Thursday, 6 June 2013

Personal Security - Unsolicited Calls

I just read a Facebook post by a friend about a call she got from someone pretending to be her bank. My friend recognised this at once because the number they reached her on was not a number she had ever supplied to the bank.

Luckily my friend is bright enough to spot a scam quickly and hang up the instant they started asking her security questions, but I get concerned that scams like this keep working. There must be a decent percentage of people out there who don't know enough to spot this kind of scam and end up handing over important security information.

For anyone who does not know this already:
This is rule 1 of personal security: if they phoned you, then you have no way of knowing who they are.

Want an example?

Back in the mid nineties when the internet was still new, I was making a living building websites and setting people up on the "information super highway" as we called it back then (yes, I really am that old...), and one client challenged me to break into his ISP account... :)

The next morning I called my client on one phone and his ISP support line on another.

I told the client:
"We think someone tried to access your account last night and we need to reset your password for security reasons."

I told the ISP:
"I've forgotten my password and can't login".

Then I just passed questions and answers between the two phones. It took 5 minutes, 2 phones, a pen and paper. I didn't even have to turn on my computer.

I took the client for coffee later that day and explained how it was done. I also suggested he change his password and security question.

This wasn't computer hacking; it was social engineering, or just plain scamming.

The thing about a phone call is that without caller ID, all you know about the person calling you is that they have access to a phone, and it could be any phone anywhere in the world.

But when you call, then you know they have access to a specific phone, the phone you called. Only a bank representative is going to be able to answer the telephone banking hotline...

Whereas anyone with a phone can call you and say they are from the bank, or the tax department, or the "computer department" and then go on to ask you for your birthdate and account details.

Phishing scams like this work because, out of the huge list of email addresses or phone numbers some scammer managed to get his hands on, only a few people have to be silly enough to pass on their information to make it worth the scammer's while.

The solution? Never give information out over the phone to someone you did not call, or who is not calling you back about a specific issue. Never log into a site via a link in an email you were not expecting (like a message from your bank asking you to log in and confirm your details).

If you get a call from a bank and they need to sort something out - even if they are claiming there has been "suspicious activity" on your account - ask to call them back. They should always be able to give you a number to call and an issue tracking code to quote to sort it out.

Phishing is like the "I love you" email viruses that do the rounds: they rely on faults in people, not in the computers.

Be a little more paranoid and a lot safer.
