Google Maps scammers put their own phone numbers onto bank listings

Google Maps lets users edit and update listings: crowd-sourcing that’s helped Google to fill in the details of its maps, such as adding new roads or parks: a helpful feature, particularly in areas where governments restrict distribution of such data or in what are often less-developed regions.

Some of the results have been giggle-worthy, even though they involve deceptive practices that we don’t endorse, such as sock puppetry that lets the pranksters create fake accounts that they then use to approve their own pranks.

For example, we’ve seen Google Maps depict the Android mascot robot peeing onto the Apple logo, and a giant cat that sprawled over Auckland’s Hobson Bay Walkway.

Besides graphic hijinks, we’ve also seen user-generated content that’s involved changing the details of an address: for example, Google Maps at one point was induced to display a snowboarding shop called Edwards Snow Den, located at 1600 Pennsylvania Avenue: an address otherwise known as the White House.

Unfortunately, the same mechanisms by which Google enables users to make useful or amusing edits to Google Maps is now being used by crooks. On Sunday, Business Insider reported that scammers are tweaking Google Maps to trick people into giving up their bank details.

Google used to enable people to submit changes to Google Maps via Map Maker: a service the company introduced in 2008 that let users worldwide upload new data to the company’s online mapping service. The company closed Map Maker as of 31 March 2017 and absorbed many of its features into Google Maps.

As Tech Crunch reported at the time, following the peeing Android robot vandalism and a few other spam attacks, Google temporarily shut down Map Maker to tighten its security. Eventually, the company shut it down completely, since it was overlapping with Google’s Local Guides: a program that rewards power users for contributing updates to Google Maps and which is mainly geared to improving business listings.

But while Map Maker went away, the ability to edit maps did not. Using Local Guides, users can still add and edit places, share additional details about a place, moderate edits, view the status of their edits, and edit road segments.

According to police in Maharashtra, India, there have been multiple cases of Google Maps vandalism targeting bank details in the past month. The Hindu reported last week that a group of con artists based in Thane – a city just outside of Mumbai – have edited Maps listings to show their own contact numbers, then swindled sensitive account details out of the marks who called.

The news outlet quoted Balsing Rajput, superintendent of police in the state cyber policing department:

We have received at least three complaints from the Bank of India [BoI] over the last one month. In all three instances, we immediately notified the authorities at Google.

Rajput said that the crooks have talked people out of details such as their Personal Identification Numbers (PINs) or the CVV numbers of their debit and credit cards, enabling them to suck money out of victims’ accounts.

A BoI spokesperson said that the bank is asking people to skip Google Maps and instead go directly to its site in order to find contact details:

After these incidents came to our notice, we modified the contact details on these branch listings on Google Maps. We asked users to use only Bank of India’s official website to search for branch contact details.

We’re trying to deal with these things as soon as possible, a Google spokesperson told The Hindu:

Overall, allowing users to suggest edits provides comprehensive and up-to-date info, but we recognise there may be occasional inaccuracies or bad edits suggested by them. When this happens, we do our best to address the issue as quickly as possible. The Google Safety Center outlines tips to help consumers stay safe online.

No surprise here: Google’s Safety Center doesn’t exactly tell visitors to not trust the information they get from Google Maps, but it does offer at least one relevant tip for avoiding these fraudsters: be wary of requests for personal information.

Don’t reply to suspicious emails, instant messages, or pop-up windows that ask for personal information, like passwords, bank account or credit card numbers, or even your birthday. Even if the message comes from a site you trust, like your bank, never click on the link or send a reply message. It is better to go directly to their website or app to log in to your account.

Remember, legitimate sites and services will not send messages requesting that you send passwords or financial information over email.

…and legitimate phone operators at legitimate banks shouldn’t ask for your PINs or CVVs, either.

But not all people are going to realize that when they’re on the phone with a smooth-talking rip-off artist.

I can’t imagine that Google would ever pull the plug on users’ ability to edit Google Maps: its advertising income feeds off of knowing where we go and what we think. But shouldn’t the company at least lock down details about places heavily targeted by financial scammers, such as banks?