While this isn’t strictly a computer-security story, with the Coronavirus and its related work reductions, even scammers have had to up their game over the past month.
Late last month the excellent KrebsOnSecurity website had a great writeup of a very elaborate scam that almost cost one former tech employee (and security professional!) over $10,000.
If you have a bank account, you need to read the whole article, but here are a few snippets:
On Friday, April 17, Mitch received a call from what he thought was his financial institution, warning him that fraud had been detected on his account. Mitch said the caller ID for that incoming call displayed the same phone number that was printed on the back of his debit card…The following day, Mitch received another call about suspected fraud on his bank account. Something about that conversation didn’t seem right, and so Mitch decided to use another phone to place a call to his bank’s customer service department — while keeping the first caller on hold.
“When the representative finally answered my call, I asked them to confirm that I was on the phone with them on the other line in the call they initiated toward me, and so the rep somehow checked and saw that there was another active call with Mitch,” he said. “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
Mitch said his financial institution has in the past verified his identity over the phone by sending him a one-time code to the cell phone number on file for his account, and then asking him to read back that code. After he hung up with the customer service rep he’d phoned, the person on the original call said the bank would be sending him a one-time code to validate his identity.
I think you may be able to see where this is going. Even when “Mitch” (not his real name) tried to do the right thing by calling his bank himself, he made a small mistake by not hanging up on the original incoming call that he believed was from his bank. That left the scammer on the line at the moment the real bank texted him a one-time code, in response to the scammer’s own call to the bank.
It appears the initial call on Friday was meant to make him think his bank was already aware of and responding to active fraud on his account, when in fact it was not. That priming also set up the bigger heist the following day.
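To make the mechanics concrete, here is an added example (a toy model written for this post, not code from the KrebsOnSecurity article or from any bank): it replays the two-line relay and shows why a read-back code proves nothing about which caller is genuine. The Bank and Customer classes, the "two live calls claimed the same account" flag, and the customer-side rule of never reading a code to someone who called you are all assumptions made for illustration; no real SMS is sent.

```python
# Added example (not from this post or the KrebsOnSecurity article): a toy model of
# the phone-based OTP relay. Classes, names and fraud rules are illustrative assumptions.
import secrets
from dataclasses import dataclass


@dataclass
class Call:
    """One live call with the bank's customer-service line."""
    call_id: int
    claimed_account: str   # who the caller says they are
    operator: str          # who is really on the line: "customer" or "attacker"


class Customer:
    """Models Mitch: the phone number on file that receives the bank's codes."""
    def __init__(self, name, strict=False):
        self.name = name
        self.inbox = []        # codes received (constructed stand-in for SMS)
        self.strict = strict   # True: only read a code to a party *you* called

    def receive_sms(self, code):
        self.inbox.append(code)

    def read_code_to(self, they_called_me):
        """Read the latest code to whoever is on the line; None means refused."""
        if self.strict and they_called_me:
            return None        # hang up and call the bank yourself instead
        return self.inbox[-1] if self.inbox else None


class Bank:
    """Verifies identity by texting a code and accepting whoever reads it back."""
    def __init__(self, concurrency_check=False):
        self.customers = {}       # account -> Customer (number on file)
        self.active_calls = {}    # call_id -> Call
        self.pending = {}         # call_id -> code issued for that call
        self.flagged = set()      # accounts that had two simultaneous claimants
        self.concurrency_check = concurrency_check
        self._next_id = 1

    def enroll(self, account, customer):
        self.customers[account] = customer

    def open_call(self, claimed_account, operator):
        # Assumed fraud rule: if another live call already claims this account
        # (the "other active call with Mitch" the rep saw), flag the account.
        if self.concurrency_check and any(
            c.claimed_account == claimed_account for c in self.active_calls.values()
        ):
            self.flagged.add(claimed_account)
        call = Call(self._next_id, claimed_account, operator)
        self._next_id += 1
        self.active_calls[call.call_id] = call
        return call

    def hang_up(self, call):
        self.active_calls.pop(call.call_id, None)
        self.pending.pop(call.call_id, None)

    def request_code(self, call):
        """Text a one-time code to the number on file for the claimed account."""
        if self.concurrency_check and call.claimed_account in self.flagged:
            # A read-back code cannot tell the two claimants apart, so instead of
            # texting one, require a callback to the number on file.
            return "callback_required"
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[call.call_id] = code
        self.customers[call.claimed_account].receive_sms(code)
        return "code_sent"

    def verify(self, call, code):
        return code is not None and self.pending.get(call.call_id) == code


def run_scam(concurrency_check=False, strict_customer=False):
    """Replay the scam; return True if the attacker ends up verified as Mitch."""
    bank = Bank(concurrency_check)
    mitch = Customer("Mitch", strict=strict_customer)
    bank.enroll("mitch", mitch)

    # The attacker (spoofed caller ID) has Mitch on hold on line one, and on line
    # two is calling the bank as Mitch. Mitch, suspicious, calls the bank himself.
    attacker_call = bank.open_call("mitch", operator="attacker")
    mitch_call = bank.open_call("mitch", operator="customer")
    bank.hang_up(mitch_call)               # Mitch ends *his* call to the bank...

    # ...but the attacker's call to Mitch is still open. The attacker asks the bank
    # for a code; the bank texts the real Mitch; the attacker asks him to read it.
    if bank.request_code(attacker_call) != "code_sent":
        return False
    code = mitch.read_code_to(they_called_me=True)
    return bank.verify(attacker_call, code)
```

Run it three ways: with the defaults the attacker is verified, because the code was delivered to the right phone but reached the bank through the wrong call; with `concurrency_check=True` the bank refuses to rely on a read-back code once two live calls claimed the same account; with `strict_customer=True` the relay breaks on the customer's side simply by never reading a code to someone who dialled in.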
Much like the played-out Nigerian Prince email scam (which still happens and is apparently still successful), it’s easy to see through this scam from the outside, but hard to notice when you’re in the middle of it. Now that almost everything is online, it’s also very easy to be overly trusting of a phone call, or to dismiss phone-based scams as a thing of the past.
As “Mitch” noted: “What’s interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online.”
The bottom line: if you get a call claiming to be from your bank that asks for any sort of information (especially a one-time verification code), hang up, then call the bank yourself using the number on your card. Don’t keep the original caller on hold while you do it; that is exactly the gap this scam exploits.