Vishing, from (not) the Bank



We saw yesterday how phishing affects the financial sector. Here we see another, related trend: impersonation attacks that purport to be from the victim’s bank.

Bank vishing scams are growing more convincing and harder to detect, CNN reports. A San Francisco man named Peter Gunst told CNN how he had nearly fallen for “the most credible phishing attempt I’ve experienced to date.”

Gunst said he received two phone calls from the same number, and he answered the phone the second time. A woman on the other end told him she worked for his bank and asked if he had just tried to use his card in Miami. Gunst said no, and the woman began to walk him through the process of securing his account.

She asked Gunst for his member number and he gave it to her. He then received a text message from the bank’s phone number containing a PIN, which he read out to the woman. This was actually a password reset code, and it granted her access to his bank account.

Next, the woman told Gunst they needed to block his PIN, and asked what his PIN was. At this point Gunst realized it was a scam, since no real bank should ask you for your PIN, and he hung up immediately. In hindsight, Gunst believes he should have been more suspicious of the caller from the outset.

“When I read that thread now, that’s one red flag after another,” Gunst told CNN. “But it's hard to express the social engineering component of it. My guard wasn't up in the way it should've been.”

Gunst added that he had dealt with real fraud prevention calls from his bank in the past, and the scammer knew exactly how this process worked. He also thinks the scammer somehow knew he was a customer of that particular bank.

“It’s unclear at this point where this happened, but there's no doubt in my mind that they knew that I was a customer of that bank and they thoroughly understood the security procedures of that bank,” Gunst said. “It was rather targeted.”

CNN points out that sometimes scammers gain an advantage by targeting employees of a company to gather information on customers before targeting those customers with scams. New-school security awareness training can enable your employees to be constantly on guard for suspicious requests.

CNN has the story: https://www.cnn.com/2019/10/27/business/phishing-bank-scam-trnd/index.html




