CHOICE membership

Identity Theft - Scammer Asked For Vodafone Pin & Ordered $6000 Worth Of iPhones

This incident happened 3 days ago on 29/01/2020 in Melbourne, Victoria

I rang up Vodafone on 20/01/2020, around a week prior to this incident and i was talking about paying off my current handset which is on a plan and adding a new handset (iPhone 11 Pro Max 64GB). All my queries were answered, they said they can do it online and ship the device to me instantly and would require the account holders permission etc but i said no thanks we’ll go into the store and sort it out. This conversation happened with the legit Vodafone call centers on 1555.

After a week later, on 29/01/2020 my dad received a call from 0390054915 , The scammer pretended he was calling from Vodafone, he started telling him that Vodafone will give him 30% discount if he adds another handset on his account and was telling him about all kinds of “special” deals and discounts he can get. The scammer then sent an “One Time Password” (OTP) to my Dad’s phone to “verify” his identity, my dad gave the OTP which came as a text message from vodafone, then the scammer also asked for the 4 digit pin on his account, he also gave him that. (This is the point where the scammer got all the information he needed to place the phone orders) After several minutes of talking i guess the conversation was over and my dad would ring back if he wanted the deal. Unfortunately i wasn’t there when the scammers rang him because if i heard someone ask about any information such as PIN’s or OTP’s i would easily suspect that they’re a scammer, i’d also Google the number and find out who the f*ck it is beforehand. This conversation took place around 12:30PM.

I’m 99% sure someone from the Vodafone call centers passed this information ONTO the scammer that we needed a new handset, since a week before the incident I contacted the legit vodafone centers on 20/01/2020, the scammer rang my dad on his phone number on 29/01/2020 pretending to be from Vodafone, how would the scammer know that we talked about needing a new handset? Either Vodafone call center’s are hacked and info is being leaked OR the Call Center employees are working with scammers or are scammers themselves.

Anyways my dad called me at 3:00 PM on the same day of the incident (29/01/2020), he said that "Did you tell vodafone to ship a mobile to us?"

I was like "Hell no, i haven’t even talked to them since a week ago when i rang them, how dare they ship the phone without our permission?"

He said "Well i talked to someone from Vodafone this morning, they were talking about a handset deal, Vodafone might have shipped it by accident. I received an email from vodafone saying “your order is being shipped” I was on my way home from a photoshoot so i said "Don’t worry i’ll call them and talk to u when i’m home and we’ll sort it out"

It was 5:00PM when i got home and i rang my dad because he wasn’t home at that time, i said "So which handset did they ship is it the same one that i was talking to them about? (iPhone 11 Pro Max 64GB)?"

He said “No they shipped an “iPhone 11 Pro Max 256GB” Also they shipped it to the wrong address” At this moment i was like WTF, i hung up to call vodafone.

My dad texted me he said “Don’t worry, i just talked to the Vodafone guy he said it’s a technical issue which will be fixed” I said “Who did u talk to? Give me the number” He replied with “0390054915” I google’d this number and it was a reverse phone number in Melbourne which basically telemarketers and scammers use. I texted him "No way that’s not even Vodafone."

I logged onto his email and checked the emails and there were around 6 - 7 notifications from Vodafone.

1 was an “Vodafone Account Upgrade” Notification
3 were “Thanks for your order, we’re preparing your order to ship”
3 were “Your Vodafone order has been shipped from our warehouse”

We live in the Western Suburbs of Melbourne and the address the devices were shipped to was in Elsternwick, Melbourne which we have never seen or visited before, i was shocked and at this point i knew that my dad was a victim of identity theft.

So this is what the $6000+ orders the scammer placed were:
1x iPhone 11 Pro Max 256GB (Space Gray)
1x iPhone 11 Pro Max 64GB (GOLD)
1x iPhone 11 Pro Max 64GB (Silver)
1x Black Sim Tray Slot

The scammer also added a new mobile number on our Vodafone account with a $40 RED Plan to get multiple items. The messed up part was that all these items were shipped to that Melbourne address. The packages were shipped using MYToll IPEC Priority, all the 3 devices were under 1 tracking number.

I talked to Vodafone customer service around 4 times.

