A while ago, I got a phone call from my teenage son. At least that’s what my Caller ID said.
It was vaguely possible he was calling me, even though he was in his room on the other side of the house. (Because — teenager.) But it seemed highly unlikely, since his cell phone hadn’t been working for about two weeks. He’d dropped it down the stairs right before that, and I’d been too busy to get it looked at, especially since he had only left the house once since mid-March. Maybe a loose wire it had fixed itself, I figured.
I was a little surprised to hear a woman on other end of the line, and more so when she said she was returning my call to her. I certainly hadn’t called her. Just in case I’d accidentally dialed someone by mistake, I checked my phone’s call log. I hadn’t called anyone recently. I had, however, accidentally hit my son’s phone number when I went to message him an hour or so prior, resulting in a half-second of the phone line ringing before I hung up.
I asked her what number she was calling from, since I couldn’t see the number that had come up on her call — just the Caller ID with my son’s name on it. Had a number gotten mislabeled? The number she gave me was indeed listed under his contacts in my phone. It was weird, but he’d had a different phone, carrier and number a year or so prior, and I hadn’t ever deleted that number out of my contacts. She must have gotten his old number, I figured.
(Here’s where I admit I stopped memorizing phone numbers a decade or two ago, when phones all had 20+ numbers they’d memorize for you. I’m using the excess storage space in my head for Irish verbs, glass beadmaking and guitar chords.)
I apologized for having rung her accidentally, telling her she must have gotten my son’s old number.
And I didn’t think anything more of it.
Until two weeks later, that is, when I got a very similar phone call — only, this time, it was a man calling, saying he was returning my call. I didn’t even remember making an accidental call this time. But, again, my son’s number came up on Caller ID. I chided myself for not having removed the old number from his contact information after the last call, when I had meant to do just that. Until I went to remove it (again) and realized that I HAD removed it after the last call. Both calls had come in under his current number, not his old one.
And that was the moment I knew I had a larger problem than a teenager with a broken cell phone.
I immediately checked our cell phone usage online, discovering a slew of data usage, and text messages and phone calls to numbers I didn’t recognize, all in the weeks since his phone had stopped working. Since he’d complained of not having data service on his phone while it was broken, I knew none of that activity was him.
I then called up our mobile phone carrier, telling them I had received a call from my son’s number, with strangers on the other end, and his phone still (apparently) broken, and that I’d found a bunch of activity on his line that I knew wasn’t him.
The first person I spoke to dismissed the problem as one of “spoofing.” I run into a lot of circumstances where tech support people don’t realize I’m pretty good with technology and insist the explanations for tech problems are simpler than I already know they are. I know exactly what spoofing is (putting up a fake number on Caller ID to hide the identity of the caller or steal an identity from the real owner of the phone line), and this wasn’t it, especially with the inexplicable usage on my son’s account in recent weeks.
He wanted to report the spoofing to their fraud department and told me not to worry about my account security. It was a common but relatively harmless problem. But I persisted until I managed to speak with someone who understood what was really going on. From there, I got transferred to the carrier’s fraud department, where they confirmed what I had feared — someone had, weeks earlier (not coincidentally about the same time my son’s phone stopped working), gotten access to our account and had taken the SIM number assigned to my son’s phone and moved it to a different phone.
They had functionally stolen my son’s cell phone account and had been using it for nearly a month, all while I footed the bill.
The fraud department quickly blacklisted my son’s number, the SIM number and the device that had appropriated it. Problem solved. Halfway. The other half of the solution involved taking his (apparently working) phone to a local carrier store and getting a new SIM card assigned that could then be restored to our account. It took a little while, but it got done. And all was back to normal.
Except, when I got back in my car to head home, I got a phone call. On his phone. From a number I didn’t recognize. I answered it.
“Who’s this?” the caller demanded. “The person who’s phone number was stolen by the person you’re calling,” I replied. “We’ve taken it back and filed a fraud report. You might want to talk to them about that.” I hung up.
