Top Customer Service Scams and Data Breaches This Week
Fraudsters have a compendious bag of magic tricks to dupe unsuspecting customers, all while posing as customer service reps from reputable companies. For instance, they’ll build legitimate-looking websites with fake, toll-free numbers for brands like Amazon, Google, AOL and eBay.
For a brief moment, the unsuspecting customer is ecstatic that he’s used his expert sleuthing skills on Google to track down these elusive phone numbers, until he realizes the order inquiry he just made to a supposed Amazon call center agent resulted in his credit card information being harvested by an offshore criminal. Phishing scams, data breaches and fake call centers are just a few other ways cyber thieves prey on customers. Here’s what you need to know about scams and data breaches this week:
1. Amazon leaks user emails
Amazon emailed an undisclosed number of users Wednesday morning to notify them that a “technical error” made their names and emails publicly visible on its website. The email assures customers: “The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.”
The company still has not released an official statement on what actually happened or how many customers have been affected, but Amazon customer service forums are abuzz with users speculating over details of the breach and whether the emails were a phishing scam or legitimately sent by Amazon. When contacted for comment by several media outlets, Amazon said that neither its website nor its systems had been breached and that it has “fixed the issue and informed customers who may have been impacted.”
On the Amazon seller’s forum, however, threads from up to three weeks ago show independent sellers remarking that when they send emails to buyers, the “From” field in the contact form is automatically populated with their full name instead of their display name.
2. Tesla owner gains admin rights to company’s customer service forum
One disgruntled Model 3 owner named Daniel Eleff was given the chance to play God - at least on Tesla’s customer forum. After Eleff noticed a glitch in the lamination on the all-glass roof of his new car, Tesla offered him an upgrade to the Model 3 Enhanced Autopilot for a reduced pre-delivery fee of $3,000. After several weeks his car had not been returned, and it transpired that the paint had been damaged during the roof repair, so Tesla would be holding the car for an extra day.
When Eleff signed into the forum to post a complaint, he found that his access had been limited to one post per day. After getting off the phone with a Tesla rep to request his posting privileges be restored, he signed back into the forum only to find that he was now an admin with the full user privileges of a Tesla customer service agent.
Not only was he able to delete and edit all previous posts, but he had access to the profile details of over 1.5 million Tesla account holders, including that of Tesla CEO Elon Musk, who hadn’t signed into the site in 3.5 years. “I could search for people,” Eleff wrote in a blog post. “I found relatives and neighbors with Tesla accounts.” He noted seeing numerous profiles set up by Elon Musk impersonators.
Most concerning of all, he discovered that agents can assign any user role they want to anyone with an account - and Eleff wasn’t the only customer whose account was given admin access. “That’s an incredibly bad security flaw,” Eleff remarked in his blog. Numerous former employees as well as other customers had these access rights, too. When Eleff emailed Tesla about security concerns, they told him no official customer data was shared and it was unlikely that former employees who had retained admin rights had abused the site.
3. Retail fraud expected to rise 14% over Cyber Weekend
Incidents of shoplifting are expected to go up by 14 percent compared to last year, according to benchmark data from online payment provider ACI Worldwide, based on hundreds of millions of merchant transactions. Correspondingly, the value of retail fraud will see a 17 percent hike, with an average value of $243 compared to $236 last year.
Thanks to e-commerce, fraudsters have more methods at their disposal for tricking retailers. A new development is when a fraudster uses a store app to submit an order with stolen personal information and then picks up the order in-store. Some retailers counter this by asking to see and scan the card used to make the purchase.
“The first step to fighting fraud is knowing what you’re up against,” said Erika Dietrich, global director for payments and risks at ACI Worldwide. “By anticipating the increase in fraud during the holiday shopping season, and being aware of where fraudsters may be lurking, consumers and merchants can get ahead of fraudulent activity and protect themselves.”
But ACI advises retailers to practice “positive profiling” of customers to avoid driving away business from legitimate buyers due to difficult authentication processes. Retailers can’t afford to reject legitimate orders during Cyber Weekend just because a customer has no history with them.
By building comprehensive customer profiles on detailed behavioral data from multiple merchants, retailers can screen the customer rather than just the transaction.
4. Fake call center launches cyber attack on users in US and Canada
Six people were arrested in Noida, India for setting up a fake call center to embezzle money from web surfers in the US and Canada by infecting their computers with a virus and then offering to repair them. The fraudsters would send a pop-up message to the victim and when the victim clicked on the message, his system was automatically infected with the virus.
The virus would slow down or even lock the computer, at which point the fraudsters sent another pop-up message with the phone number of a technician who could help unlock or repair the system, the Times of India reports.
They then asked victims to pay anywhere between $99 and $600 to restore their computers, with payments made through an electronic gateway. A police raid revealed the fraudsters had kept the data of over 500 victims, including their phone numbers and user IDs.
Over the past month, Indian police have discovered several fake call centers in Noida. In fact, the problem was so severe that a team of Canadian police and the FBI visited Noida to meet with the police superintendent to apprise him of the situation. The meeting led to a series of raids.