A look at some of the biggest scams I reported on in 2020.
Welcome to Cyber Security Today. It’s Wednesday December 30th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Cyber Security Today is brought to you by the new Cisco Security Outcomes Study, in which we surveyed 4,800 cybersecurity and IT professionals. Visit https://cisco.com/go/SecurityOutcomes to read the results.
Also mark your calendar for the Cisco Secure Insights Summit on January 21, 2021, at 10 a.m. Pacific Time.
With the year about to end I’ve been looking back at my previous podcasts for highlights. On Monday I talked about posts related to ransomware. Today I’ll look at scams aimed at individuals.
Attackers use all sorts of tricks in the subject lines of emails to get the attention of employees. The words “COVID,” “pandemic” and “vaccine” were common in 2020, and will be in the new year as well. So are words like “payroll,” “vacation pay,” “holiday schedule” and “bonus.”
Another is the word “Complaint.” It preys on the worry that the complaint is about you, so you open the attachment to deal with the allegation quickly and fairly. Depending on the scam, opening the attachment or clicking the link may automatically download malware, lead to an infected document, or take you to a fake portal where you are asked to enter your login credentials.
Any topic involving sex attracts foolish people. One scam this year was an email showing two photos of attractive women that asked the recipient to click on the one they liked. It looked like an innocent game. Nope. Whichever photo the victim clicked on, the result was a malware download.
So a reminder: check the email address of the sender before clicking on a link or attachment. Even then, the sender may be someone you know whose email account has been hacked. As always, read email slowly. Think before you click.
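Here is an added illustration of the checks behind that advice. It is example code written for this page, not something from the podcast or from any vendor. It parses a raw email, flags a display name that carries a different address than the real sender, a Reply-To that points at a different domain than From, and subject lines built on the lure words listed above. The two sample messages and all the domains in them are constructed for the example.

```python
"""Triage helper for the email lures described above (added example).

Flags three things a reader is told to look for: a display name that
shows one address while the real From is another, a Reply-To that
steers replies to a different domain, and lure words in the subject.
The sample messages and domains below are constructed, not real.
"""
import email
import re
from email.utils import parseaddr

# Lure words the episode lists, lower-cased for matching.
LURE_WORDS = ("covid", "pandemic", "vaccine", "payroll", "vacation pay",
              "holiday schedule", "bonus", "complaint")

# Constructed sample: display name impersonates payroll, real sender and
# Reply-To are elsewhere, subject is the "complaint" lure.
PHISH_SAMPLE = """From: "payroll@corp.example" <alerts@corp-payroll-update.example>
Reply-To: collect@mail-drop.example
To: employee@corp.example
Subject: Complaint filed against you - action required

Open the attached document.
"""

# Constructed sample: ordinary internal mail, nothing to flag.
LEGIT_SAMPLE = """From: HR Team <hr@corp.example>
To: employee@corp.example
Subject: Lunch menu for the team offsite

See you Friday.
"""


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of warning strings for one raw RFC 5322 message.

    An empty list means none of the three checks fired.
    """
    msg = email.message_from_string(raw_message)
    warnings = []

    # Check 1: an address smuggled into the display name that differs
    # from the address the mail actually comes from.
    name, addr = parseaddr(msg.get("From", ""))
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", name):
        if _domain(embedded) != _domain(addr):
            warnings.append(
                f"display name shows {embedded} but real sender is {addr}")

    # Check 2: replies silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(addr):
        warnings.append(
            f"Reply-To {reply_addr} is a different domain than From {addr}")

    # Check 3: subject built on the lure words from the episode.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in LURE_WORDS if w in subject]
    if hits:
        warnings.append("subject uses lure words: " + ", ".join(hits))

    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample))
```

Run it on a saved .eml file by reading the file into a string and passing it to triage(). The lure-word check is a hint, not a verdict; a real payroll notice will also match, so the header checks carry more weight than the subject.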
Most of my podcasts deal with online scams, but there are telephone frauds worth reporting on as well. Security reporter Brian Krebs described one that topped anything I’ve ever written about. It takes a bit of telling, so please be patient. A man called “Mitch” nearly lost close to $10,000 in an elaborate banking ruse. A caller pretended to be from his financial institution, warning that fraud had been detected on his account. One persuasive detail was that the caller ID on “Mitch’s” phone matched the phone number on the back of his bank card. While on the phone with the supposed bank employee, “Mitch” went online to check his account, and sure enough there were unauthorized transactions. The supposed bank employee didn’t ask for personal information, which also made the call seem legit. She said the charges would be reversed and promised a new debit card would be sent to him. The next day “Mitch” received another call about suspected fraud on his account. This time he phoned the bank on a separate line to ask what was going on. He wanted confirmation that the person on the other line was really from the bank. This bank employee, who was real, checked and found that, yes, another staffer was on the line with “Mitch.”
Here’s how deep the scam went. The crook who was pretending to be from the bank on that second call was on the phone with the bank at the same time, pretending to be “Mitch,” the victim. In other words, the crook anticipated that “Mitch” would call the bank while they were talking, and placed his own call to the bank. Because two bank employees were separately on the phone, both thought they were speaking to “Mitch.” Only one of them was. The other was speaking to the crook.
“Mitch” was convinced the call was legit, so he hung up on the real bank. The bank, concerned about fraud, followed its procedures and texted “Mitch” a one-time code to verify his identity. He read that code to the crook. The crook later used that verification code, on his own call to the bank, to transfer almost $10,000 from “Mitch’s” account. You see, the crook had already broken into the victim’s account and made the initial small unapproved transactions. What the crook needed was the bank’s verification code so he could move a large amount of money. It’s a complex and targeted scam. Fortunately the bank reversed the transfer.
A few lessons. First, the caller ID shown on your phone is untrustworthy; it can be forged. That won’t be fixed until phone companies implement technology known as Caller ID Authentication (STIR/SHAKEN), hopefully in Canada and the U.S. in 2021. It lets carriers verify that the displayed number really belongs to the caller and flag calls that fail the check, so spoofed numbers stand out. Second, be careful where you use bank access cards. Avoid non-bank ATMs; they can be compromised. When you enter your PIN on any machine, cover the keypad with your other hand so the PIN can’t be seen or photographed. And third, if a bank calls and says you have a problem, hang up. Phone the bank using the number on the back of your card to verify the problem. Better yet, get in your car and go to the bank.
That’s it for today. There won’t be podcasts on New Year’s Day, so the next time you hear me will be Monday, January 4th. Meanwhile, have a great, and safe, holiday.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.