Client keeps contacting me over his identity theft...

[thecomputerguy]

I'm not sure if this is even I should be responsible for addressing as I have really no experience or authority regarding Identity theft.

A REALLY good client of mine who is on a big-time MSP monthly bill has called me to have conversations about how he keeps getting hit with fraud. He's had to replace his cards a couple of times, he's been notified of attempted account openings under his name. I do know that his email system at O365 is fine (MFA), and I regularly check sign in logs and see nothing to be worried about.

I just told him all I really know about it is that if your vital information gets leaked by some third party and they get ahold of your SSN, DoB & Address, that's about all they need to commit fraud.

He asked about monitoring services but I personally don't have a lot of experience in that so I couldn't give him any advice there.

He went ahead and signed up for Norton LifeLock and now he's calling me again because he is getting Alerts every week from Norton about attempted account openings at Payday lenders and Cell phone stores.

The last issue to happen was they got a legitimate bill from one of their legitimate vendors for something they didn't buy. Thankfully it was a small item but it made no sense. The item they purchased was basically like the Amazon Prime version of this vendor. It qualified my client for free shipping for the year. What's the point of this type of fraud? They are attempting to upgrade my clients business account for them?

My client was about to pay by check when the realized that no one meant to purchase this. When we look it up online at the vendor it shows that it was a WEB purchase, which is NOT how this client normally purchases. It shows it was purchased by someone who created an email to impersonate my client. Instead of like johnjamesdoe@contoso.com they created a johnjamesdoe@gmail.com. It had a phone number listed and when that number is called a guy named "Steve" answered the phone, spoke perfect English and he had no idea what the heck was going on either other than he himself had ALSO been receiving calls from payday lenders looking to approve loans for my client or John James Doe.

Steve was also very confused and didn't know how to stop these calls.

I haven't had a chance to call the vendor and ask them how in the hell they approved a purchase when it didn't come from my client, it wasn't how they normally ordered, it didn't use my clients email, it didn't use my clients phone number but yet they still got invoiced for it.

The vendor is a reputable Fortune 500 company so I doubt they are in the scamming business - https://www.grainger.com/

What if anything is my responsibility here?

 

[Metanis]

This may be one of those times where you have to "take one for the team".

First priority would be to make sure his email accounts are truly locked down. If the bad guys can read his email then he is well and truly hosed.

Check his Microsoft profile and ensure there are no questionable logins. If necessary go through the steps to tighten his security. Review his business practices and try and find if he's left any back doors open. The thieves have some reason to believe this guy is worth investing their time. Although they will eventually give up if they keep getting blocked. Hackers work on a commission basis, if there is no commission they'll find an easier mark.

Report the Gmail address to Google as a scammer. If possible try and take control of it. Try and implement johnjamesdoe@outlook.com and the yahoo equivalent and any other email domains you can think of to block the hackers from using similar attacks.

Let your customer know you're going above and beyond the terms of your agreement and perhaps they should use the Lifelock service to help in the process. Gently try to offload the Identity crisis to the client and the Lifelock people.

 

[putz]

Other than checking the services you manage for the client (as outlined in your service agreement), it's not your responsibility. If the client still wants you to help them, I would be hesitant. If Identity Theft consulting isn't a service you offer and don't claim to be an expert in it, the client maybe dissatisfied with the outcome once they are hit with a bill. Then its ultimately time lost on your part if they don't pay.

One of the best things you can do, and most people should do it, is put a freeze on your credit at all 3 major credit agencies.

What To Know About Credit Freezes and Fraud Alerts

Credit freezes and fraud alerts can protect you from identity theft or prevent further misuse of your personal information if it was stolen.

consumer.ftc.gov

I did it after T-mobile got hacked for the millionth time.

 

[britechguy]

If Identity Theft consulting isn't a service you offer and don't claim to be an expert in it, the client maybe dissatisfied with the outcome once they are hit with a bill. Then its ultimately time lost on your part if they don't pay.

That's the least of it, as far as I'm concerned. If you take on this responsibility, you have literally taken on this responsibility, and it's an unforced error if you do.

Identity theft should not be something that any one of us takes on if we did not market services specific to this to begin with. Fault almost always lies with the individual, or chance. I've been part of T-Mobile, Anthem, and Equifax breaches and never had any issue (and I did freeze my credit and accept identity theft monitoring). My partner, by contrast, has had his credit card numbers pilfered on at least 8 to 10 occasions, and I know the card has never left his possession in each case. We just had our latest go round in the last month, with a charge being made somewhere we've never even been.

 

[thecomputerguy]

This may be one of those times where you have to "take one for the team".

First priority would be to make sure his email accounts are truly locked down. If the bad guys can read his email then he is well and truly hosed.

