Warning: Phone Scammers Are Now PERFECTLY Impersonating Utility Companies

Several hours ago, I received a phone call; the caller ID displayed the accurate name and phone number of my local utility company.

As our area has, at times, suffered from power disruptions during winter storms, and we had winter weather yesterday and are expecting more tomorrow, I answered the call to see if the utility was advising of some repair that could impact service. When I answered, however, I heard a message that my account was overdue and that service was going to be cut off for non-payment.

Of course, scam calls warning about the termination of utility service if a payment is not made immediately are nothing new. But today’s call was different from all others I have ever heard – the criminals perpetrating the scam did a far better job of impersonating the utility than I have heard on any previous live or recorded call conveying a similar scam attempt. And, as you may surmise based on my profession, over the years I have heard far more than just a few such calls.

During today’s call, not only did the content of the initial recorded message mimic that of messages from the legitimate utility, but the voice relaying the message, and the tone of that message, were both similar to, if not identical to, those utilized by the utility on its actual automated phone service system.

Criminals know that having one’s gas and electric service cut off when the temperature outside is below freezing is not something that most people want to risk. Hence, criminals do seem to increase their perpetration of utility-shutoff scams at times of extreme weather. As such, while I was nearly certain that the call that I received was, in fact, part of a scam, I was both curious about the scammers’ apparent level of sophistication and wanted to ensure that there was, in fact, no billing mistake related to my account on the part of the utility. A billing error was certainly not out of the question – within the last year our local utility had, in fact, made a huge billing mistake impacting many customers.

As such, while I obviously would never give out personal information or payment details to anyone who called me under circumstances such as those of today’s phone call, I did not hang up. When prompted by the automated system, I selected the option to speak with a representative.

That’s when things got really scary:

The content that played while I was on hold waiting for the representative was identical to that regularly used by the utility.

The representative who ultimately answered did so exactly as would representatives of the legitimate utility.

In fact, the tone and lexicon used by the person with whom I was speaking were exactly what I would have expected had I, myself, initiated the call to the utility.

On top of that, the person on the other end of the line had an accent that was entirely local – she sounded like she was from my area of the country.

Sounding just as if she were a true rep of the utility, she conveyed that the utility had received my payments for September’s and October’s bills, but not for the bills from November and December.

I stated, of course, that I had paid both bills using the utility’s online portal. She began to explain that she understood and would help me, and that she had spoken earlier today with several customers who thought that they had made payments online but who had not actually completed the payments: they had made an error after the utility upgraded its website and never clicked the new submit button after the review-transaction page. She asked me whether I had checked that the money for the payments had come out of my account – which, in order to keep the call going, I said I could check if she wanted me to do so.

By this point in the conversation, I had logged into the online system and seen that my account had a zero balance, and that the utility had received my payments made in November and December. That said, from an objective standpoint, the claim made about people not completing payments was reasonable and likely the result of research by the scammers – the utility had recently made upgrades to its website and online payment system, and upgrades often do lead to human errors.

At that point, I knew enough about the scammers’ sophistication – they had both researched the utility and the recent developments at it that were likely to impact customers, and learned to accurately impersonate it. I was tempted to ask the caller whether she could see my payment for $527.01 made in October – as that was not the amount I actually had paid, and her anticipated confirmation would have confirmed for me that the call was part of a scam – but I did not need to see another red flag to understand the nature of the situation. So I decided to keep it simple and tell the caller that I was logged in to the utility website and saw that I had a zero balance, so we needed to spend some time on the phone figuring out how the utility’s disconnect system was getting an incorrect message about an outstanding balance – and, of course, she immediately disconnected.

(Later I did call the utility both to confirm that there were no errors in the billing system and to inform it of the level of sophistication of a criminal impersonating it.)

What should you take away from my report about today’s phone call? Scammers can now impersonate legitimate parties with such sophistication that nothing intrinsic to the call – the caller ID, the recorded greeting, the hold content, the representative’s voice, accent and vocabulary – reliably distinguishes a legitimate call from a scam call. Caller ID in particular proves nothing: the name and number it displays are supplied by the calling party and are trivially spoofed. Knowledge that you possess, and that the scammer does not but should if they were the legitimate party (such as the actual amount of a past payment), can help a person identify scammers – but data breaches and the like can put such details in criminals’ hands, so relying on them is dangerous. One of the best ways to reduce the likelihood of falling prey to phone scams is simple to execute, though: never give out private information over a phone call that you did not place. If some party calls you about some problem with one of your accounts, hang up and call the party allegedly on the phone back at a number that you know belongs to them (such as a number that appears on your bill or on the back of a payment card), and place the call from a phone that you can trust has not been infected with malware or the like.


National Cyber Security