A sucker is born every minute, but this time it won’t be you, because you won’t let a scammer talk their way into your Venmo account. You’re better than that, and you can recognize the phishing attempt described below for what it is.

How This Phishing Scam Works

The attacker somehow gets your email address and phone number, probably from one of the countless data breaches that happen regularly. They then initiate a password reset request with Venmo, and call later trying to convince you that you have been hacked and that you should change your password to one they suggest.

Here is the full story, courtesy of the Reddit user who posted it:

It started around noon. I received an email stating that someone tried to reset my password. I ignored it.

Hours later I got a call from someone pretending to be from Venmo, sounding very professional. They said there had been a breach of my account and asked me if I had approved a payment for a few hundred dollars, and that I should have gotten an email about someone trying to get in and that they were successful. Of course I said no and was a little alarmed for a second, but decided to play along.

They tried to forge Venmo’s number, I think. All but the last digit of the number was the same, I know because I googled it on the phone.

What really got me off was that they said I had to reset my password to a password they gave me in order to undo this “fraudulent charge”. At this point I decided to play dumb and mess around with them a bit, kept them on the phone for a good 5-10 minutes pretending not to know the app’s layout and trying to do what they said. I eventually got bored and told them I knew it was a scam. The man got angry and hung up.

It was obviously a scam in the end, but I’ve never seen one work out this way. They prepared by resetting my password so I would get an email and be on alert, then called later as if a breach had indeed occurred.

There are a number of red flags in this scenario that should make the scam obvious to savvy readers, although not everyone is that level-headed in the face of a phishing attempt, and I can absolutely see people getting worked up when they encounter it and not thinking it through.

Illustration for article titled Dont Trust Phone Calls from Venmo or any other service


Be careful if you receive a password reset request

For starters, any time you get a password reset request out of the blue, be on high alert. At the very least, you should be wary of any communications or messages related to that service for the next few days – whether that is the “company” contacting you for clarification, emails asking you to click a link to change your password, or anything in between.

When in doubt, remember that you are in control of your interactions with a site or service. Instead of clicking on a link in an email purporting to be from a specific company, go to the app or service on your phone or web browser as you normally would, log in, and reset your password the old-fashioned way if you feel you need to. Also, if the service offers it, check whether other devices have recently signed into your account, and set up two-factor authentication while you’re there.

Basically, do not act on a prompt, because that prompt may be a scam. You can edit your security settings at any time through the settings of an app or service. You don’t need anyone or anything to send you there. Just open the app or website yourself.


Be careful with a “company” calling

I’ve been into technology for nearly 15 years and I can’t tell you the last time a company called me to discuss the details of my account. Google doesn’t call me when someone tries to reset the password on my Gmail account. Facebook has better things to do than ask me whether I’ve enabled 2FA. I’m verified on Twitter, but they have never felt like talking to me about the security of my account.

I’m sure there are exceptions, but in general companies won’t call you to talk about your account. You’re just a minor blip in their systems – one account among potentially millions (or billions) that they simply won’t notice – and they most likely won’t contact you in person to discuss it. An automated email, sure, but a phone call? Unlikely.

When someone claiming to be from a company contacts you for information about your account, you do not have to answer questions about your passwords, payments, or other sensitive matters. You can contact the site or service yourself to confirm that the person’s communication (and request) is legitimate. In other words, if “Amazon” calls you and asks you to change your password over the phone, hang up and contact Amazon customer service to see whether it was a valid request. (Or really, in that case: hang up and just change your password yourself. You don’t need anyone’s help.)


Don’t accept someone else’s password

And this is the big one: if a company contacts you about some aspect of your account and wants you to do something about it, think twice before making that change. Would an online retailer really want you to change your password to something they provide? Would they really ask you to turn off two-factor authentication, or make some other change to your account that makes it easier, not harder, for someone to take advantage of you? If so, spoiler: someone is trying to take advantage of you.

As I said, this probably all sounds like boring, obvious advice to the savvy tech user, but I’m thinking of my parents as I write this (and my less tech-savvy friends), who could easily be scared into doing something they shouldn’t because of a supposedly compromised account. I get it – it can be frightening to believe someone has broken into a primary account you use, especially if it is a financial service. (Take my Gmail, not my money.)

When in doubt, remember that you don’t have to do anything someone or something suggests. Treat the situation as advisory, verify that it is authentic, and take the usual steps you would otherwise take to secure your account yourself – if any are needed at all.