Held every October, National Cybersecurity Awareness Month (NCSAM) is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. Week one was all about recognizing the online threats and taking responsibility for your security, Own IT. Week two gave you simple steps to make your online presence safe and secure, Secure IT. Week three covered the threats that are out there and how to protect yourself, Protect IT.
Welcome to week four where we will share some stories that demonstrate the sophistication of the threats out there and how a little awareness and simple steps can protect you.
Phishing Attempt by Phone
Peter Gunst (@DigitalLawyer) reported on Twitter that he “Was just subjected to the most credible phishing attempt I've experienced to date.”
Here were the steps:
1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?" Me: No.
2) "Ok. We've blocked the transaction. To verify that I am speaking to Peter, what is your account number?" Me: <gives account number>
3) "We've sent a verification pin to your phone." ~ Gets verification pin text from bank's regular number ~ Me: <reads out the pin>
4) "Ok. I am going to read some other transactions, tell me if these are yours." ~ Reads transactions ~ Me: Yes. These are all legitimate transactions I made.
5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?" Me: Are you kidding me, no way.
6) "Ok! But then we can't block your card." Me: That is bs. ~ hangs up, calls the fraud department of bank ~
Details of what was really going on:
Once I gave my account number, the attacker used the password reset flow of the bank's online web site to trigger a text message from the bank.
They used this to gain access to the account. Then they read some of my transactions to give the call more credibility.
They needed the pin to send money. They failed at that step. Everything before the "what is your pin" seemed totally legitimate.
Their English was perfect. The bank verification code, sent by the expected number, tricked me. The asking for my pin over the phone... not so much.
Stay safe out there people. And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place. Never a dull moment!
A Close Call
Here is a story from someone who is now a cybersecurity expert.
"When I was the target of a social engineer, I worked at a bank and would come in early to open the branch and review accounts and the previous day’s work. Looking back, it seems likely that someone was watching me.
One morning, someone called claiming to be a private banker from the Midwest. The person was desperately trying to help a high-profile bank customer.
His tone of voice was deliberate and excited, but he held off being pushy and desperate (a good balance for a social engineer). He said that he was trying to complete some new account paperwork on behalf of the client (not uncommon) and he just needed two pieces of information. He claimed he could see that the customer opened an account at my branch and had used a federal government-issued ID to do so. Initially, I was happy to help, and as I had the social engineer on the phone, I brought the customer information up on my system.
I asked him again for the information he wanted, and I found what he was asking for on my system. At that point, though, I hesitated. I was about to reveal confidential customer information over the phone, to an unknown individual. Instantly, my attitude changed and alarm bells started ringing in my head. I immediately hung up the phone.
I sat there for a minute, thinking about the conversation and what just happened, and got angry. The social engineer had almost fooled me. After I cooled off, I called bank security to report the incident. I thought about just how close I had come to being part of a social engineering con. I thought about where that social engineer might have used the data. It could have been used to open a fraudulent account at another bank, or for a fake identity to sell on the dark web."
Davin received a private message on Facebook from the ‘Facebook Freedom Lottery’ claiming that he and others had won amounts of up to $150,000. At first, he didn’t believe it. Businesses don’t give money away out of the blue, and to win a lottery you need to buy a ticket.
However, moments later his cousin who he hadn’t spoken to in some time sent him a Facebook message about the winnings. His cousin claimed that he had also won and noticed Davin’s name on the list of winners. He claimed he had already received his winnings after going through a relatively easy process.
Trusting his cousin, Davin began the process for accepting the prize money which required him to first pay a small upfront fee of $250. Once this was paid, he was to receive the money into his nominated bank account for which he provided details. The next day he was informed that since the prize money was sitting in a bank in America, he would have to pay an ‘international transfer fee’ which could not be subtracted from the winnings for some complex legal reason.
Davin reasoned that since his cousin had managed to receive the money, then he must have gone through the same process and so he would also pay this additional fee.
Over the next two weeks, Davin paid five more fees, each time believing it would be the last. Eventually, in desperation, he spoke to his cousin and asked how many fees he paid before he received his winnings. Davin’s cousin had no idea what he was talking about and told him that he had only just regained control of his Facebook account after it had been hacked.
It then became clear to Davin that he had been scammed. There never was any prize money and the Facebook message was part of the scam. By this time, Davin had already sent $1500 and handed over a wealth of personal information to scammers.