Seconds from a Scam

The following guest post was sent in from Kirstan. I think when you come close to being duped it’s human instinct to warn others of the danger and I feel the post does exactly that. Enjoy.

The first time they called, the circumstances were perfect. It was the end of the month and I was feeling poor, I’d been working at my desk for hours and was thankful for a bit of a break, and the guy on the phone was polite, confident, and well spoken.

He told me he was from o2, my network provider, and since I had been with them for such a long time, they were offering me a discount of 30% on my bill until the end of my contract.

I really have been with o2 for a long time, and since he called me at a time where money was on my mind a lot and here he was offering me a huge discount on one of my bills, I was thrilled.

It didn’t even cross my mind that he might not be from o2. He was offering me a discount; I didn’t understand how that could lead to me being scammed.

He told me that in order to proceed, he needed to verify my identity. He said he would send me a one-time code from o2 and all I would need to do is relay it to him. I told him that’s fine and waited for the text.

I read the text a few times to ensure I understood it. It specifically told me that anyone asking for the code does not work at o2. Whilst I was still processing this, the second text arrived.

This one threw me even more. Why would an o2 staff member be asking for a code contained in a text message that said not to even share it with o2 staff?

When telling the man I couldn’t share the code because the message told me not to, I felt super deflated. I knew this was a scam now and there was no 30% discount and I was gutted. However, his response was long-winded, confusing, and threw me off a bit. I think I was listening for any hope that this could be real and I might actually get this deal. He told me that because he had sent me the code, I should only give it to him. That it is important that I do not give the code to anyone besides him. He went round and round with a confident and well-rehearsed speech, and the way he spoke made me feel bad for distrusting him – he was actually really good at this.

Whilst he was speaking I was just reading the texts over and over. “NEVER share this code, including with o2 staff.” It really couldn’t be any clearer. I made up my mind, told him I was sorry but I did not feel comfortable sharing this code when the text message specifically tells me not to, and before he had the chance to argue back again, I hung up.

As soon as the call ended, I felt embarrassed, ashamed, and a little scared. Why did they target me, what were they trying to do, did I accidentally give them any information they could use to scam me?

Your guess is as good as mine. I know that the code they needed is the same type of code I use to log into my o2 account online, so I assume that is what they were trying to do. But why? Maybe they were trying to find out more information about me, so they could call me back with another scam and be even more believable. Perhaps this was a gateway to sim-swap fraud – they might have been trying to port my phone number over to a sim card in their possession so that they could use my number to pass two-factor authentication and attempt to access other accounts of mine.

Whatever their reasoning, it was obviously an attempt to scam me in some shape or form. I have had numerous calls like this since, all from different numbers, but I know not to entertain the idea anymore. If something sounds too good to be true, it probably is, and if your network provider is telling you not to share a code with its own employees, you should probably listen.

Tips to avoid being scammed like this:
  1. As Kirstan sadly had to come to terms with – if it’s too good to be true, it probably is. I know personally, as a Yorkshireman, that a discount like this would certainly be appealing, but pausing and thinking about the likelihood of some unknown saviour offering a discount on an incoming call like this is everything. A few seconds of rational thought saved the day here.
  2. Beware the short code! I know it sounds silly, but authentication is often condensed to a short six- or eight-digit code. The “something you know” element of security has been condensed into this code for convenience, and we all know the tradeoff there. We should be extra vigilant when asked to share.
  3. The scam might not be as simple as you think it is, either. Often some misdirection from a scammer can make you feel you are providing the code for one thing, when it’s going to be used by the scammer for something else.