October is Cybersecurity Awareness Month. What better way to raise awareness than to share my own close call with a cyberattack…
09/20/2022 – I ALMOST got scammed today! Let that sink in. I am a seasoned cybersecurity practitioner, and they ALMOST got me. They didn’t, but it was a close one! Here is the scenario:
I was at work and saw an incoming call on my cell phone. The phone number was familiar – it was one of the numbers I normally see when my financial institution calls. I usually answer these since they are typically confirming recent charges and ensuring it was actually you (I’m not going to list the institution since the scammers can target ANY institution’s members with this type of scam).
I answered, and a very personable guy who said his name was Jason Brooks, employee ID number 74865, was on the other end of the call. He said he was from the fraud department. This was my first “inkling” of a red flag since I didn’t recall the institution offering badge numbers or employee ID numbers in the past. Still – so far, so good… To this point, it still seemed legit.
He said there were questionable out-of-area transactions on my account, and he needed me to verify or dispute the activity. He said there were two Walmart transactions in Jacksonville, Florida that day. I let him know that wasn’t me, and he said he would reverse those charges and immediately cancel my debit card. Additionally, a replacement would arrive at my address on file in 7 to 10 days. However, he said if it was more convenient, I could stop by any branch and get a replacement issued on the spot. Still very normal activity. Still pretty legit.
Then, he asked if I recently set up a bill pay recipient for a payee I didn’t recognize. Of course, we had not. He said that meant my online account was likely compromised, as well. He said he would fix that and submit a password reset to the email account associated with my account. Still mostly legit – although I had not seen instances where both debit/credit card AND online accounts get compromised at the same time. My security spidey senses began to slightly tingle, but the guy was good! Very legit-sounding, and obviously someone who had been on the receiving end of fraud alert calls enough to know the script.
THEN (and this is where I cannot believe I did this), he wanted to confirm my online account ID. I rattled it off since he wasn’t asking for the password, but immediately felt something was up. Note to self: immediately change my login name (which I already have). That said, everything was still not too unheard of or out of the norm.
He said, “Okay, let’s walk through your password change, so I can reset things on our end and ensure you’re good to go.”
While on the phone, he said to go to my settings, click security, and choose “change password.” This would take me to the point where you enter your old password and then enter your new password. I wouldn’t have thought much if I had entered a password of my choosing, BUT… he said, “Once you’ve entered your old password, I’ll provide you with a temporary password so we can get everything reset. For your new temporary password, you’ll need to enter Summer2022$$.”
He even made it a point to let me know the S was uppercase.
RED FLAG RED FLAG RED FLAG…
Had I entered the password he provided, he would have immediately logged in, changed it, and locked me out. Pretty creative… Of course, I didn’t change it.
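The takeover sequence just described (victim sets an attacker-dictated password, attacker logs in from a new device, attacker changes the password again) leaves a recognizable trail in authentication logs. The following is an added example of detection logic over constructed sample events; it is not code from the original post, and the event format, user names and IP addresses are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, user, action, source IP).
# "alice" does a normal self-service reset from her usual IP.
# "bob" matches the scam pattern: reset, then a login from an IP never seen
# for him, then a second password change a few seconds later.
SAMPLE_EVENTS = [
    ("2022-09-20T10:02:00", "alice", "password_changed", "203.0.113.10"),
    ("2022-09-20T10:02:30", "alice", "login_success",    "203.0.113.10"),
    ("2022-09-20T10:15:00", "bob",   "password_changed", "198.51.100.7"),
    ("2022-09-20T10:15:40", "bob",   "login_success",    "192.0.2.55"),
    ("2022-09-20T10:16:05", "bob",   "password_changed", "192.0.2.55"),
]

# Constructed history of IPs each user has previously logged in from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.7"}}


def detect_takeover(events, known_ips, window=timedelta(minutes=10)):
    """Return (user, new_ip) pairs where a password change is followed within
    `window` by a successful login from an IP never seen for that user and
    then by another password change from the same session window."""
    by_user = {}
    for ts, user, action, ip in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), action, ip))

    flagged = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order
        seen = known_ips.get(user, set())
        for i, (t0, action, _) in enumerate(evs):
            if action != "password_changed":
                continue
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            # First login after the reset that comes from an unfamiliar IP.
            new_login = next((e for e in later
                              if e[1] == "login_success" and e[2] not in seen), None)
            if new_login is None:
                continue
            # The attacker locking the victim out: a second password change.
            if any(e[1] == "password_changed" and e[0] > new_login[0] for e in later):
                flagged.append((user, new_login[2]))
                break
    return flagged


if __name__ == "__main__":
    print(detect_takeover(SAMPLE_EVENTS, KNOWN_IPS))  # [('bob', '192.0.2.55')]
```

In practice the "known IP" set would come from device or geolocation history, and a hit should trigger a step-up verification or an out-of-band call to the customer before the second password change is honored.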
At this point, the red flags were flying. I stopped cooperating. I told him to hold for a minute because I had a work interruption.
“Let me call you back at the call center, and we can continue this later,” I said.
He said that we could do that, but we were on a recorded line, and our current activity would be interrupted and would have to be started over. He indicated when I call back in, it wouldn’t be on a recorded line, blah blah… More red flags… I told him to hold for a minute, and I’d be right back. After about a minute of having him hold on, the call dropped. Immediately, I got two more calls from the spoofed telephone number, but I didn’t answer.
At this point, I am confident I’ve thwarted the scammer, but I also know those unfamiliar with scammers would fall for this guy hook, line, and sinker. He was that good.
I called my actual financial institution and spoke with an agent. First, I asked if any suspicious activity was occurring on my account. All is good…no random Florida transactions, no new online bill pay recipients…
I then asked if Jason Brooks was an employee. She looked and confirmed there was no Jason Brooks. I filled her in on the scam attempt, and we both agreed that I was good to go, but others would definitely fall for it.
She reported it to the fraud department, so they are aware someone is:
- Targeting locals with a list of phone numbers and names
- Spoofing the financial institution’s actual number
- Pretending to be their fraud alert department
- Attempting to steal credentials (login/passwords) to online accounts
My last step was to change my login ID and ensure that multi-factor authentication (MFA) was enabled on my account. Everything has been secured.
Cybercriminals are stepping it up. Our team is making sure that our clients are doing the same. Reach out to our Security Solutions team to partner with our professionals to ensure your data stays secure.
Keep an eye out and be safe out there…
If you need any assistance with understanding the details within the advisory, understanding your current cybersecurity posture, your preparedness for a breach, or any other cybersecurity topic, we would love to have a discussion with you. Contact us today, and let’s chat about your environment and ways to lower your chances of becoming a victim of cybercrime.