Identity theft and identity fraud are two ever-evolving fields in the criminal world. These are areas the bad guys are having a lot of success in, which honestly surprises me sometimes. A lot of these "attacks" aren’t well-crafted, but the bad guys still manage to trick people. The most recent phishing trip I encountered is not only a decent tale, but it includes some security best practice reminders for you too.
Ready for the story? Okay, here we go.
It was just another ordinary morning at Hurricane Labs. I was sitting at my desk enjoying the mediocre fall weather, sipping on a latte from our monster coffee machine, dodging a few Nerf darts from coworkers, as I do every morning. This day could not have been any more prosaic. Everything was fine and dandy until my personal phone began to ring. Glancing at the caller ID, I saw it was my bank calling.
Security Reminder #1: Don't ignore your “gut feelings”
When a bank calls it usually isn’t a good thing. So, I was already feeling concerned and promptly answered the phone. On the other end was a well-spoken gentleman saying he was from my financial institution’s fraud department. He wanted to verify a few transactions with me that were deemed suspicious. “Okay, exactly what purchases are you referring to?” I muttered. He responded with, “I’m calling about your Visa Debit Card, starting with the numbers ****.” Right away I felt something wasn’t right (one of those feelings you shouldn’t ignore).
Anyway, this guy (we’ll go ahead and call him Jethro) sounded very convincing on the call. Clearly, Jethro had stepped up his game. He had already called me by my name, told me my address, obviously had my phone number. Could this be legitimate?
Jethro proceeded to ask me if I had been vacationing lately, possibly in or around Florida. I responded smugly, saying that, “I wouldn’t mind being there right now, but I haven’t been cool enough to visit Florida recently.” At this point, I figured either Tim and Tom took my credit card to the Splunk conference with them, or there was actually a breach that had allowed my credit card information to be leaked. I requested the details of these alleged transactions, and Jethro told me there was one for an airline ticket that equaled $346, and another at Toys -R- Us for $283. I told him those definitely weren't coming from me.
Security Reminder #2: Be aware of suspicious activity or "red flags"
Jethro went on and on, rambling about some policies and other things, while assuring me that no money had been taken from my account. He asked if I wanted to cancel the card, or to only allow charges from Cleveland, Ohio. “Is this a new policy/feature?” I thought to myself ("red flag"). It seemed a little insecure to leave a compromised card activated anywhere. The rest of the conversation continued as follows:
Me: “Well, I don’t even know how this card was leaked,” I griped. “I barely use this card for anything, and I especially don’t use it online. I just let my PayPal account do all the work!”
Jethro: “No worries Mr. Nenadal, I can make sure that only transactions from PayPal are accepted, and we will reject all other forms of payment.”
Me: I didn’t like this option, but I reluctantly said, “Alright, I guess we can do that.”
Jethro: “Great, Mr. Nenadal! The first thing I will need to do is change your PIN. You can't use your old PIN, but you can use any other 4-digit combination. So, what would you like your new PIN to be?”
Me: “Can’t you just pick one for me?”
Jethro happily responded with a new PIN. At first, his personality over the phone didn’t seem suspicious, but something just wasn't right. I have NEVER updated my PIN over the phone, and I began to suspect that this call was going to end badly.
After logging in to my bank account and clicking on the “Lost or Stolen Card” button, I suddenly felt better about continuing this conversation with Jethro...
Security Reminder #3: Don't get lured into a false sense of urgency
“So, what else do we need to do here?” I responded, gleefully (knowing he's about to ask me to verify my complete 16-digit credit card number). And he did.
“Um, no. Can you just cancel the card instead? I don’t feel comfortable giving you this information. I can’t even verify that you are really even the bank, Jethro!”
“Oh, it’s fine, I understand Jeremy. If you would rather go to your local branch and resolve this issue, you do have that option too. However, acting now will ensure that nobody fraudulently uses your card to make future transactions.” Many of these scammers will take on some type of urgent tone surrounding your action, or inaction, in order to get you to do what they want. Don't fall for it.
