Cybercriminals are clever. Very, very clever. However, today they were not clever enough! First of all, did you know that Google allows people to sign into their Gmail/G Suite accounts using their phone number? It’s important to realize this point! Most people routinely sign in with their email address. But a scammer was taking advantage of this: find someone’s phone number, a powerful piece of information, and then use it as one part of the key to gain access to that person’s account.
On Tuesday, November 5 we heard from a friend of ours who is very tech savvy and aware of the scams that target people. We’ll call him Marty. Marty shared this scam with us, and it surprised us because we had never heard of this one before. It began when Marty posted something for sale on Craigslist on November 4. People who sell things on Craigslist are often targeted by scammers. Marty was selling a gently-used Yakima roof rack…
Not long after posting the rack, Marty got a text from 804-256-8521 saying “I wanna Buy”Yakima S53w whisperbar roof rack”you still available?” Marty was very skeptical that this was legitimate, based on the way the question was written and the quotes wrapped around the item, but he replied with a yes to see where this would go. The response he got surprised him…
“Can I send the code?” to which Marty said “What code?” The interested person on the other end said “sending a Google varification code to get this authenticity your post. If you did post, send the code.” [Clearly, English was not the first language of the interested person.] Marty also noticed that the person texting said “Google” code. This was a Craigslist item!
Seconds later Marty received another text, this time from phone number 415-455-3630, which said: “Hi, We are from the Craigslist support team. we saw you recently posted “Yakima S53w whisperbar roof rack – $100 Recently we have had many people being everyone on Craigslist. If you do not confirm the code, your item and account may be removed. Can we confirm your account now by sending you a verification code.” The text continued with additional requests for, and explanation about, getting a verification code…
And then suddenly, Marty received a verification code! And he noticed that this verification code didn’t come from Craigslist; it came from Google! In fact, Marty realized immediately that he was receiving the verification code that Google sends to Gmail account holders when they report that they have forgotten their password. If one enters a phone number into the “Forgot password” field, Google will send a verification code to the phone number listed in the account settings. Remember, the criminal targeting Marty already knew his phone number!
Marty’s suspicions were spot on! The interest in Marty’s roof rack was just an excuse for criminals to create a reason for Marty to expect to receive a verification code. If they could trick Marty into giving them the Google verification code, then the criminals could gain access to his Gmail account. Having access to and control over someone’s email account is like holding the keys to that user’s digital kingdom! Our email accounts are connected to everything we do: banking, credit card and other financial accounts, and Amazon, Apple and other services where we make purchases or have credit card information on file, all of which send their own password resets to that email address. A criminal’s access to someone’s email account can be monetized in a hundred different ways!
Now that Marty knew what this scammer was after, he decided to have a bit of fun with him. He came up with several fake 6-digit “verification codes” and shared them with the scammer, over and over, until the scammer realized that HE was the one being fooled!
This could have turned out very badly for Marty. It was a very clever ruse: the sale of a Craigslist item served as an excuse to ask for a “verification code” that was, in fact, sent by Google, and that code was all the criminals needed to gain access to an email account.
The lesson learned from this experience is simple… Never, ever provide a verification code to anyone, for any reason, especially if the person requesting it is doing so through a text exchange or phone call.