A good dose of skepticism may be just the thing when a bad guy is trying to trick you into sharing information in order to steal money or items. This slide show can help you better understand the "Man in the Middle" scam. This is where bad guys fool you into giving them an authorization code that's been sent to you from a company. Then they use the code to fool the company, pretending they are you.
The Man In The Middle Scam
This is not Mr. Johnson.
He has Mr. Johnson's log-in information...
...Including his phone number.
He wants to take over Mr. Johnson's account to commit fraud.
He just needs the one-time PIN companies send to confirm identity to complete the take-over.
So he'll try to get it from Mr. Johnson, who doesn't realize he's about to be sent a PIN.
Now the "Man in the Middle" scam begins...
Bad Guy... "Congratulations. I'm calling with good news about your account. You've been randomly selected to win a $100 gift card."
Mr. Johnson... "Ok great, thank you."
Bad Guy... "Can you read the prize code I just sent you via text message to verify your account?"
Mr. Johnson... "Yes. It's 123abc."
Bad Guy... "Perfect! We're sending you that gift card now."
STOP! You've just been scammed.
The bad guy hacking your account just needed the one-time PIN to convince the company he's you, and you just read it to him.
Here's what the customer in this example should have done...
Bad Guy... "Can you read the prize code I just sent you via text message to verify your account?"
Text... "PIN: abc123... do not share this information with anyone."
Mr. Johnson... (click to end call)
Hang up and call the company's customer service department using the number on your bill.
Mr. Johnson... "I just received a call from someone with your company offering me a $100 gift card. Are you currently offering that?"
Customer Service... "No, that is part of a scam to steal access to your account. They might already have your log-in information. Let me show you how you can change your password to better protect your account."
To learn more about fraud protection and cybersecurity, visit Cyber Aware.
In the "Man in the Middle" scam, the bad guy literally puts himself between you and a company where you have an account. In that middle position, he can convince the company he is you - and convince you he is the company.
To begin the scam, the bad guy already has your account information, including the phone number associated with it. He logs into your account and then wants to steal from you or the company by making changes, ordering items or moving money. When he submits the request, the company may text an authorization code - or one-time PIN - to your phone. But you don't know it's coming.
The bad guy calls your phone number and pretends to be the company. He may offer you a prize or describe an issue related to your account, such as a shut-down of service or purchase of items. He says to resolve the issue, he needs the code you just received. That code is the authorization code you didn't know about. Do not share the code.
If you give him the authorization code, he has what he needs to complete the transaction.
A bad guy may also use this technique if he doesn't have your password. If he has your user name and phone number, he can simply click "forgot password." He then calls you and uses the same trick to get you to share the new authorization code the company sent you. Once he has it, he has access to your account.
Here’s how you can better protect yourself from the “Man in the Middle” scam.
- Be skeptical. Don’t believe them and don’t engage in a conversation.
- Hang up. Hang up the call. It’s not rude, it’s smart. Then call the customer service number on your bill to see if the prize or issue is true.
- Do not share information with people you do not know. Someone calling you like this is not someone you know, no matter how convincing they sound. Do not share PINs, passcodes or passwords even if they appear to be calling you from the company number. That’s called spoofing, and you can learn more about that on this Cyber Aware blog.
- Protect devices: Protect your information at the very beginning. Keep your device anti-virus and malware protection software current and updated. This will help prevent bad guys from getting any personal information in the first place.
- Use multiple authentication: Turn “on” any additional security measures on accounts, including security passcodes and authentication methods. Added measures such as these increase protection and help you control access to your accounts.
- Change your account information. The bad guy probably already had access to your account. Go in right away and update your password and security settings. Contact the company to ask about additional security measures or monitoring for your account.
If you believe a caller is trying to scam you, hang up. If you suspect you are a target of fraud on your AT&T mobile phone account, you can report it to our Fraud team here. If you suspect fraud on another account, call the customer service number on your bill for help.
These steps will help you identify “Man in the Middle” scams and better protect your personal information.