Voice Phishing Scams Are Getting Better

Former WaPo columnist turned security sleuth (after the Washington Post eliminated his position because cyber security was not important) reported on several recent vishing (voice phishing) scams, two of which involved large sums of money.

These are a word to the wise, both personally and for businesses.

In the first case, Matt Haughey, creator of the community blog MetaFilter and a writer at Slack, received three calls in a row from his credit union.  After ignoring two of them, he answered the third, and it was a phishing attack.

The scammer claimed that they had blocked two phony-looking charges made in Ohio on his debit card.  She knew, and was able to tell him, the last four digits on his credit card.

He asked for a replacement card because he was about to travel and the caller said he could keep using his card until he got back, but they would block suspect charges.  The scammer read him his entire home address and then asked for his PIN (so that the caller could empty his bank account).  Also she asked for the CVV2 code on the back of his card (so that she could make phony cards and phony charges).

This information was all she needed to clone the card at an ATM.

When he visited his credit union in person, he discovered that he had been had and that his bank account was $2,900 lighter from a charge in Atlanta and another $500 lighter from an ATM withdrawal.  The very nice scammer left him with $300 in the bank.

The second attack was on Cabel Sasser, founder of a Mac and iOS software company called Panic.

Again he received a call, this time claiming to be from the Wells fraud department.  His corporate card had been hit with a $10,000 charge for metal air ducts (how, exactly, do you convert that to cash?).

After he disputed the charge, the bank sent him a new card.  That card was hit with a $20,000 bogus charge for custom bathtubs.

He was trying to figure out how this was happening (I have an idea, but if you are curious, you will have to contact me) when he got the bogus fraud department call.

Do you have the card?  What is the CVV2 number?  Key in a new PIN.  Key in your current PIN.  The caller told him the last four digits of his Social Security number to calm his fears.

After $30,000 in fraud, his antennae were up, so he told the fraudster he would call the bank back using the number on the card.  Surprise: no new fraud, and they didn't call.

The article goes on to give two more examples.  I regularly get these calls and love to have fun with the scamsters, but I am a little strange.

So what should you do?

#1 – Be aware that these scams are rampant.  The reason they are rampant is that they work very well.

#2 – DO NOT TRUST caller ID.  There is no security whatsoever in the caller ID system.  I could call you and have it appear that the call was from President Trump.

#3 – Understand that with all of the breaches, there is virtually no information that is not in the wild.  One thing that I do is lie on security questions.  That definitely makes things harder, but you have to (a) not repeat the lies from company to company and (b) remember what your lie was.  I use my password manager for that.  If it asks what my favorite color is (I don't have one), I might answer orange one time, blue the next and green the third time.  As long as I record my answers, I am good.  I do understand that this involves a lot of work, so most people are not up for it.

#4 – Last, but most important, if you RECEIVE a call from "your bank," DO NOT ASSUME that it is your bank.  I know that is a stretch, but $30,000 later, Cabel learned that lesson.

Call back.  Visit your bank in person.  Call the local branch.  If you have a person at the bank that you have a relationship with (a personal banker), call that person.

This whole scam model works because people are too quick to trust.

I know that is a terrible thing to say, but it is also terrible to get your bank account cleaned out.

All I can say is beware: it's out there on a massive scale.  BECAUSE IT WORKS!

Information for this post came from Brian Krebs.