How I protected myself from Phishing Attack

How I Survived A Phishing Attack

The Plot

I was looking for a new broadband internet connection from Jio Fiber. So I filled up their registration form and got the confirmation message – Coming to your area soon! We are expanding our network rapidly and will contact you once in your neighborhood. (Have been repeatedly doing this for a couple of hundred times)

Sometime in July 2020, I received a call from one of their sales executives inquiring if I’m interested in Jio Fiber and with great excitement, I said – ‘Yes’🙃 But after checking my location details, he informed me that their service isn’t available in my area and the conversation ended. I saved his phone number for future inquiries.

Jan 15, 2021, 03 PM: I received the call from the same person inquiring about any requirements for a Jio Fiber broadband connection. I agreed and he sent two team members to visit my residence and get me registered.

Jan 15, 2021, 05 PM: As expected, the team member arrived sharply within 2 hours. At first, they completed my e-verification process and then initiated the payment request triggering an SMS to my phone. This  SMS contained a unique, self-expiring payment link to Jio’s website. After verifying the URL properly and getting fully assured that the payment is being made to Jio Itself, I completed the payment process through my mobile phone.

The sales team member verified the payment completion and left my residence while promising that their service team will be in touch with me regarding the installation process.

SO FAR SO GOOD.

I wasn’t available the next day and therefore requested them to get the installation done on Jan 17, 2021, and that too within 10 or 11 AM because due to poor daylight, it becomes quite difficult to work outside during the dusky evening time. Also starting earlier will provide them sufficient time to troubleshoot any last moment technical glitch.

THE CLIMAX

I waited till noon on Jan 17, 2021, but no one turned up, nor did I receive any SMS or phone calls updating me about the installation. I called the Sales executive and he told me that there are some delays from their end and the service installation team will reach out to me shortly.

Jan 17, 2021, 1:46 PM: I received the 1st official Jio Fiber SMS informing me that the service engineer will be visiting my premises by 6:30 PM. As mentioned earlier, I didn’t prefer them to visit my home after dusk hours but I didn’t want to waste another full day by rescheduling the appointment and therefore chose to continue with their preferred timings.

Jan 17, 2021, 06 PM: After awaiting the whole day and having no-one calling or visiting me, I tried to call the salesperson but he didn’t answer. At times, I found his phone number busy but again when I called him, he didn’t pick up my call. At this time, I felt being cheated and started looking for support options from Jio. I was however assured that my money is safe since the payment was done to Jio through their official website and I have received the confirmation message from the bank once the payment was completed successfully.

At first, I tried to call the Jio Fiber phone numbers 1800-893-3333 & 1800-896-9999 for manual assistance but ended up connecting with the IVRS system and I didn’t have the patience to follow its tedious instructions. After trying for a few minutes, I hung up.

Out of desperation, I publicly tweeted @JioCare and asked them to call me. I also added my phone number at the end of the tweet. And that was my mistake.

@JioCare responded to my tweet which IMHO (in my honest opinion) didn’t make any sense. I tried calling the mentioned phone number 1800-893-3999 and the concerned person wanted to talk to my Local Referee and the call got concluded with no proper resolution.

A few minutes later, I received a call from a number +91-85978-57024, and the TrueCaller App installed on the mobile phone flashed the unknown caller’s name as Customer Care. I received the call and the male person on the other side told me that he is calling on behalf of Jio’s customer care and inquired about my complaint I posted through Twitter.

I updated him that no-one showed up for the installation process or cared to update me. The person on the other side listened patiently and told me that there is a verification process that needs to be done before the installation can be done. And for this, he asked me to install an app. ‘An App?’, I asked and then informed him that the e-verification is already done by the sales team who visited my residence. The person on the other end now informed me that the previous e-verification was unsuccessful due to some system errors and therefore insisted me to go through another round of verification process and ensured that this is the final verification.

🙂 At this time, I was doubtful about his intentions. He suggested me to go to Google Play Store and search for ‘QS’ which took me to Team Viewer App.

