Who would have thought that just a few short days after I wrote a blog post about social engineering I would get called with a major social engineering scam? This one was at my house, not at work, but the same principles apply: never give out information you wouldn't want a scammer to have, never agree to give them money (or passwords!), and verify their authenticity with a known trusted source.
This morning, I received a call from a person claiming to work for Briggs Security, trying to coordinate a time when they could deliver a prize I had won from Publisher's Clearing House. I of course started out by telling him I didn't believe him. So he gets his manager to call, and his manager says, "This is not a scam, you have won 2.5 million dollars through Publisher's Clearing House, and all you need to do is call the claims department." He gives me a Winner number, a package ID number, and the actual check number to write down. Then he gives me some phone numbers to call so I can schedule a time when they will come bring me my check. Isn't that great? Two and a half million dollars, and I didn't even enter any contests! When I mentioned that minor detail he told me that people are automatically entered when they pay utility bills on time.
The next part of the conversation is where things started to get dicey. He wanted to know if I worked, if I was disabled, and when I would be home. But that's not all: he also wanted to know the name of my bank and my mother's maiden name as a password for future interactions. (Imagine now red flags waving violently in the wind and alarm bells ringing loudly.) I of course do not want to give him my mother's maiden name, as that information is used widely on the Internet to verify identity. What if he goes to my bank's web site, is able to guess my username based on the information he has, and now he has my mother's maiden name? This could easily be the "secret" that my bank uses to reset my password. Scary!
The next thing I was supposed to do was call the Claims Department. Once I got off the phone with him, I went to Google and looked up the phone number for Publisher's Clearing House. I called them and reported the call I received. They confirmed this was a scam, and warned me that they would probably try to get me to pay for insurance or shipping, or something like that, which is where they make their money. I decided to go ahead and call the Claims Department so I could gather as much information as possible and use it to report the scam at fraud.org.
When I talked with the Claims Department, they asked when they could deliver the check, and then they started to explain that I needed to pay for shipping and handling. I didn't point out to them that they claimed to be hand-delivering the check (which normally does not mean you pay shipping and handling) - that their whole cover was that they were the security company who would be accompanying the Publisher's Clearing House delivery team. Regardless, I told him, "Oh, no. I won't be paying for anything." He paused and said, "Excuse me?" I repeat myself: "I won't be paying for anything. If I have to pay for anything, I don't want to participate." Then he hung up.
Just in case you ever get a call like this, the phone number I received the call from was (876) 485-9735. The Claims Department phone numbers were (876) 782-6915, (914) 412-2425, and (702) 545-6252. Remember to protect yourself and your employees! Educate them about social engineering and remind them to never, ever give information out to people who call or email them out of the blue (and that includes clicking on links in email) - not even if they claim to be from Publisher's Clearing House.

Comments
Nuts! I can't believe that happened to you. I've often thought about social engineering my parents just so that they'll be more aware of experiences like this, but I'm not sure I could carry out something quite so elaborate as this. It's like a 419 scam in the US. Well done on their part but even more well done on your part for pegging it for what it was... not that I'd expect anything less!