New kind of phishing - Journal of Omnifarious

Dec. 7th, 2008

04:15 pm - New kind of phishing


I just fell for a new kind of phishing scheme. They sent me a message which looked exactly like messages from my bank usually do and asked me to call an 800 number regarding restrictions placed on my check card. The 800 number then put me through an automated process asking for my card # and my PIN. I didn't give them the PIN because I've forgotten it for that card.

Since I didn't know the PIN I hung up on the call and tried calling a different # for my bank to ask them what the heck was up. I'm glad I did that. I had the card cancelled immediately. :-(

I feel a little stupid. But I'd never seen a phisher actually set up an 800 # before. In retrospect it's obvious. They have money. It's not hard.

If the mail had had a link to a website I would've noticed that it was a phishing scheme immediately. It had a link to an email address @ my bank, but that was secretly a link to a website. I didn't mouse over it to find out though until after I realized it was a phishing scheme.

It also happened to hit me at just the right time. I'd happened to be using that card about the same amount in the past month as I'd been using it in the past 4-5 (I don't use that card often at all), so it was plausible they'd see that as a fraud issue.

Anyway, I'm posting this as a warning that phone #s in email messages are an even worse problem than links because there's nothing that really identifies who owns a phone # at all.

Current Mood: annoyed
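The disguised link described in the post (link text that reads as an email address at the bank, with a website as the real target) can be checked for mechanically. The following is an added example, not part of the original post; the function names and the sample message with its example.com / example.net addresses are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(html):
    """Return (text, href, reason) for links whose text misstates the target."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlsplit(href)
        if EMAIL_RE.match(text):
            # Text claims to be an address: the target must be that same mailto.
            if target.scheme.lower() != "mailto":
                findings.append((text, href, "email text, non-mailto target"))
            elif target.path.lower() != text.lower():
                findings.append((text, href, "mailto target differs from text"))
        elif re.match(r"(?i)^(https?://|www\.)", text):
            # Text claims to be a URL: its host must match the real host.
            shown = urlsplit(text if "://" in text else "//" + text).hostname
            if target.hostname != shown:
                findings.append((text, href, "shown host differs from target host"))
    return findings

# Constructed sample message body; all domains are placeholders.
SAMPLE = """<p>Questions? Write to
<a href="http://example.net/verify">security@bank.example.com</a> or
<a href="mailto:help@bank.example.com">help@bank.example.com</a>.
See <a href="https://www.bank.example.com/">www.bank.example.com</a>.</p>"""
```

Calling `deceptive_links(SAMPLE)` flags only the first link. A check like this says nothing about a phone number in the message, which is the post's point: nothing in the message ties a number to its owner.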

Comments:

From: gamerchick
Date: December 8th, 2008 12:27 am (UTC)
Wow. Thanks for the warning on that - I can easily see how anyone could easily be caught by that scam. No calling unfamiliar 800 numbers for me...

From: phaedra_lari
Date: December 8th, 2008 12:33 am (UTC)
Yes, it's always best to call in to the number on the card, or the website (that you typed in yourself into the browser). Glad you caught this in time!

From: eqe
Date: December 8th, 2008 01:25 am (UTC)
Yeah, that's nasty.

Two countermeasures I use (although alas they're not terribly scalable to non-powerusers):
1. every website that asks for email gets a brand new address of the form [foo][rnd()]@ (cnn583@ for example) which forwards to my inbox. If a commercial mail comes in addressed to adi@ I know immediately it's wrong.
2. most scam phone numbers show up in google searches. whocalledme.com for example is a goldmine of scammer reports.

From: omnifarious
Date: December 8th, 2008 07:58 am (UTC)
I do the email thing, and I should've checked the from address as it's wrong. I originally started doing the email thing to keep track of who was giving my address to who so I didn't think to use it to check for phishing.

IMHO, the bank should be cryptographically signing their messages with a key I get from their website. :-(

Edited at 2008-12-08 08:00 am (UTC)

From: mystic_savage
Date: December 8th, 2008 07:56 am (UTC)
Thanks for the warning. I have trouble keeping track of all that stuff.

From: mabelmundane
Date: December 8th, 2008 01:17 pm (UTC)
Ouch....thanks for the warning. It's scary how these scams are starting to look more and more realistic. I worry about someone who is less computer savvy. I recently got a similar message from Wells Fargo. It looked totally legit until it mentioned my checking account which I no longer have through them. Then I moused over the link and saw it didn't point to Wells Fargo. :/

From: somewoman
Date: December 8th, 2008 06:16 pm (UTC)
That's scary.