🙂 I inquired about what he plans to do with this App. He replied that this App will be used to connect Jio’s server with my phone and get the verification completed.

🙂 With immense interest, I further asked what do you do after the Jio Server is connected to my phone and he told me that there are some easy steps which I needed to follow once the connection is established. And after saying so, he immediately inquired if I have got the app installed.

I replied to him saying ‘Yes!’ and he asked me about my Team Viewer ID 🤣😂😅

I didn’t have a spare phone for further experimentation with him and neither did I have the patience to entertain such scammers at that time and therefore concluded the call by asking him if he has seen the latest movie Jamtara

After a pause ………. he disconnected the call. For those who’re unaware of Jamtara, it’s a Netflix movie showcasing a group of small-town young men running a lucrative phishing operation from Jamtara, Jharkhand.

What could have happened?

Phishing scams have been there for quite some time. People used to get lucrative emails from someone living in a distant land (mostly Nigeria) informing that their prince has passed away or killed and some notorious person wants to take over the entire kingdom and its wealth and the person sending this email wants to relocate to some other country and have the prince’s royal money transferred. To do that, they wanted to get a bank account where these millions of dollars can be parked temporarily. And the possible victim of the email would be given a lump sum amount as a reward to park such temporary money. But to get the prince’s wealth, advance money has to be sent for some sort of processing & verification fees. With the passage of time and the introduction of new technologies, these scammers have found new ways to cheat people.

In my case, the scammer deployed scraping tools on social media websites i.e., Twitter which helped them identify dissatisfied customers. He won’t have been able to reach me if I would have NOT tweeted my phone number publicly asking @JioCare for the call back since I wasn’t able to reach them. The scammer called me and leveraged upon my mental state towards directing me in doing things thus enabling him to get full access to my phone and he would have carried forward his malicious plans accordingly.

Similar Incident

Shopclues Fraud

My cousin found a lucrative deal of a pack of 12 face towels at Shopclues.com and therefore without further ado, he went ahead and placed the order with COD (Cash on delivery) as his preferred mode of payment.

Shopclues Phishing Scam

For those unaware, Shopclues is a digital marketplace that enables sellers to showcase and sell their products to interested customers. Most of the orders are fulfilled and shipped by sellers themselves. Shopclues doesn’t check & verify the content of these shipments. Instead of sending the towels, the so-called seller sent my cousin – 2 sets of defective rice lights. My cousin insisted the delivery person return the money but it didn’t work. He was a poor man delivering goods at doorsteps. However, he advised my cousin to contact Shopclues for any returns/ refunds related issues.

Shopclues has a dedicated page for returns and replacement wherein it clearly mentions that the return requests for any Damaged/Missing/Empty Package/Wrong Product should be filed within 2 days of delivery. It further provides all the detailed instructions about returning the product to Shopclues.

Instead of looking for support through their website, my cousin (out of anxiety) googled for Shopclues support phone number and ended up getting the phone number – +91-98833-98924. He called the phone number and the scammer responded to him as Shopclues phone support. At first, he listened to the entire issue that my cousin faced, and then like any professional customer service personal expressed his sorrow on behalf of Shopclues and how the company failed to live up to the customer’s expectations.

To gain confidence, he further added that the customer i.e., my cousin doesn’t have to return the product since it’s a different product. And then told him that he would be initiating the refund right away. But to get started, he would like to get the customer verified. He collected my cousin’s Debit Card number details and then initiated a purchase worth Rs. 1,099 through Amazon India.

After a few minutes, my cousin received the following message through his Bank and he realized that he was the victim of online fraud.

Dear Customer, tx#VU9682298435 for Rs1099.00 by SBIDrCARD X2256 at AMAZON on 23Jan21 at 14:08:20. If not done forward this SMS to 9223008333/18001111109/9449112211 to block card.

My cousin visited the nearest police station to file a report about this incident but soon discovered many other complainants in the police station who have been duped of much higher amounts. And the law enforcement authorities were overwhelmed with several complaints.

