
Just a heads-up about a twist on an old scam, courtesy of my mom. Last night, my mom, who is in her mid-80s, had a $450 charge made to her Scotia Bank Access/Visa debit card for a baseball hat from a real store, shipped to her real address. $450 for a hat? Seriously?
A scammer, pretending to be her bank, called to alert her to the fraud. In older scams, they’d call about fake charges and try to get your card details. Here, the scammer knew about the real charge because they made it, and already had all my mom’s info: card number, expiration, name, phone, email, and address. They may have more of her data - this is only the information I can confirm from what was used to make the purchase.
Mom did exactly what I always tell her - she said she needed to talk to me first. Great work Mom! The "bank" agreed to call back and conference me in. Before the call, I checked her bank account and saw the fraudulent transaction. During the call, the scammer read off her card number and purchase details but never asked for new info. He told us the bank had frozen the card, and the charge would be reversed in an hour.
After hanging up, I still had a bad feeling, so I told my mom we should call the bank directly. My mistake was procrastinating 20 minutes before having her make that call. I thought, well, must be the bank as he already had all the information scammers usually seek and never asked for anything new. What scammer would proactively call and warn you they had scammed you? What scammer would call back and conference me in? That would take insane nerve. I dug into the phone number he used and quickly confirmed it wasn’t a bank number. So, despite not giving him any additional info, I knew it was some type of scam, though I couldn’t figure out the angle. I immediately had the account frozen. Here’s the twist: my initial thinking is exactly what the scammers were hoping for because it builds trust with the victim. I believe the scammers are playing a long game, sacrificing a bunch of smaller transactions in hopes of getting full access to my mom’s bank account and becoming the main contact for “fixing” the issue.
The scammers are persistent - this morning, my mom got a "bank" text about the suspicious transaction asking her to verify it. I suspect she will continue to be targeted by this specific scammer(s) for a long time to come. Obviously very stressful for someone 80+ who has no technical inclination.
How did they get her information? My mom still had her card in her possession. She was recently notified by Nova Scotia Power that her information was exposed in the Nova Scotia Power data breach. Since she pays her power bill directly from her bank account, that’s likely how her information was compromised. Frustratingly, Nova Scotia Power has not provided - and likely will not provide - individual victims with specific details about exactly what personal information was exposed.
A few takeaways: The Nova Scotia Power breach appears to be highly intrusive. In addition to the details used in my mother’s case, Nova Scotia Power has indicated that compromised data may include dates of birth, customer account histories (such as power consumption, service requests, customer payments, billing and credit history, and customer correspondence), bank account numbers, driver’s licence numbers, and social insurance numbers. While this data hasn’t been widely dumped on the dark web, it is already being used in sophisticated scams. This kind of information is extremely valuable on the dark web and is likely being circulated in tight circles due to its high potential for exploitation. As a result, Nova Scotians can expect to be seriously targeted and exploited for years to come.
The other lesson learned is that you can’t trust any financial institution communication you didn’t initiate. Despite new technologies and regulations aimed at reducing spoofed calls (such as the implementation of the STIR/SHAKEN caller ID authentication framework), scammers continue to manipulate caller ID information to make it appear as though calls are coming from trusted sources, including banks, police departments, and government agencies. Always verify contact info yourself (such as using the number on the back of your card) and reach out directly to confirm any issues.
A tip for folks with an elderly parent like me - my mom has an iPhone, so I was able to set it so she will only receive calls from people in her Contact List: Settings-Phone-Silence Unknown Callers. You can do the same for text messages: Settings-Messages-Filter Unknown Senders. Android has similar features. Of course, this has a downside, as they will miss calls/texts from folks not on their list, but my mom is at a point where this is a must. If you still want to allow all calls, there are apps like Truecaller that will provide better notification if an incoming call could be fraud or spam.