Beware requests to confirm big purchases!
The first text—this one’s from Amazon—asks you to confirm you bought an iPhone 12 for $1,130. “Just let us know if you did not make the purchase, and we’ll cancel it,” the text reads. A second message asks for confirmation of a $499 splurge on a dating service subscription. What? Scam confirmation requests—whether they arrive by text, phone call or email—have surged as hackers tap the recent dump of phone numbers and email addresses leaked onto the internet.
Remember Facebook’s latest data leak in late April that exposed 32 million U.S. telephone numbers? LinkedIn experienced a similar attack that month after public client data was scraped from its website then bundled for sale by hackers. In LinkedIn’s case, thieves obtained data from over 500 million user accounts.
Imagine receiving a text asking you to confirm a 75″ television purchase. Maybe that text arrives late at night or even wakes you up after midnight. Or you’re exhausted when an email pops up asking you to confirm a four-figure transaction. What emotions would you feel if you believed the charge had hit your credit or debit card?
Panic, fear, anger, and disbelief are all likely reactions to these confirmation scams. What are the odds that you’ll click to learn more? It’s easy to imagine someone falling for this scam. Just don’t be a victim.
Subscription expiration notices for services you never bought, shipment delivery difficulties and other variations are common too.
Keep calm and thank the feds
Would your reaction to a confirmation communication on a $2,350 purchase be any different if you knew the federal government had your back? The Federal Credit Billing Act (FCBA) protects consumers against unauthorized credit card charges. It should be reasonably simple to check that card and dispute any unapproved fees, but these confirmation requests are totally bogus. It’s the link in the message they want you to click. So keep calm and don’t.
If you’re antsy or alarmed, ask a friend to check the message. Never panic. If you let emotions guide your decision, it will probably be harmful.
Haste is another enemy that scammers try to trigger. Read the communications carefully. Twice. If your credit card was actually charged, you have weeks before the bill is due—plenty of time to clean up the mess.
A second federal law, the Electronic Funds Transfers Act (EFTA), governs debit cards, and the protections here are slightly different. With debit cards, funds instantly leave your account.
Financial institutions get up to two weeks to restore funds after an investigation. Not great news if your rent’s due tomorrow. That’s one reason why some data security experts prefer the more robust protection of credit cards. EFTA covers online usage, payment transfers like Zelle and ATM withdrawals.
If you know the worst that could happen and can fix it quickly, you’ll worry far less about scam texts and other deceitful transactions, giving you time to react and make a sound decision. You’ll sleep better, too.
Be aware of other warning signs
Hackers don’t have graphic design degrees, but they know how to imitate genuine websites, and the communications customers will recognize. Watch for these tricks:
- Hackers will imitate the design and color scheme of Amazon, Walmart, Facebook and other genuine firm communications you might expect
- Check for oddities in the communication, including a return email address that doesn’t look quite right. It may be customersupport@amazoontactics returns.com, and a hasty individual sees “consumer support” and the first letters of Amazon, then clicks.
- For bogus texts, check the return phone number. Often it’s missing a digit or two, so you cannot call the sender. You can only click.
- Don’t count on “External Sender” warnings from Outlook and other mail programs to protect you from spam; these can be easily disabled.
IDShield monitors user emails, phone numbers and other vital data that con artists love to exploit. If we detect an email where it shouldn’t be, you’ll receive an alert, but tracing this sort of compromise back to the source can be difficult.
You can also check out haveibeenpwned.com, a website run by security researcher Troy Hunt in Australia. He knows a great deal about pwnage a.k.a. hacking. Hunt manages a massive database of compromised emails and passwords. The website recently added those 32 million compromised phone numbers in the wake of that recent Facebook leak. Even the FBI shares data with his site.
Of course, there’s the occasional legitimate message to confound your efforts in detection, like this one Twitter distributed in April 2021:
“Some of you may have recently received an email to “confirm your Twitter account” that you weren’t expecting. These were sent by mistake and we’re sorry it happened. If you received one of these emails, you don’t need to confirm your account, and you can disregard the message.” Twitter Support (@TwitterSupport).
It’s far better to suspect a legit communication than to trust a scammer’s message. In this Twitter case, the risk did not demand haste. So keep calm, sleep well and guard your data.
IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.