Some afternoon phishing

I just (almost) got phished! It’s a little embarrassing, but I’m hopeful that sharing this will help others.

I got a pretty call on our landline (yes, we still have one) telling us we were about to have our power disconnected for non-payment. They had our address, PG&E account number, and account name.

To deal with the issue quickly, they had me call a separate 877 billing number. It sounded like PG&E: they had the call system set up and a convincing-sounding address check.

We genuinely had a late payment, because the account was in my mother’s name, and I didn’t get the notification. So I asked to make an emergency payment to prevent the disconnection. Everything up to this point sounded legitimate, except that they hadn’t seen my previous payment in their account system - and I just brushed it off as being a legacy business not having its shit together. Because PG&E is legendarily awful, I was prepared for the information they gave me to not quite add up. Were it a professional, modern organization, it would have been harder to convince me.

It was only when they tried to get me to Zelle a payment to an individual that I became suspicious, asked some verification questions, and disconnected the call. Even then, I didn’t consider it beyond the bounds of possibility that PG&E had a super-janky payment system for emergency payments, so I was worried. But yes, to date, the power has not been disconnected.

I didn’t give them any payment or personal information. But they clearly had some of mine already, so I’m going to be checking my accounts and resetting some details.

I’ve been involved in a few projects that involve sensitive information and vulnerable communities (and a few others that involve potentially large sums of money). My own security stance directly affects the people I’m involved with. These attackers just wanted some money, but there are others who could easily want to harm others by getting through me. This was a wake-up call that wherever I think I’m at with my security mindset and practices, I need to do more.

Obviously, I feel like an idiot. It also made me realize how much PG&E’s shoddiness added to my vulnerability. If I felt that it was a company I could trust to do the right thing, I would have cottoned on far earlier in the process. But when a company already feels like a scam when it’s operating its day-to-day business, it’s really hard to distinguish an imposter. It’s another reason for every company to operate at a very high quality, and to only pick very high quality suppliers (and to not allow undemocratic monopolies in California’s energy markets).
