This attempted scam is a scary read and a lesson for us all
We’re grateful to legal type Pieter Gunst for sharing this phishing attempt he was subjected to (and ultimately rejected), which is a scary read and a salutary lesson for us all.
Oooof. Was just subjected to the most credible phishing attempt I've experienced to date. Here were the steps:
1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?"
Me: no.
— Pieter Gunst (@DigitalLawyer) October 7, 2019
2) "Ok. We've blocked the transaction. To verify that I am speaking to Pieter, what is your member number?"
Me: <gives member number> (that number, by itself, is useless).
— Pieter Gunst (@DigitalLawyer) October 7, 2019
3) "We've sent a verification pin to your phone."
~ Gets verification pin text from bank's regular number ~
Me: <reads out the pin>
— Pieter Gunst (@DigitalLawyer) October 7, 2019
4) "Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~"
Me: Yes. These are all legitimate transactions I made
— Pieter Gunst (@DigitalLawyer) October 7, 2019
5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?"
Me: Are you effing kidding me, no way.
— Pieter Gunst (@DigitalLawyer) October 7, 2019
6) Ok! But then we can't block your card
Me: that is bs.
~ hangs up, calls the fraud department of bank ~
— Pieter Gunst (@DigitalLawyer) October 7, 2019
–> Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.
–> They used this to gain access to the account.
–> Then read some of my transactions to give the call more credibility
— Pieter Gunst (@DigitalLawyer) October 7, 2019
–> Needed the pin to send money, failed at that step.
–> Everything before the "what is your pin" seemed totally legitimate. English was perfect. The bank verification code, sent by the expected number, tricked me.
–> The asking for my pin over the phone… not so much.
— Pieter Gunst (@DigitalLawyer) October 7, 2019
Stay safe out there people.
And now… joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place.
Never a dull moment!
— Pieter Gunst (@DigitalLawyer) October 7, 2019
Blimey.
Not following. To access my account you need the username (member number in this case) and a password. How did they access your account with only the username? That would not get them anywhere close to seeing recent transactions.
— Bravos iñ 5! (@factoryjones) October 8, 2019
1) say you are the bank
2) trick victim into disclosing username.
3) use password reset workflow that triggers text with code
4) get victim to read pin
5) reset password, account access achieved.
6) sometimes need additional credentials to get $$$ (card pin)
— Pieter Gunst (@DigitalLawyer) October 8, 2019
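The six steps Pieter lists leave a recognisable footprint on the bank's side: an SMS reset code is issued, the password is changed moments later, a session opens from a device the member has never used, and a transfer follows within minutes. The script below is an added example, not code from the thread or from any bank, showing how a fraud team might correlate those audit events and hold the transfer for a callback to the number on record rather than trusting the one-time code on its own. The event names, member ids, device ids, the 24-hour window and the audit trail itself are all constructed for illustration.

```python
"""Flag transfers that follow an SMS-code password reset from a new device.

Added example (not the page's or any bank's code). The event schema,
member/device identifiers and time window are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed audit trail. Member A100 mirrors the thread: reset code sent,
# code verified (the victim read it out), password changed, login from an
# unknown device, transactions read back, then a transfer attempt.
# Member B200 is a benign customer who reset a day earlier and transfers
# from a device the bank has seen before.
EVENTS = [
    {"ts": "2019-10-07T14:00:00", "member": "A100", "type": "reset_code_sent", "channel": "sms"},
    {"ts": "2019-10-07T14:01:30", "member": "A100", "type": "reset_code_verified"},
    {"ts": "2019-10-07T14:01:45", "member": "A100", "type": "password_changed"},
    {"ts": "2019-10-07T14:02:00", "member": "A100", "type": "login", "device": "dev-unknown-77"},
    {"ts": "2019-10-07T14:03:10", "member": "A100", "type": "transactions_viewed"},
    {"ts": "2019-10-07T14:05:00", "member": "A100", "type": "transfer_requested", "amount": 2500},
    {"ts": "2019-10-06T09:00:00", "member": "B200", "type": "reset_code_sent", "channel": "sms"},
    {"ts": "2019-10-06T09:02:00", "member": "B200", "type": "password_changed"},
    {"ts": "2019-10-07T10:00:00", "member": "B200", "type": "login", "device": "dev-known-1"},
    {"ts": "2019-10-07T10:04:00", "member": "B200", "type": "transfer_requested", "amount": 80},
]

# Devices previously seen per member (constructed).
KNOWN_DEVICES = {"A100": {"dev-known-9"}, "B200": {"dev-known-1"}}

# How long after a reset a transfer is still treated as "shortly after" (assumption).
WINDOW = timedelta(hours=24)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def flag_transfers(events, known_devices=KNOWN_DEVICES, window=WINDOW):
    """Return (member, reason) pairs for transfers that should be held.

    A transfer is flagged when, for the same member, an SMS reset code was
    issued and the password changed inside `window` before the transfer, and
    the most recent login was from a device not in the member's known set.
    """
    ordered = sorted(events, key=_ts)
    flags = []
    for i, ev in enumerate(ordered):
        if ev["type"] != "transfer_requested":
            continue
        member = ev["member"]
        history = [h for h in ordered[:i] if h["member"] == member]

        def within_window(kind, **match):
            return any(
                h["type"] == kind
                and all(h.get(k) == v for k, v in match.items())
                and _ts(ev) - _ts(h) <= window
                for h in history
            )

        sms_reset = within_window("reset_code_sent", channel="sms") and within_window("password_changed")
        logins = [h for h in history if h["type"] == "login"]
        last_login = logins[-1] if logins else None
        new_device = last_login is not None and last_login["device"] not in known_devices.get(member, set())

        if sms_reset and new_device:
            flags.append((
                member,
                "transfer shortly after SMS-code password reset from unrecognised device; "
                "hold and verify by calling the member back on the number of record",
            ))
    return flags


if __name__ == "__main__":
    for member, reason in flag_transfers(EVENTS):
        print(f"{member}: {reason}")
```

Only A100 is held: B200's reset is outside the window and the transfer comes from a known device. The design point is that the SMS code proves possession of the phone at the moment it was read out, not that the person on the line is the account holder, so a high-value action that follows a reset should require a channel the caller cannot sit in the middle of, such as the bank calling the member back.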
Damn!! Got it. Overlooked the part where you read password reset code to them. Ok. Ok. Now that is scary.
— Bravos iñ 5! (@factoryjones) October 8, 2019
As a millennial, I don't answer any phone call that isn't in my contacts. Someone could be communicating to me in writing that they will be calling on or around a certain time and date … still don't answer the call half the time.
Probably saves me from a lot of scams.
— Graveyard Dog 💀💀💀 (@NitsuaSetab) October 8, 2019
Brilliant hack, on the original call though, did it show as coming from the bank?
— Vikram Visweswaraiah (@vikram_vi) October 8, 2019
It just showed the number, and the 3-digit area code for my bank branch was correct.
That being said, I do not have my bank in my contacts list. Not sure if they are consistent in using a single phone number, but if they do, adding it to my contacts would have helped here.
— Pieter Gunst (@DigitalLawyer) October 8, 2019
We’re with this person.
Fuck, this is one step beyond the phone phishing I fell for last year, shit is getting scary out there.
ALWAYS call back a bank that claims to call you. Never trust any incoming call is who it says it is. ALWAYS call them back instead. https://t.co/Qpv7GgDUYy
— Matt Haughey (@mathowie) October 8, 2019
Source @DigitalLawyer