Don’t fall for this complaint scam, sex in email, and watch out for this sophisticated banking telephone fraud.
Welcome to Cyber Security Today. It’s Monday April 27th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In the two years or so doing this podcast I’ve detailed a number of email scams, but just came across a new one: the “Customer Complaint” con. This one is aimed at employees. A victim gets an email from someone in authority — perhaps a lawyer — saying your account will be debited because of a customer complaint. Click on the link to see the complaint. Many people wouldn’t stop to think about whether they really have an account with that organization; they’ll be worried about that word “complaint.” So they’ll be tempted to investigate. However, the link leads to a malicious document that steals data and attacks other company computers. The news site Bleeping Computer came across this as part of an email campaign with a variety of messages, including COVID-19-related scams like payroll reports and employee termination lists. All of the documents offered in these fake messages are hosted on Google Docs. One sign this is a fake: the email address of the sender doesn’t match the organization it claims to come from. Once again, be suspicious of messages with attachments or links to documents.
Here’s another recent email campaign that uses an old trick — sex — as a lure. Security vendor Proofpoint reports detecting emails earlier this month that went out to thousands of U.S. university students and faculty with two pictures of attractive women. Recipients are asked to click on the image of the one they like. That triggers a process that downloads malware. This email scam also went out to employees in a number of industries. Hopefully, no one fell for it.
Most of my podcasts deal with online scams but there are telephone frauds worth reporting on as well. Last week security reporter Brian Krebs came across this one. It takes a bit of telling, so please be patient. A man called “Mitch” nearly lost close to $10,000 in an elaborate banking ruse. A caller pretended to be from his financial institution, warning that fraud had been detected on his account. One of the things that was persuasive was that the caller ID on “Mitch’s” phone was the same as the number on the back of his bank card. While on the phone with the supposed bank employee, “Mitch” went online to check his account, and sure enough there were unauthorized transactions. The supposed bank employee didn’t ask for personal information, which also made the call seem legit. She promised a new debit card would be sent to the victim. Then the next day the victim received another call about suspected fraud on his account. This time “Mitch” phoned the bank on a separate line to ask what was going on. He wanted confirmation that the person he was talking to on the other line was really from the bank. This bank employee checked and found that, yes, another staffer was on the line with him.
Here’s how deep the scam went. It turns out that the fake bank employee was indeed on the phone at the same time with the bank — except he was pretending to be “Mitch,” the victim. In other words, the crook anticipated that the victim would call the bank while he was on the line, and made his own phone call. Because two bank employees were separately on the phone, both thought they were speaking to “Mitch.” Actually, only one of them was. “Mitch” was convinced the first call was legit, so he hung up. The bank, concerned about fraud, followed its procedures and texted “Mitch” a one-time code to verify his identity. He read that code to the crook. That allowed the crook to transfer over $9,000 from his account. You see, the crook had already broken into the victim’s account, probably by getting hold of his debit card and PIN, and made small unapproved transactions. What the crook needed was the bank’s one-time verification code so he could transfer a large amount of money. It’s quite a complex scam. Fortunately, the bank reversed the transfer.
A couple of lessons here: First, caller ID numbers on phones are untrustworthy. They can be forged. That won’t stop in Canada until this September, and in the U.S. until June 2021. That’s when phone companies are scheduled to implement technology known as Caller ID Authentication, which prevents phone numbers from being spoofed. Second, be careful where you use bank access cards. Avoid non-bank ATMs; they can be compromised. When you enter your PIN on any machine, cover the keypad with your other hand to prevent your PIN from being seen or photographed. And third, if a bank calls and says you have a problem, hang up. Phone the bank yourself using the number on the back of your card. Better yet, get in your car and go to the bank.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.