Phishing: A Story

Not too long ago, I received a very convincing text message from what I thought was my bank. It said I had a pending transaction of $3,000 that would come out of my account, and it told me to type ‘Y’ to confirm the transaction or ‘N’ to dispute it. I hadn’t made any transactions to that effect, so I responded with ‘N’. I immediately received a phone call from what looked like my bank’s phone number. The man on the phone gave a short ‘bank disclaimer’ speech and proceeded to ask if I had made that transaction.

At first, he sounded very convincing. But then he became insistent. He told me the transaction was going to occur at 3:00pm (it was 2:50pm) and that I needed to give him my information (bank account and social security number) immediately so he could cancel it. I had a very weird feeling about this, and there were two things that made me pause.   

First, they called me. I didn’t call them. Have you ever had a bank call you that quickly? Normally, if I call my bank, I have to undergo roughly 5 minutes of verification tasks before I’m placed on hold to then speak with someone. And secondly, my bank has never pressured me to make a decision and give them my information that fast. The thing that stunned me? I Googled the phone number, and it was in fact a phone number from my bank.   

Despite the man’s insistence, I told him I was going to hang up and call back. He became agitated, and I hung up anyway. I called the phone number on the back of my debit card (which appeared to be the same number he called me from) but was greeted by my bank’s verification system instead of him. I proceeded through the verification process and told an associate what happened. Thankfully they were able to help me and mentioned it had become quite common for scammers to redirect their phone numbers to appear as the bank’s number. They confirmed that there were no such transactions and that my account looked to be in good standing, so I avoided any type of intrusion.  

What happened to me is called ‘Spear Phishing’, which is when an attacker targets you and tries to convince you to perform an action that seems legitimate but is not. In my case, the attacker pretended to be an associate from my bank. Other coworkers have experienced this type of phishing in the form of emails and text messages, which appeared to be from our CEO, requesting their help ASAP. Spear phishing is designed to gather your personal information to either gain access to something (like your bank account, or social media accounts), or infect your computer with malware or a virus. 

Unfortunately, in today’s hostile world, this is a very common experience. And the more it happens, the more sophisticated the bad actors become, and the harder they are to identify. Scams like this happen daily. Hourly. By the minute.  

 

To help yourself not fall victim to these types of scams, here are ‘The Do’s and Don’ts of Phishing’: 

  • DO be skeptical! If something feels off, it most likely is. It is always better to take a moment to check than to become a victim. 

  • DON’T click on any links from senders you do not trust. Even if it looks legitimate, take a moment to verify the sender’s address and check the link’s URL (right-click the link, copy it, and paste it into a Word document or notepad app so you can read it).

  • DON’T send personal or financial information by email.  

  • DON’T download any attachments from an email sender you don’t know. It could be a virus or a way for someone to gain access to your computer.

  • DO call your bank (or any business or official entity) that is requesting information, by dialing a known correct phone number. Do not contact the phone number included in the email; instead, visit the organization’s official website and call the number listed there.   

  • DO notify the business that the ‘phisher’ is impersonating them. Send the phisher’s info to the business so that their cybersecurity team can respond accordingly and prevent future attacks.

  • DO stay vigilant and be cautious. Always remember that just because it looks like a legitimate message doesn’t mean it is.

 
