Home » Computers » A Phish Story

A Phish Story

I recently walked in on a friend talking on the phone. At first I ignored it, but eventually I tuned in to his end of the conversation. He was being sent from one internet location to another, in an almost comic portrayal of the not-so-sneaky hacker trying to keep him engaged long enough to score the data he’d been seeking

After signaling for him to get the heck off the phone, I asked how he’d taken the call to begin with. He had dialed out to a number on a text message!

It was a classic phishing scenario. He’d been notified of a charge made to an account, with a friendly “If this was not you, call us immediately at…” Concerned, his better judgement was overcome with worry and he called.

Next clue: the “customer service rep” at the other end had a thick accent, barely comprehensible at some points.

And final giveaway: rather than accepting the basic information that the charge was bogus, the “rep” started sending the victim from one site to another, asking for information, and insisting that his not landing on the page or location he was supposed to see was his mistyping or mistaking what had been told to him.

Unfortunately, the phisher had gotten what he wanted by the time I stepped in: access to the victim’s cell phone account. Not long after that, strange messages started appearing on the victim’s email, and finally, when he was on the phone with a bank, his phone went dead. Alarmed, he went to his mobile provider, and learned that his account had been part of an “unauthorized port request.” That is, his phone number was being moved to another carrier without his knowledge or permission. The number would then be in the possession of another person, and anything that required verification using that number would now be easy picking for the hacker.

The story, believe it or not, gets worse. In order to remediate the situation, the next step was to file a fraud report with the police! As it turns out, such reports can’t be filed with the assistance of the police, but had to be filed online. (A little aside, and a user experience nit to pick – the report required some phone numbers to be entered, and the interface assured that the dashes in phone numbers would be supplied by the system, the person entering the information had only to enter the number. After several attempts, it was clear that the dashes were required. So why tell the user otherwise? A report filed, and a copy of the report obtained, the fraud remediation and clearance of the number could continue.

Meanwhile, all actual at-risk information had to be secured. For example, because online banking was conducted using the phone, the bank account had to be notified, information changed, and a watch put on the account. Paypal and Venmo type services needed to be adjusted. Credit cards and other vulnerable data secured. In other words, it was a long, arduous slog back to safe territory. And during the process, various notifications were popping up – including a newly opened line of credit – that someone was, indeed, attempting to use the identity of the scamming victim.

None of this is new, of course. And IT security professionals have been warning us for a long time now about scams, phishing, and “identity theft.” What is often overlooked, or unexpected, is that at any given moment, any of us can be more, or less, vulnerable. As it happens, in this person’s case, a couple of notices of charges made to a credit card had come in. They were bogus, and he didn’t worry too much. But when a $500 Paypal transaction was questioned in a text, he was primed and caught in a vulnerable state. So he called the number.

Phishers use a combination of social engineering and brute force against their victims. The social engineering part is simple: scare them or offer them something that’s hard to resist. The brute force is, send the bots out so often you’ll score sooner or later. In this case, the victim had been primed to be on the alert, and the $500 was a threshold for him.

In general, if you’re concerned about a text or email message that suggests a charge has been made to an account by someone other than you, check that account or call the phone number on your physical credit card to find out if it’s real. If so, you can deal with it. If not, be alert, and delete the message.

If you do make a mistake and call a number you have not confirmed, if you’re told to access URLs or provide information a legitimate enterprise would never request (full SSN for example – note PayPal will ask for that info!), hang up.

Never provide passwords, or change a password with the “help” of a call center you dialed out to from a text. Don’t download anything if you’re told to do so if you do make the mistake of calling out to a number provided on a text or phone message. And of course remember never to open attachments on unsolicited emails or click on URLs embedded in texts.

And as soon as you become suspicious, hang up.

Nancy Roberts