HACKER Q&A
📣 throwawaySaaS1

I found out a hacker's phone number. Now what?


Hi guys,

I run a SaaS business in Canada, and I had an individual attempting to gain access to one of our customers' accounts illegally via social engineering (pretending that she's an employee of the customer). I asked for her phone number as part of a verification process (completely made up), and I was able to speak with her briefly. During our phone call, she blatantly lied about being my customer's wife when I know for a fact that he's single.

I checked out the government's website about reporting a cybercrime, but it seems to have very little resources available. Their office's closed right now, so I'll give them a call tomorrow.

Has anyone experienced a situation like this?


👤 jhanschoo Accepted Answer ✓
I wouldn't follow the comments suggesting vigilante retaliation against the hacker via the phone number. For all you know it belongs to a second victim (e.g. hacked Skype number).

👤 cbanek
While the crime is done using computers, it seems like it could be fraud, if they are trying to use the access to spend money or steal information to do something with?

Given the nature of the attack being aimed directly for one customer, if I were you, I would possibly alert that customer that something funny is up. That way they might be able to prevent the same thing happening at other companies they use that might not be as careful.

As far as dealing with the police, if they didn't manage to get anything, I wouldn't bother. Keep the info around just in case.


👤 tlb
Make a note for the support people to ignore fraud attempts matching the details.

Then move on.


👤 geocrasher
Give her access to an empty account, then log everything she does. Block her and report as necessary.

👤 badrabbit
Let the actual victim (the customer) know and leave it at that. They can file a criminal complaint or take further action as they see fit.

Don't go about acting like a vigilante. What if she does get arrested but she is the guy's gf/ex? What if she is a legit business partner? These things can and will often go south in different ways. You were not a target, a victim or a criminal detective.


👤 bobosha
I think you should just report it to the RCMP and leave it be. Vigilante action can have unforeseen consequences and since you are a business owner, it's best avoided.

P.S. Incorporate stronger authentication mechanisms (2FA) for your offering, if not already.


👤 MrWiffles
Definitely report it to the RCMP, but you can also report it to the US FBI via https://www.ic3.gov/default.aspx. I'd suggest not mentioning that you're a Canadian citizen; just let them assume you're American so they don't use your citizenship as an excuse to just shut down the case and ignore it. I'm not suggesting you lie of course, but let them draw their own conclusions.

👤 _nalply
It's most surely not the hacker's phone number.

👤 ntnlabs
I would randomly send her made up verification codes :D

👤 dorkwood
One thing that might ruffle their feathers a bit is if you figure out what time zone they're in, and then give them a call in the middle of the night.

👤 HegzOverflow
He might try doing it again; that's often called spear phishing in a more nerdy manner. Just let people around you know this happened and move on.

👤 villgax
FCC has a page for this

👤 withinboredom
List the phone number on Craigslist for a free tv in several large cities. (I’ve done this as pranks to friends, they’ll get several hundred texts and phone calls)

👤 RickJWagner
Give it to the 'Your auto warranty is about to expire' people. Can there be a worse punishment?