frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

SMS phishers pivot to points, taxes, fake retailers

https://krebsonsecurity.com/2025/12/sms-phishers-pivot-to-points-taxes-fake-retailers/
51•todsacerdoti•2mo ago

Comments

s_kierkegaard•2mo ago
This type of stuff is diabolical for old folks who just weren't inoculated to these scams. I feel terrible for them. Get calls often asking me to help interpret.
SoftTalker•2mo ago
Keep it very simple: never give an SMS authentication code to anyone on a phone call, in response to a text message or email, or as part of any checkout or purchase. They are only to be used when logging in to an online account. Anything else is a scam.

Even that may be too complicated, now that I read it back.

asnyder•2mo ago
Unfortunately there are many companies that actually rely on SMS confirmation codes in real-time, which include reading it back to them.

A legitimate and generally well liked company, and its real helpful service representative used this method to verify my identify before they could finish their support effort.

rolph•2mo ago
yeah someone that gets paid a lot needs to talk to someone whos pay depends on implementing that IT consultants directives.

relaying security codes by voice is how the bad guys do it, dont train your users to think its normal.

its probably not a bright idea to have your phones camera pointed at your screen while 2FA-ing or password resetting, or else someone will watch you login, and will see your codes, and use automation to authenticate with your digits faster than you can move a cursor and click.

SoftTalker•2mo ago
Probably safe if you call them at a well-published number. If they call you, absolutely not.
bobbiechen•2mo ago
I got this interesting pair of messages from Schwab recently - not sure if any other companies do this

On login:

Schwab Watch out for scams. DON'T share this security code with anyone, EVEN IF THEY CLAIM to be from Schwab. Your code for online login is XXXXXX

And then on a later phone call with an agent:

Schwab: XXXXXX is your Schwab security code to confirm your identity with the agent.

This is a nice touch, though I'm not sure how much it would help in a real scam situation for say, my grandma.

toast0•2mo ago
> or as part of any checkout or purchase.

Hope you don't have to do 3D-Secure for a purchase, I guess.

SoftTalker•2mo ago
Never had to do more than CC# and 3-digit security code on the back for an online purchase.
Terr_•2mo ago
A few weeks ago I told them: "I will never be offended or hurt if you ask suspicious questions to check my identify if I suddenly need sketchy wire-transfers or a pile of Amazon gift cards."

Sometimes the best way to defang scams is to attack the social-factors and artificial-urgency they try to exploit.

In a similar vein, no legitimate institution should ever act punitively if you tell them that you're going to call them back through their official number/e-mail/site only.

adriand•2mo ago
I’m super cautious with these messages like I’m sure we all are but on Monday I ordered a printer from Amazon. They said it would arrive on Wednesday. On Wednesday I was working from home and I got a text from “Purolator” saying they’d tried to deliver my package and failed. Shit! I’d been listening to beats too loud to hear the knock on the door! I ran outside to see if the delivery guy was still on my street. No one was around…and then I realized, damn, they got me (to dash outside, anyway).

These things can fail 99.99% of the time but when they land on someone at just the right moment, it’s so easy to just go on autopilot and do the dumb thing.

SoftTalker•2mo ago
Yep when a scam randomly aligns with something you’re expecting it’s much easier to fall into the trap.
anitil•2mo ago
I had an issue on the toll payment device on my car, so I was expecting some 'pay now or you get a fine' message. I got one on my phone, but when I logged in directly to the toll company website my account was in the green. I was _so_ close to following the link I just got lucky that I prefer using my laptop for admin rather than my phone.
donmcronald•2mo ago
Anecdotally, I swear I see an increase in those messages when I have a package on the way. It seems like too much to be a coincidence.
zzyzxd•2mo ago
Exactly. Once I was connecting to my VPN in AWS and was totally prepared for 90% of the websites to throw human verification at me. Then a faked cloudflare one almost got me. It was 3AM and my brain was barely functioning. (it didn't work, only because it instructed me to run a PowerShell command and I was on macOS).
charcircuit•2mo ago
Why don't Google and Apple adopt passcodes to avoid this scam from working? Their operating systems already support passcodes.
ianburrell•2mo ago
What do you mean? How would passcodes help phishing?

The solution is passkeys, which prevent phishing and more secure than passwords. I like how they replace SMS codes. But they are a pain to use and not that many sites support them. Every site that does 2FA should support them.

charcircuit•2mo ago
Yes, I meant passkeys.
nharada•2mo ago
I think we're at the point where both phone and SMS are such insecure and easily spoofed channels that we should basically not be using them for anything related to business or money. Maybe even for communication, given how easily scammers can fake a loved ones voice and phone number.
toast0•2mo ago
The screenshots don't show spoofed SMS. Who is going to spoof a +212 or a +27 phone number when sending to the US. It's not that easy to get spoofed SMS to the US anymore. But it doesn't matter if sending from an international number works just fine. Same thing with email, but often worse ... DMARC makes it hard to spoof email, but most email clients only show sender name and not sender address, so it doesn't matter.

