Would you willingly give your password or other private information to a stranger? Of course not. Let’s say that you receive a ‘Suspicious Account Activity’ email from a financial institution, asking you to log in to your online account and verify a transaction. Would you log in using the provided button or link in the email? If so, you’ve more than likely become a victim of a phishing attack.
Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit card details (and, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Why would someone target you in a phishing attempt? Because consumers trust their financial institutions and criminals know this. Somehow, these criminals got your email address and are using your institution’s brand to increase your level of trust in the information they send you. This is also known as social engineering. Criminals use deception to manipulate you into providing them with valuable login credentials or other Personally Identifiable Information (PII). Cybercriminals know where the money is. That’s why they commonly impersonate financial institutions when targeting individuals.
Phishing Scams aren’t Limited to Email
A quick phone call is an easy way for a criminal to build trust and catch people off guard. New internet phone technologies make it easier than ever for cybercriminals to hide their actions from law enforcement. Have you ever been to a restaurant and left a copy of your receipt on the table? Or left that gas receipt in the gas pump? Believe it or not, that receipt has a lot of usable information on it. This information can be used against you to make you believe that a threat is real. These criminals are professionals at what they do and the quicker they gain your trust, the more dangerous they become.
For example, I just pulled a receipt out of my wallet and found this information on the receipt: full name, last 4 digits of my credit card number, time of visit, place of transaction, and what was purchased. Let me explain how this type of cyber criminal thinks:
Let’s say a criminal was sitting at the table across from you and saw the name of the bank on your payment card. As you’re walking away, he quickly gets up, grabs a copy of the receipt off the table and walks toward the bathroom. He pulls out his phone and does a quick search on social media (Facebook, LinkedIn, Twitter) using the name on the receipt. He’s able to find where you work, your contact information, and cell phone number within minutes. The criminal returns to his table, pays for his meal in cash and immediately starts putting together a targeted phishing attack. The following morning you and your family are on your way to church and the phone rings. Here’s an example of how this conversation could go, in favor of the phisher:
You: Hello.
Phisher: Good Morning, this is Christian calling from Your Local Bank Anti-Fraud Department. Am I speaking with Lucas Freeze?
You: Yes, this is Lucas.
Phisher: Mr. Freeze, I’m calling you today because our fraud protection system alerted us about some fraudulent activity on account ending in 1234. Is that your card?
You: Yes, it is.
Phisher: Mr. Freeze, I’m going to ask you a few questions to confirm your identity and verify these transactions. Can you please confirm your home address?
You: 12345 Memory Lane, Secure Town, IA 55555
Phisher: Thank you. Are you currently employed at ABC Company?
You: Yes.
Phisher: Mr. Freeze, did you recently complete a transaction at Fake Event Tickets for $494.89?
You: NO!
Phisher: Okay, Mr. Freeze, how about a transaction for $49.89 at Fresh Seafood – Nothing Better?
You: Yes, that was me.
Phisher: Mr. Freeze, I think your card has been compromised. I would like to suggest that we cancel your card immediately. Would you like to go ahead and process the cancellation?
You: Yes, please.
Phisher: Mr. Freeze, can you please confirm the remaining digits on the card so I can be sure we’re cancelling the correct card? The name on the card is Lucas M Freeze, correct?
You: Yes.
Phisher: Okay, Mr. Freeze, please go ahead and provide me with the complete card number.
You: 1234 5678 9123 4567
Phisher: Thank you, Mr. Freeze, that matches the card we have on file. Can you please confirm the expiration date and three-digit code on the back of the card?
You: 01/20 and 123.
Phisher: Thank you, Mr. Freeze. I have processed the cancellation and ordered a new card for you. Please allow 7-10 business days for your new card to arrive. I also put the transaction for Fake Event Tickets, in the amount of $494.89, into dispute which will remove the transaction from your account immediately. Do you have any questions?
You: No, thank you for catching this so soon.
That is just one example of how professional cybercriminals can get your information over the phone. You should NEVER provide personal information, credit card numbers, Social Security numbers, or any other non-public personal information to anyone if you did not initiate the communication.