Brad Mathis at our partner Keller Schroeder sent me the following real-life story from Matt, a KnowBe4 Security Awareness Training client...
"I just wanted to share a story with you. Yesterday I sent a text message to a friend at church at 5:03pm.
At 5:04pm I received a call from “No Caller ID” and assumed it was probably him calling me. But when I answered, they hung up instantly.
At 5:05pm I received a call from my bank and it was a gentleman from the fraud department, and he identified himself, sounded professional, and called me by name (first and last). As I normally do, I actually looked at the back of my debit card and verified the number he was calling from was in fact the same number showing up on my phone on the caller ID. All systems go…
He proceeded to tell me that my debit card ending in XXXX had just been used at a Texas Wal-Mart for $500.40 and it triggered a fraud alert.
So to be clear, thus far, he’s got my first name right, last name right, and the last 4 digits of my debit card correct; it all lines up. Then he says that since most of my transactions are in Indiana, this particular transaction raised a red flag. So far still good…
I told him that transaction was not mine.
He then says he canceled it, no worries, and they will proceed to issue me a new debit card and it will send out in 1-3 business days. That lines up with my past experience with this bank.
Next he tells me that my online account was also compromised and they will need to issue a new username and password for my account access, which I didn’t balk at…
I asked which online account he was referring to, and he said the one associated with my debit card. So I asked again, which account is that? And he said he could not confirm any details about the account due to FDIC regulations. Fair enough….
So I then proceeded to tell him that I am logged in to my online account right now, and nothing appears to be compromised and the password has not been changed.
He assures me the password has been changed, and tells me what the new password was changed to. Some long string of numbers. He asked if I made that password change, and I said nope.
I asked him why I can still login to my account with my current password if it has been changed, and he said that it takes 1-hour for password changes to take effect.
Me… literally out loud… umm, no it doesn’t. I change my password with you all the time and it is immediate.
Him… sir, let me assure you, the way your account was compromised this time the password change can take up to one hour to change, but we have caught it in time, we just need to reset your account password and you will be safe.
Me…. That doesn’t sound right, but I can change my password on this side.
Him… sir, you won’t be able to do that right now because your account is compromised. But all I need from you is the online account password for this debit card and we can get everything reset?
Me… what’s that?
Him… we just need to confirm the old password and then we will get the online account reset completely and issue the new debit card, which will arrive in 1-3 business days.
Me…. Without thinking I just instantly blurted out: THERE IS NO UNIVERSE WHERE I WILL EVER TELL YOU MY PASSWORD…. What other options are there?
Him… immediately hangs up!
Me…. Under my breath or out loud, I cannot recall at this point. DO YOU KNOW WHO I AM? I am trained by the one… the only, and the legendary Kevin Mitnick. Do you know how many hours and assessments and trainings I have done on detecting fraud? Sometimes even double-doses because of client required training… I can’t believe this guy didn’t know I was a 4th degree fraud detection ninja… Sigh…
Me… snapping back to reality… Calls the bank’s phone number on the back of my debit card, which like I said, matched the number coming in originally… Spoke with a real person in the fraud department and verified it was in fact a scam, and that my account was fully secure and that I correctly snuffed him out…
All that to say…. This for me was the best scam I had encountered personally. They had several pieces of information right. The bank name. The caller ID was the bank’s correct number. They knew my first name. They knew my last name. They knew what state I lived in. They knew the last 4-digits of my debit card. And they were seemingly patient and building up trust… And then a couple red flags triggered and voila. FRAUD!
Anyway, I told Jill this story today and she thought you would enjoy it. Keep up all the good work you are doing. I know this security/fraud business can be difficult to navigate, and I am sure no one loves to take training (not me of course, I love it, lol), but this stuff really helps and it really works."