NEW ORLEANS — Evidence is mounting that suggests phone scammers may have gained access to Entergy New Orleans customers’ billing data and tried to use it to fraudulently collect their money.
Entergy has been warning customers for years about a scam where someone calls claiming to be collecting delinquent electric bills and threatens to cut off service if they don’t pay immediately over the phone.
This scam was identified in Better Business Bureau reports and news stories across Entergy’s service regions last year, from Arkansas to Mississippi. But a WWL-TV report Monday showed the scam appeared to have grown more sophisticated in late 2020, with one customer saying the scammers were able to cite real account balances to appear legitimate.
That customer, Terrell Perry, said the original callers knew the rental property she owns in the Gentilly neighborhood had a balance of $85 and a deposit of $200. She said she only started doubting if they were really from Entergy because the representatives grew belligerent.
Scam sounds convincing
That story sounded very familiar to Drew Ward, a resident of the Riverbend neighborhood. He got an automated call threatening to shut off power to his house the day before Thanksgiving. It sounded like a real Entergy collections call, which was particularly plausible because he had been having actual billing problems all summer. He wasn’t able to pay his bills for several months because of problems with his online access. Some of his online payments went through and then inexplicably got wiped away, with late fees tacked on as if payment was never made.
Most disconcerting for Ward, when he called the number left on the phone message, the representative who answered was able to cite all of Ward’s previous payments and corresponding credits in real-time, faster than he could look them up on his online Entergy account.
“He read off all of my payments going back into the summer and said, ‘I see in September you paid a thousand-whatever. And that was returned. And I see they credited you back this fee for that. But … that actually wasn't applied to your account either. You're going to need to pay this and pay that,’” Ward recalled.
One thing stopped Ward from paying on the spot. He knew the New Orleans City Council, which regulates Entergy’s New Orleans subsidiary, had issued a moratorium on all water and power shutoffs during the coronavirus pandemic. That emboldened him to dare the caller to defy the city’s order and shut off his power.
He said the phone representative cursed him out and told him he had 43 minutes to pay. Ward then texted City Councilman Joe Giarrusso, who quickly got an Entergy official to call Ward and assure him Entergy was not going to shut off his electricity on Thanksgiving.
Ward worked in IT security, including a stint setting up networks at field hospitals for the U.S. Army. He spoke with a verified Entergy official the day after Thanksgiving and told her he was concerned about the security of Entergy’s billing data. He asked her if the utility could have suffered a data breach. He said she responded that she didn’t think so but promised to investigate.
Entergy spokeswoman Lee Sabatini said the utility reviewed the data of anyone who reported a scam and found no signs of any such data breach.
“Entergy has investigated recently reported potential customer information breaches related with scams and there is no known impact to Entergy’s systems at this time,” Sabatini said. “No evidence exists that customer information has been compromised. Further, there is no impact on operations, grid reliability, or employee or public safety. Entergy has security measures in place to safeguard its systems and its people.”
Sabatini said Entergy helped resolve Ward’s customer login issues. She also said the amount Ward owed was less than what the scammers claimed.
The utility did report a breach on its internal corporate network in 2018 but assured the public that no customer data or sensitive power systems had been affected.
Just this week, Ward received a message from Apple when he tried to log in to his Entergy account on his iPad.
“This password has appeared in a data leak, which puts this account at high risk of compromise,” the message warned Wednesday, a day after WWL-TV asked Entergy about Ward’s concerns. “You should change your password immediately.”
Ward said any data breach at any level could have compromised Entergy’s customer data. He said once hackers get into a system that’s connected to Entergy’s data in any way, they can sell passwords and other sensitive information to phone scammers so they will be able to access the customers’ current billing data. He thinks Entergy has to look beyond its internal customer data and include a review of its vendors’ systems, too.
“The first thing they need to do would be to do a full audit of their own systems, not just their internal systems, but also every single contractor they use, their payment services and all that stuff,” Ward said. “Anything they currently are doing outsourced, they should try to bring in-house if it's viable.”
Entergy uses outside vendors for billing software, payment processing and collections. For example, Entergy uses BillMatrix, a subsidiary of the financial tech giant Fiserv Corp., for customers to pay online by credit card.
When Ward was having trouble with paying his bill online, he said he paid one Entergy bill by entering his credit card into the BillMatrix service.
Wisconsin-based Fiserv is being sued in federal court in Pennsylvania for what a federal credit union called “baffling and amateurish security lapses.”
Ann Cave, Fiserv’s vice president for communications, said the credit union’s allegations are unfounded and had nothing to do with BillMatrix services.
“We continually monitor, test and enhance our cybersecurity systems, and have found no indication of a compromise affecting Entergy or any other BillMatrix clients,” Cave said. “We urge anyone who believes they are a victim of fraud to contact their service provider and notify the proper authorities.”
Likewise, Sabatini said it’s critical for anyone who thinks they were victimized or even approached by scammers to notify Entergy by calling 1-800-ENTERGY.
The New Orleans City Council regulates Entergy and has the authority to order outside investigations and demand audits. Ward said the council should go a step further and order Entergy to stop all online billing until it can be sure there is no data breach. He said that may sound extreme, but it’s no more than homeowners must do to determine if there are hidden water leaks under their house.
“If we do that for any person who has an 800-square-foot house, we can do it for Entergy, who has the data of 500,000 people in their files,” he said.