See Something, Ask Something - Fighting Phishing Fraud

Yesterday I noticed on Facebook that one of my favorite aunts was sharing a heart-wrenching story about one of her grandsons, in which he and his new bride were facing a rare form of cancer. Someone had set up a Gofundme page soliciting donations for related medical expenses. The Gofundme page was full of pictures of their wedding. I went to the Gofundme page and saw that many of the people and relatives I knew had already donated, and donated more than I would have expected. Seeing such love and generosity, I pulled out my credit card and put in twice the amount that I originally thought I would give. I typed in all my information, put in the amount, and all I had to do was click on the Continue button to finish my donation. Then it hit me: “What if this is a scam?”

I think I’ve heard about these sorts of scams before. But in this case, the original notice was from my aunt, who I occasionally FB back and forth with, and the Gofundme request had all the right names and pictures. I even knew most of the early donors listed on the page. But working for a security awareness company has made me ever skeptical and vigilant. If my aunt’s FB account had been taken over, the scammer would have all the relationship maps and pictures needed to pull off a realistic Gofundme page. A scammer could glean everything they needed from my aunt’s FB page and even use the real Gofundme web site. The list of supposed donors could be a growing list of the possibly scammed.

So, I did what I do more and more now – I FB-messaged my aunt a question that she would know, but the scammers, if they existed, would not. I asked, “What city did we both live in when we lived only a block away from each other?” I had to ask a question that was very unlikely to be either previously posted online and unlikely to be in a public or private records check.

So, was the Gofundme request legit? Yes, my relatives are in need of some help, and the love is pouring in. My aunt returned the right answer, and we talked more about our loved one’s hardship. I explained to my aunt what I was doing and told her I would donate to the fund. In the end, it all worked out, as it usually does.

I don’t see my “give me proof of your identity” question as wasted effort. In fact, it’s something I’m doing more and more every day now. Our lives are full of potential scammers. They are emailing, calling, and messaging us with scams all the time. These days it’s not uncommon for me to be reviewing potential phishing emails in my inbox only to have the phone ring with a purported “Microsoft rep” trying to help me remove malware from my Windows PC that they’ve so kindly proactively detected. We are being inundated with scams and scammers. And unless you want to lose some money or other personal information, you need to be skeptical and ask a question or two.

The Underlying Problem

The overall problem is that our real world has a problem that was exacerbated in our digital world first: the lack of mutual authentication. Most of the scams in the digital world happen because malicious parties fake who they are, or take over a legitimate account, and then phish us out of something. The digital fix is to require better, two-way, mutual authentication. And when that can’t be guaranteed, other offsetting controls, including security awareness training, are needed. We are making great strides in both the controls and the education surrounding phishing in the digital world. But we aren’t reacting as quickly or as well to the real-world scams. Today, the two often overlap.

One of the most costly online scams in the world is “CEO Fraud”, also called wire fraud or business email fraud. That’s where someone receives an “emergency” request from the CEO or another C-level executive asking that some money be sent somewhere unusual, immediately, to put out some unexpected “fire”. The FBI says this sort of scam is on track to steal $12 billion in less than a year and a half (https://blog.knowbe4.com/fbi-warns-that-business-email-compromise-is-a-12-billion-scam).

The Solution

The best way for any company to fight business email fraud is security awareness training that focuses on that specific type of scam, aimed at the employees who could be successfully seduced by it. Anyone who has the ability to transfer money should be aware of the types of scams, be given lots of real-world anecdotes of what the phishing emails look like (to see how realistic they can appear), be given periodic simulated phishing tests to gauge their susceptibility, and be given additional, focused training.

One of the easiest defensive controls to put in place is a policy and process that requires that all non-routine wire transfer requests (non-routine due to timing, subject, or the account to transfer to, for example) require the employee to pick up a phone, call the requester, and verify all critical details of the request. If the requester cannot be contacted via phone, or via some other reliable, previously agreed upon, secondary method, the employee must not transfer the money. The employee and the potential requesters must know that this is the policy and that it cannot be violated.
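As an added illustration of that policy (example code written for this article, not KnowBe4’s or any real product’s), here is a small Python check that flags non-routine wire requests, takes the callback number only from a directory maintained out of band, and never from the phone number printed in the email, and refuses to release funds until the callback confirms the request. The vendor directory, the request fields, and the business-hours window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample directory: populated from the signed contract or an
# in-person onboarding, and deliberately never updated from an inbound email.
TRUSTED_DIRECTORY = {
    "acme-title": {"callback_phone": "+1-555-0100", "accounts": {"US11 0000 1111"}},
}

@dataclass
class WireRequest:
    requester_id: str         # who the message claims to be from
    beneficiary_account: str  # account the message asks us to pay
    phone_in_message: str     # number printed in the email; untrusted, never dialled
    urgent: bool              # message pressures us to act immediately
    received_at: str          # ISO-8601 timestamp, e.g. "2024-06-03T10:00"

def non_routine_reasons(req: WireRequest) -> List[str]:
    """Return why a request is non-routine; an empty list means routine."""
    reasons = []
    entry = TRUSTED_DIRECTORY.get(req.requester_id)
    if entry is None:
        reasons.append("unknown requester")
    elif req.beneficiary_account not in entry["accounts"]:
        reasons.append("beneficiary account not on file")  # the classic tell
    if req.urgent:
        reasons.append("marked urgent")
    when = datetime.fromisoformat(req.received_at)
    if when.weekday() >= 5 or not 9 <= when.hour < 17:  # assumed 9-5, Mon-Fri
        reasons.append("received outside business hours")
    return reasons

def callback_number(req: WireRequest) -> Optional[str]:
    """Number to call back on: always from the directory, never from the message."""
    entry = TRUSTED_DIRECTORY.get(req.requester_id)
    return entry["callback_phone"] if entry else None

def decide(req: WireRequest, callback_confirmed: Optional[bool]) -> str:
    """callback_confirmed: None = no callback yet, True/False = what the call established."""
    if not non_routine_reasons(req):
        return "release"
    if callback_confirmed is None:
        number = callback_number(req)
        return "hold: call " + number if number else "hold: no trusted number, escalate"
    # Policy: an unreachable or unconfirming requester means the money does not move.
    return "release" if callback_confirmed else "deny"
```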

For years, KnowBe4 (https://www.knowbe4.com), my employer, has advocated “picking up the phone” as the easiest and best way to avoid CEO fraud. We just need to extend this more and more into our real, non-digital life, in other scenarios where fraud can happen.

More Real-Life Examples

Here are some more recent real-world examples from my life. Two months ago, I was buying a new house. A few days before closing, my title company sent me an email asking me to transfer tens of thousands of dollars to such-and-such bank account, with a warning that it had to be done immediately or my closing date would be in jeopardy. It included my title officer’s name and a phone number for me to call if I had any questions. It even included boilerplate references and links warning me about mortgage closing fraud… which reminded me of all the fake anti-phishing warnings I’ve seen in nearly every phishing email.

Mortgage transfer fraud is particularly known for the bad guys taking over legitimate title insurance agents’ email accounts, reviewing them for pending closings, and then sending emails from the agent’s own account to the people and deals the agent is actively involved with. The only difference between the fake request and the real, forthcoming request is the receiving bank info. So, just because it is coming from your real agent doesn’t mean the email request is valid.

After first confirming that the phone number was legitimate, I called the title company and asked to speak to my agent. I was told that she was in an all-day meeting. How convenient! The person who answered the phone said she confirmed that my agent had requested the money transfer. Being skeptical, because the person who answered the phone could be anyone, I asked, “What is the name of the store right next to your office in your other location?” She gave me the correct answer immediately.

I explained why I asked. She laughed and said she wished more people in the industry called to confirm the wire transfer request before sending the money. She said it was a big problem in their industry and that she personally knew someone who fell for a wiring scam and lost tens of thousands of dollars.

Legitimate Cable Company Request?

Soon after that, someone claiming to represent my cable company called, making me an offer I could not refuse. They would increase my bandwidth to something that sounded like a gazillion megabits per second for the same price I’m already paying them for my less-than-a-gazillion megabits per second today. She said there were no strings attached. That, of course, made me immediately suspicious.

She asked me for my account number and password so she could complete the transaction. I told her to tell me my account number and password, because I didn’t know whether or not she was really from my cable company. She said she couldn’t access my account until I verified it with the information she requested. I refused to budge, and so did she. I asked if it was possible for me to call my cable company’s main number and get transferred to her. She said no, that she was in another call center in another country. With that stalemate, I hung up the phone and didn’t get the purported deal. Sorry, this world is too scammy for me to be handing out my personal information over the phone to someone I don’t know.

Microsoft Scam

Let’s not forget my helpful Microsoft support guy. He called back and said my computer was infected, and that he and Microsoft wanted to help clean my computer. He asked if I had a Windows computer. I said I did. Well, that was the one that was infected. I asked what the Windows edition, version, or serial number was. He didn’t know… of course.

I told him he should be ashamed of himself for trying to scam people. I said his family would be ashamed if they knew he was scamming people out of money, that his village would be ashamed of him, and that his country would be ashamed. I told him to get a job that didn’t require that he sell his soul to make money. He cussed at me and hung up the phone.

I guess he didn’t know that I worked for Microsoft for almost 12 years, and that I know Microsoft does not proactively call people to tell them that their computers are infected. Microsoft, like every other big company, avoids calling customers with human callers like the plague. They want to handle as much of everything as they can using automated methods. Using human callers is very expensive and slow.

In fact, as I often tell audiences, if you get infected and call Microsoft with a valid credit card and pay the hundreds of dollars up front that they require, after you get through 20 minutes of phone tree hell, it will appear to you as if Microsoft doesn’t want to talk to you, even when you have lots of money. That’s the real Microsoft. They certainly aren’t proactively calling you for free.

Summary

Anytime you get an emergency request to share personal information or send money, be skeptical. Take a second to ask a question, using a method other than the one they used to contact you, to confirm their identity or the details of the request. It can save you a lot of money and/or hardship. Do this in your online life and in the real world. And make sure your friends and co-workers are educated to do the same.

See something, ask something.

Make sure your security awareness training includes this useful advice.

Fight the good fight!

Roger


John C. McKinley

Owner, Soda Centre & Home Brewer's Retail

3 years

B.S
Dr. Jan S. Buitron, C-CISO, CISSP

Cybersecurity Manager, ISSO, ISSM #CISSP #cybersecurity, #CISO #ISSO #ISSE #RMFconsultant, Cyber Manager, Insider Threat SME, "Words Are My Power Tools"

6 years

This personal story is a great example of how to avoid social engineering. Double-check, verify, and if the verification checks out, then proceed.