Phone call caller ID is getting harder to spoof, with stir/shaken, but I'm not sure that's fully rolled out either... and calls from a 'random' number still get answered, so spoofing isn't needed for normal scams.

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
460•klaussilveira•6h ago•112 comments

The Waymo World Model

https://waymo.com/blog/2026/02/the-waymo-world-model-a-new-frontier-for-autonomous-driving-simula...
800•xnx•12h ago•484 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
154•isitcontent•7h ago•15 comments

Monty: A minimal, secure Python interpreter written in Rust for use by AI

https://github.com/pydantic/monty
149•dmpetrov•7h ago•65 comments

How we made geo joins 400× faster with H3 indexes

https://floedb.ai/blog/how-we-made-geo-joins-400-faster-with-h3-indexes
24•matheusalmeida•1d ago•0 comments

Dark Alley Mathematics

https://blog.szczepan.org/blog/three-points/
48•quibono•4d ago•5 comments

A century of hair samples proves leaded gas ban worked

https://arstechnica.com/science/2026/02/a-century-of-hair-samples-proves-leaded-gas-ban-worked/
88•jnord•3d ago•10 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
259•vecti•9h ago•122 comments

Microsoft open-sources LiteBox, a security-focused library OS

https://github.com/microsoft/litebox
326•aktau•13h ago•157 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
199•eljojo•9h ago•128 comments

Sheldon Brown's Bicycle Technical Info

https://www.sheldonbrown.com/
322•ostacke•12h ago•85 comments

Hackers (1995) Animated Experience

https://hackers-1995.vercel.app/
405•todsacerdoti•14h ago•218 comments

An Update on Heroku

https://www.heroku.com/blog/an-update-on-heroku/
331•lstoll•13h ago•240 comments

PC Floppy Copy Protection: Vault Prolok

https://martypc.blogspot.com/2024/09/pc-floppy-copy-protection-vault-prolok.html
20•kmm•4d ago•1 comments

Show HN: R3forth, a ColorForth-inspired language with a tiny VM

https://github.com/phreda4/r3
51•phreda4•6h ago•8 comments

I spent 5 years in DevOps – Solutions engineering gave me what I was missing

https://infisical.com/blog/devops-to-solutions-engineering
113•vmatsiiako•11h ago•36 comments

How to effectively write quality code with AI

https://heidenstedt.org/posts/2026/how-to-effectively-write-quality-code-with-ai/
192•i5heu•9h ago•141 comments

Learning from context is harder than we thought

https://hy.tencent.com/research/100025?langVersion=en
150•limoce•3d ago•79 comments

Understanding Neural Network, Visually

https://visualrambling.space/neural-network/
240•surprisetalk•3d ago•31 comments

Delimited Continuations vs. Lwt for Threads

https://mirageos.org/blog/delimcc-vs-lwt
3•romes•4d ago•0 comments

I now assume that all ads on Apple news are scams

https://kirkville.com/i-now-assume-that-all-ads-on-apple-news-are-scams/
990•cdrnsf•16h ago•417 comments

Introducing the Developer Knowledge API and MCP Server

https://developers.googleblog.com/introducing-the-developer-knowledge-api-and-mcp-server/
23•gfortaine•4h ago•2 comments

Make Trust Irrelevant: A Gamer's Take on Agentic AI Safety

https://github.com/Deso-PK/make-trust-irrelevant
7•DesoPK•1h ago•4 comments

FORTH? Really!?

https://rescrv.net/w/2026/02/06/associative
45•rescrv•14h ago•17 comments

I'm going to cure my girlfriend's brain tumor

https://andrewjrod.substack.com/p/im-going-to-cure-my-girlfriends-brain
61•ray__•3h ago•18 comments

Evaluating and mitigating the growing risk of LLM-discovered 0-days

https://red.anthropic.com/2026/zero-days/
36•lebovic•1d ago•11 comments

Show HN: Smooth CLI – Token-efficient browser for AI agents

https://docs.smooth.sh/cli/overview
78•antves•1d ago•57 comments

Female Asian Elephant Calf Born at the Smithsonian National Zoo

https://www.si.edu/newsdesk/releases/female-asian-elephant-calf-born-smithsonians-national-zoo-an...
5•gmays•2h ago•1 comments

Show HN: Slack CLI for Agents

https://github.com/stablyai/agent-slack
40•nwparker•1d ago•10 comments

The Oklahoma Architect Who Turned Kitsch into Art

https://www.bloomberg.com/news/features/2026-01-31/oklahoma-architect-bruce-goff-s-wild-home-desi...
21•MarlonPro•3d ago•4 comments