Don’t Trust Phone Calls From Venmo or Any Other Service
A goof is born every minute, but this time you won’t because you won’t let a scammer try to steal access to your Venmo account. You are better than this, no matter how convincing the phishing attempts are.
This is how this phishing scam works. An attacker somehow takes over your email and phone number, likely as a result of one of the many data breaches that occur on a regular basis. They then initiate a Venmo password reset request and then call you and try to convince you that you have been hacked and that you should change your password to the one they suggest.
Here’s the full story, courtesy of this Reddit user:
It started around noon. I received an email stating that someone was trying to reset my password. I ignored this.
A few hours later I got a call from someone pretending to be from Venmo; very professional sounding. Said they had a hack in my account and asked how I would authorize a several hundred dollar payment and that I should have received an email saying someone was trying to log in and that they were successful. I, of course, said no and was a little alarmed for a second, but decided to play along.
I think they tried to fake Venmo’s number. All but the last digit of the number were the same, I know, because I googled when I was on the phone.
What really pissed me off was that they said that I needed to change my password to some password they gave me in order to cancel this “fraudulent charge.” At this point, I decided to pretend to be stupid and fiddled with them a bit, left them on my phone for a good 5-10 minutes, pretending I didn’t know the app layout and trying to do what they said. Eventually I got bored and told them I knew it was a scam. The man got angry and hung up.
Obviously in the end it was a scam, but I’ve never seen them develop. Took real training from them to try and reset my password so I get an email so I stay alert and then call later acting like a violation actually happened.
There are a few red flags in this scenario that should make the scam obvious to savvy readers, although not everyone is so balanced in the face of an outright phishing attempt, and I can absolutely see it trick people if they don’t. I’m thinking.
Be careful when you receive a password reset request
First, every time you unexpectedly receive a password reset request, you need to be on the lookout. Or, at the very least, you should be careful for the next few days with respect to any messages or messages related to this service – be it a “company” contacting you to clarify something, emails that ask you to click the link to change your password, or anything in between.
When in doubt, know that you are in control of your interactions with the site or service. So, instead of clicking a link in an email that claims to be from a specific company, open the app or service on your phone or web browser as usual, log in and reset your password the old fashioned way if you feel like that’s what you need to do. Also, if the service offers this, check to see if any other devices have logged into your account recently, and set up two-factor authentication while you’re there, if you can.
Basically, don’t act on the prompt because it could be a scam. You can always change your security settings through the application or service settings; you don’t need someone or something to send you there. Just download the app or website yourself.
Beware of the “company” that calls
I’ve been in tech for almost 15 years and can’t say when was the last time companies called me to discuss my account details. Google doesn’t call me when someone tries to reset my Gmail password. Facebook has better things to do than asking me if I’ve turned on 2FA; I’m verified on Twitter, but they never wanted to talk about the security of my account.
I’m sure there are exceptions, but in general, companies don’t call you to tell you about your account . You’re just a miss on their systems – one account of potentially millions (or billions ) that they just won’t notice – and most likely won’t personally contact you for discussion. Automatic email but phone call? Unlikely.
If someone claims to be a company representative and asks you about anything related to your account, such as your passwords, payments, or other confidential aspects, you do not need to respond. What you can do is go to the website or services yourself to verify that the person’s message (and request) is valid. In other words, if Amazon calls you and asks you to change your password over the phone, hang up and contact Amazon Support to see if the request was valid. (Or, actually, in this case: hang up and just change the password yourself. You don’t need anyone’s help.)
Don’t accept someone else’s password
If – and this is a big “if” – the company contacts you about an aspect of your account and wants you to do something about it, think before making this change. Does any online store really want you to change your password to the one they provide? Are they really asking you to turn off two-factor authentication or make some other changes to your account that will undoubtedly make it easier, not harder, for you to take advantage of your benefits? If so, then the obvious spoiler is that someone is trying to trick you.
As I said, this all probably sounds like boring and obvious advice for experienced tech users, but as I write this I think of my parents (and my less tech-savvy friends) who can be easily intimidated by the fact that they shouldn’t because of the supposed insecure setting. I understand it can be a concern if you think someone has hacked into the main account you are using, especially if it is related to financial services. (Take my Gmail, not my money.)
When in doubt, remember that you don’t have to do anything that someone or something tells you to do. Take the situation into account, check if it’s genuine, and do the usual things you would otherwise do to secure your account yourself – if you ever need to.