Phishing by Phone. What Are They Thinking?!
By a bit of serendipity, Josh and I each got phishing attempts in the past few days.
Granted, we get a lot of phishing and malware emails. After all, we have secret email addresses we use to intentionally collect malware and phishing attempts the bad guys are sending.
It lets us see what the latest attacks are and lets us accurately test the antivirus software against the latest threats.
What made these particular phishing attacks different was that they happened by phone.
Since mine came by phone, I got to have a bit of fun with the phisher.
And, even though you might get a good laugh, hopefully, it'll help you to remember to be as wary of phone calls as you are now of clicking links in emails.
Here's what happened...
I answered the phone at my office as I usually do, "Hello, this is Kevin."
"Hi, Kevin. This is 'Ron.' I'm with the Wells Fargo fraud team. We've detected unusual activity on your account.
"Have you travelled to London recently?"
Since I don't have a Wells Fargo account, the gig was up right there for him, but I decided to have a little fun.
"Oh, gosh, I'd love to go to London!" I said.
Thrown by my reply, the best he could muster was, "Yessir. And have you been there in the past two weeks?"
Fish & Chips (with a Texas Accent)
At this point, I decided to give him the best Texas accent I could muster.
"Well, let's see. I guess you might say. I have done a fair bit of travelin'. First I was—sorry, we were—in Leicester. Had a wonderful fish-and-chips at a pub richt thar.
"My wife, girlfriend, and our thirteen kids, well technically I'm not sure if four of the rugrats are mine, but after five or six, what's another?
"Love 'em all just the same.
"So we were in Leicester, the wife, girlfriend, kids and me, when one of the kids decides to wander out of the pub. Shooooot, it musta been two in the mornin'.
"Don't know what the little bugger was thinking, so he wanders out into the street. No idea how long he was gone.
"I guess the coppers must've scared him because he wandered back in. Knees looked a bit skinned, but the girlfriend tended him, so it was no concern of mine.
"After Leicester, we made our way to Brisbane for the night. Wonderful city.
"Pert near a fortnight there and we were off to Timbuktu, which if you've never been, is a real city. Sure as shootin'.
"Good luck trading your money there though, let me tell you."
How 'bout an American Express?
"So glad I had my American Express card. Don't leave home without it, I always say. So you're with American Express you say?"
"Uh. Yessir. I am. Your travel to, uh, these places. It. Uh. It has set off fraud warnings in our system."
"I need to confirm your card is in your possession. Do you have it?"
"Oh sure. Let me dig around for it. One of the kids must've just used it for some Minecraft thing or another."
At this point I put the phone down, found some sounds online of kids playing and put the phone next to the speakers, while pretending to rustle papers around.
Those Doggone Kids
Every couple of minutes, I'd shout some obscenities with a random kid's name.
Every few minutes I'd go back to the phone, apologize, and tell him to hold on just another minute.
I could tell from the exasperation in his voice, my gig was almost up, but I wasn't done with him yet.
Time for a Boston Accent & a Discover Card
Switching now to a Boston accent, I went on,
"Gosh, I'm sorry. The wife and girlfriend left a while ago for a little shaawpping. They took one of the Ferraris and left me with awl these kids.
"I just don't know where my Discover khad is."
"Oh, that's no problem. We'll just look it up with your social security number."
Darn... Maxed out the Social Security Card, too??
"My social security number? Oh, heck, I stopped using that credit caaad years ago! Maxed that thing right out. Can we use something else?"
"Sir, your social security number isn't a credit card."
"Oh right. That thing. Haven't used it in years either. I don't think I can find it."
"You don't know your social security number??"
"Well, not since little Frankie ran over the neighbah's pet alligata back in '86. Had to get the heck out of Dawdle afta that. Moved to Canada for a couple a years.
"Let me tell you, getting fifteen kids, the wife, the girlfriend, AND the Ferraris across the border took some doing.
"Oh wait, we had the Porsches then. Air-cooled engines. Great sound.
"So, no, I guess I don't really know my social security number anymore. Isn't there anything else??"
At this point, 'Ron' was nearly in tears. It was bliss.
"Well, we could use your checking account, full name, and address. The one you use to make payments with."
"Oh, right, sure thing. Easy. Peasy."
Those Pesky Kids Are Back / The Surfer - Valley Girl Arrives...