Check his Microsoft profile and ensure there are no questionable logins. If necessary go through the steps to tighten his security. Review his business practices and try and find if he's left any back doors open. The thieves have some reason to believe this guy is worth investing their time. Although they will eventually give up if they keep getting blocked. Hackers work on a commission basis, if there is no commission they'll find an easier mark.

Report the Gmail address to Google as a scammer. If possible try and take control of it. Try and implement johnjamesdoe@outlook.com and the yahoo equivalent and any other email domains you can think of to block the hackers from using similar attacks.

Let your customer know you're going above and beyond the terms of your agreement and perhaps they should use the Lifelock service to help in the process. Gently try to offload the Identity crisis to the client and the Lifelock people.

The my sign ins section shows no successful sign ins from illegitimate sources. There are a couple failed login attempts from bad IP's but nothing is successful.

Devices listed on his My Devices page are correct. Only two devices and they are both his.

Security info shows no additional authentication methods added to his account.

His password he provided to me so I could login to his account is a complex randomly generated 12 character password including upper, lower, number, symbol.

Account is protected by MFA.

Azure sign in logs show no successful bad sign ins... a couple of unsuccessful sign ins failed similar or identical to the my sign in's section.

OWA shows no rules created.
OWA shows no forwarding.
I exported his Outlook search history and it all looks legitimate so nothing is being searched for in his mailbox.

So ... I'd say there is literally nothing here then would indicate any external access to his account.

 

[nlinecomputers]

Someone may have cloned his sim card on his phone. He needs to talk to his banks not you. Change account numbers. Someone, like a close relative that he doesn’t suspect has access to his accounts.

 

[Markverhyden]

The reality is if a "customer" falls for a scam they on the easy picking list for years to come. Nothing you can do about it. Certainly don't rely on the institutions to do the right thing. Set up alerts on everything and at relatively low values.

Customer called me in a panic. It was the end of the month, July, so she logged, BoA, in to manually reconcile everything as she always does. They keep a balance in the mid-10k range. Most transactions are in the k range with an occasional payroll into the low 10k range. Handful of electronic payments, all scheduled online bill pay directly with the company. Comcast, etc. Someone had made a successful withdrawal through some fly by night outfit called Finzeo using P2P. The amount was 20-30 times greater than their next largest transaction. The customer has never used P2P. Caught within 30 days so the bank as to make good. 5 days later another one in the in the high 10k range. I tried to get the owner to question the bank but be he just doesn't want to deal with it. When I went in to check their notifications incredibly the second P2P should have produced a notice but didn't.

Personally I've had calls from my CC provider as well as banks several times for attempted fraudulent transactions. At the end of the day our information trickles out in all kinds of ways. I picked up a Visa from Chase many years ago. Have never done anything with Chase before and did not use the card for some time. Yet within 30-45 days I started getting emails with the fake account security things.

While these are far worse than telephone sales people I've just come to accept scammers as part of the landscape. And tell my customers the same. Engage in due diligence and make like a duck.

 

[timeshifter]

Finzeo using P2P

What do you mean by P2P? A bank to bank transfer?

 

[britechguy]

What do you mean by P2P? A bank to bank transfer?

One could look at it that way. It's just peer-to-peer, and payment apps can do this. Zelle is considered to be peer to peer payment, even though it's an intermediary from one bank to another.

https://duckduckgo.com/?q=P2P+transfer

There's no "truly short" answer to what P2P means, in practice.

 

[Markverhyden]

What do you mean by P2P? A bank to bank transfer?

Just what it stands for. Search DES : P2P without the spaces. For some reason colon P, , is a smiley face! LOL!!!!
. Peer to Peer. See pics below. You can google the various fields to understand what they mean. Another incredible thing is the website they used for my customer is actually not their website. Search Finzeo Web. Screams of fraud.

 

[Markverhyden]

One could look at it that way. It's just peer-to-peer, and payment apps can do this. Zelle is considered to be peer to peer payment, even though it's an intermediary from one bank to another.

https://duckduckgo.com/?q=P2P+transfer

There's no "truly short" answer to what P2P means, in practice.

P2P requires institutional access unless the transfer is within the same financial company.

 

[britechguy]

@Markverhyden

I'm not attempting to start a flame war here, but the "requires institutional access" part does not seem to be part of the definition as it's commonly used. There are tons of articles out there that say what this Forbes article, What Is Zelle And How Does It Work?, does: Along with PayPal, Venmo and other popular mobile payment options, Zelle is a peer-to-peer (P2P) payment solution that can speed up payments between you and your friends and family or help you manage your small business payments more efficiently—all without paying any fees.

Hence my 'no "truly short"' comment.