This is the 128th article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, DNS, MSPs or printers for the series PM Eric to get started.
I thought a seasoned preacher of security could never fall for a simple scam, but recently I was proved wrong. It was a classic scam — one that has been fooling IT pros since before I first got in the business more than 10 years ago — that suckered me in. Whether you consider it a scam, a con or social engineering, it has probably been going on since companies started using copiers. Like many social engineering attacks, it just borders on breaking the law, making it that much harder to avoid and to get justice after the fact.
The toner scam fits into the model of legitimate business practices hiding shady ones. The scammer does sell you a product and you in return pay for this product. This product is delivered to you. Sounds like a normal business transaction, right? But the problem is you didn’t order this product. You are conned into buying the toner at the seller’s whim and price. This seller operates outside the normal practices and makes it nearly impossible to return the order or get support.
It started with a phone call
My nightmares with this scam began with a simple call transferred to my desk. I should have hung up from the start. The front desk was vague about who it was on the line, but as I was trying to juggle five different tasks at once (as usual), I got sucked in.
Either the person on the other end of the call said the business name too quickly for me to understand or not at all — I cannot recall. I do remember that she was very friendly, didn’t really give me much of a chance to say anything, and only asked very generic questions. As such, I just kept on multitasking with the phone to my ear trying to be friendly and figure out the point of this call.
At some point, we came to questions about printers, and from this point on it became a sales call. I was quickly handed off to a salesman. I don’t have anything to do with the toner at my office but somehow I kept going on this call, revealing the model of printer we had and my name. The sales pitch was confusing, based around them sending me a free trial of the best toner in world that I wouldn’t have to pay for.
I said I was just fine with my current toner vendor and wouldn’t change no matter how super this toner was, but the sales pitch continued. Again, I should have hung up the phone, but I didn’t out of a mix of curiosity and apathy.
When the call was over, I was a little confused as to what was said exactly, but I do remember two things clearly:
- I said I didn’t want toner.
- Someone was going to follow up to see about shipping me something at a later date.
Mail call
When I got a box of toner in the mail addressed to me, I knew exactly where it came from and that I needed to send it back. It was only a few days after this that my billing person received a bill. This put the pressure on to get this toner out of here — along with the bill.
My first step was the logical approach. I called up the billing phone number to see if I could get a return order started; this didn’t even get me to a phone tree or voicemail box. Next, I started trying to find out who I dealing with. Since the bill and box only had a name, phone number, and an address, I really didn’t have much. Based on this information it didn’t seem to suggest that this company had a history or even existed. Google Street View of the address seemed to show it was someone’s house — definitely not the HQ of a toner company.
I was able to find their website and e-mail domain through simple web searches and WHOIS record look ups. The DNS record for their domain pointed me to a parent company that owned their domain name. This large generic parent company owned several other toner companies and many of them had less than stellar reviews on the Better Business Bureau’s site. I found even more negative feedback online, including on their home state’s attorney general’s website. It was from reading all these people’s misfortunes that I began to see just how bad this scam could get. This also offered a wealth of knowledge on these scams and how to deal them.
After a few more days of trying, I was eventually able to get an answer on he phone. I suffered my way through a lot of headaches over the course of a few weeks. I spoke to at least five different people. Each time I had to wait for a call back, meaning I had to call back a few times only to find out that they had no power to authorize an RMA number or a return shipping label. I knew from reading others’ experiences online that by simply shipping the box back I would likely still be billed with them claiming I had their product.
I finally got to talk to someone at the top. Only after he claimed to have personally confirmed my order on a week that I was on vacation and I made reference to his bad reputation did I get a return shipping label.
The key points I learned from all this experience I think are lesson that apply to all social engineer hacks today.
- Only have one point of contact for all calls about IT-related things or for anyone asking too many questions. This means teaching the person who picks up "0" operator calls to be better at screening calls.
- Never give up any information. Even a simple thing like your name can be used against you.
- Hide your DNS record information. This information usually has a lot more than what is on your website itself.
- Don’t be a “nice” guy — just refuse anything and hang up. You’re wasting their time as much as yours by letting them try to pitch something you never intend to order.
Perhaps the best advice to avoid being scammed come from two things your mother likely told you as a child: Don’t talk to strangers, and if sounds too good to be true then it is.
Have you ever fallen for any IT-related scams or dealt with scammers? What did you learn from the experience and how do you ensure it doesn’t happen again?