There’s a new scam around that’s taking advantage of PayPal’s new payment system, Zong. While Zong itself seems to be absolutely above board, the fact that it’s new and that not many people know about how it works gives fraudsters an immense opportunity to scam people out of considerable amounts of money.
First off, let me give you a quick rundown on how Zong works:
- If you want to buy something from a vendor that uses Zong, you press the ‘Zong’ button and enter your mobile number.
- Zong sends you an SMS with a code. You enter the code online, and the purchase is complete.
Sounds pretty good, doesn’t it?
Now imagine this: You get a friend request on Facebook, or some other social network. It’s from somebody you know well. OK, maybe you’re just a leeeettle suspicious, so you take a look at their profile first, but it looks good, so you go ahead.
Some time later, you get a message asking you for your mobile number (“Sorry, I lost it, my dog ate my phone” etc.). Then you get another message, telling you that you should have received an SMS with a code, and could you please tell them what that code is?
Can you see where this is going?
The scammer has, of course, just bought tons of stuff online, using Zong and the mobile number you so helpfully supplied. If you now give them the code, they can complete the transaction – and you’ll find out just how much they spent when your next phone bill arrives.
Now, the reason this scam works so well is that the messages seem to come from a trusted friend. Why shouldn’t you give them your number – you’ve known them for years, for goodness’ sake! Why would they try to do something like that?
The answer to that is that, of course, they didn’t. But they were a little careless with their online identity. Some social network profiles are horrendously easy to duplicate if you make your profile settings public. Your pictures are public? Identity thieves can just help themselves. Your friends list is public? See the scammers twirl their handlebar mustaches in glee! Now they have all they need to create a duplicate profile that looks almost identical to the real one. Next, messages to all the friends. “XYZ network has done something weird with my friends list, can you add me again?”
And sure, we all know social networks get flaky on a regular basis. A quick look at the profile, yes it’s them sure enough, no danger there, let’s do it. Identity theft made easy.
And the morals of the story?
- Take a look at your profile settings and hide everything from public view that the public doesn’t absolutely need to see. If you’re running a business you may have to make more information public – after all, you don’t want to hide things from potential clients – but your friends list at least should be hidden.
- Check your profile on a regular basis. Some social networks have this annoying habit of changing the privacy settings on profiles without telling you.
- To quote Agent Mulder: “Trust no one.” If you get mysterious messages from a friend, find out exactly what’s behind it all. “I’ll tell you later,” is not an acceptable answer. A real friend shouldn’t take offense if you ask them to explain before you do anything.
My thanks to Mimikama for this information. You can find the original article in German here.