Somebody generated an accurate credit report for me and used it in a phone phishing scam. They put on a worthy effort.

My phone rang at 2:09 PM on Thursday, May 2, 2024. The Caller ID said “CHASE,” all uppercase, with phone number 800-955-9060. The caller, with a thick Indian accent, said somebody used my Chase credit card to spend $710 with Amazon and $191 with somebody in California. He said the California transaction was probably fraudulent because I live in Minnesota.

Nice touch. Insert a hint about where I live to grab my attention and boost credibility.

I told him the Amazon transaction was also fraudulent, and we should cancel this card and send me a replacement. All standard stuff, even if it was unusual that a credit card company would do an old-fashioned phone call in 2024. But not unheard of.

Phone phishing prime target

My attacker had no way to know this, but I was primed for a phone phishing call. Several days ago, somebody called about an Amazon shipment, claiming the driver could not find my home address. But before giving me any additional information, the caller wanted the name on my Amazon account. I was not expecting any Amazon shipments, and since Amazon had never had trouble finding me before, why would they have trouble now? The call felt like a phone phishing scam and I asked him to give me something to show he really was from Amazon. I may have been just a little too blunt.

He said he would email me instructions on what to do and hung up. Yeah, right. No email came and I told all my social media friends about a scary new deep fake scam mated with a realistic LLM (large language model) to impersonate Amazon.

Next day, Cynthia from my Trafficking U publisher, Winged Publications, forwarded an email Amazon had sent her about the shipment of Print on Demand (PoD) copies of Trafficking U I had ordered. A couple digits in my home address were transposed, and Amazon called me by mistake instead of Cynthia. That Amazon call really did come from Amazon. We cleared it up the next day.

The phone phishing call

So, when Thursday’s call came in, at first, at first I ignored my skepticism. Until the caller said, “I see a red check mark by your Social Security Number. Okay? That is bad. It means somebody stole your identity. Okay?”

He also said my my debt to income ratio was high and that could be because identity thieves are opening credit accounts in my name, because my Social Security Number has a red check box. Okay?

Okay, I said. When somebody says okay too many times, it often means the high pressure sales pitch is coming.

He gave me an official case number, MN2652426, and offered to transfer me to the Consumer Protection Financial Bureau, where they would take care of me.

Sure, why not?

Mark’s turn with me, the mark

The phone rang and somebody else with a not-so-thick Indian accent answered and said his name was Mark Wilson. “Mark” asked me for a case number. I gave it to him and he rattled off all my credit card balances.

This was where the call got scary. Last summer, we built an expensive deck and took on a bunch of other expenses. We paid for it with interest-free credit card loans. “Mark” knew how much we owe all of our credit cards.

“Mark” told me the credit card companies sold my information to identity thieves, who stole my identity, and his bureau could make them cancel forty percent of my credit card debt.

Not a bad gig. But I needed to know more. I asked him how far behind are my payments?

He said our payments are all current. Which is accurate. Somewhere in the conversation, he said his program would temporarily lower our credit rating by a few points, but this would not be a big deal because we have an excellent rating. I wondered, why would he say that? As I compose this blog post, it just now hit me. Duh! My credit rating would drop because these guys wanted to use my credit cards to steal a bunch of money in my name.

Time to get down to business. He asked me for the last four digits of the first credit card to attack.

Enough was enough

Right about here was where I ended the call. I’ve seen videos of people play-acting to keep scammers busy for hours and hours and hours, but that would also keep me busy for hours and hours and hours, and every interaction risks saying something stupid. Enough was enough.

I told him I didn’t feel comfortable giving him those last four digits and asked if we could continue this later. He said asking to do it later is really a polite brushoff, and if I didn’t want his help, I could fight this on my own.

Follow-on

After we hung up, my phone rang off the hook with spam calls. I know cell phones don’t have hooks. Maybe the expression reveals my age. I counted fifteen spam calls the next day, about triple the usual volume.

Immediately after hanging up from that phone phishing call, I called the Chase Bank toll-free number and told them the story. Nobody from Chase had called me. Somebody out there with real consumer information is impersonating Chase.

Time to get proactive. I called Experian at 888-401-0550 and talked to a helpful live person who spoke American English as a native language. We decided to freeze my credit. Nobody can start any credit activity with Experian unless I contact Experian and okay it. I have to renew this every year. They gave me the phone numbers for the other major credit reporting agencies, Equifax at 800-203-7843, and Trans Union at 800-916-8800.

I navigated the Equifax automated voice response system to talk to a live person. We talked about options around monitoring and freezing my credit. I decided to freeze my credit with Equifax, and then they tried to upsell me on a monitoring program for $19.95 per month. I declined. The Equifax freeze renews every year.

The Trans Union automation was less friendly than Equifax. I pressed a wrong button the first time through. It would not let me navigate back up the phone menu tree and eventually disconnected me. I called back, found a live person, and we froze my credit with Trans Union. They said the Trans Union freeze would last forever; no need to renew it.

Now what?

I did not need to work hard to convince any of the credit reporting agencies that I’m me. That bothers me. I learned that anyone who knows my name, Social Security Number, home address, and date of birth can impersonate me and request a credit report. That also bothers me. That’s how the crooks who run this phone phishing operation got my credit report. After more than twenty years of data breaches, and especially after the Equifax data breach, my Social Security number, name, birth date, and home address are available on any number of underground websites.

How do we fix this problem? I made a video proposing a solution back in 2017, shortly after the Equifax breach that exposed 150 million American Social Security numbers. Too bad nobody looked it it.

Most of my my phish collection blog posts show email screen shots with brief commentary and a grade. This phone phishing scam deserved more space. I give it a B+. Enticing me with my own credit history was a nice touch, but the callers could have been more convincing.

For more phishing samples, see my phish collection. Don’t phall for phone phishing.