Phishing

Phone scam demonstrates how convincing targeted phishing scams can be

We spoke to James, a would-be victim of a targeted phishing scam that attempted to steal his money. We describe how the scammers attempted to scam James, and how they managed to make their scam incredibly convincing. We also detail how to avoid these scams.

The scam

It was a regular afternoon when James – not his real name – received a telephone call from someone identifying themselves as Martin who claimed to be representing the Halifax Anti-Fraud Team (Halifax is a bank operating in the UK, where James lives.)

Over the phone, Martin explained to James that James’s bank account was at risk because someone in Russia had managed to log in to it over the Internet using Halifax’s online banking service. Martin told James that once inside the account, whoever it was had set up a standing order to debit money from it.

Martin explained that the Halifax Anti-Fraud team had identified the potential scam, and explained to James that he needed to take action to avoid having his money stolen, since his bank account was now compromised.

At this point, becoming suspicious, James requested that Martin provide evidence that he really was calling from the Halifax bank. Martin agreed and was able to confirm James’s email address, date of birth and full name.

Assuming that Martin must really have been from his bank (after all, who else would have that information and know that James did indeed have a Halifax bank account?) he let Martin continue.

Martin went on to claim that Halifax had set up a new bank account for James, and that James needed to transfer his money to this new account straight away to keep his finances safe. Martin offered to provide the details on the new account and instructions on how to transfer the money over to it.

At this point, James hung up the phone and contacted his bank directly, using the contact details on its website. His bank explained that the call was fake and that Martin was a scammer. A scammer who was, incidentally, very close to pocketing James’s life savings had James opted to take the other route.

What is the scam?

It’s a phishing scam, because the scammers are claiming to represent someone they’re not; someone who the recipient of the scam is likely to trust (i.e. their bank.)

In this case, because the scammer was in possession of the recipient’s personal information, this is a targeted phishing scam. These are also known as spear-phishing scams. Such scams can be extremely successful because the crook can leverage the personal information of the would-be victim to make the scam appear more convincing.

In this case the scammer wanted to get the victim to transfer money to a bank account (one that would be operated by the scammer.) However, such phishing scams can also be used to lure victims to spoof websites, to get them to give up personal information to the scammer, or even to trick them into installing malware onto their device.

How did the scam work?

The pertinent question here is how the scammer knew James’s personal information, and as a result nearly made James fall for the scam.

After the attempted scam, James entered his details into a website that lets you know if any of your information has leaked online. He found that some of his personal information had been leaked in 5 separate data breaches. That’s not an unusually high amount. Sites like HaveIBeenPwned.com detail countless data breaches involving [at the time of writing] well over 11 billion accounts.

Each breach can involve the leaking of different information.

It is likely that the scammer managed to get their hands on leaked information from one of these breaches, and used it to launch a series of targeted phishing scams against people affected by that breach, which would have included James.

The advantage of this is self-evident. Scammers can be more convincing when armed with a would-be victim’s personal information. In the case of the phishing scam outlined above, the scammer was able to use this information to make themselves appear to be a genuine bank employee.

Avoiding targeted phishing scams

Targeted phishing scams can be difficult to avoid, because the scammer can appear so convincing. However, there are things you can do.

If you get an unexpected call, never
– Hand out sensitive or personal information to the caller
– Give the caller access to your computer or let them instruct you to download files from the Internet
– Transfer money from one bank account to another (no legitimate organisation, including your bank, will ever ask you to do this.)

If you’re not sure whether the call is genuine, you can call the organisation or entity back using the contact information on their website or official paperwork.

Similarly, if you get an unexpected email – even if the email contains personal information about you – you should never
– Click a link in the email (or if you do, closely check the web address)
– Open an email attachment
– Reply with personal or sensitive information

Remember, any unexpected call, text or email could be a scam. If you’re ever unsure, hang up the phone or ignore the email or text. You can always contact the relevant entity after the fact to ensure you’re not being scammed.

Additionally, you can read our main article on general phishing scams for more red flags and clues that could indicate you’re being scammed.

Published by
Craig Haley