Even InfoSec pros run into telephone scam artists

Even InfoSec pros run into telephone scam artists

I was a happy user of Unitymedia Germany for almost 2 years with a package that included internet, phone, and TV. When I moved a few months ago, I also wanted to move my internet connection with me. But, I was informed that for the same monthly price, I could keep the internet and phone but would need to pay an extra 20 euro a month for TV. In a world of Netflix and other streaming services, who has time to watch old-fashioned TV? To save that 20 euro, I decided to cancel my TV and stick with only internet and phone. Everything was rosy till one day……

Hello, it’s me and I have a deal

I got a call from a person informing me that he was calling from Unitymedia. My German is still rusty and to have a detailed conversation, I went to my German colleague so she could help me with translation (as the person from Unitymedia didn’t speak any other language but German). He then started telling me that Unitymedia had decided to give me a free TV connection as well at no extra cost (so he clearly knew what plan I had). To move things forward, he started confirming a few things with me like billing address, email address, date of birth as well as my Unitymedia customer ID. Like any other customer would be, I was satisfied with his answers as well as his politeness. He then told me that to enable a TV connection, he needed me to confirm my IBAN number which identifies my bank account. He said he already had it, but could not tell me it on phone, but rather asked me for it so he can verify his information.

Warning bells are ringing

That’s when the first warning bell started to ring. As both my colleague and I are very security conscious, we gave each other a puzzled look and she asked him a question: “Why do you need IBAN.” He tried explaining but could not, so he gave the phone to another person from his office. This other gentleman started saying that it was for legal reasons he could not explain, but he still wanted us to verify it. We told him clearly, “Sorry but no sorry.” We still believed he was genuinely from Unitymedia and asked him to send the request by email since I could not give any financial details over the phone.

Tempers start rising

He was getting bit upset and said he could send an email, but unfortunately that it would be from his private email and not from a Unitymedia email. That was warning bell 2 and it was clear that something very fishy and scammy was going on. At this point, he was really upset and almost on the verge of screaming about what a mistake we were making by not sharing the IBAN (which was a company policy and he was just following the rules) and thereby not getting a free TV connection (which he had been asked by the company to provide me with). In the end, we hung up and they never called back.

Number not known

Immediately after the call, I posted the query on Twitter with Unitymediahilfe with the suspect phone number. The official Unitymedia responded that they did not know this number. Here is the twitter feed:

Something rotten almost happened

In the end, by being security conscious, I avoided a potential financial loss – even though I am not sure what could have been gained by accessing my IBAN. It was shocking to see that he knew so much about my identity. I do not get any paper bills from Unitymedia, so there is no question of someone getting hold of my paper mail. It is certain that the information leaked somewhere, but I do not know from where.

Security pros can also get scammed

Even though I work in a security company and am security conscious, I was still closely engaged with this scammer. It made me wonder what could happen to other people who may think (wrongly) that they are not an attractive target for scammers and hackers. The reality is that a similar situation could happen to anyone, anywhere, anytime. It’s critical to take preventative measures to protect our devices as well as our privacy. A key part of this is being aware of what should be shared – and what should not.

This post is also available in: GermanFrenchItalian