#48: Tax-text scam, Salesloft Drift OAuth breach, AT&T & Nokia working with banks on phone verification

Scams are showing up where people least expect them and pulling in entire ecosystems when they do. A simple tax-text scam can be the start of synthetic identity fraud. A single OAuth breach can ripple through every connected system. Even a mobile phone becomes a vulnerability point when the wrong signal gets through. Here’s what fraud fighters need to know.

Let’s get into it.

NATE'S TAKE - SEPTEMBER 9, 2025

Top Three This Week

1. Tax scams are back… and they’re texting.
2. The Salesloft Drift OAuth breach goes deeper than expected
3. Telecom signals are becoming fraud’s next frontline

1. Tax scams are back… and they’re texting.

California’s Franchise Tax Board is warning residents about a rise in phishing texts that impersonate the agency and link to fake websites designed to steal personal and financial data. These scams mimic official government pages and ask users to input Social Security numbers, bank details, and other sensitive info, often under the guise of a tax refund or penalty notice.

While tax-season scams are nothing new, the use of SMS pushes them closer to users and gives them a sense of legitimacy. That matters for fraud teams watching identity theft, account takeover, and refund fraud. A compromised taxpayer today could show up as a synthetic identity next quarter.

Fraud fighters should watch for a rise in victims showing inconsistent or mismatched data patterns, especially if their mobile numbers, SSNs, or PII have been reused recently across multiple accounts. Encourage customers to avoid clicking links in tax-related texts and confirm legitimacy through official government portals.

2. The Salesloft Drift OAuth breach goes deeper than expected

The OAuth breach first flagged as a Salesforce-related incident has expanded significantly. Google and Mandiant now warn that all integrations connected to Salesloft Drift could be compromised, not just Salesforce. OAuth tokens were used to access Google Workspace emails and infiltrate CRM platforms across companies like Zscaler, Cloudflare, Palo Alto Networks, and others.

UNC6395, the group behind the campaign, isn’t just stealing contact info. They’re moving laterally through connected systems, exfiltrating support content, API tokens, and customer data – and in some cases, scanning for credentials to deepen access.

This is supply chain fraud through the SaaS stack, and it’s forcing companies to reevaluate how they manage third-party access. For fraud and trust teams, it’s a signal to audit every integration, not just for what’s connected today, but for what permissions were granted months ago. Revoke unused OAuth tokens, rotate all shared credentials, and monitor for unusual access patterns tied to support or sales tools. Assume compromise, not containment.

3. Telecom signals are becoming fraud’s next frontline

AT&T and Nokia are working with banks and payments providers to enable background phone verification using real-time network APIs. The goal: detect SIM swaps, impersonation, and mobile malware faster and stop relying on phishing-prone SMS passcodes.

The shift is subtle but powerful. Unlike OTPs or email PINs, network API signals verify the device and user in the background without asking them to take action. That reduces friction, but also helps spot fraud when a device suddenly changes hands or is spoofed by malware.

Fraud fighters should evaluate where in the customer journey they’re relying on weak device authentication. Silent verification through telecom APIs can’t solve every problem, but it offers a strong new signal to layer into account protection, particularly for high-risk flows like money movement or credential resets.

===

That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.

‍