This afternoon I received an unexpected call from Verizon Wireless, my cell phone carrier. A customer service rep was calling to ask me if I had requested a change in billing address on my account. I had not. She informed me that someone in possession of the last 4 digits of my Social Security Number had attempted to change the details of my account. She said that when she pressed the scammer for more identity verification, the scammer hung up. She then called me.
Great, someone out there knows some things about me, like my name, perhaps my Verizon Wireless phone numbers or account numbers, and at least the last 4 digits of my SSN. Frankly, I’m not terribly surprised. Every day there’s a new story about some web site that let itself get hacked and lost all their users’ personal data.
The Verizon rep and I danced a bit as I attempted to discern whether this call itself was a scam. I’m suspicious by nature and consider myself fairly information security-savvy. So when the rep asked me to provide her with the last 4 digits of my SSN, I got cagey. We eventually compromised by agreeing that if I could log into my Verizon account (which I could) and change a certain field, she should be able to tell me what I changed. We did that, and I was satisfied I was actually talking to someone at Verizon. (I also Googled the caller ID number while we were speaking, but caller ID can be faked).
The rep had me set a billing password on my account which would henceforth be used as an identity check instead of my SSN.
My rep paused and said, “Uh oh.” Apparently the scammer was at it again, with a different rep. My rep noticed that the name and billing address had been changed on my account, while we both sat there and watched it happen.
The rep apologized and put me on hold while she IMed and then called the other rep. The other rep was not following the procedure for verifying the customer’s identity. Had the scammer gotten that rep earlier, it could have cost me dearly.
I had to wonder whether my setting of the billing password had taken effect before or after the second rep let the scammer through.
My rep reached the other rep, and they dumped the caller. My rep also sent a message to other rep’s supervisor.
“This guy has apparently been at this all day,” she said. The scammer had been calling rep after rep, trying to find a chink in the armor, a rep who wouldn’t properly verify the customer’s identity. There were notes in my account log attesting to this.
My rep had me reset my billing name and address. She said they’d report the incident to the fraud division. No clue what could happen next there.
I asked my rep what the angle here was. “What we usually see is that they change the address, then order a bunch of stuff to be delivered to the new address.”
So I have a first and last name (probably fake) and New York City street address and apartment number of somebody who was attempting to defraud me.
I tried the NYPD first, but they told me I had to go through my local police. So I filed a local police report, got a case number. Tomorrow I’ll see I can raise the interest of the NYPD.
What else might this guy try to hijack? I’ll be checking all my bank and credit card accounts to make sure I’ve got all possible security controls in place. Since my SSN may have been compromised, I submitted for an automated 90-day fraud alert with Equifax/Experian/Transunion.
Kudos to this one rep at Verizon for following procedure and contacting me. But shame on Verizon for (1) letting this guy try this all day long to subvert the system and (2) hiring the rep that actually changed my account information without rigorous validation of my identity.