Journalist Kelly Rissman of New York City had advertised some furniture online with not so much as a nibble when “Jaree” sent a message via the OfferUp resale app asking if it was still available.
Jaree asked for Rissman’s phone number, then texted to say she would send a code that Rissman could text back to verify she was a real person.
Eager to get out from under storage payments for furniture she no longer needed, Rissman agreed. A six-digit code from Google arrived quickly, along with something written in Filipino. Had she translated it, Rissman would have discovered it said: “—— is your Google Voice verification code. Don’t share it with anyone else.”
Rissman texted the digits back.
How the scam works
Jaree had no interest in furniture. Her aim was to trick Rissman into divulging her phone number and then a Google Voice verification code.
Here’s how a Google Voice verification code scam typically works:
- A criminal downloads the Google Voice app and links it to a Gmail account.
- Then they find a potential victim, for instance on a sellers marketplace. They say they’ve been burned in the past by bots and ask the seller to accept and text back a code to prove they’re a real person.
- When the victim texts the code back, the scammer can link the Google Voice number to the victim’s authenticated phone.
- The scammer uses the Google Voice number in fraudulent ads on marketplace websites or other criminal activity.
In other words, first the scammer is a fake buyer, then once they trick victims into authenticating Google Voice accounts, the scammer becomes a fake seller — potentially ensnaring a second generation of victims who pay for goods they never receive.
Rissman became suspicious and ended the call when Jaree said there had been a problem and asked if Rissman had another number to try.
Although she writes about scams, Rissman says she was fooled because this didn’t have the typical hallmarks: She hadn’t been asked for personal data or account numbers, and she hadn’t provided a way to steal her identity or her money.
Why Google Voice?
Google Voice lets users merge multiple phone numbers into one. There are plenty of legitimate uses for a Google Voice number. People can give it to business and personal contacts instead of having to juggle multiple phone numbers. Individuals can keep their cell phone numbers private, and businesses can find an available number with the last four digits that they want.
But scammers want a steady supply of new Google Voice numbers to use in criminal activity. Victim complaints and investigations will initially point to the original victim’s authenticated phone number. It takes further investigation to find the Gmail account established by the criminal.
Once Rissman understood the scam, she unlinked her phone number. Google offers a help page that walks users through claiming the number in use with another account.
The scam’s not new, but it’s hot
The Google Voice authentication scam isn’t new, says Eva Velasquez, president and CEO of the Identity Theft Resource Center. But it accounted for nearly half (49%) of the calls the center got in August, more than nine times the volume received in July. As of early October, the pace had not slowed, and there have been more than 2,000 calls to the ITRC about it since midsummer.
Commerce sites like eBay, Facebook Marketplace, and Craigslist aren’t the only ones where criminals fish for verification codes. It’s been done on dating sites and even in response to notices about lost pets. The common thread: Someone wants you to prove you are a real person by receiving and sending back a code.
The volume of complaints indicates criminals have a new cache of Google Voice numbers and it’s likely some will be used in online ads in coming weeks. Extra caution is warranted.
How to keep safe
If you’re a seller, check whether the platform you’re on has a feature to verify its users, advises Amy Nofziger, director of victim support for the AARP Fraud Watch Network. If a would-be customer asks to verify your identity, insist they use that feature. If the seller insists on moving off the selling platform to texting or calls, that’s a danger sign.
Do not accept and text back a code. “It says right on it, do not share this code with anyone,” Velasquez says. “We really want to hit that home for people. These are codes that you get to verify yourself. These are the second layer of authentication, and they’re only for you. … And if someone asks you to share it with them, that should be a big red flag.”
Buyers should also proceed with caution, Velasquez says. A listing could be using a purloined Google Voice number.
- Verify as much information as possible about the seller. If the selling platform has a verification feature, use it.
- Don’t deal with anyone who wants payment in gift cards — that’s a sure sign of a scam.
- If possible, use a credit card; they have protections that peer-to-peer payments and debit cards do not.
- Meet in a safe place to exchange payment and merchandise.
People who lose money to fraudsters using Google Voice numbers are unlikely to know that their theft was put in motion when someone was tricked into revealing a verification code. “I really think that there are more victims (of the scam) than are even aware they are victims,” Rissman says.
Nusenda Credit Union cares about your financial safety and security. If you suspect anything unusual or that you are a victim of identity theft, call us immediately at 505-889-7755 (800-347-2838 outside the Albuquerque area).
If you get a call, email, or text claiming to be from Nusenda Credit Union seeking account information or login credentials, it is not from Nusenda and is fraudulent. Do not provide any personal or account information — please contact us immediately.
Also, ensure that Nusenda can alert you immediately regarding your Mobile and Internet Banking accounts by logging in, selecting My Profile, the selecting Alerts from the drop-down. Click on Security Alerts, then Edit Delivery to confirm that your account alert information is up-to-date or edit as needed, then Save. This is one way you can be alerted if someone has attempted to access your Mobile or Internet Banking accounts by claiming forgot password or forgot login ID.
You can also visit our Account Security page for important security tips and additional information on how Nusenda Credit Union protects its members from fraud and identity theft.
The article Scam Alert: ‘Prove to Me You Are a Human and Not a Bot’ originally appeared on NerdWallet.