At this point, I repeated the kids shouting / playing sounds routine and pretended to rustle through belongings and occasionally shouted random kids' names again.
Upon returning, I'd gone part California surfer, part Valley Girl.
"Like. I can't find the doggone check book either. Don't that like just take the cake, dude.
"I bet those two are really going to do some damage. Last time they went out together with the Visa and my checkbook, they said they were just going for a manicure but came home with a new Ferrari.
"Love those two.
"Heck, with all the kids' puke stains on the back seat, I guess it was time, man. Thing probably had 4,000 miles on it anyway.
"You know, now that I think about it, OMG! I'm not sure if they even got manicures that day."
"Well, let's confirm the account details we do have here on file, and I can call later to get the rest of the information."
"Oh. Right. Sure."
"...your full name as it appears on your account, sir?"
"Kevin Hfuhruhurr Armani Dior Steve Stifler de la Cruz IV."
Hfuhruhurr can be a real bugger to spell apparently.
Exasperation level: 10/10.
"Well, we don't really have a 'permanent address', air quotes!! ...you might say...Not with like the, you know, like, alligator incident in '91 and all."
Are You Telling Me the Truth?
"Sir. Are you telling me the truth? Or are you just making things up now?" he pleaded.
"I'm telling as much truth as you are."
"OK, I guess the gig is up for both of us."
"What's a 'gig', sir?"
"In this case, it means 'scam,'" I said. "Let's drop the bullshit. You called me trying to steal from me. You're not my bank. You're a scammer. Where are you, someplace in India?"
The Long Silence: Part I
After considering his options, 'Ron' decided to come clean.
"Yes. I'm in India."
I pressed on, "And this call, it's a total scam, isn't it?"
"Well. I wouldn't call it that."
"Oh, right. You're from my bank. Wells Fargo, you said. Here's the funny thing: I don't even have an account there."
'Ron' went on to confess he'd been doing it for about three months, and that the money wasn't great, but it was enough to feed his family.
I asked him how he'd feel if someone stole money from his family, and they couldn't eat.
"I never thought of it that way..." he began. "The banks pay everyone back. No one gets hurt."
"Hate to burst your bubble, 'Ron,' but that's not how it works. When you take money from someone's bank account, it's a looooong process for the victim. It takes weeks to even try to get the money back.
"Sometimes, the banks say, 'No,' and the victim loses the money.
"There's really no difference between what you're doing and a mugger on the street: YOU are a thief stealing money from people."
The Long Silence: Part II
After another long silence, I added, "You can try to justify it to yourself any way you want, but you're a thief, 'Ron,' plain and simple. Does your wife even know what you're doing?"
"No. She thinks I'm in tech support."
"Huh. That makes you a thief and a liar. A liar to your own wife. If you're earning enough to make a living stealing from people, you must be pretty convincing. You must be a pretty good salesman."
"I guess I am?" he said, almost asking me if I thought he was.
The Long Silence: Part III
"I guess... I just... I don't know..." he whispered, "I don't know what to do, sir."
"Maybe you should quit this shit, stop stealing from people, and go get an honest job, perhaps in sales," I offered. "Then whether or not you come clean to your wife is up to you, but at least come clean with yourself. Get out of there, brother."
"Thank you for your time, sir."
The scams are out there. They take many forms.
Sometimes phishing scams come by email; sometimes they come by fax; sometimes they come by phone or even text message.
Even if it's a phone call, fax, or text, there's no reason to trust it. Call 'em back.
And, if you think you can trust your Caller ID: don't. It's a fool's errand.
"Spoofing" Caller ID so that it looks like the call is coming from a different number is trivial. Typically, scammers like 'Ron' really just need a T1 phone line.
After that, they can make the caller ID say anything they want.
In fact, in a lot of ways it's actually easier to fake a phone number than it is to set up a whole fake website to do phishing.
On top of that, nearly all email providers are actively working to thwart the bad guys and prevent their emails from getting through. When was the last time your phone company even lifted a finger to prevent a fake or harassing phone call from getting through?
Add to that the challenge of getting by the anti-phishing filters built into most Internet Security Suites, and setting up a T1 line is downright easy by comparison.
Consider this, too: if you get a call from your bank, and there's a legitimate issue, they'll understand your concern for security, and your wish to call them back.
On the other hand, if the caller gets agitated at this suggestion, it's all the more reason to be suspicious.