A message is spreading on social media that claims criminals can trick victims into handing over an SMS password reset code for their account by using a simple social engineering trick.
Examples of the warning can be seen below –
Somebody called me with the phone number 079710****3 telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as 6310.
He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.
I got online to find out more, only to discover he was actually trying to reset my bank online/yahoo mail password and that he is a fraudster, an account hacker. If I had given him the code which was sent to my phone, he would have used it to reset my bank online/mobile app account.
Please let us be careful and vigilant. Fraudsters are devising new ways every day.
This is a new way of defrauding people…
Share to prevent others from being defrauded.
P.S. It’s not the real password!
Somebody called me with this phone number 07060714545 telling me he was doing some registration online and he mistakenly put my number on what he was registering, that my number is similar to his number and that the password of what he was registering was sent to my phone which I actually saw as 6310.
He was now appealing to me to give him the reset code that was sent to my phone so that he could finish his registration. I told him to call me with the number he claimed was similar to mine so that I could verify his claim, he told me he didn’t have credit in that line.
I got online to find out more, only to discover he was actually trying to reset my bank online/yahoomail password and that he is a fraudster, an account hacker and also a 419er. If I had given him the code which was sent to my phone, he would have used it to reset my bank online/mobile app account.
Please let us be careful and vigilant. Fraudsters are devising new ways every day.
TLDR: This is a social engineering trick that could potentially be used as part of a targeted scam against a specific individual. HOWEVER, it is unlikely that this would be a popular scam, for two reasons. Firstly, a criminal would somehow have to know the would-be victim’s username or email, and be able to pair that with the victim’s phone number, in order to carry out the scam. Secondly, most account providers will say on the SMS message what the code is for, i.e. a password reset code, which should tip the victim off to the scam. Additionally, many types of accounts – especially online banking accounts – don’t allow account holders to reset their password with a code sent through text message.
–
The warning essentially claims a criminal could call a victim pretending they accidentally entered the victim’s phone number when registering for an online account, and that consequently their registration code was sent to the victim’s phone instead of their own. The criminal would ask the victim to send the code, which in reality is a password reset code for the victim’s online account (either a Yahoo Mail or online banking account, according to the warning above).
The victim would duly provide the criminal with the code, unwittingly providing the criminal with access to the victim’s account, in effect bypassing the account password.
Theoretically a criminal could try and dupe a victim in this way, but this scam would only work under a very particular set of circumstances.
As we stated above, the criminal would have to know what their victim’s login username or email address is, and would also have to know what the victim’s phone number is and that it is associated with that particular account. Even if the criminal selected the “Forgot Password” option and asked the account provider to send a password recovery code to the associated phone number, the account provider would not show the full phone number to the criminal (most account providers ‘star out’ most of the digits), meaning the criminal would need to find another way to pair phone numbers to account usernames/emails.
Another hurdle faced by the criminal is that account providers will identify themselves when sending an SMS message containing a password recovery code, as well as state what the code is intended for. Yahoo, for example, will identify the code as a ‘Yahoo Account Key’. Microsoft states it is a “password reset code”. This would make it difficult for a criminal to persuade a victim that the code is actually an account registration code, as described in the warning above.
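The two safeguards described above (the starred-out phone number on the “Forgot Password” screen, and an SMS that names the provider and the purpose of the code) are straightforward for a provider to implement. The following is an added example, not code from the original article or from any named provider; the provider name, message wording and in-memory store are assumptions. It also binds each code to one account and one purpose, so a password reset code cannot be redeemed as anything else.

```python
import hmac
import secrets
import time

# Added example (not part of the original article). Models the safeguards the
# article describes: the requester only ever sees a starred-out phone number,
# and the SMS names the provider and the purpose of the code. Provider name,
# wording and the in-memory store are assumptions for the demo.

PROVIDER = "ExampleMail"          # hypothetical provider name
CODE_TTL_SECONDS = 600
_issued = {}                      # account -> (code, purpose, expires_at)


def mask_phone(number: str, visible: int = 3) -> str:
    """Star out all but the last `visible` digits, as providers do on the
    'Forgot Password' screen, so the requester learns nothing new."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "*" * (len(digits) - visible) + digits[-visible:]


def issue_reset_code(account: str, phone: str) -> tuple:
    """Return (masked phone shown to requester, SMS text, code)."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    _issued[account] = (code, "password_reset", time.time() + CODE_TTL_SECONDS)
    sms = (f"{PROVIDER}: {code} is your password reset code. "
           f"Never share it, even with someone who says it was sent to you by mistake.")
    return mask_phone(phone), sms, code


def verify_code(account: str, code: str, purpose: str) -> bool:
    """Accept the code only for the account and purpose it was issued for,
    only once, and only before it expires."""
    record = _issued.get(account)
    if record is None:
        return False
    issued_code, issued_purpose, expires_at = record
    if time.time() > expires_at or purpose != issued_purpose:
        return False
    if not hmac.compare_digest(issued_code, code):
        return False
    del _issued[account]          # single use
    return True
```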
What’s more, this isn’t likely to work for online banking accounts, which have stricter security protocols and do not give users direct access to an online banking account just by using a code sent through SMS.
It is also worth noting that despite the claims made in certain variants of this warning, this isn’t a 419 scam. 419 scams involve a criminal falsely promising a victim a large amount of money providing the victim sends a smaller up front fee first, which is then stolen.
To summarise, while it could be argued that this is something to be wary of, it is extremely unlikely you’ll be targeted with this scam, or that this scam would have a high success rate. The fact that criminals would need to ascertain your phone number as well as hope you don’t realise that the SMS is a password recovery code (and that you indeed are willing to hand over the code without question) would mean this scam is likely not going to be worth the effort.