They said that they have marked this issue and reported it blah blah, they wrote everything in their notes.
Told us to fill this form: https://vha.secure.force.com/identityfraud

They also asked for all the IEMI numbers of the handsets so they can block it and the scammers won’t be able to use it, i doubt that even works however they would still be able to sell the parts for good money even if the phones did get blocked.

We had to file a police report for the vodafone identity fraud form so we went to the police station, they said that we have to do it online, we filed a cyber report online. Had to go to the JP to get the https://www.vodafone.com.au/doc/vhastatutorydec.pdf STAT dec signed.

Got my Dad to change the PIN and passwords for his account, reported the other random number which the scammer added onto our account. The Vodafone guy said that we won’t be charged for any of this, even if the next bill has a charge for that new number it will be re-imbursed and the fraud team are investigating further into this.

I still wanted to prevent the scammer from getting the phones. I contacted MYToll IPEC on 29/01/2020 at night around 9:00PM and talked to staff there, they acknowledged the issue and said that we have made a ticket that this order is fraudulent and should be sent back to Vodafone. The guy which we spoke to “Romeo” said that i have made a high priority ticket and he said that this order will not reach the scammers house. The MyToll Customer service is based in Philippines not Australia so i didn’t really take his word, he gave me a reference number for the call. They also took my details to call me once they have any updates regarding this.

The next morning 30/01/2020 around 8:00AM i called MYTOLL again regarding the issue to see what’s happening and i gave them the reference number so they know what’s happening. I could see from the tracking number that the package was in NSW. They said the same thing and told me that the package is being shipped from NSW and will NOT go to Melbourne and will be shipped back to Vodafone’s warehouse which is in NSW. I was relieved and said alright sounds good. I checked the tracking number around 12:40PM and saw that the package has reached in MELBOURNE! i was pissed off because after alerting them a night before and then early in the morning they still couldn’t manage to get that package stopped from being shipped to the scammer. I called MYTOLL again and told them that the package is in Melbourne i need you guys to locate the delivery guy and not deliver it. They said they don’t have the ability to do that but they will create a “high priority” ticket and i said “Which won’t do shit” i told them how i warned them about this issue ages ago and they still couldn’t do shit. They said if it gets delivered we will still investigate and try to retrieve the package and call you back once we have an update. They even knew there were $6000 worth of fraudulent goods in there.

ALSO the funny thing is the vodafone email said “You must have the ID matching to my Dads Name to receive the package otherwise they will take it to their nearest collection post office and you will have to get it from there” There is no way the scammer would have the ID so i have no idea how MYTOLL just gives packages to some random. No wonder they have 1.2 stars from 3,506 reviews on productreview .com.au/listings/toll-priority

I kept tracking the order to see if it would say delivered or the driver would have been informed by someone, so instead of waiting i called the nearest police station to Elsternwick, Melbourne which was “Caulfield Police Station” and they connected my to the “Police Hotline” I didn’t ring 000 because it wasn’t an emergency although i should’ve because the Police hotline was hopeless. I told the lady on the police hotline that my dad’s identity got stolen and $6000 Worth of Stolen goods are about to be delivered to an address in Elsternwick which is minutes away from your station. The lady said that my dad should go to his nearest police station and file a report with all the evidence etc, i said can you guys go to that address and find out who this scammer is? She said i’m not a police officer and i’m not in a police station right now and told me that we should file a report, i said no worries, thanks and goodbye. That was hopeless, i kept tracking the tracking number hoping it would be cancelled or be re-routed to Vodafone’s Sydney Warehouse but instead the order was delivered to the scammer. I still have his address tho.

I probably should’ve drove the the guy’s street and waited until the delivery van came and caught him red handed, that;s the only time police would do their job i reckon lol.

I’m happy that my dad doesn’t have to pay for that shit, but i’m pissed off that the scammer got $6000 worth of iPhone’s.

Moral of the story is:
Don’t trust ANYONE asking you any information over the phone
Research THE Number on Google thoroughly before you give out information.
Delivery Companies are hopeless at suspending fraudulent orders.
Police doesn’t do sh*t in online fraud cases.
It’s better to deal with companies in store.

