A few years ago, I myself was vished, or ‘phished,’ over the phone. The caller was someone, likely offshore in a call center, who had done a little bit of research online to find my name, my phone number, my wireless phone carrier and a few other details that they used to build rapport with me on the phone. Spoofing the customer service phone number of my wireless service provider, they called me and claimed that a credit was being added to my bill. All I had to do was confirm the PIN on my account, they told me. Pleasantly surprised by the prospect of a bill credit, I happily gave them the four-digit code for my account to ‘confirm the account,’ and was told I would see the credit on my next bill.
It was early and the coffee in my mug was still piping hot, but quickly it was like the fog lifted; almost as soon as I hung up, I realized that I had probably made a bad decision. I had allowed my emotions to control my decision making and bypass the logical thinking that would have enabled me to avoid compromising myself and my account security. I immediately dialed my wireless phone provider and changed the code on my account.
The bad actor or scammer who had called me managed to appear legitimate with very little effort. How did they do this?
This person called me spoofing the phone number of the wireless carrier’s customer service center. The caller ID on the phone showed this number when it rang, and I trusted that the call was coming from that number. That was my first mistake.
Simple PII Verification
The caller also verified my name and wireless number, which were easily found
This is a Security Bloggers Network syndicated blog from The State of Security authored by Tripwire Guest Authors. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/protecting-organizations-customized-phishing-attacks/