Written by Guest Blogger Nick Cavalancia, Microsoft MVP
Hear one cybersecurity expert’s experience of missing the signs and getting duped over the phone. If it can happen to him, it can happen to your users.
“Vishing” is the art of “voice phishing” – a social engineering technique used to trick people over the phone to divulge information that a scammer can use. This is my story of how I got vished, what they did “right”, what they did wrong, and what you can do to ensure your users never fall for this kind of scam.
I was on my way to Microsoft Ignite this week and just as I arrive in my hotel room, I get a call from a “1-855” number. I answer and it’s “Paypal’s Fraud Department”. I’m asked if I setup Google Pay from a Samsung Galaxy X (I have a different brand of smartphone). I of course say no. I’m told once setup, criminals can simply hold up the phone to a terminal and pay for items against my PayPal account. I asked which PayPal account (I have several) and they told me an email address that is associated with my personal PayPal account. So, they had my email and phone number.
I log onto my account on my phone and can’t see any inappropriate activity. I’m told I need to verify it’s me and that they are sending me a verification code. While I’m not worried about the potential fraud (as I know I’m not responsible for it), I’m still a little thrown about how someone got access to my account. I read the “PayPal” person the code - my first mistake. I should have seen the signs right here – PayPal’s own text messages say the code is good for 10 minutes; the woman told me I needed to give it to her immediately as it expires in 60 seconds. (That was my first red flag)
While I’m in the PayPal app on my phone (she’s on speaker), I’m kicked out of my account and can’t log in. She tells me it’s probably the scammers and she’s trying to deactivate the Google Pay. I’m a security guy… I’ll just reset my password and they’re locked out. So, I do that on the fly. She tells me she’s getting an error on her end and that I should stay out of my account and asks for another verification code. Then, the emails from the real PayPal start popping up in my notifications – “Password Reset”, “Google Pay Added”, etc. And THEN it hits me! AHHHHH! I CAN’T BELIEVE I FELL FOR THIS!!!
These sneaky bastards conned me into becoming THEIR two-factor authentication source! They hadn’t broken into my account… they were breaking in while I was on the phone and I was helping them!
I hang up on her and start looking for a phone number to call the real Paypal. Scammer lady calls me back. I tell her “I’m calling PayPal Fraud directly – thank you” <CLICK>. She calls back two more times before giving up.
I get it all cleared up with the real PayPal in about 5 minutes and I was actually super excited – “I GOT VISHED!” I told the woman at (the real) PayPal.
So, how did they do it? How did they fool me?
Here’s what they were doing on their end:
- Call someone with a PayPal account (PayPal, unfortunately, gives active feedback when doing a password reset to indicate whether an email is a valid PayPal account or not – they should do the whole “if an account exists with that email, we’ll send a reset link to that email address” instead.)
- Tell them they’re PayPal’s Fraud Department and that someone has added Google Pay
- Scam the user into giving up the 2FA code via text to complete a password reset
- Log onto the account and add Google Pay (I’m assuming with an automated tool for speed and accuracy. I also don’t think they’re worried about emails notifying me of the add; they could just say that was from the original add that they are calling about.)
- Tell me everything’s fine and start spending.
What the Scammers Got Right
The most successful scams build up credibility with contextual details and stir up emotion (negative or positive) to elicit a response. They did both:
- The used a toll-free number (which would seem reasonable for PayPal to use)
- They claimed I was a victim of fraud and that their systems caught it early (I’ve had calls like this from my bank, so it seemed somewhat viable that I’d get a call.
- They created a sense of urgency with the whole “with Google Pay, they can start charging to your account”. (And while this didn’t create the urgency in my mind, I could see other people getting flustered and doing whatever was asked of them to stop the supposed scammers from using their account.)
- They had the right email and phone number combination – THIS is what I think brought my defenses down. Replaying the scenario in my head, I now realize she asked me if I had my mobile phone handy (which meant she didn’t know my mobile number and I made an assumption they did).
Despite all this, I did eventually realize this was a scam. So, what did they do wrong?
What the Scammers Got Wrong
Because I write and talk about security nearly every day, my mind is normally pretty much in a state of scrutiny. She caught me at the perfect moment – I was tired after a long multi-hour drive. But I eventually smelled a rat.
In hindsight, the only things they got wrong were that she was a bit too unprofessional, her mismatch of how long the validation code was good for, and that I was fortunate enough to be logged into my PayPal account (and got kicked out, letting me know someone was actively changing my password). They had their scam down to a science.
Vishing and Your Users
If *I* can get scammed, what about your users? During the entire phone call, I was processing both what was being presented to me, what I knew should be happening behind the scenes, and what I was experiencing myself with my password resets, emails, etc. If I simply paid attention to the woman on the phone, I would have successfully become a victim.
If the proper context and credibility is used, it’s highly likely your users will fall for a scam like this or one relevant to their role within the organization.
So, what should you do to thwart successful vishing scams?
- Always verify who is calling – In my case, the proper action was to find a customer service number on PayPal’s site and call them back. Users should never take the word of anyone over the phone. NEVER.
- Never give up any details over the phone – unless #1 is absolutely addressed first.
- Consider Security Awareness Training – I never promote anyone’s product, ever. But in this case, it’s prudent I at least make you aware of the need to continually educate your users about scams via phone, email, or web. Without it, you’re likely to become a victim.
In the end, I was able to recognize the scam for what it was, but I certainly did go pretty deep down the rabbit hole. I wanted to share this story in an effort to raise your appreciation for the art of the scam, and the need to proactively protect your organization against it. If you’re reading Stu’s posts daily, you know these scammers are working in campaigns, using the same scam on tens, hundreds, even thousands of people – playing the numbers game until they get a hit. Don’t become their next victim; make your users aware of vishing.
UPDATE: Brian Krebs also just published a great post on the very same topic...