Oooof. Was just subjected to the most credible phishing attempt I've experienced to date. Here were the steps:
1) "Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?"
Me: no.
2) "Ok. We've blocked the transaction. To verify that I am speaking to Pieter, what is your member number?"
Me: <gives member number> (that number, by itself, is useless).
3) "We've sent a verification pin to your phone."
~ Gets verification pin text from bank's regular number ~
Me: <reads out the pin>
4) "Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~"
Me: Yes. These are all legitimate transactions I made.
5) "Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?"
Me: Are you effing kidding me, no way.
6) "Ok! But then we can't block your card."
Me: that is bs.
~ hangs up, calls the fraud department of bank ~
--> Once I gave my member number, the attacker used the password reset flow to trigger a text message from the bank.
--> They used this to gain access to the account.
--> Then read some of my transactions to give the call more credibility
--> Needed the pin to send money, failed at that step.
--> Everything before the "what is your pin" seemed totally legitimate. English was perfect. The bank verification code, sent by the expected number, tricked me.
--> The asking for my pin over the phone... not so much.
Stay safe out there people.
And now... joyfully resetting all my passwords, filing a police report, getting additional fraud detection in place.
Never a dull moment!