In October 2019, the CEO of technology company Legal.io, Pieter Gunst, was on the target list for an extremely convincing phishing scam. We explain – using his tweets of the incident – how it worked.
In a series of tweets that he described as the “most credible phishing attempt” he has experienced to date, Gunst explains that the scam started with a phone call.
Below is a summarised version of events, with specific information and irrelevant details redacted.
1) Crook: “Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?”
Me: no.
2) Crook: “Ok. We’ve blocked the transaction. To verify that I am speaking to Pieter, what is your member number?”
Me: (that number, by itself, is useless).
A member number is akin to a customer number, a unique number that a bank uses to identify a customer. While we don’t recommend giving it out to strangers, it cannot be used by itself to commit identity fraud.
3) Crook: “We’ve sent a verification pin to your phone.”
~ Gets verification pin text from bank’s regular number ~
Me: -reads out the pin-
Here, Gunst notes that a verification PIN was sent to his phone from the bank’s usual contact number, and he reads it out over the phone.
4) Crook: “Ok. I am going to read some other transactions, tell me if these are yours. ~ Reads transactions ~”
Me: Yes. These are all legitimate transactions I made.
Here, the crook is actually reading out legitimate transactions made by Gunst.
5) Crook: “Thank you! We now want to block the pin on your account, so you get a fraud alert when it is used again. What is your pin?”
Me: Are you effing kidding me, no way.
Here Gunst stops complying with the crook’s requests because he suspects a scam, and just in time, as we discuss a little later on.
6) Crook: “Ok! But then we can’t block your card.”
Me: that is bs. ~ hangs up ~
This scam may be extremely convincing, especially since quite early on the crook was able to read out a list of legitimate transactions made by Gunst, adding legitimacy to the scam. They also appeared to be able to send Gunst a verification PIN code from the actual number belonging to Gunst’s bank.
So how did this scam work?
Firstly, the crook asks Gunst for his bank member (customer) number. While this information by itself cannot be used to access an account, with Gunst’s particular bank it is enough to initiate the password reset process that lets customers who forget their password regain access to their account. This is done by sending a verification PIN to the phone registered to the account holder.
So when Gunst handed over his member (customer) number, the crook was able to enter it into the bank’s “forgot password” webpage, which caused a verification PIN to be sent to Gunst’s phone. Alas, the texted verification PIN really did come from Gunst’s bank.
The crook then asks Gunst for the verification PIN, which Gunst provides, and this allows the crook to complete the password reset and access Gunst’s bank account. It should be noted that this may not work at banks with a higher level of security, which require more information than just a verification PIN sent by text message.
The crook then uses their access to the bank account to read back a list of transactions made by Gunst, which adds more believability to the scam. The crook is setting themselves up for the most daring part of the scam: getting Gunst to hand over his card PIN. With the card PIN, the crooks could then direct money away from his account. (Again, this varies between banks; some banks use a card reader device in the customer’s possession.)
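To make the weakness in the “forgot password” step concrete, here is an added Python model (not code from this article or from any bank) of a reset that is completed by member number plus SMS PIN alone, next to a variant that demands a second factor and whose SMS warns against relaying the PIN. The card-reader code, phone numbers and account data are all constructed.

```python
# Constructed model of the reset flow abused in the incident: the member number
# alone triggers the SMS PIN and the PIN alone completes the reset. Not bank code.
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    member_number: str
    phone: str
    password: str
    reader_code: str = ""  # hypothetical response from a card reader the customer holds

@dataclass
class Bank:
    accounts: dict
    hardened: bool = False  # True: demand more than the SMS PIN, as some banks do
    sms_outbox: list = field(default_factory=list)  # (phone, text) of every SMS "sent"
    pending: dict = field(default_factory=dict)     # member_number -> PIN awaiting entry

    def request_reset(self, member_number: str) -> bool:
        """'Forgot password' page: the member number is all it takes to send a PIN."""
        acct = self.accounts.get(member_number)
        if acct is None:
            return False
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending[member_number] = pin
        text = f"Your password reset PIN is {pin}."
        if self.hardened:  # the SMS itself should warn against relaying the PIN
            text += " Bank staff will never ask for this PIN. If a caller did, hang up."
        self.sms_outbox.append((acct.phone, text))
        return True

    def complete_reset(self, member_number, pin, new_password, reader_code=None) -> bool:
        expected = self.pending.pop(member_number, None)  # one attempt per PIN
        if expected is None or not secrets.compare_digest(pin, expected):
            return False
        acct = self.accounts[member_number]
        if self.hardened and reader_code != acct.reader_code:
            return False  # a relayed SMS PIN on its own does not unlock the account
        acct.password = new_password
        return True

def simulate_incident(bank: Bank, member_number: str) -> bool:
    """Replays the call: the caller has the member number, triggers the SMS, and the
    victim reads the PIN back. Returns whether the caller got the password changed."""
    if not bank.request_reset(member_number):
        return False
    _, text = bank.sms_outbox[-1]       # what the victim sees on their phone...
    pin = text.split("PIN is ")[1][:6]  # ...and reads out to the caller
    return bank.complete_reset(member_number, pin, "caller-chosen")
```

Run `simulate_incident` against a `Bank(...)` and a `Bank(..., hardened=True)` built from the same account to see the weak flow hand the account over and the hardened one refuse.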
However, it is at this stage that Gunst stops playing ball and refuses to hand over his card PIN, and just in time. Had he given it out, the crooks could have emptied his bank account in seconds. It was a close call: while the crooks did gain access to his bank account, without that additional information they couldn’t steal any money. So all Gunst needed to do was change his login details to boot the crooks back out.
It is a difficult scam to spot, and the fact that the crooks appeared able to send a verification PIN, as well as read out actual transactions made by the would-be victim, makes the scam extremely convincing.
Whilst Gunst did spot the scam, he did make some security mistakes. Namely, if you’re cold called by someone claiming to be from your bank, never give them any information. This includes your customer number, personal details, verification PINs and definitely not a card’s PIN (there are no circumstances where you should be required to give out your card’s PIN).
If you need to speak to your bank, you can always contact them using the phone number listed on your paperwork. That way, when you’re asked to give out information to identify yourself, you’ll know you’re actually speaking to your bank.