Are Phishing Scams happening only in India?

No, Phishing scams are happening around the world.

Being a digital marketer by profession, I’m in charge of handling online advertisements for many clients worldwide. It was in 2018, I was handling the Facebook Advertisements for a US-based e-commerce company and one day my client realized that their Facebook account has been temporarily suspended due to some issues. And since it was past midnight hours in India, they couldn’t reach out to me for consultation and therefore went ahead to troubleshoot themselves.

At first, they tried to fetch the customer service phone number of Facebook’s USA but couldn’t find any. Then they Googled around for other websites and came across the phone number 1-855-490-9444. The client was desperate to reinstate their Facebook Ad campaigns and thus without further ado, contacted the said phone number.

At first, there was an automated welcome message which transferred the call to an agent who listened to the entire issue and then forwarded the call to another agent claiming to be the manager of the billing department. And to get the account reinstated, they wanted to have my client verify his account first. And for the verification process, they required my client to provide them Google Play Card worth $500. Surprisingly, my client followed their instructions and shared the Google Play Card code with them. But after each attempt, they informed him that the process was unsuccessful due to a timeout error and requested my client to buy another Google Play Card worth $500. To my great surprise, the client had to run from one store to another to buy these Google Play Cards and then share these codes with the scammers over the phone who was connected to my client throughout the day.

Below is a copy of the original transcript from my client.

Facebook Phishing Attack

At 7 AM IST, my client was able to contact me over the phone and I informed him that he’s a victim of an online fraud/phishing attack. He had unfortunately lost $7000 till then.

The scammers used Google Play Cards as their mode of funds transfer since it allows anonymous money transfers unlike Credit Cards or Bank Account where it’s easy to trace a disputed transaction.

As of February 2021, while I publish this blog post – the phone number +1-855-490-9444 is still active.

How To Identify A Phishing Scam

In my honest opinion, it’s quite difficult to identify a phishing scam at the right time. Phishing Attacks aren’t limited to common people only. NDTV’s Senior Journalist Nidhi Razdan was a recent victim of a phishing attack where she was offered a job at Harvard University and she quitted NDTV last year after a 21-year stint to take up the offer and fulfill her American dream.

 

 

 

How to save oneself from phishing attack or online frauds?

Phishing scams continue to proliferate at alarming rates and are becoming more and more difficult to detect. Being cautious can help you recognize a phishing attempt beforehand. Below are my suggested steps to protect yourself from phishing attacks:

  1. Don’t Panic – Phishing Capitalizes on Emotion

    I know it’s easier said than done. In most cases, the victims are mentally stressed when these scammers contacted them or they mistakenly contact these scammers and that’s when the mind fails to differentiate between the good and bad. Got some problem? Just sit back and relax. Do your research first. Chalk out a plan of action. Discuss with family members/ friends or someone whom you can trust and has sound knowledge about identifying and dealing with online frauds. You may even browse Quora.com – a Questions & Answer website and check if others are having similar grievances about the particular company or organization. But again not every suggestion posted on these websites is fully accurate. You need to double-check and use your brains before taking any action.

  2. Communicate Through Official Channels

    Many large companies like Facebook DO NOT offer phone support to their customers these days. And even if it does, these phone numbers aren’t available for the general customers. Facebook has FAQs (Frequently Asked Questions) & a community section which it believes to be a repository of all answers to customer questions. They have a Support section with limited options. You may refer to this article published at Business Insider suggesting steps to contact Facebook support. On the other hand, companies like Amazon India have a Help section for the commonly asked question and if you aren’t satisfied with the  FAQs – there is a link to the customer service at the bottom. Amazon India provides manual chat support as well as call-in phone support which in my honest opinion is an excellent step to prevent its customers from reaching these scammers. Companies like Walmart, Apple too have chat, email as well as phone support numbers clearly mentioned on their official website.

    Most of the online lotteries/ rewards are fake and are used as bait to allure innocent people. If you receive any such messages like the one mentioned by @Begumanxiety above, feel free to contact the concerned authorities through the proper official channel. @Begumanxiety received her due reply from @Jiocare and hope she saved herself from online fraud.

