
Why Telcos Don't Deserve My Trust

We received an SMS the other day from Vodafone. This is the exact text:

Hi from Vodafone. There is some critical info missing on your account! Pls call us on 1555 within 24 hrs to fix it or we may have to disconnect yr service

That was it.

Context:

All required details were provided at the time of connection.

The phone is a pay as you go, recharge type account.

It has been connected and operating for 2 years continuously.

I no longer use the credit card recharge facility since Vodafone's 3rd party payment provider went bankrupt and service ceased.

1. I ask myself what details they could require that they don't already have? My credit card details? Personal details that they don't really need? Why suddenly now?

Alarm bells? Not quite yet.

2. I ask myself can someone attack my phone and redirect me to a phisher's number when I dial 1555?

Answer to self: well, of course they can; they can hack the phone company or the routers or my local cell. The fact that hackers are siphoning people's phone accounts through hacking and viruses springs to mind. What about targeted mobile phishing attacks?

Alarm level rising.

3. I re-read the text and decide that it is just too customer-unfriendly to have ever come from a successful multi-billion dollar corporation. More likely from a semi-literate hacker in a third world country, like spam used to be - a dead giveaway. Like typical phishing scams, preying on (in this case) fear: your service will be disconnected within 24 hours.

I'm fairly convinced by now that it is suspicious. Perhaps I'm just overly paranoid because of my interests.

I decide we'll call 1555 and play it by ear, not planning to give out any personal information.

I get a message saying all the customer service operators are busy right now and your call is being placed in a queue... something like that. Then a second later, presto, a foreign-sounding voice, from a different foreign country than I am used to hearing at Vodafone (although I occasionally get a local); in this case the voice was decidedly Slavic or Nordic or from somewhere in between.

I'm not sure about this.

I am asked for my phone number.

Alarm Bells Go Off.

Surely when I call the carrier the phone is with they can tell which number I am calling from - haven't they heard of caller ID? When I later called their senior CRM fellow on his mobile, my number certainly came up on his phone!

Does that mean that all that is needed is some personal data about someone to call up Vodafone and change their account, merely by telling the operator that you were the intended victim and quoting their phone number? From any phone?

I was later told that they would look into the text message, but that it was likely abbreviated to shorten it to 1 SMS. Save money? Seems like false economy to me. Vodafone's cost for an SMS must be less than the value of a pre-paid customer paying premium rates.

I didn't have a lot of faith in the CRM guy's assurance that the text must be from Vodafone if it says Vodafone in the 'from' part of the message, and that no-one could divert my handset to another number inside their system. Maybe they don't use Cisco routers, for instance.

I respond that I can only assume that a phone company whose call centre isn't able to tell what number I'm calling from either doesn't trust their call centre, isn't capable, or is just plain unworthy of any faith. At the very least the call centre is operating in the dark. A phisher's paradise and social engineer's playground.

Well, I guess that's the end of Vodafone. I didn't even need the threatening SMS ('you're not worth a second SMS or even a call'); the security and privacy hazards are enough to convince me. Are they that broke that they have to abbreviate 'your' to 'yr'?


PS. I note that calls to 1555 are not free.
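Added example, not part of the original post and not Vodafone's code: a small Python scorer for the SMS-phishing indicators the post is reacting to (a deadline, a threatened penalty, a demand to call a number, text-speak, a link), run over the message quoted above and two samples constructed here. It deliberately takes only the message body: an alphanumeric SMS sender ID and caller ID are both trivially spoofable, so "Vodafone" in the 'from' field is not evidence of origin. The two extra sample messages, the regexes and the threshold of 3 are assumptions made for this example.

```python
import re

# Constructed sample messages. "vodafone_sms" is the text quoted in the post;
# the other two are made up for this example and do not come from the page.
SAMPLES = {
    "vodafone_sms": (
        "Hi from Vodafone. There is some critical info missing on your account! "
        "Pls call us on 1555 within 24 hrs to fix it or we may have to disconnect yr service"
    ),
    "benign_recharge": (
        "Your recharge of $30 was successful. Balance: $30.00. Thanks for using Vodafone."
    ),
    "constructed_phish": (
        "ALERT: Your account has been suspended. Verify now at "
        "http://vodafone-secure.example/verify or lose access in 2 days"
    ),
}

# One point per indicator that fires. The sender ID is intentionally not an
# input: alphanumeric SMS originators and caller ID are spoofable, so they
# carry no weight as authentication of who sent the message.
INDICATORS = {
    # "within 24 hrs", "in 2 days": an artificial deadline
    "deadline": re.compile(r"\b(within|in)\s+\d+\s*(hrs?|hours?|days?)\b", re.I),
    # threatened penalty for not acting
    "threat": re.compile(r"\b(disconnect|suspend|terminat|block|lock|clos)\w*", re.I),
    # instruction to do something right now
    "call_to_action": re.compile(
        r"\b(call|ring|txt|text|reply|click|visit|verify|confirm|update)\b", re.I
    ),
    # abbreviations typical of bulk/cheap messaging rather than corporate copy
    "txtspeak": re.compile(r"\b(pls|plz|yr|ur|u|thx)\b", re.I),
    # a number to call back, e.g. a short code such as 1555
    "callback_number": re.compile(r"\b\d{3,6}\b"),
    # an embedded link
    "link": re.compile(r"https?://|www\.", re.I),
}

THRESHOLD = 3  # assumed cut-off: three or more indicators => treat as suspicious


def score(text: str) -> dict:
    """Return which indicators fired for a message body and the total count."""
    hits = {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}
    return {"indicators": hits, "total": sum(hits.values())}


def is_suspicious(text: str, threshold: int = THRESHOLD) -> bool:
    """True when the message body trips at least `threshold` indicators."""
    return score(text)["total"] >= threshold


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        result = score(msg)
        fired = [name for name, hit in result["indicators"].items() if hit]
        verdict = "SUSPICIOUS" if is_suspicious(msg) else "ok"
        print(f"{label}: {result['total']}/{len(INDICATORS)} {verdict} {fired}")
```

The quoted carrier message trips five of the six indicators, more than the constructed phish does; the benign recharge receipt trips none. That is the practical point behind the post: a recipient has no way to tell a genuine message from an attack by looking at it, so the safe response is to ignore any number given in the SMS and call back on the number printed on the bill or published on the carrier's own site.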


Comments: (2)

John Dring - Intel Network Services - Swindon, 31 January, 2009, 01:03

Sorry Dean, did they really spell Vodafone as Vodaphone? Assuming that's your mistake (and a common one).

Don't forget that the CSR who txt'd you is just human, and not a marketeer, so abbreviating to yr is not such a crime - it's modern day.

I had a very similar experience with a vmail from my bank which I logged here a couple of days ago. It was my bank, but it was also pretty poor. https://www.finextra.com/community/members/PreviewComment.aspx?c_id=2195

A Finextra member, 01 February, 2009, 06:08

Thank you for pointing out my error John. It is VODAFONE.

Their systems, like those of very many service providers we use testing our systems, are actually increasing the risk of phishing and phone scams.

Any system where I cannot authenticate the party I am exchanging information with is just plain asking for trouble.

The time where the mobile has been escaping the attention of serious exploits on a large scale has come to an end and we are now seeing some serious threats out there.

I know that without Bluetooth and Java and web browsing on your phone you are relatively safe, except from perhaps evil twin attacks; however many services (some not quite essential) require these phone features and the mobile becomes just like any other internet connected device - wide open to attack.

I suppose it represents another huge market for the snake-oil salesmen.

I note that in the last 12 months we have seen DNS spoofing, Border Gateway Protocol manipulation, SSL spoofing .... the list goes on, but the obvious conclusion is that we have been fed a bunch of falsities about the internet being safe or secure especially if you use X brand snake-oil.

No doubt mobiles will be just as safe with their version of snake-oil. Totally insecure, unsafe and really wide open to industrial espionage, hacking and providing a feast for fraudsters.

I still wonder what details are mysteriously 'missing' after 2+yrs on that Vodafone account, but not enough to call and ask. There has been no address change by the account-holder for instance. I just don't think I trust them enough to want to do business with them anyway. If they disconnect the service so be it. I'm sure that their competitors will be happy. Perhaps a certain lawyer could be too.


This post is from a series of posts in the group:

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.
