Whose number?

These days I get lots of text messages that are verification codes, commonly for 2FA. Mostly I get them when I expect them: I’m actively signing up or logging in somewhere, making a purchase or some other transaction. But a recent one was totally out of the blue: Your Pret A Manger verification code is 624864. This was not expected: though it was indeed lunchtime I had no transaction whatsoever with that purveyor of lunch.

I know just about enough about PAM to know they’re a bona-fide business, though they have no presence whatsoever in my part of the country. I find it plausible they might operate an ordering system involving an app and verification codes. So presumably just a “wrong number”.

But I was mildly intrigued: could it possibly be a scam designed to worry the victim into reacting and getting into something? I fire up the hypothetical app to check I haven’t been erroneously billed, and it turns out that’s the latest vector for installing Pegasus on my phone? Or just tries to confuse me into paying for a scammer’s lunch.

One check I can make is the originating number, shown as “62884”. I googled “62884 Pret a manger”, and drew a complete blank: if they use that number, they don’t acknowledge it anywhere online. But just googling “62884” I see PAM is a red herring. Numerous reports tell of bogus verification codes “from” different businesses. Either a complete scam, or lots of businesses outsourcing to a poorly-designed service.

But if a scam, how is it supposed to work? Just that you reply and it turns out to be a premium rate? It’s not even obvious spam that might elicit a naïve STOP, a trap hinted at by the page linked above. Besides, what prospective victim expects a number sending a “verification code” to be replyable? I’m none the wiser.

OK, this doesn’t matter. Ordinarily I’d ignore it, and I’m not sure why I didn’t. But there are occasions when one wants to verify a business’s number for much more important reasons: for example here and here. Which leads to the suggestion: should businesses be required to list all their phone and SMS numbers used for business (including outsourced ones such as a call centre they might use) on their websites? The only obvious exception to such a rule would be direct numbers for individual employees, with a quid pro quo that their outgoing calls then go through a (public) switchboard number.

If there were such a law, then my first googling could have been considered conclusive when it failed to find 62884 on Pret a Manger’s site. Much more importantly it would have enabled me to verify the Capita number and put a small chink in Virgin’s Kafkaesque anti-customer wall in the anecdotes I linked. And many other cases!