I know it's easy to second-guess someone after they've explained that they're describing a scam, but:
> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.
He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.
I honestly think that at this point, no incoming phone call can ever be trusted.
I don't even know where the idea that those are the best practices came from.
The phone number best practice has always been constructed as "call them back at a known good number, preferably one written on paper or on your card". You certainly don't ask them to show you where on the company website the phone number is listed.
And asking the person on the phone with you to send you an email from a specific domain is likewise not something I've ever seen recommended: that's one of several things you check to see if an email is phishing (And only one of several! A good domain isn't enough to clear an email!) But if you're already on the phone with someone suspicious, the best practice has always been to get off the phone with them immediately and call a known number, not to ask the caller to prove themselves.
None of this is to blame OP for misunderstanding, it's just very clear that we need to do better at communicating these rules out to the world.
They can't. And they haven't been for a while. Spoofing phone calls is simply too easy, and nothing is being done to fix that, despite the fact that it puts so many of us at risk. It's not an insurmountable problem, technologically. It is literally a lack of will and outcry from ordinary people, despite how often this fact is used to abuse so many.
Credit Card companies have known this for a long time. My credit card company will call and say "do not call back to this number, call the number on the back of your card and use this reference number".
Telecoms know if a number is spoofed or not. All I want is for them to wholesale steal the original Twitter "verified" check, and use it to confirm that a call is not spoofed.
The originating provider knows, but do providers downstream know? If AT&T receives a call from $MadagascarPhoneCorp who indicates the call is officially from $IndiaPhoneCorp, can AT&T trust that?
>The STIR system aims to add information to the SIP headers that allow the endpoints along the system to positively identify the origin of the data. This does not directly prevent the ability for a robocaller to spoof a caller ID, but it does allow upstream points to decide whether or not to trust that ID
I'd argue the second one was not followed either. Maybe I'm misunderstanding the article, but I would not take a random "your password has changed" as proof. I would need the caller to send me an actual email from their personal work email address (or ticket system?) with some actual, human communications in it.
> The thing that's crazy is that if I followed the 2 "best practices" of verifying the phone number + getting them to send an email to you from a legit domain, I would have been compromised.
He didn't follow the first of those best practices. He just looked up a phone number that the caller also read out to him, and didn't call it. And "Solomon" also explicitly told him he couldn't call.
I honestly think that at this point, no incoming phone call can ever be trusted.