This is Why Cybersecurity Training is Critical

Those of you in the mortgage industry know the name Rob Chrisman well. He is a well-known blogger and speaker, and he even features me occasionally. He wrote about a phishing attack reported by a mortgage lender in Colorado. How many red flags do you see in this story? Would your employees or customers fall for this? The lender's account is reproduced in the numbered items below; my thoughts follow each one.

1.    12/1 – My wife received a $50 Amazon Gift Card from her girlfriend and opened up an Amazon Account – a first for us, as we never had an account at Amazon. The card was in her name and not mine. My cell and name were not on the account.

It is possible that this is related to the rest of the story, but it is equally possible that it is not.

2.    12/2 – I received an email to my personal email, addressed to me and requesting that I contact Amazon. I did as it said and contacted the Amazon Support team at 786-706-3157 on my cell. I told them they had the wrong person as I live in. He requested the Invoice number (135-0322-22XX).

I assume this phone number was in the email. Never trust a phone number supplied by an unsolicited email; look the number up yourself, independently of the message. If it is supposedly your bank calling, look on the back of your credit or debit card for the bank's phone number and call that instead.

3.    The person I spoke to asked where I banked, and I replied, “BOA.” He said, “Do not turn off your laptop.”

Two red flags: "Amazon" asking where you bank, and a stranger telling you not to turn off your laptop. That would have been the time to hang up the phone. Obviously this person was hooked and was going to do whatever he was asked.

4.    In order to proceed, he said, I had to give him my BOA Account numbers (checking, savings, VISA). If anyone questioned me as to what I was doing with the money, he said to tell them that it was for a car.

Good; then we should not proceed. If someone you don't know asks you to lie for them, shouldn't that at the very least pique your suspicion?

5.    Somehow, he put a hold on all 3 accounts and said that I must go to my local BOA branch as they had made a computer error and deposited $20,000 into my checking. Sure enough, when I viewed my BOA account, there was a deposit from Amazon in the amount of $20,000. BOA has no limit for me and the branch manager never questioned me as to what I was doing. He had me leave my cell on while I did what I had just been requested to do.

Clearly, at this point this guy is in over his head. Who do you trust: your bank branch manager, whom you know, or someone on the phone who says he is from Amazon? By the way, the deposit was probably labeled as coming from Amazon, just not the Amazon that you know. It was probably from Amazon Scams Inc. A name on a deposit proves nothing about who actually sent the money.

6.    The person said that it was a mistake, and I had to get the money back to them. He told me to take out $20,000 in $100 bills and use a bitcoin ATM to get it back to them. If I did not comply, I could be charged with money laundering.

So Amazon is in the Bitcoin business? This didn't seem odd to the person, apparently. If they had made an error, couldn't they simply have their own bank reverse the deposit? No legitimate company asks to be repaid in cash fed into a Bitcoin ATM, and no legitimate company threatens you with money laundering charges for its own "mistake."

7.    Bitcoin has a limit of $15,000, so I had to go to a second bitcoin machine and deposit the balance in another ATM. He would assist me with the bitcoin company.

Maybe the Bitcoin ATM limit should have been a thousand dollars. Having to visit 20 ATMs would make anyone suspicious.

8.    Red flags started to appear when he warned me, "Do not tell the bank teller, or my wife, or anyone" about what I had been instructed to do, and not to tell anyone what I was doing.

I'm glad that red flags finally started to appear, but a bit too late. A demand for secrecy is the one thing nearly every one of these scams has in common.

9.    At 3:30 PM I visited another BOA and the branch manager went into my BOA accounts and saw what he was doing. This BOA branch manager said she had 3 of these the prior week.

He would not be in the boat he was in if he had told the first branch manager, whom he knew, what was going on. Clearly, if someone on the other end of the phone, whom you don't know and have never met, tells you to lie and keep secrets, that is the surest sign you are being scammed, not an instruction to follow.

10. I filed a report with my local police department, and sent the attached scam email to the real Amazon. The police department will be contacting me with a detective soon. My next step will be to contact my credit card companies.

Clearly this guy got scammed, but he did what he did voluntarily: he withdrew the cash himself and fed it into the Bitcoin ATMs himself, so these were authorized transactions, not a break-in. It is possible that federal law is still on his side in some respects, but we do not know what his bank did for him.

All of my BOA accounts, User IDs, and passwords have been scrubbed, and my personal computer hard drive has been scrubbed. And going forward I will only use an iPad and iPhone, as the scammer cannot access those types of accounts!

Really, he thinks that scammers can't get at an iPhone or iPad user? I guess he didn't learn his lesson. Nothing in this story shows the scammer needing to break into his computer; the damage came from account numbers he read out over the phone and cash he withdrew with his own hands. A scammer who can talk you into doing that can do it just as easily while you are holding an iPhone.

I am not sure, but I think the way this scam works is that the $20,000 that landed in his account was stolen from another hacked bank account; he then took it out in cash and converted it to Bitcoin for the scammers, making it impossible for the first victim to reverse the transaction. It is also possible that the scammer simply moved it from one of the victim's other accounts, using the account details he had just been given. Either way, it is important to understand that the second victim may have been acting as a money mule, and that is a crime. Most district attorneys would not prosecute in a case like this, but the second victim has to hope that the DA sees it his way.

Maybe to you this seems like an obvious scam. Maybe. But how many of your employees would fall for a similar scam? This one has all of the hallmarks of the classic pattern: an unsolicited email with a phone number to call, a sense of urgency, requests for bank account details, a story to tell anyone who asks, a threat of criminal charges, payment in cryptocurrency, and above all a demand for secrecy.

If you are not running multiple phishing email tests with your employees every month, with different emails tailored to different departments, you are asking for trouble.

If you need a better phishing training platform, let us know.

Credit: Rob Chrisman
