02E1E: Almost Scammed

Monday - Tuna Pasta

Past 06:00pm, I received a call from a number (+63 916 602 3695) I didn't recognize while I was in the middle of rushing work deliverables. Most of my day had been lost to meetings and interviews and that hadn't left me with enough time to work on the reports that were my actual priority for the day. So I was a little distracted when the call came in. 

I'm old enough to have lived during that time when we never knew who was calling, so I have no qualms about answering unknown numbers. Plus a lot of times these calls are work-related, so I really need to take them. The caller introduced himself as being part of Unionbank's fraud department and claimed that they had blocked a number of suspicious transactions from a "known hacker". He sounded professional enough and was generally trying to reassure me that the transactions had been blocked but he was going to transfer me to his manager to walk me through the next steps in the investigation process. He even put me on hold with proper hold music and all as he transferred the call.

The call initially disconnected, but he immediately called back, and a "James Cabreros, Operations Manager" came on the line and recapped the situation and again tried to reassure me that they were going to get to the bottom of things. At this point, I was a little panicky as I was worried that this might have been about our corporate account and not just my personal payroll account, so when I asked about this, the manager stated we could look into it as well.

This whole time, I was still a little hesitant since the phone number was just some unknown number and not clearly identified as a Unionbank number. But the two guys I had spoken to thus far seemed to be focused on the case and had not tried to ask me for any personally identifiable information (PII) as one would expect scammers to do. So I kept talking to them but also kept trying to mentally puzzle through how real this was or not.

I expressed my concerns to James and asked if he could already send me an official email with the details of the case so that I could get some assurance that he was indeed from Unionbank. That way I could study the email header and make sure he was legit. He then said he would start forwarding evidence of the hacker's activities both via SMS and email. He obviously knew what my phone number was. He didn't ask me to provide my email. So that felt...legit. But his "evidence" of the hacker was initially in the form of SMS messages of the transactions that Unionbank had received but had blocked. The message generally followed the format of an OTP request, but it had been sent with a shortcode name "ITM.TEST3" via the ITEXMO service. That again felt odd, but I let this continue on. But then he alternated this with an email that was supposedly evidence of the hacker trying to change my password earlier in the day but by then the hacker had redirected the email to her email instead of mine.

The password reset email was a legitimate Unionbank password reset email given the email header data...but it was also dated at the time of the call and not earlier in the afternoon. But James said that I should take a screenshot of the email and to write the code down for reference as we had more "evidence" to send of the various OTP requests that the hacker had allegedly redirected to her phone or email instead of mine. He didn't ask me to read the OTP code aloud and I wasn't planning on reading it aloud even if he did.

By this point, I had repeatedly challenged his identity as a Unionbank representative and restated that I was being especially paranoid especially since this was a call about a hacking attempt. I told him that he should understand my predicament given he works in fraud and he generally agreed and continued to reassure me that he was going to help me address this case. And this was amid a few cases of the call getting dropped and him immediately calling back. But the red flags started to come in.

When I had mentioned our corporate account, he confirmed where I worked without me giving our company name and reassured me that we'd look into the corporate account. However, he only mentioned our operating name - but not the name of the local company on record, which is the actual account name for our corporate account. He also wanted me to confirm the current balance in the corporate account, to which I refused since I wasn't fully convinced of his identity. And when he asked me to read out the unlock OTP that had been emailed to me (after another of his SMS "evidence" texts), then I stopped him. Both the password reset OTP email and the account unlock OTP email (because I triggered the incorrect login lockout while we had been on the phone together) had time stamps that matched the present time of the call and not earlier in the day. The fact that he wanted me to give him the OTP to unlock my account felt very wrong and that's when we firmly entered scam territory.

So I told him that this felt off and I wanted to call the Unionbank hotline and confirm everything he was telling me. He tried to gently dissuade me from this course of action and said that the customer service rep would just transfer me back to him, but I answered that I'd love for that to happen since that would really confirm his identity. He made a promise to call me back in a while to discuss my call with the hotline and to offer a "direct number" to try calling in case I hadn't been able to get through to a customer service agent by the time he called back.

But I almost immediately got a rep by using the fraud transaction option of IVR as I figured this would get me to a live person faster than just going through the general customer service inquiry route. I gave the case number that James had made me carefully write down and even read back to him - UB-021-4611-2291-182, to which the rep replied that it was the wrong number of digits for their typical case numbers. She promised to check my account but wanted me to go through an OTP verification - in this case, I received an SMS code that she didn't want me to read aloud. She instead transferred me to another IVR just to enter the code myself, then once validated it transferred me back to the agent (this felt like a decently clever system). Once I had the agent on the line again, she informed me that there were no indicators that my account had been flagged for fraud nor were there indications on the account that their Fraud team had attempted to call me at all. That was the final nail in the coffin and I went on to share all details of the calls that I could so she could file a report and forward to their fraud team for action. She advised me not to entertain calls from the number moving forward, so I blocked it right after.

No money was lost. I updated my password for my online account just in case. I made sure OTPs were required for all transactions. All the usual stuff.

When I received my phone log to get the number of the scammer, I was surprised by the fact that all of the phone calls had dropped exactly at the 12-minute mark. Each call - whether from the first "agent" or his "manager" - had lasted exactly 12 minutes and 0 seconds. Only the last call had been shorter, and that was because by then I was committing to call customer service myself.

I recognize that things got a lot closer than I would have liked. Had I given him either the password reset OTP or the unlock account OTP, I probably would have been a goner as that would have compromised my online bank account and would have triggered a chain of events that could only end with the scammers draining my bank account. They made good use of scare tactics with their hacking story and I can see how this might work on a lot of people. They consistently shared the name of the "hacker" that had gotten into my account, her alleged mobile number, and other little factoids that made the whole scenario seem so real. In hindsight, the steps they were claiming the hacker had taken to compromise my account were pretty much what they were trying to do to me - they needed me to inadvertently consent to giving them access to my account so they could change my contact details to their own email and phone number and then go wild on my account after.

Tobie praised how calm I was as I talked to these "reps" for nearly an hour and for that I have my years of call center experience to thank. I literally used to handle product training for US telecommunications companies and part of that training was explaining the principles of social engineering and how scammers are able to use careful questioning to get victims to reveal important information needed to gain access to their accounts. I just never expected that training to come in handy in this way.

Be careful out there, dear friends. These people employ very well-thought-out methods designed to trick and confuse you and get you to make emotional decisions in the heat of the moment. I got lucky today and I'm documenting this whole situation to potentially help others. But this is also a reminder to myself to remain even more vigilant because I feel like I got way closer than I should have to losing a lot of money despite my experience. A little paranoia can come in handy for cases like this.
