Ep. #4: Anatomy of a Phishing Scam

How To Call The Foolers in Their Own Act

July 26th, 2018

Today's newsletter is based on something that happened to me earlier today. Around 5:30pm, I got this text on my phone:

I occasionally get contacted by the bank or the credit agency asking me to contact them when there's a security flag on any of my credit or debit cards. So, at first blush, this text wasn't unusual. So I didn't hesitate to call the number. When I did and heard the message, I hung up knowing that I'd just been the victim of what's known as a "Phishing" attack.

A phishing attack is when one or more hackers attempt to make their communications with you look official in the hopes that you'll reveal important or private information to them. I hadn't been paying attention so I almost got caught. I went back and took another look at the text and noticed three obvious giveaways that, in my rush, I hadn't noticed:

  1. There was no specific identification from any bank, agency or card provider. 

  2. The phone number I was asked to call wasn't a toll-free number.

  3. Most embarrassingly, I don't have any credit cards that start with the digits 5077!

This was very well played. And, if you're used to getting legit alerts from your bank or credit card companies, then you might - as I did earlier - not take a second, careful look at the text you receive. But you should. Here's the actual phone call so you can hear it for yourself. Then let's discuss how to protect against crap like this. 

How Phishing Works:
Phishing scams work by looking or sounding as official as possible. However, these same scams also work by casting as large a net as possible. Since it's virtually free to send emails and text messages, phishing scams can and do send the same messages to hundreds of thousands or millions of people. That way, even a 1% success rate will yield potentially massive results.

People see a bogus text or email, think it's real and then willingly give away their credit card numbers (as I was asked to do), their email address and password, their Amazon account credentials or worse.

How to Notice a Phishing Scam:
Real banks and credit cards always use a professional protocol when contacting you about fraud. As a result of knowing what that protocol is, you can use it to help identify a phishing scam. When in doubt, assume it's a fraudulent call. If it's not, the burden of proof is on your bank or lender and they'll rise to the occasion by providing some of what you see listed here:

  1. Real banks and credit card companies will usually call you on the phone to alert you to potential fraud.

  2. When a bank or credit card calls you, the name of that bank or card is always provided up front. For example, "This is Frank calling from the Fraud alert team with American Express". 

  3. Sometimes, fraud alert calls might be automated. But, even then, an automated message will ask you to confirm if a specific charge on your card was, in fact, made by you. 

  4. Banks and credit cards usually call from a toll-free number and ALWAYS already have your personal information. So they'll never ask you for your card number, your password or your security codes.

If you call an automated number and realize, as I did, that it's a phishing scam, hang up and don't provide any further information. Block the number from ever contacting you again and then report the scam to your bank or credit card. 

How to Report a Phishing Scam:
Here are a few phishing guides from some of the country's most popular banks and institutions:

If you liked what you read today, please: feel free to forward this email to friends and family. This email & post is a part of my free-to-all series. Only paying members have access to my deeper, paid newsletter and archives.