Thursday, July 5, 2018

Anatomy of a Scam: How "Verification Code" Scam Works

You should NEVER send ANY verification code you received to ANYONE ELSE. Verification codes are for you, the recipient, and you ONLY. A code verifies to the system that it is YOU who sent the request. By giving the code to someone else, you just gave AWAY a part of your online identity... and worse.

With that said, here's one way a verification code scam can work:

If you post anything for sale on Craigslist, you can be unwittingly enlisted by a scammer to be an accomplice, even if you don't accept the offer.

The scam usually goes like this.

A) You list something for sale on Craigslist. It doesn't matter what.

B) You get a text reply that goes roughly like this:

Scammer: I want to buy (insert product name). Is it still available?

YOU: Yes it is.

Scammer: I sent you a verification code from (X). Prove to me you are real by sending me the code.

(X) can be Google, Yahoo, Craigslist, Microsoft, etc.

C) A few moments later, you get a text message from a "short code" (4-6 digits only, not a phone number) or a phone number. It may or may not be in English, but it does contain a verification code.

At this point, you should cut contact with the scammer. 

The scammer is registering a new account on (X). However, instead of entering their own phone number for verification, they entered YOUR phone number. Thus, (X) is verifying that the request came from you, not the scammer.

If you give the scammer the code, you have linked YOUR phone number to the scammer's account. You have also enabled them to get an account they shouldn't otherwise be able to get.

This has various consequences when the scammer's account is eventually banned for scamming. You will be unable to register for any new accounts on (X) using that phone number. In the worst case, police may track you down instead, and you will have a hard time explaining why your phone number was used to register a scam account.

The effect of this differs by service.

On Craigslist, the scammer can now post ads for 90 days without further verification. And in the future, should you want to register on Craigslist, you may be blocked from doing so.

On Google, this can enable them to obtain a Google Voice number (for phone calls and text) and Gmail address.

For Yahoo and other email services, this allows their registration to go through.

So don't fall for this scam within a scam. 



NOTE: Edited 11-DEC-2018 for wording and link to Kaspersky blog entry