| Image: Wikipedia |
"Hello, you're speaking with Peter Flight from HomeBank*. I'd like to go over a few things with you regarding your new mortgage."
So far,
so normal — at least if you actually have taken out a new mortgage with that
bank. What the customer did find odd, however, was that the bank employee also
wanted to go through some contact details for verification purposes.
"They're calling me, so surely they know it's me?"
Did you
know that phishing doesn't only happen via email and text message, but also
over the phone? In that case it's called vishing (with a v for voice), but the
goal is the same: to extract information. Suppose that Peter Flight is a
criminal. He probably won't open with a mortgage, because there's a good chance
his intended victim hasn't applied for one. So he'll start with something more
general — a savings account, say, or a bank card.
Suppose
his story sounds plausible. He then asks a series of questions of the kind you
hear all the time when you call a company or organisation: your address, date
of birth, perhaps even your bank account number or national insurance number.
Perfectly logical when you're the one calling — though I'm often surprised by
how little information they're satisfied with. But when they call you, the
situation is quite different.
Why
would they need to verify your identity in that case? They have your file right
in front of them, and it includes the phone number they're calling. Yes,
someone else could theoretically pick up your phone, but in the age of the
mobile that's not very likely (back in the day, dear youngsters, you had one
telephone in the house — the kind that could only travel as far as its cord
would allow). So if someone calls you on behalf of a company and asks for
identifying information, you should be on your guard. Because with that
information in hand, a criminal can easily call a company and pretend to be
you. With all the consequences that entails.
No, when
they call you, you need to turn the tables: ask the questions yourself. What's
my date of birth? What's my address? What are the last four digits of my bank account
number? If they're unwilling — or unable! — to answer, you're better off
hanging up. Not sure whether the call might have been legitimate after all?
Call the company back using a number you already know or find on their website
or in their letters. They'll be able to tell you whether they called you.
But of
course I also heard stories from people who had received good old-fashioned
phishing, via email. Take the colleague who received a fantastic offer from
Amazon: trainers from a well-known brand for £8 instead of £80. If you've ever
attended one of my presentations, you'll probably recognise this piece of
wisdom: if something seems too good to be true, it usually is. The colleague
initially thought the email looked genuine — he was even addressed by his first
name. But because something still felt off, he asked AI for help. Verdict:
phishing! The main reason, it turned out, was that the Amazon logo was missing.
The fact that this was the clincher is worrying, because any half-decent
phishing operation invests precisely in look and feel. What would AI have said
if the logo had been there?
How did
the criminal behind this email know our colleague's name? Because of data
breaches — large-scale incidents at well-known companies where vast amounts of
data (including email addresses and names) were stolen. The old rule of thumb
that the absence of a personal salutation is a red flag — and implicitly that a
personal greeting is a green flag — can safely be thrown out.
Whether
they're trying to phish, smish, vish or quish** you: outsmart the criminals.
Let people like Peter Flight crash and burn thanks to your alertness.
*:
These names are fictitious.
**:
smishing = phishing via text message, vishing via phone, quishing via QR codes.
And in the big bad world...
●
the consequences of a cyberattack on
the water supply are greater than you might think.
●
Meta may in future analyse your
mood.
●
a young hacker tripped over his own
hunger.
●
the Dutch government has tightened
its cloud policy. [DUTCH]
●
cybersecurity isn't about scaring
people.
●
the Japanese military was hit by
infected USB drives.
●
cybercriminals love to capitalise on
current events.
●
you no longer need to share your phone number
to message someone.
●
thousands of cybercriminals have
been arrested worldwide.
●
there was a major attack on
Microsoft 365 accounts.
●
China is interested in the emails of
Western academics.
No comments:
Post a Comment