The human race has developed an unfathomable affinity towards technology and consequently is convinced that we have become smart enough to no longer be susceptible to the scams and highly innovative cyber attacks; however what escapes our notice is that unfortunately, overindulgence in anything has its own repercussions. When you fall prey to an obsolete telephone-based phishing scam, inferences that get drawn are – we are becoming smart slaves to the digital wizardry. Scam artists are paving unprecedented ways for technological complications.
Matt Haughey, the creator of ‘Weblog MetaFilter’ and a writer at Slack has given an account of how he received a call from an 800-number which bore a resemblance to the number his credit union uses. Bearing in mind the rarity of the calls he receives from his credit union, he picked up the last one of three successive calls he got. On the other end of the call, a female was explaining to him that the credit union had blocked two phony-looking charges in Ohio that was made to his ATM card. She continued the conversation as she read him the last four digits of the card that belonged to him and needless to say, it checked out.
Haughey returned that he is going to need a replacement card urgently as he has a travel planned to California. Instantly, the voice on the other end said that he could keep his card and any future charges that weren’t made in either Oregon or California would simply be blocked by the credit union.
The piece of information- that bank just called to inform him about the freezing of his card and then spontaneously launched into another accent and said that he could keep it open for his upcoming trip, wasn’t bought by Haughey and he happened to sense something that was off. He pacified his concern by assuring himself that it was a favor that the caller subjected him to.
Battling the voices of suspicion, Matt hesitatingly co-operated as the caller verified his home address and mother’s maiden name, intention projected here was to send a new card once the California trip is over.
Once the details were provided and cross-checked, the caller asked Matt to verify the 3 digit security code and as he had given out this code earlier while paying for things using his card, he let his guard of caution down.
She proceeded and asked for the PIN of his current card, she backed the act up in the name of applying the same PIN to the new card. The question got Haughey alarmed and he asked her to repeat what she just said. With the question being repeated, the PIN, though skeptically, was provided.
After hanging up, Haughey was entirely convinced with the legitimacy of the transaction. However, the part where the PIN was asked for kept him at unease.
Referencing an interview Matt had with KrebsOnSecurity, he said “I balked at challenging her because everything lined up,” He added, “But when I hung up the phone and told a friend about it, he was like, ‘Oh man, you just got scammed, there’s no way that’s real.’”
With amplified concerns and a forehead bearing the lines of distress, Haughey approached his credit union to ensure his travel arrangements were aligned. He narrated the terrific incident to a bank employee who, just by the look on his face subscribed to the views of his friend.
His account was reviewed and two fraudulent charges totaling $3,400 stared right into his face, but Ohio was not in this cyber-crime scene. Over $2,900 was spent at a Kroger near Atlanta and $500 was withdrawn from an ATM located in the same area using a counterfeit debit card.
Putting into perspective the fake professionalism and the realism of it all, Haughey said, “People I’ve talked to about this say there’s no way they’d fall for that, but when someone from a trustworthy number calls, says they’re from your small town bank, and sounds incredibly professional, you’d fall for it, too,”
Founder of Panic Inc., Cabel Sasser gave a recent account of how he nearly fall prey to a telephonic scam which was attempted from a number similar to the one at the back of his Wells Fargo card.
“I answered, and a Fraud Department agent said my ATM card has just been used at a Target in Minnesota, was I on vacation?” a traumatized Sasser tweeted.
Sasser’s tweet didn’t carry any record of his corporate debit card being subjected to two fraudulent instances. On disputing the charge he was mailed a replacement card by his bank.
Recalling in an interview with KrebsOnSecurity, Sasser said “I used the new card at maybe four places and immediately another fraud charge popped up for like $20,000 in custom bathtubs,” He added, “The morning this scam call came in I was spending time trying to figure out who might have lost our card data and was already in that frame of mind when I got the call about fraud on my card.”
And the card-replacement drama was set into momentum, the caller asked, “Is the card in your possession?” It was. The caller then enquired about the CVV, a three-digit code printed on the back side of his card.
Once the CVV was verified, the agent offered to expedite a replacement. Sasser recalled. “First he had to read some disclosures. Then he asked me to key in a new PIN. I picked a random PIN and entered it. Verified it again. Then he asked me to key in my current PIN.”
Following this, what dawned on Sasser was that wouldn’t an actual representative from Wells Fargo’s fraud division already have access to his current PIN?
The caller feigned authenticity by ensuring him that it’s just to confirm the change and he can’t see what he is entering.
Sasser’s counter had the fact that they are the bank, they have his PIN, and they can see what he enters. To which caller retorted, “Only the IVR [interactive voice response] system can see it,” Reaching the climax, the caller reiterated Sasser’s Social Security number and attempted for a re-confirmation.
Though the number was correct, authenticity was still struggling to be felt. Sasser decided to hang up and call back and he told the same to the agent. When he dialed the number printed on the back of his ATM card which was the source of the call he got, the person on the other end said there had been no such fraud detected on his account.
“I was just four key presses away from having all my cash drained by someone at an ATM,” Sasser told the interviewer. On visiting the local branch of his bank, his fears were confirmed, “The Wells person was super surprised that I bailed out when I did and said most people are 100 percent taken by this scam,” Sasser said.
Mortal, computer or a fusion?
“Vishing”- is a method which uses a combination of human and automated voice. Although, the scammer was an actual person in the aforementioned case, vishing attempts are also equally prevalent. The August case of “Curt” as reported by KrebsOnSecurity is a defining example of “vishing”.
Referenced from Curt’s writings, “I’m both a TD customer and Rogers’s phone subscriber and just experienced what I consider a very convincing and/or elaborate social engineering/vishing attempt,”
“At 7:46pm I received a call from (647-475-1636) purporting to be from Credit Alert (alertservice.ca) on behalf of TD Canada Trust offering me a free 30-day trial for a credit monitoring service.”
Reportedly, the caller introduced herself by the name of ‘Jen Hansen’, and proceeded with what Curt labeled as “over-the-top courtesy.”
“It sounded like a very well-scripted Customer Service call, where they seem to be trying so hard to please that it seems disingenuous,” Curt recollected. “But honestly it still sounded very much like a real person, not like a text to speech voice which sounds robotic. This sounded VERY natural.”
The caller then brought it to Curt’s notice that TD Bank was offering a free credit monitoring service for a month, and that he is allowed to cancel at any time. He was told that all he has to do is t0 confirm his home mailing address in order to apply.
The women on the line went on explaining the package and as she was glorifying the parts of the package that included free antivirus and anti-keylogging software, Curt interrupted and enquired about the weather at her place, a off-beat question that got her (robot) baffled and after a couple of apologies she transferred the call to another line, the question was outright ignored on this new line as well and the person kept on explaining the offered service.
After completely throwing the robots off-script using his technical reasoning, Curt hung up and immediately contacted TD Bank and was assured that he dodged a bullet as no one had called him from the Bank.
To guard themselves against phone phishing, users are advised to not disclose any sensitive information pertaining to their identity and banks to an unsolicited phone call. Similar to email scams, phone phishing also has an element of haste and urgency play a crucial part as the haste blocks our potential cognitive thought process and keeps us from adding the things up which works as a perfect catalyst for users to go slow on defense.
If any such call gets you troubled and you find yourself in a zone of financial worry, do not reach for help via the number offered by the caller that got you worried in the first place, rather contact the bank via the number given at the backside of your card. Don’t hesitate while hanging up calls that turn into an inquisition in a matter of seconds; deliberate attempts to probe into your personal space are to be sensed by being a bit more alert in these times than you ever have been.