If you guys have any questions let me know.

13 Likes

This has also happened in 2013 : https://www.avforums.com/threads/someone-ordered-3-new-lines-on-my-vodafone-account-yesterday-unbelievable-really.1753008/

4 Likes

Welcome to the forum @MakingMyselfHeard. Yours is a bad scenario that highlights how unsuspecting people can be lured in.

FWIW a few years ago we caught an identity thief opening a new account in our name, but was onto it within minutes (checking our card account online and seeing an unexpected authorisation-what are the odds) and was able to stop it before it went live albeit with more ‘footwork’ than expected since we could have either been the victim or the scammer, as companies saw it as we reported in.

Since you have the delivery address and so on, one would expect some action, but I’ll reinforce the police had no interest and the most they would do was log a report in case we, the victim, suffered a loss and somehow got the perpetrator in court in a civil suit. It might have been different if we suffered loss, but such are the disadvantages of being atop fraud like we were. No loss, no crime as they saw it. I wonder if anyone has a better result of reporting identity theft in recent times?

If you have not, you should make a formal statement, not just a customer service contact, about your experience to Vodfone via their complaints, stating it is to help them in case others are similarly scammed; with reports such as yours they might be able to identify the culprit if it is an employee passing information rather than a random scammer who serendipitously rang at ‘the right time’.

Please update on whether Vodafone did waive all the charges or went through the motions on the phone but not in fact, and you have more ‘work’ to do straightening it out, and whether there is anything further to add as time passes.

Thanks for the details that should be very instructive and a warning on how it can go, to forum readers.

9 Likes

Sorry to hear that you were a victim of identity theft as well.

Yeah the law sucks particularly in online and identity theft cases, we need stricter or a dedicated team focused on Australian Cyber Crime. People see their stolen stuff posted on Gumtree and when people report it the police doesn’t do a thing unless the victim themselves catches the scammer red handed with the goods.

I’m sure they’re already aware of this, since the exact same issue happened in 2013 and there’s no way this only happened in the 100s could be 1000+ cases by then. So if they were serious they’d take more strict actions. Like who can randomly just change addresses and ship phone to, that’s not very tight security by Vodafone.

For sure, i’ll update the thread to tell you guys IF all the charges were actually waived and if we take further actions regarding this issue.

8 Likes

Welcome @MakingMyselfHeard, what a terrible situation. I imagine one would feel violated as a result. Thanks also for taking the time to share with the forum.

As there were 9 days between the Vodafone and scammer contact, there could be a number of possible breaches that resulted in information coming into the wrong hands. It could be…

  • Vodafone as you think…or if they use a contracted out call centre, the call centre staff.
  • email account, especially if confirmation emails were sent by Vodafone
  • company despatching the phones. It is possible that Vodafone uses another party for such purposes and that someone in this company ‘stole the information’; and
  • courier company delivering the phones. Often phone numbers and specific delivery information is provided on shipping dockets.

I also wonder if the Vodafone account has been subject of a phishing attack in the past, where this online account has been compromised unknowingly. It is possible that the scammers, or maybe better term criminals, could see that a new phone had been ordered when accessing the compromised account and used this to their advantage.

I would suggest that as there is a possibility that the online Vodafone or email accounts have been comprmosed, the passwords for these accounts are changed immediately and one uses secondary security verification, if it exists for these accounts. Also check set up email filters as a scammer/criminal could create automatic onward email forwarding using key words.

4 Likes

No problem.

Yes it could be many reasons to HOW the scammer contacted us and found out the info of us wanting to get a new handset. There’s a very little chance of that being a coincidence.

I know for a fact it wasn’t a phishing attempt because i’m an IT expert myself and all of our computers are heavily secured with the best anti-virus and firewalls. All our emails have 2FA authentication, i checked the email’s login history as well and there were no unknown logins from any other IP other than ours.

But you’re right the scammer did get access to the online vodafone account but that was due to:

  • The scammer acquiring the OTP which he used to reset the vodafone password online and gain access
  • The 4 digit PIN which he would need to make any major changes like add another plan and order phones.

Thank you for the suggestions.

