Covid grocery scam

[fox]

I got a good one today, but I partially fell for it. I got an email message from a colleague asking for my number and I sent it. Next I started getting texts asking me if I would pick up groceries for him, that he was isolating. At that point I asked him to call me; he/she said he couldn't. Finally my Spidey sense kicked in, and I stopped responding and got hold of my colleague another way. This was a scam, and I stupidly didn't look at the address when I emailed back. The text area code was from New Jersey.

I suspect that the next steps were to ask me for credit card information, but it never got that far. But the person now has my mobile and home numbers. Can you think of any problems this might cause me and whether I should do something about it?

[ssfc72]

You might want to advise your carrier of this scam.  There is some scam where people's phone numbers have been hijacked by scammers pretending to be you and having your phone number re-assigned or a SIM card sent to them or something along that line. The scammer would then wind up with all your phone info that is on your phone.

[Jason Wallwork]

You did the right thing in confirming via a different method of communication.

Did you tell your friend to change the password for his email just in case his account was hacked? The scammer could have gotten your email from his contact list. However, I see that your Trent account list listed online so it could have been more easily gotten from there.

Therefore, going on I'd suggest not trusting any emails from a "friend" because everyone that wanted your email already has it: the scammers, spammers and bots.

Also, ask Trent if they really do need to list your email address online. Your Trent number is already there. Someone needing it can call you and get it that way.

The attempt was probably just was to get your number but for what purpose I can't imagine. Do you have any accounts with any websites that ask for your phone number information to either login or retrieve a password?

It seems more likely that he'd be trying what Bill said, wanting to contact your provider, pretending to be you and ask for a replacement sim card and having it sent to them and/or changing your number. Your SIM card doesn't store all the information on your phone. It's only about 128 KB but it's enough storage to store contacts, phone numbers, text messages, data usage and billing information. But that's bad enough and some sites use text messages for 2FA.

I agree with Bill that you contact your provider. Give them the info of what happened and ask them if a replacement SIM has been requested on your account or your number was requested to be changed. Then ask them to put a lock on your account so that no replacement SIMs, phones or phone number changes for a certain amount of time. A lock that even you can't circumvent.

When you contact them, note what information they require to ascertain your identity. They should ask for something more than publicly accessible info like name, address, postal code, phone number, email, birthdate.

Also, consider enabling the SIM lock feature on your phone. It will prevent the SIM from being used in a new phone or being swapped in your existing phone without entering a PIN. I suggest you contact tech support while you do this in case of any problem doing it.

[fox]

Thanks, guys. Jason, with respect to a SIM lock, once locked can it be unlocked? If not, it would mean I couldn't transfer it to my ZTE phone should my S9 break.

[ssfc72]

from 2017

https://www.itworldcanada.com/article/warning-protect-your-mobile-phone-numbers-from-being-hijacked/396018


from 2019

https://bc.ctvnews.ca/cellphone-industry-leaves-canadians-vulnerable-to-identity-theft-1.4576801

[Jason Wallwork]

Thanks, guys. Jason, with respect to a SIM lock, once locked can it be unlocked? If not, it would mean I couldn't transfer it to my ZTE phone should my S9 break.

I think so. I had my SIM locked my old phone. And on my new phone it asked for a PIN after moving the SIM card on startup. If I recall correctly. My brain is pretty addled lately.

[Jason Wallwork]

I just saw this and though with the headline it might pertain to what happened to you but it's actually a typical scam. Someone offers to buy groceries for you to get your credit card info. I don't think any of us here would fall for that. Scammers have always been bottom feeders but this pandemic really shows what lows they're willing to sink to. I won't say where I think they should go to other than to say that there are times I wished Hell was real.

[fox]

This was clearly an odd scam; I couldn't even find one like it on a Google search. I'm still not sure where, exactly, it was going. I'm guessing that by offering to buy my friend some groceries this person was going to volunteer to buy and deliver them, with my credit card of course. It never got close to that.

I did call Koodo about this and they put a note on my file, along with the phone number of the scammer. (Though the agent said that they switch phone numbers all the time.) Because I didn't click on any links or give out information beyond my phone number, the agent didn't think I should be too concerned. The agent said that before they would change my account password, for instance, they would have to answer a bunch of questions to identify me that they couldn't get routinely. Also, even if they got access to my phone information, there is little on there of value to them. I don't bank with my phone and I don't store credit card numbers on it. I don't even store credit card information on my Google account because I don't buy Play Store apps.

[Jason Wallwork]

Because I didn't click on any links or give out information beyond my phone number, the agent didn't think I should be too concerned. The agent said that before they would change my account password, for instance, they would have to answer a bunch of questions to identify me that they couldn't get routinely.Also, even if they got access to my phone information, there is little on there of value to them. I don't bank with my phone and I don't store credit card numbers on it. I don't even store credit card information on my Google account because I don't buy Play Store apps.

They not only change numbers all the time, they often fake the number you're seeing. You can set up software or install apps that do just that. It's good that you checked with them about how they would identify you. I've sometimes considered calling my provider and pretending to be someone else with only my publicly accessible info. And then see if I could get them to change my account info or get my old SIM cancelled and a new one sent to a different address.

Also, even if they got access to my phone information, there is little on there of value to them. I don't bank with my phone and I don't store credit card numbers on it. I don't even store credit card information on my Google account because I don't buy Play Store apps.

You missed one point I made but you don't need to answer it here and probably shouldn't. So just consider it.

I said:

Do you have any accounts with any websites that ask for your phone number information to either login or retrieve a password?

What I do with credit card numbers is to use them on sites when I make a purchase and then remove them so they're no longer on the server. Some services need your credit card number to charge you on a monthly basis so it may have to be stored permanently. I also have my credit card company email me every time a purchase is made as well as the balance on a daily basis. You can also use a service like VISA Verified and they give you a temporary credit card number to make a purchase that can only be used be used once.

[fox]

You missed one point I made but you don't need to answer it here and probably shouldn't. So just consider it.

I said:

Do you have any accounts with any websites that ask for your phone number information to either login or retrieve a password?

....

The only one I can think of is myTrent, and it's 2FA, with a message going to my phone that I have to validate. And it doesn't even ask for my phone number. Even if it was accessed by someone else, there is nothing on that site that is of non-academic use. I guess they could see my Trent emails, but again, they would need to redirect the message to their phone somehow.

[Jason Wallwork]

The only one I can think of is myTrent, and it's 2FA, with a message going to my phone that I have to validate. And it doesn't even ask for my phone number. Even if it was accessed by someone else, there is nothing on that site that is of non-academic use. I guess they could see my Trent emails, but again, they would need to redirect the message to their phone somehow.

Once they can access an account, they can change the number/email on it assuming it's in there. That's the point of locking your SIM card. Texts are a horrible form of 2FA as this article explains. If Trent supports Google authenticate or a hardware key (e.g. YubiKey) get that. Text 2FA is better than no 2FA, but only a bit better. There are lots of free authenticator apps out there.