Posting this here because maybe I can help someone else NOT fall for this BS.
Going down the road today on my way home and I get a phone call; caller ID says it's my bank, USAA. I answer and this nice young man and I had the following conversation:
THIEF: Mr Sumo, this is USAA’s fraud department. Have you just attempted to make a $1000 purchase in a Target in Denver?
ME: Ummm… nope. I’m literally in Texas right this minute, so no.
THIEF: OK, sir, I’m going to quickly authenticate you with our system. You’re going to be getting a text message from us with a PIN, I need for you to read that to me.
(I get a text message from USAA, my phone recognizes them from previous security checks, so I think I’m good, right? Nope.)
ME: I read the PIN
THIEF: OK, thank you… hang on, my computer is being slow…
We had a little more conversation but here’s the gist of this: While he was calling me, his buddy in the next room was on the phone with the real USAA telling them that he needed the account PW reset. They, of course, sent a two-factor authentication PIN to my phone. I read that PIN off to my guy, who fed the other guy and BOOM, they were in. Clever girl.
Before I could pull over to handle this I had a flurry of emails from the bank in my mailbox:
- Your account PW was changed.
- Your account name was changed.
- Your security questions were changed.
- You added Joes Blower as a payee (the literal name they used!)
- You transferred XYZ to Joes Blower (this one repeated for several attempts)
Understand that I work professionally with computers and am super skeptical about most things. I stay up to date on scams and security. My radar was up the entire time I was chatting with him and I STILL walked into it. From my POV this was the real deal.
The part that I missed, and the part I want to convey… Large companies like this will almost NEVER call and start asking you for info. What I SHOULD have done was this: As soon as he mentioned the Target transaction, I should have said thank you and hung up, then looked up the number for USAA’s fraud department and called them. I thought this was them; I fell for it.
The credit union is already working on returning the cash. Because these guys didn’t try transactions here in TX the bank shut things down pretty good and the thieves only got a few hundred. I’ll get that back. But now I’ve got a shiny new login that I have to use and worries about what info they might have seen while in there. Yay! Plus, USAA is sending me one of their nice two-factor key fobs that would have stopped this.
Strangely enough I just read a few weeks ago that SMS PINs were hackable. I thought the article meant that you could hack them electronically. I never expected a literal man-in-the-middle attack!!
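The flurry of notifications in the post (password, name and security questions changed, then a new payee and repeated transfers, all within minutes) is exactly the chain a bank's own monitoring can flag before the money leaves. The following is an added example, not code from the poster or from USAA: a small detector over constructed account-event records that flags an account when a credential change is followed, inside a short window, by a transfer to a payee added in that same window. Event names, timestamps and the "acct-1"/"acct-2" identifiers are all made up for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the sequence in the post (not real bank data).
# Each line: ISO timestamp, account id, event type, detail.
SAMPLE_EVENTS = """\
2024-05-01T17:03:05 acct-1 password_changed -
2024-05-01T17:03:40 acct-1 account_name_changed -
2024-05-01T17:04:02 acct-1 security_questions_changed -
2024-05-01T17:05:30 acct-1 payee_added Joes_Blower
2024-05-01T17:06:01 acct-1 transfer_attempt Joes_Blower
2024-05-01T17:06:45 acct-1 transfer_attempt Joes_Blower
2024-05-01T09:00:00 acct-2 password_changed -
2024-05-03T12:00:00 acct-2 payee_added Landlord
"""

# Events that rewrite who controls the account; several in a row is the takeover signature.
CREDENTIAL_CHANGES = {"password_changed", "account_name_changed", "security_questions_changed"}

def parse_events(text):
    """Parse the whitespace-separated records into (timestamp, account, kind, detail)."""
    events = []
    for line in text.splitlines():
        ts, acct, kind, detail = line.split()
        events.append((datetime.fromisoformat(ts), acct, kind, detail))
    return events

def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Return {account: reason} for accounts where, inside `window`, a credential
    change is followed by a transfer to a payee that was added in the same window."""
    flagged = {}
    by_acct = {}
    for ev in sorted(events):
        by_acct.setdefault(ev[1], []).append(ev)
    for acct, evs in by_acct.items():
        for i, (t0, _, kind, _) in enumerate(evs):
            if kind not in CREDENTIAL_CHANGES:
                continue
            new_payees, cred_changes = set(), 1
            for t, _, k, detail in evs[i + 1:]:
                if t - t0 > window:
                    break  # outside the window; nothing later can chain to this change
                if k in CREDENTIAL_CHANGES:
                    cred_changes += 1
                elif k == "payee_added":
                    new_payees.add(detail)
                elif k == "transfer_attempt" and detail in new_payees:
                    flagged[acct] = (f"{cred_changes} credential change(s), new payee "
                                     f"{detail!r} and a transfer within {window}")
                    break
            if acct in flagged:
                break
    return flagged
```

Run `find_takeover_chains(parse_events(SAMPLE_EVENTS))` to see acct-1 flagged at the first transfer attempt, while acct-2's unrelated password change and a payee added two days later are left alone.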