  1. #1
    Grand Master Know It All SouthPaw's Avatar
    Join Date
    Mar 2010
    Location
    Greeley
    Posts
    3,117

    Well, they got me (phishing/scammer)

    About a week ago, I got a text notification from Chase that my credit card was being used to purchase $950 worth of gift cards from some sports fan website. Chase asked me to verify the charge, and if it wasn't me to respond "no" and they would decline the charge, and reissue the card. It wasn't me, so I responded no and the old card was cancelled, and a new one was shipped. I use my credit card for pretty much everything. The protection and points make it worth it for me so it's the only thing I really use.

    Well tonight I received my card and I begin updating all my auto pay accounts. It then dawned on me that I received an email from Xfinity a few days ago asking me to update my card since the old one was no longer active. I click the link and start typing in all my info. I hit submit and receive an error. I refresh the page and it takes me to a random GoFundMe page. I then realized, it was a fake. I had just entered all my personal information, including my address, credit card info, mother's maiden name, ssn, etc. I couldn't f*cking believe it. I just spent the last hour locking all my accounts, changing all my passwords, locking my credit, credit cards, etc. I should have known better, but lack of sleep, not paying attention, letting my guard down etc, they got me. Thankfully it's really easy to get credit protection (Experian) and lock your info, but nonetheless, I got had.

    It never even occurred to me, but my gf is the one that pointed out the perfect timing and that it was a planned attack. They knew my card got declined, and likely was cancelled and a new one was issued. They may or may not have known I had my card on auto pay with Xfinity, but they waited a few days before sending the email. They also assumed/knew that it was due at the end/first of the month so it was all about timing. I really can't believe I fell for it. My gf even made a comment about it, as she knows I'm a freak about security. This isn't a pity but a reminder to be careful. These hackers are getting smarter and more clever each day. I'm hoping that with all the new security features available through Chase and Experian, nothing major comes of it. I have a 12 month protection plan in place, and my credit completely locked. If someone runs my credit, it will be declined, and it will notify the company running it it's locked due to identity theft.





    Some suggestions, make sure all your sensitive account logins (bank, email, etc) have two factor identification login setup. Make sure your accounts are backed up with alternative emails/phone numbers that only you have access to. The first thing they will do is go in and change all your passwords to make things inaccessible to you. Contact your bank and have them lock your accounts and info. If you aren't signed up for Experian already, I highly recommend it, as it's free. The protection plan is $25/mo and they offer a 12 month credit watch for free. What a pain in the ass.
    Last edited by SouthPaw; 06-03-2024 at 23:19.
    "But when it's time to fight, you fight like you are the third monkey on the ramp to Noah's Ark; and brother, it's startin' to rain."

  2. #2
    Witness Protection Reject rondog's Avatar
    Join Date
    Jul 2007
    Location
    Parker, CO
    Posts
    8,312
    Blog Entries
    1


    I wish all the scamming asshole criminals like this all over this planet would simultaneously get hit by lightning, or meteors! If you're smart/skilled enough to fuck over people like this, use your smarts/skills for good, honest things! Why be a useless criminal piece of shit preying on your fellow humans? I just don't get it.....
    There's a lot more of us ugly mf'ers out here than there are of you pretty people!

    - Frank Zappa

    Scrotum Diem - bag the day!

    It's all shits and giggles until someone giggles and shits.....

  3. #3
    BIG PaPa ray1970's Avatar
    Join Date
    Feb 2010
    Location
    Thornton
    Posts
    18,799
    Blog Entries
    1


    Pro tip. Don't click links in emails like the Xfinity one above and don't call any phone numbers provided in those emails to give them personal information.

    If you suspect your Xfinity billing information legitimately does need to be updated just log into your account as you normally would or call their known customer service number.

    I get literally dozens of emails every day because my account is being frozen or my service is being suspended and I need to update my payment information. Xfinity, Amazon, Verizon, Netflix, credit card companies, you name it. Most of them look very legitimate at a glance but there is almost always a telltale that gives them away. I used to enjoy spotting the giveaways... the weird email address, the email address that looks legit at a glance until you spot the 1 in place of an I, etc. Now I mostly just delete them and move along.
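
Added example (not part of ray1970's post or the thread): the giveaways described in the post above, a digit standing in for a letter and a sender address that does not belong to the company named, written as a Python check on the From: header. The `KNOWN` table, the sample headers and the two-label domain shortcut are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: brand -> domain that brand really mails from (assumption).
KNOWN = {"xfinity": "xfinity.com", "chase": "chase.com", "experian": "experian.com"}

# Visually confusable characters folded to one representative.
FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})

def skeleton(text):
    """Collapse look-alikes so 'xf1nity' and 'xfinity' compare equal."""
    return text.lower().replace("rn", "m").replace("vv", "w").translate(FOLD)

def tokens(text):
    """Skeletonised words, split on anything that is not a letter or digit."""
    return set(re.split(r"[^a-z0-9]+", skeleton(text)))

def registrable(domain):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def classify_sender(from_header):
    """Return (verdict, reason) for a raw From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in KNOWN.values():
        return "known", domain
    for brand, real in KNOWN.items():
        if skeleton(brand) in tokens(domain):
            return "suspicious", f"{domain} imitates {real}"
        if skeleton(brand) in tokens(display):
            return "suspicious", f"display name claims {brand}, sent from {domain}"
    return "unknown", domain
```

A "known" verdict only says the visible domain is on the list; it says nothing about whether the header itself was forged, so logging in directly rather than following the link still applies.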

  4. #4
    Grand Master Know It All eddiememphis's Avatar
    Join Date
    Mar 2018
    Location
    Denver
    Posts
    3,222


    Ray said it.

    Don't click any links to make changes or add info.

    Always log in to the website. That will be coming soon though- fake sites that look and operate like the real thing.

    When you think about it, Xfinity is ripping you off as well, making you pay for channels you don't watch and those that you do are about 40% ads anyway.

  5. #5
    Grand Master Know It All SouthPaw's Avatar
    Join Date
    Mar 2010
    Location
    Greeley
    Posts
    3,117


    Quote Originally Posted by ray1970 View Post
    Pro tip. Don't click links in emails like the Xfinity one above and don't call any phone numbers provided in those emails to give them personal information.

    If you suspect your Xfinity billing information legitimately does need to be updated just log into your account as you normally would or call their known customer service number.

    I get literally dozens of emails every day because my account is being frozen or my service is being suspended and I need to update my payment information. Xfinity, Amazon, Verizon, Netflix, credit card companies, you name it. Most of them look very legitimate at a glance but there is almost always a telltale that gives them away. I used to enjoy spotting the giveaways... the weird email address, the email address that looks legit at a glance until you spot the 1 in place of an I, etc. Now I mostly just delete them and move along.
    Yup, I have no idea what I was doing or thinking. I've been sick, I was lacking sleep and just got caught off guard. Really dumb on my part.

    Quote Originally Posted by eddiememphis View Post
    Ray said it.

    Don't click any links to make changes or add info.

    Always log in to the website. That will be coming soon though- fake sites that look and operate like the real thing.

    When you think about it, Xfinity is ripping you off as well, making you pay for channels you don't watch and those that you do are about 40% ads anyway.
    Hopefully this serves as a reminder for others. I really cannot believe I fell for it.
    "But when it's time to fight, you fight like you are the third monkey on the ramp to Noah's Ark; and brother, it's startin' to rain."

  6. #6
    Machine Gunner
    Join Date
    May 2012
    Location
    Elizabeth, CO
    Posts
    1,186


    Scammers are indeed getting very good and sophisticated.

    Here at work, several months back, we almost wired a scammer $320,000. The scammer had hacked into one of our contractor's Email accounts and had been following along and saw that this payment was coming due. The scammer then started Emailing us asking for this payment ASAP, with the excuse that they needed the money sooner than later due to unforeseen expenses that they needed to cover. The scammer had everyone's Emails CC'ed to my co-worker, EXCEPT no one else was actually CC'ed at all. The scammer was only Emailing my co-worker although it looked like everyone else was also involved in the Email chain. The ONLY reason the scammer wasn't successful was because the original attempt to wire the money failed, due to having one digit wrong on the wire. Just before a second attempt of wiring the money, my co-worker finally had a red light flash in his head that something seemed fishy and he made a call to the contractor, and then learned that they weren't actually asking for payment at all.

    Scammers are everywhere. If something seems odd, it probably is odd. Keep your guard up.

    Also, at my office, we consistently receive "fishing" Email from work, as training for us all to learn what to look for.

    And I don't even answer my phone if I don't recognize the number, including text messages.
    Laws aren't "preventable" measures. IOW, more gun laws won't stop mass shootings.

  7. #7
    Keyboard Operation Specialist FoxtArt's Avatar
    Join Date
    Feb 2013
    Location
    Montrose
    Posts
    2,838


    AI is dramatically changing the game too.

    This is a good time to make you all aware of something ....

    The firearm industry is targeted by pop-up fake storefronts. Many rank higher in search engines than legitimate stores.

    For instance, let's pretend you are searching for 50 bmg primers. https://www.google.com/search?q=50+bmg+primer

    They have been unavailable for a long time. (Ideal scam target).

    See if you can identify the fake stores on page 1... there are a lot of them.

    PRO TIP: Unless you have PERSONAL experience with the store, the BEST method to validate them is:

    1) These fake stores usually don't accept credit cards. If you get that far, and there's no CC option, IT IS A SCAM. Don't proceed despite your belief in a good deal.
    2) Look for a contact address and verify that on google maps. Often it'll be a field or some random house in California.
    3) Obviously, the price is too good. If they are the cheapest thing out there for something low-in-supply, you should probably already be suspicious.

    Otherwise these stores are AI generated, with valid certificates, fully crammed with various items, and in every way look like a normal, fully featured store.
    Last edited by FoxtArt; 06-04-2024 at 11:42.

  8. #8
    BIG PaPa ray1970's Avatar
    Join Date
    Feb 2010
    Location
    Thornton
    Posts
    18,799
    Blog Entries
    1


    Quote Originally Posted by TRnCO View Post
    Here at work, several months back, we almost wired a scammer $320,000. Also, at my office, we consistently receive "fishing" Email from work, as training for us all to learn what to look for.
    Same here.

    I will admit it kind of pisses me off that we have a group of people who work for the same company that I do and who are tasked with trying to trick the rest of us into clicking their bogus emails.

    They also have to look into anything that gets reported as phishing so you can bet that I try and keep them busy every chance I get by reporting almost every email that I receive as phishing.

    The funny thing is that the people who get tricked the most are supervisors and other IT type people.

  9. #9
    Splays for the Bidet CS1983's Avatar
    Join Date
    Jan 2011
    Location
    St. Augustine, FL
    Posts
    6,260


    To no one in particular:

    1st step - unique passwords (and username if they let you choose your own without forcing into your email). Bitwarden, LastPass, and others work very well for this and sync w/ phone app, windows app, mac app, and cloud.

    1a - if forced into email, and you use gmail, you can break up the email address with periods (I haven't tested underscore). Gmail views your email as a singleword@gmail.com. Example: john.smith1976@gmail.com is the same to Gmail as j.o.h.nsmith19.7.6@gmail.com; but to the place, it's a unique identifier since they cannot account for vendor specific oddities. As such, if you are getting spam or junk or phished because they got hacked or are shady, you would receive an email to "j.o.h.nsmith19.7.6@gmail.com" and that allows you to trace to the source of the leak. For anything particularly important (bank, health, etc.), try to use usernames instead of email, and if email and gmail, mess with them using the periods method.

    2 - Using the URL feature of bitwarden, lastpass, etc., NEVER click on any links and instead see "this is from Xfinity" and navigate there directly using the link saved in your password vault. That way if it's some PITA website with a ton of subdomains (career.company.com, customer.company.com, etc.) you aren't screwing around trying to find the right place to log in. This is especially helpful with the giant clusterbungle that DoD and VA websites are.

    3 - 2FA/MFA is helpful, but PLEASE choose a method that doesn't absolutely hose your access if you lose it. I had a job that wanted us to use an authenticator app which, if my phone died, would have rendered me unable to VPN. I thought it was stupid since any attack on our network could result in my phone being wiped remotely, etc. It is a good idea to have backup to backup.

    4 - For goodness sake please keep the login info for your PW management solution written down somewhere safe in case you are incapacitated and your spouse, kids, etc., need access to handle your business.

    5 - Stop using dang excel sheets labeled "passwords" or whatever lazy version of an unsecured database you are using, if you are.

    It is terrible to contemplate how few politicians are hanged. - The Cleveland Press, March 1, 1921, GK Chesterton
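
Added example (not part of CS1983's post): the per-vendor dotted Gmail address from step 1a, issued and later looked up in Python so a phishing email can be traced to the account that leaked the address. The hash-derived dot pattern, the function names and the vendor list are assumptions for illustration; the addresses are the ones used in the post.

```python
import hashlib

def canonical(addr):
    """Gmail treats dotted variants as one mailbox, so drop dots from the local part."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"

def dotted_alias(addr, vendor):
    """Derive a repeatable dot pattern for one vendor from a hash of its name."""
    local, domain = canonical(addr).split("@")
    if domain != "gmail.com" or len(local) < 2:
        raise ValueError("dot variants only apply to gmail.com addresses")
    bits = int.from_bytes(hashlib.sha256(vendor.lower().encode()).digest(), "big")
    bits |= 1  # always at least one dot, so the alias never equals the bare address
    out = local[0]
    for i, ch in enumerate(local[1:]):
        out += ("." if (bits >> i) & 1 else "") + ch
    return f"{out}@{domain}"

def build_registry(addr, vendors):
    """Map each issued alias to the vendor it was given to; refuse collisions."""
    registry = {}
    for vendor in vendors:
        alias = dotted_alias(addr, vendor)
        if alias in registry:
            raise ValueError(f"{vendor} collides with {registry[alias]}")
        registry[alias] = vendor
    return registry

def trace_leak(recipient, registry):
    """Return the vendor whose alias a message was addressed to, else None."""
    return registry.get(recipient.strip().lower())
```

Feed `trace_leak` the exact To: address of a suspicious message: a hit names the vendor that held that variant, and `None` means the address was not one issued from the registry.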

  10. #10
    Sits like a bitch
    Join Date
    May 2009
    Location
    Unincorporated Douglas County
    Posts
    3,533


    Quote Originally Posted by SouthPaw View Post
    but lack of sleep, not paying attention, letting my guard down etc, they got me.
    It has (or will) happen to everyone. Big + for telling your ordeal. This helps others a lot. When people are too embarrassed they bought shitty speakers out of the back of a van and don't tell their friends, their friends may buy shitty speakers too.

    MFA everywhere. Password managers with unique passwords for everything. Single use email addresses and credit card numbers. Out-of-band communication. Don't use your real info for security questions. Yubikeys for services that support them.
    If your post count is higher than your round count, you are a troll.
