Before I go any further, the moral of the story:
- Never ever give, call out or read back a One Time Code, Verification code, PIN code, PAN code.
- If you call your bank (not the other way around) they may ask for two digits from your PIN number to identify you. Unless you are certain that you are speaking to your bank on a call which you initiated, or if you are in any way suspicious, do not proceed.
What actually happened:
As soon as the scammer called her, he entered her number on the Vodafone "forgot my password" screen which sent a code to her phone
He used the code which she received and read back to him to change her password, her address, and various other details
He ordered an iPhone 16 Pro on her account to be sent to her "new address"
Here is her perception of what happened:
She received a call on her mobile from the Vodafone Customer Loyalty team. Caller said that he had good news, and that she was entitled to a loyalty reward
Caller said he needed to verify that he was talking to the account holder before proceeding, and sent a verification code to her phone
The verification code was grouped in her phone messages with prior messages from Vodafone (suggesting that all was in order) and at his request she read the verification code back to him
He kept chatting for a couple of minutes while he was organising her loyalty reward, in the course of which he called out her address for verification, and also some of her credit card details (I'm not sure what exactly)
He concluded that all was in order and that her loyalty reward was on its way to her, and that she might receive a few messages later but that she could safely ignore these
She went off full of the joys and thinking how great life is when the gods smile down on you
The Outcome
She received a call on Tuesday from the Vodafone fraud team
It took a considerable period of time for the call to proceed as the details they usually use to verify the caller (DOB, address etc) were not correct
Eventually the call progressed to the point where they verified that she had not requested a phone upgrade and they confirmed that they were in a position to cancel the upgrade as the phone had not yet been despatched
The National Cyber Security Centre have issued an alert in relation to this scam. It contains a description of the scam, some useful pointers on how to protect yourself and what to do if you’re a victim
NCSC Advisory: Upgrade Scam targeting Mobile Phone Users, 09 December 2024
Also detailed here: https://www.rte.ie/news/ireland/2024/1209/1485540-cyber-scam/
And discussed with Adrian Weckler here: https://www.rte.ie/radio/podcasts/22469716-national-cyber-security-centre-warning-people-abou/
In Conclusion
The three lines above under "What actually happened" are generic and are not limited to phone upgrade scams. This technique could be used in many situations to access the likes of bank accounts, online store accounts etc.
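
Seen from the provider's side, the three steps under "What actually happened" leave a recognisable trail in an account audit log. The following is an added example, not part of the original post, of how a fraud team could flag that sequence; the event names, account ids, the 24-hour window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# The three steps from "What actually happened", in order.
# Event type names are assumptions made for this example.
CHAIN = ("password_reset_sms_otp", "address_change", "device_order")
WINDOW = timedelta(hours=24)  # assumed threshold, tune to your own data

# Constructed sample audit events: (ISO timestamp, account id, event type)
SAMPLE_EVENTS = [
    ("2024-12-02T10:01:00", "acct-A", "password_reset_sms_otp"),
    ("2024-12-02T10:03:00", "acct-A", "address_change"),
    ("2024-12-02T10:06:00", "acct-A", "device_order"),
    ("2024-12-02T11:00:00", "acct-B", "password_reset_sms_otp"),
    ("2024-12-20T09:00:00", "acct-B", "device_order"),   # weeks later, no address change
    ("2024-12-03T08:00:00", "acct-C", "address_change"),
    ("2024-12-03T08:05:00", "acct-C", "password_reset_sms_otp"),
    ("2024-12-03T08:10:00", "acct-C", "device_order"),   # address changed before the reset
]

def find_takeover_chains(events, chain=CHAIN, window=WINDOW):
    """Return {account: (start, end)} where all chain steps occur in order within window."""
    by_account = {}
    for ts, account, kind in sorted(events):  # ISO timestamps sort chronologically
        by_account.setdefault(account, []).append((datetime.fromisoformat(ts), kind))

    hits = {}
    for account, evs in by_account.items():
        # Treat every SMS-code password reset as a possible start of the chain.
        for i, (start, kind) in enumerate(evs):
            if kind != chain[0]:
                continue
            step, end = 1, start
            for when, k in evs[i + 1:]:
                if when - start > window:
                    break  # too late to count as the same session of changes
                if k == chain[step]:
                    step, end = step + 1, when
                    if step == len(chain):
                        break
            if step == len(chain):
                hits[account] = (start, end)  # hold the order for manual review
                break
    return hits

if __name__ == "__main__":
    for account, (start, end) in find_takeover_chains(SAMPLE_EVENTS).items():
        print(f"{account}: reset -> address change -> order in {end - start}")
```

Only `acct-A` is flagged: the other two accounts either take too long or perform the steps in a different order.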