“I would never fall for a scam! I’m smarter than that, it could never happen to me!”
As a professional who specializes in cybersecurity and privacy law, I have extensive training on the techniques that threat actors use to obtain sensitive information. I know what the threats are and how to spot them. I’ve learned exactly what to look out for, to never click a link in a suspicious email, to not take candy from strangers… I’m supposed to be the predator, not the prey. Right? Well, let me tell you about my Tuesday:
I spent the day at the office. I went home, spent some time with my kid, fed him some dinner, and sent him off to bed for the night. Then, the phone rang. I picked up, assuming it was the Chinese food place I had just ordered from, calling me back to clarify the extent of my shrimp allergy. Incorrect.
The caller identified himself as a representative from the fraud department of the bank where my husband and I have our day-to-day accounts. He informed me that there were several suspicious charges on my credit card and that he wanted to review them with me. I said OK. He confirmed who he was speaking to (he knew my name), he confirmed my home address (which he also knew) and then began asking me some questions about my recent whereabouts. Apparently, the bank had flagged transactions on my card from a gas station in Toronto and additional suspicious transactions were starting to come in from all over Toronto.
And so, the caller and I began the “authentication process”. Before providing my details, I asked him to confirm the number of the credit card in question. He provided me with the four first digits of my card, that is, the digits which identify all Visa cards issued by our bank. I then asked him to provide me with the last four digits of the credit card, whereupon he told me that this information could not provided until my identity had been authenticated by the bank, via their security questions. This is when my “Spidey senses” started tingling: I did not recognize the number from which this man was calling, nor did I have any actual confirmation that he was, in fact, a representative of the bank’s fraud department.
I expressed my concerns about his identity and explained to him that, as a precaution, I would end this phone call and call back the bank’s fraud department, thus allowing me to ensure that I was speaking to a representative of the bank. He quickly reassured me, explaining that he understood my concern, congratulating me on my vigilance, while reiterating the importance of promptly verifying the suspicious transactions, then cancelling and reissuing a new (safe) credit card. Once again, I insisted that I would end the call and phone the bank back, without delay. His tone began to change. Instead of a professional, customer service veneer, his tone became more insistent: the call was being recorded. My failure to comply with addressing this urgent matter would mean that the suspicious charges would be allowed to go through, and worse, that I would be responsible for paying them if I ended the call, as the bank would have fulfilled their duty to advise me of possibly fraudulent activity and there would be recorded evidence of this. We wouldn’t want that, would we? I needed to provide my information, at once.
I suggested that if he felt, as a representative of the bank, that my card was compromised, he had my permission, on recording, to cancel my credit card without delay. I would call back the fraud department and sort… The line went dead. He had ended the call, realizing that I would not be complying with his requests, despite his skilled attempts to dupe me.
I immediately went into my online banking account and locked all my credit and debit card. I used the number provided on the back of my credit card to call my bank and verify whether there had, in fact, been fraudulent transactions on my account. As it happens, my credit card was clean. No suspicious charges. No cancellation. No record of the fraud department reaching out to me.
I had almost been a victim of what is commonly referred to as a “social engineering” attack, a strategy by which threat actors use psychological manipulation to obtain access to sensitive or private information. He already had my name and phone number as well as my physical and email addresses, information easily obtained from a simple data breach suffered by any of the places I shop online. He also correctly assumed that I was in possession of a credit card, but clearly did not have the information he would require to use it himself, which was most likely the reason for the call. The threat actor used “pretexting”, a common social engineering technique, to try and obtain my compliance, identifying himself as a fraud department representative, to gain my trust and lead me to divulge valuable information. He also used the oldest technique in the book: “fear”, threatening me with monetary loss if I did not comply with his request, quickly.
Had I been just a bit more tired, distracted or otherwise inattentive, I might not have picked up on the cues. But my “muscle memory” kicked in and I remembered to:
- Check the source – I didn’t rely on the threat actor’s assertion that he was from the bank and insisted on communicating with them only through a reliable source.
- Break the loop and slow down – creating a false sense of urgency means targets are less likely to critically assess the information with which they are being presented. Sometimes taking an extra second to think about the issue (why can’t I just call back in less than a minute? If he has already stopped the charges, why is this so urgent?) allows you to see the attack for what it really is.
- Ask for ID – make sure the person is who they say they are. Check the phone number online. Ask what their extension number is, so that you can call back if the call is disconnected. If they hesitate to identify themselves, disconnect.
Even though this attempt failed, I took steps to safeguard my credit and bank accounts, since clearly my personal information is out in the ether. In addition to contacting the fraud department of my bank, I filled a report online with the Canadian Anti Fraud Centre Reporting System (found here: https://www.services.rcmp-grc.gc.ca/CAFCFRS/). I also signed up for credit monitoring services with Equifax Canada (https://www.consumer.equifax.ca/personal) TransUnion (https://www.transunion.ca/sites/ca/home_en).
