The best phishers present themselves as consummate professionals, and their targets usually have no idea that they've been swindled. Before you know it, your account is depleted and you're on the phone with your bank asking what the heck happened.
Which is almost what happened to Pieter Gunst. Thankfully, he's warning others about the scam so they can avoid falling victim to it.
Our friend, @DigitalLawyer, was minding his own business one day when he received a phone call from someone who appeared to be a representative from his bank, claiming that there was some suspicious activity on his account in Miami, Florida. They asked him if he was attempting to make a purchase there and he said that no, he wasn't.
Like any normal person who was at risk of potentially getting hacked, he stayed on the line. I've received legitimate calls from my bank or credit card company before while I was traveling, asking if I was indeed buying $40 worth of sandwiches at Sheetz just outside of Brackenridge, Pennsylvania. Yes that was me, and yes, I love Sheetz, you got a problem with that, American Express? Didn't think so!
But in Pieter's case, he wasn't the one making the supposed transactions. Reading the script the scammer used, everything seemed like it was on the up and up. Just read it yourself and try to find anything wrong or fishy up to this point. You won't, because it's nearly identical to what would happen if a major bank called to investigate a suspicious transaction.
Here's where it gets fishy (or phishy). The representative says they've texted him a verification PIN and asks him to read it, and then asks him to review some of the other recent transactions.
Surely they must be the bank, right? How else would they know about recent transactions he's already made? Again, up until this point, it all looks kosher. It then became very clear to Mr. Gunst that it wasn't, but someone a bit less savvy would easily fall prey to it.
Did you catch what the scammer's tell was? Because if Pieter hadn't spelled it out for me, there was no way I would have gotten it either, and that's reading it on Twitter. I'd imagine that when they've got you on the phone and have you worrying about your money, you're much more prone to overlook how weird it is that they're asking you for your PIN.
Pieter breaks it all down below:
So they had Pieter give up his member number, which on its own is fairly innocuous: you can't do anything with that information alone. But with it they could pose as the account holder and request a password reset, which is what triggered the verification code the person on the line asked him to read out. Once they had that code, they could complete the reset, log in and see all of his recent transactions, which they read back to him to sound even more legitimately affiliated with the bank.
They needed that code, automatically texted to Pieter's phone, to get in. So basically the scammers built a convincing narrative to bypass two-factor authentication: the text message was the second factor, and they got it simply by asking for it. They don't need your device, they just need the code that was sent to it while it's still valid, and they came up with a pretty clever way of manipulating people into forking over that information in real time.
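To make the mechanics concrete, here is an added toy simulation of that exchange. It is example code written for this article, not anything from Pieter or from any bank: the in-memory "bank", the handset, the member number, the password and the transactions are all constructed and assumed. It models the one fact that matters, which is that the bank cannot tell whether the code was typed in by the person it was texted to or by whoever that person read it out to.

```python
"""Toy simulation of the real-time OTP phishing call described above.

Everything here is constructed: an in-memory "bank", a fake handset and
made-up transactions. Nothing talks to a real bank or SMS gateway.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MEMBER_NUMBER = "10042"  # assumed member number, the scammer's starting point
TRANSACTIONS = ["2019-05-30 coffee $3.50", "2019-06-01 groceries $82.10"]  # constructed


@dataclass
class Phone:
    """The victim's handset: the bank texts it, the scammer only hears what the owner says."""
    inbox: List[str] = field(default_factory=list)

    def receive_sms(self, text: str) -> None:
        self.inbox.append(text)

    def latest(self) -> str:
        return self.inbox[-1] if self.inbox else ""


@dataclass
class Account:
    password: str
    phone: Phone
    transactions: List[str]


class Bank:
    """Minimal backend whose password reset is verified only by a texted code."""
    OTP_TTL_SECONDS = 300  # assumed validity window for a reset code

    def __init__(self) -> None:
        self.accounts = {}        # member number -> Account
        self.pending_resets = {}  # reset token -> (member number, code, expiry)

    def request_password_reset(self, member: str) -> str:
        """Anyone who knows a member number can start a reset; the texted code is the only proof of identity."""
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_hex(8)
        self.pending_resets[token] = (member, code, time.time() + self.OTP_TTL_SECONDS)
        self.accounts[member].phone.receive_sms(f"Your verification code is {code}. Never share it.")
        return token

    def complete_password_reset(self, token: str, code: str, new_password: str) -> bool:
        """Single-use and time-limited, which is exactly why the scammer needs the code live on the call."""
        entry = self.pending_resets.pop(token, None)
        if entry is None:
            return False
        member, expected, expiry = entry
        if time.time() > expiry or not secrets.compare_digest(code, expected):
            return False
        self.accounts[member].password = new_password
        return True

    def login(self, member: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(member)
        if acct is not None and secrets.compare_digest(password, acct.password):
            return acct
        return None


def build_bank() -> Tuple[Bank, Phone]:
    bank, phone = Bank(), Phone()
    bank.accounts[MEMBER_NUMBER] = Account("correct-horse", phone, list(TRANSACTIONS))
    return bank, phone


def extract_code(sms: str) -> str:
    """What a cooperative victim does when asked to 'read me the PIN we just sent you'."""
    return next(tok for tok in sms.replace(".", " ").split() if tok.isdigit())


def reads_it_out(phone: Phone) -> Callable[[], Optional[str]]:
    return lambda: extract_code(phone.latest())


def hangs_up(phone: Phone) -> Callable[[], Optional[str]]:
    return lambda: None  # refuses, hangs up, calls the bank back on the official number


def scam_call(bank: Bank, member: str, ask_victim: Callable[[], Optional[str]]) -> Optional[List[str]]:
    """The scammer's side of the call. Returns the transactions they can now read back, or None."""
    token = bank.request_password_reset(member)  # this is what makes the real bank text the victim
    code = ask_victim()                           # "can you read me that verification PIN?"
    if code is None or not bank.complete_password_reset(token, code, "scammer-chosen-pw"):
        return None
    acct = bank.login(member, "scammer-chosen-pw")
    return list(acct.transactions)


if __name__ == "__main__":
    bank, phone = build_bank()
    print("victim reads the code:", scam_call(bank, MEMBER_NUMBER, reads_it_out(phone)))
    bank, phone = build_bank()
    print("victim hangs up:      ", scam_call(bank, MEMBER_NUMBER, hangs_up(phone)))
```

The `hangs_up` branch is the article's advice in code: the scammer's reset request still lands a text on the victim's phone, but without the code read back the token is never redeemed and the password never changes. Note that nothing in the bank's logic is wrong here; the code is single-use, expiring and compared in constant time, and the attack still works because the secret is one the victim can read aloud.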
So how do you protect yourself against scammers like this? Well first, never ever EVER give a PIN, password or verification code out over the phone. Ever. Not your ATM PIN, not your online banking password, and ESPECIALLY not a code texted to your phone for a password reset or a login: a legitimate bank sends that code so that you can type it in, and never needs you to read it back.
The worst part is, not many people know that. If you're still unsure whether the person calling you is legit, the fix is simple: hang up and call the bank back yourself at the number printed on your card or on the bank's official website, not a number the caller gives you, and have someone you know is a representative look into your issue.
A scammer can't get past that without somehow re-routing a call you placed yourself to a number you looked up, which is a far taller order than making the number that shows up on your caller ID look like the bank's.
These scammers are counting on people not being sophisticated enough to spot the warning signs, so if you have older relatives or loved ones who aren't too up on technology and modern banking practices, warn them to guard their PINs and never tell anyone, no matter how legitimate they seem.