he needed them to share the last four digits of his credit card number with him first, which any legitimate sales organization would normally have.

They began to get angry with him…and my friend, finally strongly suspecting a scam, made an excuse and ended the call.

He called T-Mobile using their legitimate number. They confirmed that it was probably a scam and told him they did not see any unauthorized activity on his account. Sadly, they did not instruct him to update his account password and/or PIN. I told him to do that as soon as he could. 

The big remaining question is, how did the scammers have my friend’s account information? The answer is that lots of places…likely dozens to hundreds…have that sort of information. It can be stored and accessible by all sorts of ancillary businesses, such as the people who mail you your bill, or any of the hundreds of resellers who have legitimate access to that sort of information in order to resell additional services. Surely, one or more of those services have been compromised…if not the phone company itself…and scammers can then get access to that information directly or buy it later on the black market.

My cable bill, until recently, even printed my account PIN on my bill. Only recently did they announce that they were proactively removing the PIN from the billing statement. Hmm, wonder why?

When I did a lookup on the phone number used by the scammers, it said the number belonged to Verizon…not T-Mobile…although my friend said that when he lived in Bucks County years ago and originally got his phone number, he was with Verizon Wireless. Perhaps the scammers had this old information when they chose the fake number that appeared on his phone.

Defenses

The primary defense against this type of attack is to realize that scammers can have personal information related to your account and use it to conduct scams. It is very common. Most of the phone companies have been compromised multiple times, and customer information has been stolen. Each phone account also has multiple channels through which your information can be, or already is, accessed by other authorized parties. Those authorized parties can be compromised.

Make sure your family, friends, and co-workers understand that any unexpected contact from anyone can be a scam, and even if they have some of your personal information, that does not mean they are legitimate. Nope, I hear about these sorts of scams all the time.

In this instance, the real T-Mobile message said they would never contact you and ask you to reset your password using a recovery code. Potential victims need to understand the difference between their account “PIN” being “reset” and their password being reset. Two different things, but I can completely understand the confusion or miss.

Here is a key sign to watch out for to avoid this type of scam: Don’t let an unexpected INBOUND connection to you…whether it’s a phone call, SMS, or whatever…initiate a password reset or OTP code action that you then interact with. This is where the scammers get victims. But if you call the company’s legitimate support number or go to the company’s legitimate website, and it results in those things, then it’s very likely legit. If you initiated what led to it, it’s good. If you didn’t, be careful.

Use PHISHING-RESISTANT (if possible) multi-factor authentication (MFA) to protect your accounts. It is too easy to trick people out of their PINs, passwords and one-time password (OTP) codes.

If someone calls you saying they are from your company, tell them you will call the company’s main public, legitimate number and inquire about that “great” offer. If they tell you that you cannot access them through the company’s main, legitimate phone number (which may be true even if it is a legitimate offer), well then, you will just have to pass up on that “great offer.” There is just too much risk to continue, especially if the caller is asking you to reveal your PIN, password, or other private information. 

If you think you have been scammed or partially scammed, call your company (on a known legitimate phone number), report the incident, and change your password and PIN (just in case). It cannot hurt to closely monitor your account for a few weeks or months to make sure that unauthorized activity has not happened. 

The key message of this post is to realize that scammers can have some of your personal information to use in the scam to make it seem more realistic.
