CONFESSIONS OF A CYBERSECURITY LAWYER ON A SCAM DODGE

“I would never fall for a scam! I’m smarter than that, it could never happen to me!”

 

As a professional specializing in cybersecurity and privacy law, I have extensive training in the techniques used by threat actors to obtain sensitive information. I know what the threats are and how to spot them. I’ve learned exactly what to watch out for: never click on a link in a suspicious e-mail, never accept candy from strangers…. I’m supposed to be the predator, not the prey, right? Well, let me tell you about my Tuesday!

 

I spent the day at the office. I arrived home, spent time with my child, made him dinner and sent him to bed for the night. Then the phone rang. I answered, assuming it was the Chinese restaurant I’d just ordered from calling me back to clarify the extent of my shrimp allergy. Wrong!

 

The caller identified himself as a representative of the fraud department of the bank that manages my husband’s and my accounts. He informed me that there were several suspicious transactions on my credit card and that he wanted to review them with me. I said okay. He confirmed who he was talking to (he knew my name), confirmed my home address (which he also knew) and then started asking me a few questions about my recent whereabouts. Apparently, the bank had reported transactions on my card from a gas station in Toronto and other suspicious transactions were starting to appear from all over Toronto.

 

And so, the caller and I began the “authentication process”. Before providing my personal information, I asked him to confirm the credit card number in question. He provided me with the first four digits of my card, which correspond to the numbers that identify all Visa cards issued by our bank. I then asked him to provide me with the last four digits of the credit card, after which he replied that this information could not be provided until my identity had been authenticated by the bank, via their security questions. It was at this point that my radar started to go off: I hadn’t recognized the number this man was calling from, nor had I received any real confirmation that he was indeed a representative of the bank’s fraud department.

I expressed my concern about his identity and explained that, as a precautionary measure, I would terminate the phone call and call the bank’s fraud department back, thus ensuring that I was speaking to a bank representative. He quickly reassured me, explaining that he understood my concern and congratulating me on my vigilance, while reiterating the importance of quickly checking the suspicious transactions, then cancelling the card and reissuing a new (secure) one. Once again, I insisted that I would end the call and call the bank back without delay. His tone began to change. The professional mask of customer service slipped and he became more insistent: the call was being recorded. My failure to comply with the resolution of this urgent matter would mean that the suspicious transactions would be allowed and, worse, that I would be responsible for paying them if I terminated the call, since the bank would have fulfilled its duty to inform me of potentially fraudulent activity and there would be recorded evidence of this. We wouldn’t want that, would we? I had to provide my information, right away.

 

I then suggested that if he felt, as a representative of the bank, that my card was compromised, he had my permission, duly recorded, to cancel my credit card without delay. I would call the fraud department back and settle…. The line went dead. He had ended the call, realizing that I would not comply with his requests, despite his clever attempts to dupe me.

 

I immediately went online to check my bank account and locked all my credit and debit cards. I used the number on the back of my credit card to call my bank and check if there had been any fraudulent transactions on my account. My credit card happened to be clean. No suspicious charges. No cancellations. No indication that the fraud department had contacted me.

 

I had almost fallen victim to what is commonly referred to as a “social engineering” attack, a strategy whereby threat actors use psychological manipulation to gain access to sensitive or private information. He was already in possession of my name and phone number as well as my physical and e-mail addresses, information easily accessible thanks to a simple data breach suffered by one of the places where I shop online. He also correctly assumed that I was in possession of a credit card, but clearly didn’t have the information he needed to use it himself, which was most likely the reason for the call. The threat actor used “pretexting”, a common social engineering technique, to try to gain my cooperation: identifying himself as a representative of the fraud department to gain my trust and get me to divulge sensitive information. He also used the oldest technique in the book, “fear”, threatening me with monetary loss if I didn’t comply with his request, quickly.

 

Had I been a little more tired, distracted or otherwise inattentive, I might not have picked up the clues. But my “muscle memory” kicked in and I remembered:

  1. Check the source – I didn’t rely on the threat actor’s claim that he was from the bank and insisted on only communicating with the bank through a reliable channel.
  2. Break the loop and slow down – Creating a false sense of urgency means targets are less likely to critically evaluate the information presented to them. Sometimes, taking an extra second to think about the question (why can’t I just call back in less than a minute? If the bank has already stopped the transactions, why is it so urgent?) allows you to see the attack for what it really is.
  3. Ask for ID – make sure the person is who they say they are. Check the phone number online. Ask what their extension number is so you can call back if the call is disconnected. If they’re reluctant to identify themselves, end the call.

 

Although this attempt was unsuccessful, I took steps to protect my credit and bank accounts, as it’s clear that my personal information is available on the Internet. In addition to contacting my bank’s fraud department, I filed an online report with the Canadian Anti-Fraud Centre’s Reporting System (which can be found here: https://www.services.rcmp-grc.gc.ca/CAFCFRS/). I also signed up for credit monitoring services with Equifax Canada (https://www.consumer.equifax.ca/personal) and TransUnion (https://www.transunion.ca/sites/ca/home_en).

 

By Alexandra Kallos
