2026-07-10

Who's calling whom?

Image: Wikipedia

"Hello, you're speaking with Peter Flight from HomeBank*. I'd like to go over a few things with you regarding your new mortgage."

So far, so normal — at least if you actually have taken out a new mortgage with that bank. What the customer did find odd, however, was that the bank employee also wanted to go through some contact details for verification purposes. "They're calling me, so surely they know it's me?"

Did you know that phishing doesn't only happen via email and text message, but also over the phone? In that case it's called vishing (with a v for voice), but the goal is the same: to extract information. Suppose that Peter Flight is a criminal. He probably won't open with a mortgage, because there's a good chance his intended victim hasn't applied for one. So he'll start with something more general — a savings account, say, or a bank card.

Suppose his story sounds plausible. He then asks a series of questions of the kind you hear all the time when you call a company or organisation: your address, date of birth, perhaps even your bank account number or national insurance number. Perfectly logical when you're the one calling — though I'm often surprised by how little information they're satisfied with. But when they call you, the situation is quite different.

Why would they need to verify your identity in that case? They have your file right in front of them, and it includes the phone number they're calling. Yes, someone else could theoretically pick up your phone, but in the age of the mobile that's not very likely (back in the day, dear youngsters, you had one telephone in the house — the kind that could only travel as far as its cord would allow). So if someone calls you on behalf of a company and asks for identifying information, you should be on your guard. Because with that information in hand, a criminal can easily call a company and pretend to be you. With all the consequences that entails.

No, when they call you, you need to turn the tables: ask the questions yourself. What's my date of birth? What's my address? What are the last four digits of my bank account number? If they're unwilling — or unable! — to answer, you're better off hanging up. Not sure whether the call might have been legitimate after all? Call the company back using a number you already know or find on their website or in their letters. They'll be able to tell you whether they called you.

But of course I also heard stories from people who had received good old-fashioned phishing, via email. Take the colleague who received a fantastic offer from Amazon: trainers from a well-known brand for £8 instead of £80. If you've ever attended one of my presentations, you'll probably recognise this piece of wisdom: if something seems too good to be true, it usually is. The colleague initially thought the email looked genuine — he was even addressed by his first name. But because something still felt off, he asked AI for help. Verdict: phishing! The main reason, it turned out, was that the Amazon logo was missing. The fact that this was the clincher is worrying, because any half-decent phishing operation invests precisely in look and feel. What would AI have said if the logo had been there?

How did the criminal behind this email know our colleague's name? Because of data breaches — large-scale incidents at well-known companies where vast amounts of data (including email addresses and names) were stolen. The old rule of thumb that the absence of a personal salutation is a red flag — and implicitly that a personal greeting is a green flag — can safely be thrown out.

Whether they're trying to phish, smish, vish or quish** you: outsmart the criminals. Let people like Peter Flight crash and burn thanks to your alertness.

 

*: These names are fictitious.

**: smishing = phishing via text message, vishing via phone, quishing via QR codes.

 

And in the big bad world...

      the consequences of a cyberattack on the water supply are greater than you might think.

      Meta may in future analyse your mood.

      a young hacker tripped over his own hunger.

      the Dutch government has tightened its cloud policy. [DUTCH]

      cybersecurity isn't about scaring people.

      the Japanese military was hit by infected USB drives.

      cybercriminals love to capitalise on current events.

      you no longer need to share your phone number to message someone.

      thousands of cybercriminals have been arrested worldwide.

      there was a major attack on Microsoft 365 accounts.

      China is interested in the emails of Western academics.

 

 

No comments:

Post a Comment

Who's calling whom?

Image: Wikipedia "Hello, you're speaking with Peter Flight from HomeBank*. I'd like to go over a few things with you regarding ...