  3. Google Search Results Are NOT Safe every time

    Google Search Result is a mix of lots of things – Organic search results, Google Ads, Knowledge Box, Featured Snippets, Local Pack Results, Rich Answers, Knowledge Graph & Carousels, and many more. Google has been working hard in providing authentic information through its search results. For example: Search for Walmart support
    Google Knowledge BoxAbove Google Knowledge Box information is verified by Google and stands to be correct. However, Google does not guarantee the phone numbers being displayed in other websites that are being displayed in its result results. And scammers leverage upon this weakness and float multiple websites with their fake phone numbers which are often mistaken by innocent customers.

  4. Be Cautious About What You Share

    Distressed customers often take on social media websites like Twitter & Facebook to raise their issues and businesses interact with them to provide a suitable resolution. However, the social media teams often request customers to DM (Direct Message) their concerns because they understand that revealing private information can be harmful. And like I experienced, these scammers are always looking for distressed customers sharing their private information including phone numbers. The same goes for phone calls – Do not share your private information i.e., Address, Zip Codes/ Pin Codes/ Credit or Debit Card numbers, etc with anyone claiming to be a customer support executive. If you have purchased a product from a particular company and are expecting a refund, then the company will refund your money to the source of payment while placing the order OR else if they have a wallet feature like Amazon, your money will be stored over there for future purchases. No official customer support will ever ask you to provide private information for any sort of VERIFICATION PURPOSE.

    Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don’t ask for personal information via pop-up screens.

  5. Do Not Click On Links Listed Through Email / SMS

    Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email. At many times, they tend to hide the original website address using URL shorteners like Bitly. For example, The URL www.rahulbasu.in has been hidden inside a Bitly link – http://bit.ly/3pzXz85  .Be vigilant before clicking on any unidentified website links. Scammers also tend to have domain names similar to a company’s website i.e., www.wolmart.com [Notice the “o” instead of “a“]  and customers often ignore such small spellings and treat them to be the original website. This can be dangerous.

    According to The Motley Fool, some phishing emails and text messages claim to offer work-from-home job opportunities, information about health insurance or Medicare, or loans or other forms of financial relief.

    Install tools like McAfee® WebAdvisor which helps protect you from malware and phishing attempts while you surf, without impacting your browsing performance or experience.

  6. Do Not INSTALL Any Mobile Application

    No customer service personnel will ever ask you to install any kind of mobile or desktop application for the verification process. You can easily identify them as scammers if they are suggesting you install any such kinds of stuff.

  7. Do Not Transfer or Receive Money For Verification

    Certain scammers often inform people about winning huge prize amounts and to get the money transferred through Paytm, Google Pay initiates a test transfer to the victim’s account. These are scams. There’s nothing called easy money.

  8. Do Not Share your OTP (One Time Password), Debit Card, Credit Card, Net Banking Credentials with anyone

    To safeguard their customers, most of the banks have deployed OTP which acts as an added layer of security.  No customer service personnel will ever ask you to provide the OTP over the phone. Certain companies like Xpressbees, Delhivery India sends OTP to their customers which needs to be shared with the delivery agent once he/ she successfully delivers the parcel to the customer’s doorstep. This process has been incorporated to ensure a contactless delivery process. Companies like Decathlon India allows existing customers to sign in to their website using a Phone number and OTP (instead of a password). Thus Customers need to be well aware of these processes and share the OTP accordingly.

What are some online frauds you have experienced? Share your comments below:

💖 Spread Positivity: Share this story with friends
Share on whatsapp
WhatsApp
Share on facebook
Facebook
Share on linkedin
LinkedIn
Share on twitter
Twitter
Share on pinterest
Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

Similar Posts _

Proven Marketing Tips, Web Designs & Cyber Security Tips Right to Your Inbox

Get fresh, new marketing, web designing & cyber security tactics your competition doesn’t know about.