Phished! Lessons learned from my smartphone stumble

When it comes to tech scams, in the immortal words of Antonio Banderas’ Puss in Boots, I have shamed myself.

It was probably only a matter of time. Hadn’t I parried “Windows tech support” phone scammers to a draw? Damn, I was good. But that feeling of secure self-assurance slowly tipped toward cockiness at the end of a long week as my newish T-Mobile smartphone rang.

(photo by Stomchak, via Wikimedia Commons)

“Hello,” the cheerful female phone robot began in my paraphrased memory. “We’re calling with a customer satisfaction survey for your T-Mobile account. For participating, you’ll be offered a discount on a mobile accessory or service.”

What the automated voice couldn’t know is that I was really happy with my T-Mobile service since I switched from another carrier. Of course I’d take the survey. I punched through the half-dozen or so questions, ranking coverage, customer service, clarity of bill and value for the price on a four-digit scale.

At the end, it asked me – as T-Mobile’s customer service line also does when you call it – to record my name. Then record my billing address, punch in my ZIP code, and finally, for account confirmation, to punch in the last four digits of my social security number.

Yes: This is indeed like those movies where you’re screaming at the idiot college student to not investigate that nighttime noise downstairs in the vacation cottage. But they don’t hear you, either.

“Thank you. You’ll be contacted by a representative with details of your discount,” intoned the Borg Queen. Click.

Uh oh, texted the pit of my stomach to my cerebellum.

Oddly, my suspicion was raised about being “contacted later” and not immediately getting specific discount information. Part of me assumed that they had the social already, so the request was just confirmation that I was indeed the person to whom the T-Mobile account belonged, and not some random person who was using that mobile phone.

Not them, not their fault, really

I checked the caller ID again: valid T-Mobile customer service number. I called T-Mobile customer service: same-sounding automated-attendant female voice, including a request to record my name. I asked the human customer service representative about the survey call and was told: sir, we never ask you for an SSN – even in a survey – because we already have it.

And now, so did the caller ID-spoofing, phone robot mimicking, extraordinarily clever phishers.

With my social, they could easily get access to my account and make changes, perhaps assigning a new SIM card, billing many expensive international calls, and leaving me with a lovely Google Nexus 5 brick that would become far more expensive at my next monthly invoice.

And they – or someone else – didn’t stop trying. Two days later, I received a mobile text that read, “For security purposes, your T-Mobile account has been locked; visit this [URL] and confirm data.”

True, my T-Mobile website access had been locked as a fraud prevention measure after I reported the phishing attempt. But in this case, the tell was obvious – a web address ending in .lt. For Lithuania. I didn’t click.

Strangely, no one I spoke to at T-Mobile, from customer service to risk assessment (fraud) reps, had heard of this automated survey trick targeting T-Mobile customers. But it’s not a new phishing scam everywhere. The rep in risk assessment said she knew from personal experience the automated-survey tactic has been used for cable and electrical service phishing attempts and added, “It’s just crazy how in-depth they’re getting these days.”

And it’s clear that as tech makes everything cheaper and easier (including automated phone surveys; heck, SurveyMonkey offers them) it makes everything cheaper and easier for phishing scammers, too.

Whac-A-Phisher? (photo by Kungfuman [CC-BY-SA-3.0] via Wikimedia Commons)

When I followed up with a T-Mobile spokesperson, at first what I got were common-sense and relatively generic personal information safety tips (similar to my first interactions with Microsoft on the Windows tech support scam; after all, no company wants to shout to the world, “Hey, scammers love us better!”).

When I pressed, it became clear that security precautions, no matter how good, were at best a challenging game of Whac-A-Mole. “The ‘phishers’ are getting more and more sophisticated in all that they do – which includes automation, spoofing, etc. – which is why we need to be even more on guard,” I was told. “Unfortunately, we have seen this before in a number of forms, as have other companies.”

Basically, I had fallen victim to a classic “social-engineering” phishing attempt. And not out of fear, or greed (two typical motivators). Out of my nerdy, altruistic liking for T-Mobile. The shame.

Even though my account is now protected by a verbal as well as a web password, another piece of my sensitive personal information is out there. It may never be used. Or, like a dormant virus, it may quietly lurk and infect my future financial life in a way I can’t yet foresee.

What is surprising is the price of security. As is often said of freedom, it is eternal vigilance. But in this case, it’s vigilance against doing something, even momentarily, that is intensely stupid.

Frank Catalano (@FrankCatalano) is an independent industry consultant, author and veteran analyst of digital education and consumer technologies whose regular GeekWire columns take a practical nerd’s approach to tech. And yes, he knows that classic tragedies usually begin with a protagonist’s fall from presumed invulnerability. But usually not technological.

  • JB

    I don’t know what T-Mobile you talk to, but I’ve been with them for years and every time you call customer service or tech service, they ask for the last 4 of your social. First the robot does, but you can tell it “I don’t have it.” Then when the human comes on they ask for the last 4 of your social again, for “security purposes.”
    However if you gave out your info to a cold call or a text, that’s on you.

    • FrankCatalano (http://www.intrinsicstrategy.com/)

      Correct. This was on me, because it was an automated survey that represented itself (and sounded exactly like) one from T-Mobile. I’m also asked for the last four of my social whenever I call T-Mobile, but those are calls I initiate, same as you.

      • JB

        Sorry, it threw me off when you wrote that the human T-Mobile CSR informed you that they never ask for your SSN “because they already have it.”
        I actually got a survey call from T-Mobile the other day; the number was unfamiliar and out-of-state, so I looked it up after not answering (how I found your blog lol).
        They called again, of course, and I answered to listen to the automated spiel. I actually had been in contact with customer service earlier, so the survey made some sense; however, they did not ask for an SSN, and definitely did not offer any discount on anything for participating.