An hour later, we’d received several more calls from numbers we didn’t recognize. At least one of those callers was very angry with the person they thought they were reaching at my son’s number, leaving us with the impression that the fraudster was up to no good on a number of fronts and had probably stolen my son’s number to hide his illicit activities behind.
At that point, we changed the outgoing voicemail message to note that the phone number had been stolen, that it was now reclaimed, and that anyone trying to reach the thief should contact them via some other means. And we stopped answering the calls. They soon stopped.
Lessons learned the hard way
Now, there’s a couple lessons to take away from this story: (1) If your cell phone suddenly stops working, especially if you haven’t dropped it recently, don’t wait to get it checked out. (2) Checking your call/text/data logs online may not seem important if you’ve got an unlimited plan, but you still should be doing that, and probably more often than just when a new bill is issued. (3) If you haven’t set a passcode on your voicemail, do it now.
The carrier advised me that that’s the most common way for someone to gain unauthorized access to your account — they can call in to the voicemail system, enter in your number for the voicemail account information and then use the system’s back-end to connect to customer service, where, for all intents and purposes, the call appears to be coming from the number associated with that voicemail account. They can’t get that far if they can’t get past a passcode prompt. So, if you haven’t taken a minute or so to set up your voicemail properly, now’s the time.
I don’t know how long this would have gone on if the phone thieves hadn’t been stupid enough to call the victim’s mother — and the owner of the account — back, or if I hadn’t thought to check our account usage online.
For us, this was an inconvenience of a couple weeks spent without one of our cell phones at a time when we least needed it, and a couple hours to resolve the situation. With the fraudulent activity noted on our account, nothing that person got up to with my son’s number comes back to haunt us. Lesson learned.
The grandparent scam
Meanwhile, I was also on the receiving end of a few calls from my father that same week, most with a theme of “This person called, and he said he was my grandson, and used his name, and it sounded sort-of like him, and he said he was in trouble. Is he there? Is he OK?”
This is not the first time this has happened. It’s a classic “grandparent scam.” And, thankfully, my father is smart enough to call me to confirm his suspicions that such calls are not legitimate. He gets a little anxious about his grandson, so he calls every time, just to be safe. He talks to my son and is reassured, and we move on.
What was unusual that week was the frequency and timing of the calls — several in as many days. Somebody had clearly targeted him. That was probably the wrong thing to do.
My father does tend to call me on another line when this happens, to confirm my son is OK, but he’s usually still on the line with the fraudster at the same time, and he has a habit of drawing out his special brand of torture for scam callers, engaging them in a long and twisty road of thinking they’ve almost got him on the hook, only to have him suddenly act confused or skeptical, then (apparently) giving in, only to leave them on hold for 10 minutes or telling them to call back after he’s had a chance to go to the store and buy that iTunes gift card they said would cover the cost of their fake tech support service, and then starting the process all over again, until he gets bored and calls them out on their scam and hangs up.
This is not what police advise you should do when getting a scam call. (It may, however, be somewhat entertaining.) What police actually advise you to do these days is simply not answer calls from numbers you don’t recognize. Not from 800 numbers, not from apparently local numbers (remember that spoofing thing?) and not from blocked numbers or non-descript numbers or random out-of-area numbers. If someone is calling from a different number and really needs to reach you, they’ll leave a message, and then you can call them back.
If you happen to pick up anyway, don’t engage with such callers. Don’t answer any questions. Don’t even reply with a “yes” or “no,” which, while it may sound innocuous, could potentially open you up to other problems with fraud. (Any fraud attempt like this can be reported to police, but since they often originate outside the country, it can be hard to pursue legally.)
If the caller purports to be a utility company calling about an overdue payment, hang up and call the company’s customer service number directly. If the caller claims to be the IRS or law-enforcement, seeking you out for some sort supposed wrongdoing, recognize that such agencies generally don’t call to demand payment of fines or address legal issues — they’ll likely send you mail.
Be skeptical. Better yet — don’t answer the phone. Sometimes, I learned that week, that’s the best option even when you DO recognize the caller’s number. It could actually be a phone thief.