Saturday, May 23, 2015

Avoiding The Trap

In my last article, I told the story of how I (barely) avoided a credit card phishing exploit because I became suspicious while I cooperatively gave my card number to an anonymous voicemail system out to scam me. While I managed to avoid significant damage, this is neither the standard I aspire to nor one I recommend for you. This time, in the spirit of continuous improvement, let's consider how to do better by avoiding the trap.

What Happened?

The short version is that I received a text message appearing to be from my bank claiming that my card had been locked and telling me to call an 800 number. The full story is here:

Scammers depend on greed, fear, and psychology so we feel compelled to act quickly and stupidly. In my credit card example, I fell for the bait and started giving my information in moments, mostly out of fear. I needed to slow down a little and think. By answering a few key questions, I could have done that.

Key Questions

We tend to speed up, not slow down, when we feel threatened. If the threat is real, this is a survival skill. If not, it may be a trap. We control this by asking appropriate questions.

How urgent is this?

In my example, I got a Saturday evening text message that my credit card had been locked. Even if true, I wouldn't use the card for 14 hours at the earliest. If someone had tried to tamper with my account, the bank had parked it into a safe condition. There was nothing urgent in this. It just felt urgent.

Who Sent the Message?

On the surface this looked like a customer service notice from the bank. It could be, and actually was, from a scam artist. Since this wasn't urgent, I should have taken the time to be sure.

How Can I Be Sure?

There are two basic strategies available. First, check everything you can. Second, contact the bank directly, either through a prearranged number or their approved email address. Let's look at both.

In the previous article, I described oddities in the text of the message. There was no indication what account was involved. The language, though grammatically correct, was capitalized oddly.

This was a text message which revealed a real US phone number in my area code. While this is plausible, using Whitepages to do a reverse number lookup identified it as a mobile phone.

Finally, what about the number to call? It is possible to do a reverse lookup on an 800 number but even a legitimate number may say only that it is a U.S. phone. Even so, no harm in trying.

What Am I Being Asked to Do?

For the moment, let's ignore that you're being asked to call an unknown number, by a text message of unknown origin, and focus exclusively on the conversation that would follow.

In my case, an automated voice mail identified itself as the bank's activation service. Since the card was already active, this should have raised an alarm. It no doubt picked up what it could about me from caller ID and asked for my full card number, then the expiration date. When it asked for the PIN I (finally) got suspicious and stopped. This was too much information, not enough confirmation.

So, What Instead?

There are several ways to check with the bank safely. What I did was call the number the bank printed on the card. This led to a human customer service representative who asked for only the last four digits on the card and a prearranged question. Record that phone number so you have it if the card is lost or stolen. I asked them to replace the card.

By contrast, when the new card arrived I went through the real validation process. The system asked for the last four digits of the card and considered that enough since I had called from the phone number it had on file for me.

Other Options

Your second option is to email the abuse group at your bank. If you don't have the address you can search for it online. Include as much information as you can. You'll get an automated confirmation at once and a followup later. This is fine if things aren't really urgent.

If you have a smartphone, odds are they offer a custom app to connect you to your account. You can use this to check the status of your card. It may also offer a secure messaging service to safely inquire in more detail.

Finally, you can go to a bank website from a browser. Just use URLs the bank gave you in advance. Never follow a link from an email or text message.
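The checks described above (a callback number or link that is not one the bank gave you in advance, no account identified, wording built to create urgency) are mechanical enough to script. The following Python is an added example, not part of the original post; the bank name, the trusted 800 number, the domain and the three sample text messages are all constructed placeholders, and the allowlist stands in for the numbers and URLs you recorded from the card and the bank's paperwork before any alert arrived.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist: the number printed on the card and the bank's own
# web domain, recorded in advance. Placeholders, not a real bank's contacts.
TRUSTED_NUMBERS = {"18005550100"}
TRUSTED_DOMAINS = {"examplebank.com"}

# Wording that pushes the reader to act now instead of checking first.
URGENCY_WORDS = {"locked", "suspended", "immediately", "urgent",
                 "within 24 hours", "verify now"}

PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# A genuine notice normally names the account, e.g. "ending in 1234" or "x1234".
MASKED_ACCOUNT_RE = re.compile(r"(?:ending(?:\s+in)?|x{1,4}|\*{1,4})\s*\d{4}", re.I)


@dataclass
class Assessment:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _normalize_number(match: re.Match) -> str:
    """Reduce a matched US number to 1 + ten digits for allowlist comparison."""
    return "1" + "".join(match.groups())


def _host_of(raw_url: str) -> str:
    url = raw_url.rstrip(".,;:!?)")
    if not url.lower().startswith("http"):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _trusted_host(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_message(text: str,
                   trusted_numbers: set = TRUSTED_NUMBERS,
                   trusted_domains: set = TRUSTED_DOMAINS) -> Assessment:
    """Apply the article's checklist to one text message and list what fails."""
    findings = []
    lowered = text.lower()

    urgent = sorted(w for w in URGENCY_WORDS if w in lowered)
    if urgent:
        findings.append("urgency cue(s): " + ", ".join(urgent))

    for m in PHONE_RE.finditer(text):
        number = _normalize_number(m)
        if number not in trusted_numbers:
            findings.append(f"callback number {number} is not a prearranged bank number")

    for m in URL_RE.finditer(text):
        host = _host_of(m.group(0))
        if not _trusted_host(host, trusted_domains):
            findings.append(f"link host {host} is not a bank domain you recorded in advance")

    if not MASKED_ACCOUNT_RE.search(text):
        findings.append("no account identified (a real notice cites the last four digits)")

    return Assessment(findings)


# Constructed sample messages, not real traffic.
SAMPLES = {
    "scam_call": "Alert: Your ExampleBank Card Has Been Locked. "
                 "Call 800-555-0199 Immediately To Reactivate.",
    "scam_link": "ExampleBank notice: verify now at "
                 "https://examplebank-secure.com/verify to avoid suspension.",
    "legit": "ExampleBank: a purchase of $42.10 was made with card ending in 1234. "
             "Not you? Call 1-800-555-0100 or visit https://www.examplebank.com/alerts",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = assess_message(text)
        print(f"{name}: {'SUSPICIOUS' if result.suspicious else 'consistent with a real notice'}")
        for f in result.findings:
            print("  -", f)
```

The script only flags contacts that are absent from a list you built beforehand; it has no way to know a number or domain is "bad", which is exactly the point of the article's rule. It is a triage aid for slowing down, and a message that passes still deserves a call to the number on the card rather than the one in the text.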

How Is This Possible?

The message was convincing only because it used the name of my bank. The 800 number I called also identified itself using the name of my bank. Since it came as a text message, they apparently had my bank and my phone number.

Where would that information have been available? I can't be sure. Late in 2013, I made a credit card purchase at Target, which days later discovered and closed a data breach. I replaced the card after that, but not the bank.


My experience with this has led to one simple rule: if you get a message that suggests a problem may exist, find a way to check it out without using numbers or links the message provided. Beyond that, have multiple ways you can reach a bank quickly if an alarm is raised.

Sent from my iPhone