8 Likes

@MakingMyselfHeard Welcome to the forum . A real case of the cyber world out stripping the real world . It seems to me that once systems are put in place it is generally taken for granted that they will work and perform the task they were developed for .

Once something goes wrong the system seems to have no fail safes to counter the ultimate out come . In your case the delivery of the parcel to Elsternwick . Back in the day if you had a " hot " item on board to be delivered the police notified your company , they radioed you , you returned it to base . All good . In the "good ol’ " 21 Century we have progressed to be coming " slaves " to the keyboard and submitting tickets, requests, yet , as in your case , no affirmative action was taken .

What happened to you @MakingMyselfHeard to label "not good enough " would be a gross understatement .

Again welcome to the forum from another Westie .

7 Likes

Sorry to hear that you went through identity theft @MakingMyselfHeard.

I’m also a victim of identity theft, and in case you have further need, may I suggest a free and anonymous Au national identity and cyber support service: idcare (contact 1300 432 273, www.idcare.org). I found the person talking to me very supportive and helpful. Offered a lot of information on what to do to regain control. A comprehensive email followed, and I had access to that same person whenever something new happened.

May I suggest, also, that you have a look at your credit file by contacting the major credit companies, (Equifax, Experian, Dun&Bradstreet) it is a free service once a year. In case it’s been compromised, you can apply for a Ban on your credit file to prevent someone else applying for credit in your name.

I understand your frustration, I got no support from the Police either, and I did the Acorn report too. But the reference numbers from these were useful when applying for new ID numbers and for a ban on the credit file.

All the best!

Ps my neighbor, after leaving his phone on the tram, was able to trace it with ‘Find my phone’ to a block of flats nearby and just opposite a Police station, but when he told the Police what was happening, they said there was nothing they could do.

10 Likes

Thanks for the tips :slight_smile:

1 Like

UPDATE: Vodafone said that we are not liable for any of the charges made by the scammer. The scammer added a new number on our account, Vodafone removed that number and moved our account to another ID making our account more secure.

So far everything’s all good, also if you guys wanna make your account more secure you can actually change the 4 digit PIN for every number under your account instead of just having 1 pin for all the numbers.

9 Likes

You’re welcome @MakingMyselfHeard

Unfortunately in this day and age we cannot be as trusting as we once were, and need to be aware that we could be scammed at anytime.

FWIW this is what I do with phone calls from ‘unknown callers’ (on the off chance that I do pick up), I find an excuse to call them back, but never on the number they are calling from, but on the listed company number they are claiming to be from. I then explain what’s happening and if it’s genuine they’ll put you on the right person. I did this a few times when arranging for the nbn at my place and was getting calls from Telstra about reminders and confirmation of dates.

So glad things have worked out well for you, and, please don’t be a stranger, your input in any topic of your interest will be appreciated :slightly_smiling_face:

4 Likes

Vodafone have never cared about privacy or security. When I was with them, they did their customer service via vodafone.custhelp.com unsecured (plain text), hosted by a third party with which customers had no legal relationship, hosted in the USA (outside Australian jurisdiction) and in order to get any replies to any queries, customers were required to enter private, personal information onto that site! (Incredibly useful data for identity thieves.)

Vodafone also refused requests to remove personal data entered onto that US-based customer support site.

Even now, I see you had to enter the most important data onto force.com, another overseas web site not controlled by Vodafone.

Apparently losing $6k of phones at a time is cheaper to them than setting up systems competently.

3 Likes

That equation is fairly common in modern business from merchants through the banking systems, is it not? Doing security is nether easy nor cheap and there will usually be some breaches with costs anyway. Establishing a fund is a predictable business cost +/-, and it obviates the need to find capable security literate staff that are in Very Short supply globally.

3 Likes

They have always been technically insolvent as a company. This means that often money to spend on good security can be in short supply and then they often rely on commercial insurance to cover costs such as for damaged phones, loss of security etc.

The Federal Court has approved the merger of Voda and TPG and this extra capital that comes from bringing these two together could mean decent changes with what they currently do. The merger is expected to finalise within 6 months. TPG may help by applying their ISP/RSP background to the development of better processes. Of course this is only an “if” and we will have to wait and see what changes do manifest.

3 Likes