After his last response, I knew without a doubt that something was not right with this conversation. Then, to add insult to injury, Jethro’s mouth spewed out more lies. “Well, in order to cancel this card, I will need you to verify the 16-digit number on the front.” His persistent requests for my credit card information were beginning to annoy me. By this point I was 95% convinced this was not the bank. Although this guy had verified everything so far, he didn’t seem to be following proper security protocol for any financial institution that I was aware of. No bank will ask for your full credit card number before canceling your card for fraud; they already have it, and at most they'll confirm the last four digits before going ahead and canceling it.
Security Reminder #4: Use separate emails for various groups of tasks
“After you provide me with the number, I can process this card as cancelled and send a confirmation email to you at <blahblah>gmail.com.” This guy was pretty crafty, but he just screwed up (again). The email address he gave me isn't the one my bank has. It's the one I use on GoDaddy for website registration. “You know, I think I’m just going to resolve this at my local branch,” I irascibly snarled. This was followed by a loud beep and the call abruptly ending.
So many poor unsuspecting souls Jethro is going to rob, but I won’t be one. Good reminder though, that having separate email accounts can be a good idea in order to protect yourself. (Here's another article with more on "burner" email accounts as well). Oh, yeah, and don't share/reuse PINs and passwords either.
I called the number on the back of my card, which just happened to be the same one that showed up on my caller ID. I spoke with the US Bank fraud department, for real this time, and asked them about suspicious transactions in Florida. The gentleman on the phone responded in a lax tone, “I don’t see anything here from Florida, but we did block a twenty-six cent transaction from Anchorage, Alaska. What number called you? Who was it that called? It wasn’t us.” After letting him know the call contained a spoofed caller ID, I told the agent that I didn’t feel comfortable using this card anymore and would like a replacement. “Sure, I guess I can do that. It’s going to be like, 3 business days until you get the new one in the mail. If that’s okay with you, I can go ahead and do that.” “Sure!” I responded. Now I knew I could continue my day without my bank account unknowingly being drained.
Security Reminder #5: Give out as few details about yourself as possible
This was an exciting little phishing trip to say the least. Though it did leave me with some unanswered questions. Where did Jethro get all this info on me? How did he get my number? Who does he know in Alaska? I don’t use this card for anything on the Internet. Does this mean that I used it at a merchant with a compromised machine? Regardless of what happened, what did I do wrong and how would I have handled it differently?
The first mistake I made was talking to Jethro as long as I did. All that did was confirm the info he had about me already was accurate. Thanks to that little mistake, this may not be the last time I hear from him -- especially since I was stupid enough to mention my PayPal account. Fortunately, I was smart enough to log in to my bank online while on the phone and disable that card right away. Again, since I have separate email accounts, I will make even more sure to avoid using the email Jethro has with anything financial. This one only gets used for complaints and people like Jethro.
Ultimately, as soon as you get a hint of something wrong -- that "gut feeling" as previously mentioned -- you should probably get off the phone with the person. The longer you talk the more information you're giving out about yourself. There are details the average person wouldn't equate to being important that the hackers find very useful in their attacks.
Security Reminder #6: Trust, but verify
I’m going to say this again. VERIFY. It’s a lot easier to call your establishment than it is to deal with an entire ordeal surrounding YOUR identity being stolen.
It’s important to know that if your card is compromised, most financial institutions these days provide text and email alerts if you sign up for them. This could potentially alert you to suspicious activity. Also, if you were to receive a call from your bank about something strange, it's never a bad idea to end the call and call them back. That's about the only smart thing I did during this attack.
Quick Side Tangent: Trolling the troll...
While hanging up is smart, there are some other crafty things you can do. I am a firm believer in trolling the troll (as long as you make sure you’re not giving out useful information about yourself in the process).
If you tell these guys to hold on while you find your card, they’re usually pretty patient. Put them on hold and conference them in with your bank’s fraud department. They would love to talk to them just as much as they want to talk to you. This is the best way to verify the validity of the call and scare the hell out of a malicious attacker. I would’ve done this if I had thought to use my three-way calling.
The bottom line is this...
Securing your credentials to anything can be challenging these days due to the growing sophistication of malicious users, but putting a little thought into your actions can go a long way. When this situation happened to me the other day, it was a great reminder to be careful in what I do and what I share.
Fortunately, although ensuring the bad guys don't get any personal information is an everlasting battle, being proactive and cautious can help you protect yourself from people like Jethro.