The Growing Threat of 2FA Spoofing Calls: A Melbourne Dad's Close Call
The phone rang yesterday afternoon while I was debugging some deployment issues. Another unknown number, but this time something felt different about the interaction that followed. What started as a routine scam call turned into a masterclass in how sophisticated these operations have become, and frankly, it’s got me worried about how many people are falling for these increasingly clever cons.
The caller claimed to be from Optus, offering a 50% discount on services. Now, given Optus’s recent data breach debacle, I immediately went on the offensive, telling them I wasn’t a customer and questioning their legitimacy after their company’s appalling handling of customer data. This seemed to throw the caller off script entirely.
What happened next was fascinating in the worst possible way. The woman insisted she could remove me from their billing accounts, but needed me to confirm a six-digit PIN they’d send to my phone first. This is where things got really concerning - they weren’t just trying to get my existing information, they were attempting to intercept legitimate 2FA codes in real-time.
When I demanded to speak to her manager, she literally handed the phone over to someone else who then claimed to be calling from Telstra. You could hear the confusion in the background before they abruptly hung up. The whole thing was amateur hour in execution, but the underlying technique was genuinely sophisticated.
Reading through discussions online later, the picture became clearer and more frightening. These scammers aren’t just making stuff up - they’re actively triggering real 2FA SMS messages from legitimate services while they have you on the phone. They’ll claim the code they’ve just caused to be sent to your phone is from them, when it’s actually from your bank, Qantas, or whatever service they’re trying to hack.
Someone mentioned they’re likely targeting frequent flyers, which makes sense given my old Platinum One status with Qantas. The financial implications of a compromised frequent flyer account are substantial - we’re talking potentially tens of thousands of dollars worth of points and the ability to book flights using someone else’s miles.
What really gets under my skin is how this preys on people’s trust in familiar company names and established security practices. We’ve all been trained to expect and provide 2FA codes when dealing with legitimate services. The scammers are weaponising this learned behaviour against us.
The responses from others who’ve encountered similar calls reveal just how widespread this has become. People are getting calls supposedly from the ATO, Telstra, banks - basically any organisation that might legitimately use 2FA. The common thread in successful defence strategies seems to be one simple rule: never trust a cold call, regardless of how legitimate it sounds.
One user made an excellent point about the fundamental flaw in companies calling customers and then asking them to prove their identity. It’s backwards and dangerous. If a company calls you, they should already know who they’re calling and why. You shouldn’t need to authenticate yourself to them - they should be authenticating themselves to you.
The technical reality is that SMS-based 2FA, while better than nothing, is increasingly vulnerable to these social engineering attacks, because the code is a bare secret: anyone who can persuade you to read it out can use it, and the SMS itself says nothing about what it authorises. Banking apps are moving towards push notifications and in-app authentication for good reason. When CBA sends a notification asking “Are you currently on a call with us?” that’s far more secure than asking someone to read out a code, because the prompt shows what is being approved and can only be answered from your registered device.
But here’s what really bothers me: this isn’t just a technology problem, it’s a human problem. These scammers understand psychology better than most legitimate companies understand their customers. They know how to create urgency, confusion, and compliance. They’re essentially running a real-time social engineering operation that would make Kevin Mitnick proud.
The solution isn’t just better technology (though that helps), it’s better education and clearer protocols. Every legitimate company should adopt the policy that if they call you, they don’t need you to prove anything to them. If there’s genuinely something urgent that requires your input, they should be able to provide you with a reference number and direct you to call them back through official channels.
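To make the contrast concrete, here is an added example (my own illustration, not code from the original post or from Optus, CBA, Qantas or any other company named in it). It models the two designs the post compares: a bare SMS code that only the wording of the message protects, versus an in-app approval that shows the action being approved, answers directly from the enrolled device, and checks the “Are you currently on a call with us?” answer against the company’s own record of who its staff are actually calling, which is the “we don’t need you to prove anything to us” policy turned into a server-side rule. All names, keys and call records are constructed.

```python
"""Added example, not from the original post. Constructed data throughout.
Contrasts a purpose-bound SMS code with an in-app approval that cannot be
read out over the phone and that cross-checks the on-a-call answer."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120


@dataclass
class SmsChallenge:
    code: str
    purpose: str      # the action this code authorises, e.g. "redeem points"
    issued_at: float
    used: bool = False


class SmsOtp:
    """Single-use, purpose-bound SMS codes. The wording of the message is the
    only defence against a caller who triggers the code and asks for it."""

    def __init__(self):
        self.pending = {}  # user_id -> SmsChallenge

    def issue(self, user_id, purpose, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = SmsChallenge(code, purpose, now)
        # Name the action in the SMS so "that code is from us" contradicts it.
        return (f"Your code to {purpose} is {code}. Nobody from us will ever "
                f"ask you to read this code out. Ignore it if you did not request it.")

    def verify(self, user_id, code, purpose, now=None):
        now = time.time() if now is None else now
        ch = self.pending.get(user_id)
        if ch is None or ch.used or ch.purpose != purpose:
            return False
        if now - ch.issued_at > CODE_TTL_SECONDS:
            return False
        if not hmac.compare_digest(ch.code, code):
            return False
        ch.used = True  # single use, so a replayed code fails
        return True


@dataclass
class ApprovalRequest:
    request_id: str
    action: str
    context: str      # what the app shows: where the request came from
    decided: bool = False


class PushApproval:
    """In-app approval. Nothing is read aloud: the enrolled device signs its
    answer with a per-device key, and "yes, I am on a call with you" is only
    accepted if staff really are calling that customer right now."""

    def __init__(self):
        self.device_keys = {}        # user_id -> key enrolled at app install
        self.outbound_calls = set()  # user_ids staff are calling right now
        self.pending = {}            # request_id -> ApprovalRequest

    def enrol_device(self, user_id, device_key):
        self.device_keys[user_id] = device_key

    def request(self, user_id, action, context):
        rid = secrets.token_hex(8)
        self.pending[rid] = ApprovalRequest(rid, action, context)
        # This is the prompt the app renders: action, context and the question.
        return {"request_id": rid, "action": action, "context": context,
                "question": "Are you currently on a call with us?"}

    @staticmethod
    def sign(device_key, request_id, action, on_call):
        msg = f"{request_id}|{action}|{int(on_call)}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def approve(self, user_id, request_id, on_call, signature):
        req = self.pending.get(request_id)
        key = self.device_keys.get(user_id)
        if req is None or req.decided or key is None:
            return False
        expected = self.sign(key, request_id, req.action, on_call)
        if not hmac.compare_digest(expected, signature):
            return False  # answer did not come from the enrolled device
        req.decided = True
        # A customer who thinks they are on a call with us, while nobody here
        # is calling them, is on a call with someone else: deny the action.
        if on_call and user_id not in self.outbound_calls:
            return False
        return True
```

The SMS half shows the best a code-based design can do: tie the code to one action, expire it, accept it once, and put the warning in the message the victim is reading while the caller talks. The push half removes the shareable secret altogether, which is why the post’s preference for in-app authentication holds up regardless of how persuasive the caller is.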
For now, my approach is simple: I don’t authenticate myself to anyone who calls me. If it’s legitimate, they can send me a letter or I can call them back. It might seem paranoid, but given the sophistication of these operations, I’d rather be safe than sorry. The alternative - having my accounts compromised because I was too polite to hang up on a scammer - doesn’t bear thinking about.
The silver lining in all this is that awareness is growing. People are sharing their experiences and warning others. But we need companies to step up too. If you’re still using SMS for 2FA in 2024, you’re part of the problem. And if you’re calling customers and asking them to authenticate themselves to you, you’re training them to be victims.
Stay vigilant out there, folks. The scammers are getting smarter, but so are we.