The Nuclear Option: (Almost) Never Answering the Phone

There are a few scams that happen in-person (the fake utility worker being one of the most common), but the majority rely on some sort of communications technology.

This gives the people running the schemes the advantages of a physical buffer (less likely to be identified, or slugged upside the skull by an enraged victim), global reach (not limited to immediate local surroundings) and scalability (the ability to scam hundreds of people simultaneously, instead of one at a time).

According to FTC statistics, the telephone was the contact method for 69% of scams reported to the agency in 2018. By comparison, in 2008 phone calls only accounted for 7% of that total (email was the king back then, at 52%). If it seems like you’re getting more and more fraudulent phone calls over the past decade, it’s because you are.

Of course, there are various techniques for spotting a scam phone call in the moment, and one tried-and-true method of responding (hanging up without saying anything), but while I’m not a big fan of scorched-earth responses to daily irritations, there is one option that isn’t brought up often enough: simply (almost) never answering the phone. Basically, if the phone rings, you let it go to voicemail.

It can be hard to get used to. You don’t have to be all that old to remember a time when a ringing telephone was kind of an event. People would race each other to the kitchen to answer it. “The phone is ringing! It could be anybody!” And that’s exactly why you should consider letting everything go to voicemail now—it could be anybody.

The next step is to not automatically go through your missed calls and call back every number. If a legitimate caller has something important to tell you, they will leave a message. Sometimes a scam that sounds convincing if you pick up the call can sound completely unbelievable when you hear it as a voicemail. Like the prerecorded robocall that started playing as soon as your voicemail picked up, so the pitch starts mid-word about 20 seconds in. It destroys the credibility. It also gives you time to think about how to respond (which is to NOT respond, at all).

You probably don’t even have to ignore every call. While you can’t trust caller ID, the chances that a scammer is going to use the name and number of a friend or family member are low. Besides, you’ll know right away if it really is who you think. You’re not going to mistake a friend for a prerecorded “press 1 to lower your rate” scheme. If you’re expecting a call from a business, it is reasonably safe to answer. Again, you’re not going to think, “Well, my dentist usually only calls to remind me that I’ve got an appointment, but today they’re telling me I owe unpaid taxes. Better go buy some iTunes gift cards.”

The real issue with caller ID is when it says things like “Microsoft” or “Social Security” or “Internal Revenue Service,” or when it shows some random local phone number. Unexpected calls that are not in response to something you yourself initiated? Ignore.

How Much Should You Worry About RFID Card Skimming?

At some point you’ve either heard warnings that high-tech crooks are remotely reading people’s debit and credit cards using handheld RFID readers, or you’ve seen a wallet advertised as having built-in RFID-blocking features. More than likely, you’ve seen both. But is there really anything to worry about?

But before we get into that, what is an RFID chip?

RFID chips are embedded in some credit and debit cards, and are designed to let you pay by holding the card near an RFID-enabled card reader, instead of swiping or inserting the card into the machine. Contactless payment, in other words. U.S. passport covers issued since 2007 also have this type of chip, and you can set up a “virtual wallet” on most smartphones that can be used for contactless payments, even if the cards you add to it don’t have the chip.

The RFID chip is not the same as the EMV chip that is embedded in nearly every credit or debit card these days.

Your card will tell you if it has RFID technology embedded. The big four credit card companies each have their own name for this feature:

  • ExpressPay (American Express)
  • PayPass (MasterCard)
  • PayWave (Visa)
  • Zip (Discover)

An RFID-enabled card will also either say “RFID” or have an icon that looks like radiating waves (similar to a WiFi signal), or both. Tap-and-go is promoted as a desirable feature of these cards—they want you to know you can use it.

But, along with RFID cards came the usual anxiety about new technology: with your credit card just throwing out this radio signal containing all of your personal information all the time, it was going to be a cinch for some wily hacker to sit back in a shopping mall and just collect the data from every single card in every purse and wallet that happened to pass within 50 feet, right? And, right on cue, “security experts” emerged on websites and in online videos showing how it could, in theory, be done, under ideal circumstances. “Electronic pickpocketing” was the anxiety du jour.

Immediately, wallets and passport covers and other items (fanny packs, anyone? RFID-blocking jeans?) appeared on the market that claimed to block these frequencies, and they sold like hotcakes. Interestingly, a lot of those same experts who could demonstrate how this crime could be carried out also happened to be selling wallets, or at least promoting a paid affiliate link to buy one from somebody else.

There are a few things to know about electronic pickpocketing before you seek out (and spend money on) an item that is supposed to prevent this type of fraud.

First, the range of this type of RFID chip is about 10 centimeters (under four inches) and even that’s kind of pushing it. Outside of a vacuum, and with anything less than a NASA-level RFID reader, a thief would have to get extremely close to you to even have a chance of being able to pull this crime off. Like, probably touching you with his or her reader. And even then, circumstances are seldom ideal. What if you have two RFID cards on you? Those signals would be scrambled and worthless. And someone loitering around a crowd of people, holding a device up to every purse and back pocket in the place, is going to attract a lot of attention. “Be seen by literally everyone” is usually the opposite of what most crooks want to happen.

Secondly, any time a crime (however unlikely) has that “high tech” aroma to it, it’s easy to imagine the perpetrator as some kind of super-smart criminal mastermind, and there may have been a time (think: 25 or 30 years ago) when that was the case, but a lot of the “hackers” of today are the same people that would have been snatching purses a few decades ago. They’re not masterminds, and they don’t wait around for “ideal circumstances.” They go for the easiest, surest thing, and RFID skimming is neither. It is far easier, cheaper and faster to install a skimmer on an ATM or gas pump, or to buy a database of cards stolen in a data breach—and the success rate is much higher.

Finally, you’ve probably heard people claim to have been a victim of RFID skimming, but there have been no documented cases of fraud being traced to this activity. Real card fraud happens every day, but it almost always originates with a skimming device (that captures magnetic stripe data—becoming rarer as the EMV chip becomes the standard), with phishing attacks, or with retail data breaches in which millions of consumers are victimized at once. For an individual, it can sometimes be difficult to determine where the fraud happened, and so a lot of people just jump on the last thing they heard about. “RFID skimming? Oh yeah, that happened to me…”

In summary, RFID skimming isn’t something you need to be overly worried about. If a wallet or a passport cover has a feature to block these signals and it doesn’t cost anything extra, go ahead and get it. Or get some RFID-blocking sleeves for passports and individual cards if you want to, but you don’t have to spend much on these. I’ve seen a pack for under $10 that had enough sleeves for multiple cards and passports. But don’t pay a premium price just for the RFID-blocking feature, to prevent a crime that isn’t very likely to happen in the first place.

What a Credit Freeze Does (and Doesn’t Do)

When it comes to preventing identity theft, anything you can do to reduce your risk is generally a wise move, even if no one thing (or combination of things) can make you 100% safe.

One step you can take is to freeze your credit file with each of the three major bureaus (TransUnion, Experian and Equifax). This prevents creditors from accessing your credit file without taking additional steps to verify your identity. Since most creditors aren’t going to open a new line of credit without being able to see your file, it prevents one of the more common forms of identity theft, which is to open new fraudulent lines of credit which are then maxed out and never repaid.

However, there are things that a credit freeze won’t do, and it’s important to keep those in mind.

While a credit freeze prevents new credit accounts from being opened in your name (unless the freeze is temporarily lifted before applying), it does not, on the other hand, prevent unauthorized access to existing accounts. So, even if you’ve got a freeze in place, you still have to protect account numbers, passwords, PINs, your Social Security number, etc. That means you still have to watch out for phishing and other schemes designed to convince you to reveal this information to people who shouldn’t have it.

Similarly, if your credit or debit card information is compromised due to a data breach, a credit freeze won’t stop fraudulent charges from being attempted. Your card provider may have security protocols that automatically detect suspicious transactions, but that will happen whether you’ve got a credit freeze in place or not (you’ll also have to get a new card, since your old one is compromised).

A credit freeze also won’t prevent other forms of identity theft, such as using stolen information to obtain employment, medical services, government benefits or tax refunds, or to evade law enforcement.

A credit freeze won’t stop prescreened credit offers (for that, you need to call 888-5OPTOUT or visit https://www.optoutprescreen.com), and it also won’t keep existing creditors from viewing your credit files.

A freeze also won’t stop you from viewing your own credit reports or using your credit cards, and it won’t affect your credit score. These are misconceptions some people have about the process.

If you want to place a freeze on your credit files, the easiest way is to visit each of the major credit bureaus online and follow their instructions:

One more thing a credit freeze won’t do: remember its own PIN for you. When you place a freeze at each of the three bureaus, you will end up with a PIN for each one. It is important to keep this number in a secure location where you alone can access it, in case you need to apply for a new line of credit later. If you forget your PIN, you can reset it, but the process is not very convenient in most cases, as it requires providing additional documentation to prove that you are really who you claim to be.

Three Tips for Spotting Fake Reviews

If you shop online, you’re probably familiar with the “User Review.” These generally take the form of a star-based rating system (1 to 5) and a text portion where users describe what they liked or disliked about the product. User reviews on a site like Amazon are an integral part of their entire business model, as products can live or die on these reviews.

You’ve probably also encountered some fake reviews, whether you knew it or not. Usually, these are submitted by people who are paid by a company to artificially drive up a product’s average rating. Sometimes they are paid by a rival company to artificially depress a competitor’s score. Other untrustworthy reviews aren’t so much “fake” as they are “low quality.” This would include people poorly reviewing a book they’ve never read because the author has a political or religious viewpoint they don’t like, or people who submit reviews of something other than the item, such as “It was broken in shipping” (okay, fine, but Amazon has a process for that…instead of writing that in anger four seconds after you got the broken one, why not wait until you get a replacement and review that?). The one- or two-word reviews you see (“great!” “love it!” “terrible!”) are always low-quality, and may also be fake.

There are far more than three tips for spotting fake or low-quality online reviews; all you need to do is run a search on “how to spot fake reviews” and you’ll get hundreds of articles, but some of the tips are kind of involved, such as checking how many reviews each reviewer has submitted within a certain amount of time—dozens of reviews of random objects in a short span is a red flag—but who has time to do that? I’m more interested in techniques that don’t take up a lot of your time. Here are three semi-quick things you can do.

Check out the one- and five-star reviews first

If a significant number of the highest or lowest reviews are just one or two words long, or if there’s a lot of very poor spelling and grammar, it may be a sign that the seller has paid a lot of people to submit fake reviews for the sole purpose of affecting a product’s average rating. Off-brand electronics have a notoriously high number of glowing reviews that are completely worthless. However, this doesn’t mean all the extreme reviews are bad—if you find some that are well-written and thoughtful, those are worth considering.

Read some two-through-four-star reviews

For the most part, companies don’t pay people for two- or four-star reviews. They want extreme ratings that will have the greatest effect on the average. The reviews that live in the middle (between “didn’t like it much” and “mostly liked it”) are generally going to give some reasons for their opinion. Are there almost only five-star reviews out of hundreds or even thousands? Not a great sign.

Ignore the super-emotional reviews

There’s no real reason for anyone to be that angry (or joyful) over a three-pack of furnace filters. If you’re looking at an album by a music group, a review of the bass player’s response to being asked for an autograph in an airport in 1998 is beyond worthless, as are book reviews that say, “I would never read this trash. One star.” I know, we’re all people, and true objectivity is impossible, but give more weight to reviewers who at least try to stick to the benefits and disadvantages of the item you’re looking at.

Netflix Payment Phishing Scams

Video streaming giant Netflix currently has something like 150 million subscribers worldwide and 60 million in the U.S.

That tells me two things: there are a lot of people interested in gritty dramas, true crime stories, and those documentaries that kind of end up being more about the person making the documentary than the actual subject of the documentary, and Netflix makes a prime target for a phishing scam.

And sure enough, there is one.

In this case, the phony email message alerts the recipient that there was a problem with their monthly payment. “Please update your payment details,” it begins. There is a link that takes the victim to a website that will either infect the victim’s computer with malware, steal personal and financial information, or both.

There are always clues you can look for when you get this sort of email, such as the message using a generic greeting instead of your name, link text that says one thing while the link actually points to a completely different site, grammar and spelling errors, or even more subtle hints (the screenshot I saw of this phishing email mentioned a “Help Centre,” which is a British English spelling unlikely to be used by an American company contacting an American customer). But you don’t really need to get that in-depth. If you get something like this, go directly to netflix.com and log in to your account (don’t use any links or phone numbers from the message itself). If there really is a problem, they’ll tell you. After all, Netflix is a business. They’re going to make it as easy as possible to correct anything that comes between them and your subscription money.
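Two of the clues above, the generic greeting and link text that disagrees with where the link really goes, are mechanical enough to check in a mail filter. The sketch below is an added example, not part of the original article; the sample message, the `example.test` placeholder domain and the simple two-label domain comparison are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email).
# example.test is a reserved placeholder domain.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>Please update your payment details.</p>
<p><a href="http://billing-update.example.test/login">https://www.netflix.com/youraccount</a></p>
<p>Questions? Visit our <a href="https://help.netflix.com/">Help Centre</a>.</p>
"""

EXPECTED_DOMAIN = "netflix.com"  # the sender the message claims to be
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|subscriber)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs plus the message's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def base_domain(host):
    # Assumption: the last two labels identify the owner. A production
    # filter should use the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def review_message(html, expected=EXPECTED_DOMAIN):
    """Return a list of human-readable warning strings for one HTML message."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    if GENERIC_GREETING.search(" ".join(parser.text_parts)):
        findings.append("generic greeting instead of the account holder's name")
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = DOMAIN_IN_TEXT.search(text)
        # Clue: the visible text names one site, the href goes to another.
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        # Clue: the link does not lead to the claimed sender at all.
        if base_domain(host) != expected:
            findings.append(f"link leaves {expected}: {host}")
    return findings


if __name__ == "__main__":
    for finding in review_message(SAMPLE_HTML):
        print("WARNING:", finding)
```
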

Tips for Avoiding Apartment Rental Scams

If you’re looking for an apartment to rent, be forewarned that there are scammers out there waiting to take your money and leave you with no place to stay. Here are three tips to remember.

No sight-unseen rentals

If the landlord won’t let you visit the apartment before you agree to rent it and hand over money, walk away. Zero exceptions for any excuse they give, including overseas travel or missionary work. Scammers will pull photos of legitimate rental properties from the internet and post them as their own, then try to convince people to send them money to rent a property that is not theirs. At the very least, you need to make sure the landlord has access to the apartment (and make sure it’s not a dump).

First the contract, then the payment

As soon as a landlord wants you to make an upfront payment, before you’ve checked out the property in person and signed a lease agreement, something is not right. That’s your cue to walk away and report the listing as fraudulent.

There are a couple ways to pay, and several ways not to

A legitimate landlord is going to accept payment by check. There are some who might be set up to accept payment by credit card or electronic checks. The key with these forms of payment is that they are traceable. If a landlord wants you to wire money, pay in cash, or load up gift cards, once again something not-completely-legit is happening.

You (Still) Didn’t Win the British Telecoms Lottery

Any time an old Fraud Prevention Unit article sees a spike in traffic, that means an old scam, usually of the emailed variety and often of the lottery scam variety, has resurfaced. Due to a recent jump in traffic, it seems the old British Telecoms Lottery scam is out there making the rounds again.

I first wrote about this scam in early 2011. I’m not sure if the new version is the same or slightly altered, but here is the text of the one I got back then:

From: [redacted]@web.de
To: winners@btlottery.com
Sent: Monday, February 07, 2011 4:42 AM
Subject: Confirmed Today And Must Be Claimed Immediately

BRITISH TELECOMS PROMOTION DEPARTMENT.

The sum of $1 Million USD has been awarded to you by the BRITISH TELECOMS LOTTERY, Fill the form below for more details and E-MAIL: TO ([redacted]@gmail.com),

1. YOUR FULL NAME:
2. YOUR FULL ADDRESS:
3. YOUR MOBILE PHONE NUMBER:
4. YOUR AGE:
5. CURRENT OCCUPATION:

Yours Faithfully,
BRITISH TELECOMS PROMOTION DEPARTMENT.

There are so many things that don’t make sense here. If you had really won such a major award, why would you need to tell them your name? Why would a British company hand out such large amounts of money to random people who aren’t even British? Wouldn’t the prize be in GBP, not USD? Why would the message have been sent from a .de (Germany) domain? Why would the contact person be using a Gmail account rather than an official British Telecoms email address?

Regardless of the details, or whether the recent examples use this old text verbatim or if alterations have been made, the result would be the same: someone would ask you to wire a large amount of cash out of the country to cover “taxes” or “fees,” and then disappear. There really isn’t much that’s new when it comes to lottery scams.

Avoiding Mortgage Loan Modification Scams

There are a lot of people having trouble keeping up with their mortgage payments, and there are also a lot of people and companies offering fraudulent “help” that only makes things worse.

If you are at risk of foreclosure, there are legitimate ways to get help. You can contact your lender directly, call the Consumer Financial Protection Bureau at 855-411-2372, who will connect you with a HUD-approved counselor, or find out if your financial institution works with a credit counseling agency (REGIONAL members can contact Greenpath Financial Wellness at 800-550-1961).

Here are a few things to NEVER do:

Never pay an upfront fee to any company offering mortgage modification help. They will either take your money (and make your financial situation worse) and do absolutely nothing, or take your money and do something you could have done on your own for free (such as calling your mortgage lender and asking for a loan modification).

Never sign over the deed to your home to anyone.

Never believe promises of “guaranteed” modifications, or any offers to remove negative information from your credit report.

Never believe anyone claiming that your mortgage (or any other loan) is actually not legally binding because of some obscure piece of legislation they claim to have discovered, and that all you have to do is stop making payments, then tell your creditors that you don’t agree that your debt was a binding agreement under this or that section of federal law. No such clause exists, your debt agreements ARE binding, and you can end up being accused of fraud for pulling this stunt.

Never buy into promises of shortcuts. They’re not real.

Never do business with anyone selling mortgage help as a “forensic auditor.” Never make payments to anyone other than your lender, unless you’re using an accredited, reputable debt management program (such as offered by the aforementioned Greenpath) that you have thoroughly researched. The National Foundation for Credit Counseling (https://www.nfcc.org) is a nonprofit organization founded in 1951 that certifies credit counselors. Make sure the company you’re working with is certified by the NFCC, and look into their other certifications, but remember that anyone can save logos from the internet and put them on their own website. Don’t assume that an NFCC logo on a website means anything until you verify it yourself.

Funeral Notification Email Phishing Scams

There seem to be endless variations on phishing scams, but the goal is always the same: to convince victims to click on a link that takes them to a different website than they were expecting. Sometimes that website is designed to harvest personal financial information, sometimes it is set up to infect victim computers with malicious software, and sometimes it does both.

One variation is the fake funeral notification. A message with the subject line “Funeral notification” will appear to come from a funeral home, informing the recipient of the death of a friend and instructing him or her to click a link for visitation times or other information. If the link is clicked, the victim is directed to a website that attempts to install malware.

If you get such an email out of the blue, do not click any links. If you think it might be real, do a web search for the contact information of the funeral home the email appears to come from, and call them to find out if they sent the notification. Don’t call any phone numbers from the email itself.

There are other ways to spot this scam up front, though. If it does not contain the name of the deceased, and instead only refers to “your friend,” that’s a sign that it’s a generic email being sent to lots of people. Also, how would a funeral home have a list of a deceased person’s email contacts in the first place? They might publish a notification on their website, or publish viewing times in the local newspaper, but for the most part it’s up to the family and/or friends of the departed to contact individual people.

Here’s What a Debt Collection Scam Call Sounds Like

I was able to get my hands on the audio from an actual debt collection scam robocall recently, and it’s kind of interesting to listen to and pick apart.

Here is a transcript of the voicemail, which was left on a friend’s mobile phone:

[sharp inhalation] Yes! This is Jessica Thompson. I’m calling in reference to your federal student loan. Um, I need to discuss your repayment options with some new changes that have taken effect recently, so… [sharp inhalation] If you could please [unintelligible] just give me a call back, my number is 866-371-3232…um, I’m gonna go [ahead] and give you a reference number, if you would have this number handy when you call back, it just makes things a lot easier. Your reference number is 909902. Thank you.

A few points about this robocall:

  1. The caller never states the name of the organization calling. Is it a lender? A collection agency? The federal government? Is Jessica Thompson an independent student loan wrangler?
  2. If you search online for the phone number (in quotation marks) along with the reference number (also in quotes), you’ll find a lot of people who have received this exact same message with the exact same reference number. You’d think the reference number would be unique to each individual.
  3. It ends with a little bit of “electronic noise” (including a small beep) that wouldn’t usually occur with a live caller, which is a sign of a prerecorded robocall.
  4. Most telling of all: the person who received this has had their student loans, federal or otherwise, paid off for around 13 years now.

In any case, if you get a call like this, it’s safe to hang up or delete the voicemail. It’s nothing but a phony debt collector.