Xfinity Scam Might Explain Similar Scams



Recently, I covered a T-Mobile scam where a friend of mine narrowly avoided losing money. In that scam, the attackers called up pretending to be from T-Mobile offering him a cannot-pass-up 30% discount on future T-Mobile bills.

While he was initially suspicious of the unexpected callers, they gained his confidence by repeating the amounts of his last two T-Mobile bills, billing address, and knew that his wife was also on the account.

One of our big questions was how the scammers had his T-Mobile account details. Had they hacked into T-Mobile or hacked into some other authorized party that has access to T-Mobile’s customer database? We did not know.

The details of this scam might explain parts of that scam and apply to other similar scams.

Another good friend of mine, at Truth-in IT, had an acquaintance who narrowly avoided a scam where the attackers were pretending to be from Xfinity (a Comcast service) offering them a discount on the next three months of bills.

In this case, the potential victim got a text to contact Xfinity using a phone number in the message about lowering their monthly rate. The victim, who uses Xfinity, initially fell for the scam. They called the provided number (never a good thing without researching first). 

The callback number from the text message led to high-quality, on-hold, background music periodically interrupted by a professional voice actor describing Xfinity's latest news and promotions, including a blurb asking, "Did you know that Comcast is partnering with Target Stores to sponsor big discounts for Comcast customers?"

Random thought: I wonder if that voice actor knows their voice is being used in a scam??

When the call is picked up by a human representative, the scammers identify themselves as Xfinity reps and say that there is a promotion going on affiliated with Target. The purported Xfinity rep said they would pay off the victim’s current pending bill and offer a 30% reduced bill for the next three months as well. During the pitch they stated the current bill owed. The victim had already seen their next bill, and the amount the scammer quoted matched it. So, at this point, the potential victim is hooked. “It has to be the legitimate company!”, the victim is thinking.

The scammer told the caller that in order to get the current bill paid off and the next three months at a reduced rate, they had to pay an amount equal to the expected billing of the next three months, all at once now. And the victim had to go to Target and pay the amount due with Target gift cards. The victim is, of course, questioning this, but the scammer says that this unusual payment request is because Target is an essential part of the joint promotion. 

After the victim goes to Target and buys the Target gift cards, the scammer says they will send another phone number where the victim can read the gift card numbers to pay the promotion amount due. If the victim does this, the fake rep says they will be sent another confirmation message confirming the promotion requirements have been met, and the three-month discount will be confirmed.

Here is the wild part…the scammers do indeed seem to pay off your current monthly bill. If you check your Xfinity account online or call the real Xfinity, Xfinity’s legitimate website or real reps will confirm your current bill has been paid off, although they cannot confirm who paid it. At this point, most victims will really believe they got a lucky promotion discount.

But within a few days, the “payment” will bounce, and the customer will be on the hook to pay it. So, the victim is out everything they spent on the Target gift cards. 

Xfinity is aware of this scam and said they will never ask a customer to pay their bill with gift cards. Here are some related Xfinity links:

There are a lot of Comcast customer victims. 

But this left my friend with a nagging question. He is also an Xfinity Comcast customer, and he was wondering how the scammers got their friend’s account balance information in order for the scammers to appear more legitimate. So, he called Xfinity’s tech support number.

The automated system immediately recognized his phone number, associated it with his account, and asked if he was calling about the account associated with this phone number and street address. Anyone can fake any phone number they like using today’s insecure phone system, so it is a bit concerning that anyone with his phone number could get his street address and potentially more account information without any additional verification.

As a test of the system, he said, “No, that was not the right street address.” The system asked him for the phone number associated with the account, which he entered. 

It asked him for his street address, which he entered.

It then asked if he wanted his account balance, to which he said, “Yes.” It then gave him the balance. It then offered to let him pay off that amount. 

All of this is something a scammer could do with very little information on someone. 

The scammer could do this completely randomly, sending fake Xfinity texts to anyone, and when a recipient calls in and is waiting to be serviced, the scammers can read the calling phone number, look up that person’s billing address on the Internet, and call Xfinity to get that person’s bill amount. That is, if they do not already have the information through some other means. Perhaps it is also how my friend from my previous scam story ended up in a T-Mobile scam.
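To make the weakness concrete, here is an added toy model (not Xfinity's or Comcast's code) of the two IVR disclosure policies contrasted above: the convenience policy treats a matching caller ID plus street address as proof of identity, even though the number can be spoofed and the address looked up, while a hardened policy still uses the calling number to find the account but only discloses the balance after a factor an impostor lacks: the customer's account PIN, or a one-time code texted to the number on file (which a spoofer never receives). All account data, names and values are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    phone: str
    street_address: str
    balance: float
    pin: str                           # knowledge factor chosen by the customer
    failed_attempts: int = 0
    pending_otp: Optional[str] = None  # code texted to the number on file


MAX_FAILURES = 3
# Constructed sample account; not real customer data.
ACCOUNTS: Dict[str, Account] = {
    "5551234567": Account("5551234567", "12 Elm St", 142.37, "8421"),
}


def _normalize(addr: str) -> str:
    return " ".join(addr.lower().split())


def weak_balance_lookup(caller_id: str, spoken_address: str) -> Optional[float]:
    """Convenience policy: spoofable caller ID + public address is treated as proof."""
    acct = ACCOUNTS.get(caller_id)
    if acct and _normalize(acct.street_address) == _normalize(spoken_address):
        return acct.balance
    return None


def send_otp(caller_id: str) -> Optional[str]:
    """Text a one-time code to the number ON FILE, never to the presented caller.
    The code is returned here only so a test can play the legitimate handset."""
    acct = ACCOUNTS.get(caller_id)
    if acct is None:
        return None
    acct.pending_otp = f"{secrets.randbelow(10**6):06d}"
    return acct.pending_otp


def hardened_balance_lookup(caller_id: str, pin: str = "", otp: str = "") -> Optional[float]:
    """Hardened policy: caller ID selects the account but proves nothing.
    Disclose only after a PIN or single-use OTP match; lock after repeated failures."""
    acct = ACCOUNTS.get(caller_id)
    if acct is None or acct.failed_attempts >= MAX_FAILURES:
        return None
    pin_ok = bool(pin) and hmac.compare_digest(pin, acct.pin)
    otp_ok = bool(otp) and acct.pending_otp is not None and hmac.compare_digest(otp, acct.pending_otp)
    if pin_ok or otp_ok:
        acct.failed_attempts = 0
        acct.pending_otp = None  # a code is good for exactly one disclosure
        return acct.balance
    acct.failed_attempts += 1
    return None
```

Under the weak policy a caller presenting a spoofed number and a scraped address gets the balance on the first try; under the hardened policy the same caller gets nothing and is locked out after three guesses.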

The overall problem is confidential customer information being revealed too easily for the sake of convenience. In this case, whoever assessed the security of Comcast’s phone service and allowed billing amounts to be disclosed this way probably thought, “What’s the harm in some stranger learning some other person’s cable bill?”

The answer is that the confidential information can be used by scammers to make their scams far more convincing.

Lots of other companies and services allow similar low-authentication lookups. Investigative reporter Brian Krebs has been writing about similar issues for years, including here:

It is ultimately up to each service to decide what information has to be provided before revealing a customer’s account information, but in the case of Comcast and others, the threshold is just too low for the risk. 

Customers need to have a healthy level of skepticism about any incoming, unexpected contact asking them to do something they have never done before (like paying off a bill using Target gift cards). At least do a little Internet scam check first, or call the company on a known good phone number to confirm the promotion exists, before doing what the fake rep wants you to do.

Many potential victims have reported the fake rep getting upset with them for any delay in getting those gift cards. They want the victim to get them now! A legitimate rep probably does not care whether or not you get the promotion, but even if they are incentivized to care, they probably are not getting upset at you for a minor delay.

Let me repeat my best advice again: If you get an unexpected message asking you to do something you have never done before (at least for that purported contact), research it further first using trustworthy methods before performing the requested actions.

A healthy level of skepticism can go a long way. Sharing stories of similar scams with others, including family members, friends, and co-workers, can also go a long way.
