A devious new technique called phone phishing is being used by cyber thieves. Most of us are on the defensive when we receive an unsolicited call from someone posing as a representative of Microsoft’s Technical Support Department, wanting you to log on to a “special” website, or posing as an IRS auditor demanding immediate payment, or posing as a bank representative trying to confirm your account information for security purposes. What if the cyber thief convinced you to call them and give your information willingly? If you think this is not going to happen to you, keep reading.
A week doesn’t go by without a company acknowledging that a security breach has potentially exposed their customer information. For example, Vera Bradley Stores, Wendy’s Restaurants, the University of Central Florida, and Yahoo have been mentioned in the news for a breach of payment information, customer records, or personal information.
How might a nefarious individual capitalize, literally and figuratively, on these breaches and still convince me to call them?
As a savvy cyber thief, you have ready access to a list of email addresses, or the ability to easily buy some, like the 65 million Tumblr email addresses that were recently offered for sale for $150. You might send out emails stating that a given recipient’s credit card may have been included in the recently discovered breach at well-known companies like Target, Home Depot, TJ Maxx, Wendy’s, Vera Bradley or even the IRS.
Don’t forget to put the company logo on the email and a “secure phone number” for the recipient to call (or double your chances with a malicious link to your fraudulent website). The recipient is instructed to call the secure phone number—set up by the thief—and is then prompted to provide their full name and phone number so a representative can call them back. You can guess what happens when the user is called back by a representative . . . the script goes something like this:
“Good evening - I am returning your call because we received your message.”
“We need to confirm your card information to make sure it wasn’t one of the records stolen.”
“I have your full name as (previously given on the message).”
“Can you confirm the card number you used to make your last payment?”
“And the expiration date on the card?”
But how many people really fall for scams like this?
There are statistics on cybercrime that start with estimates in the hundreds of billions and project out into the trillions based on stolen credit card purchases, fraudulent bank transactions, and identity theft. Here are some global figures to give you some perspective, as provided by Statistics Canada: an estimated 165 million phishing emails are sent out globally every day. Factor in how many are stopped by spam filters (~90%), never opened (50% of those), and just not clicked or acted upon (90% of what is left), and you have a very conservative estimate of 80,000 successful hits a day! A couple of confused individuals later and you are selling the credit cards to other cyber criminals.
In the end, you can take steps to lessen your chances, or your family’s chances, of falling victim.
- Monitor your credit and bank statements frequently for unusual activity (you can freeze your credit through Experian, Equifax, and TransUnion if needed)
- Change your passwords regularly and avoid using the same password across multiple sites (make passwords complex or use a password generator to incorporate letters, numbers, and symbols)
- Check for system updates for your PC regularly and install them on a trusted network, such as your home or office network (not hotel or airport wifi)
- Always check the phone number provided against a trusted online source or the company’s official website. If you are still not sure, contact a State or Federal Consumer Protection Agency
- Educate your family members about online safety through reputable sources such as https://www.usa.gov/online-safety
Want more information on recent breaches?
- Learn more about Tech Data’s Security Division by following us on Twitter @techdataSecInf
- See more blogs like this one on Security topics at http://blog.techdata.com/topic/security
- Was your personal information compromised? Read CRN’s recent article: Top 10 Biggest Data Breaches of 2016 . . . So Far!
About the Author
Tim Ayer is currently a Product Marketing Manager with the Security and Data Protection division at Tech Data. As a 20+ year veteran in the IT channel, he has worked closely with some of today’s leading software publishers and hardware manufacturers to connect with VARs, MSPs and System Integrators.