A few years ago, phishing attacks were often carried out over email, but recent attacks have been more pervasive as ruthless threat actors accelerate the abuse of phone calls, text messages and social media. A regular phishing attack involves a threat actor attempting to trick the target into doing what they want. In this article, Intelligent CIO’s Arrey Bate narrates a first-hand account of a phishing attack when cybercriminals accessed his bank account through a fake delivery page.
It started around 6pm when I received a call that got me on my feet. On the other end of the phone was a lady who announced she was calling from my bank. I’ll call her ‘Karen’.
“Dear Mr Arrey Bate, I’m calling from your bank. If you check your account right now, £20 has just been deducted and I wanted to ask if you recently made this purchase?” These were Karen’s opening lines as she urged me to confirm this while she stayed on the phone.
I was half-asleep and half-awake and as my sleepy eyes recovered, my brain was trying to process all that was happening. She was right, £20 had just been deducted from my account without my authorisation.
“It’s a phishing attack on your account and I am calling to help you stop the fraudsters from taking out more money?” Karen said, building on that proof and adding that she was going to help freeze the compromised card and send over a new bank card within three days.
“First, I have to ask you some security questions to confirm your identity” she said. Like anyone else would be in that situation, I didn’t want to lose more money so, I was ready for Karen’s help.
It was this first deduction and the promise of a new bank card that created an instant surge of panic for me. Not panic that I was being defrauded, but panic that I was going to lose more money from that account if I didn’t take any action.
Preceding the phishing call
But how did these fraudsters access my card?
Karen’s call was preceded by a text message I received earlier that day. The message came from a delivery agent who said they missed delivering my parcel.
“Our driver could not deliver your parcel on Sat April 29 2023. To select a new delivery slot please visit: [URL].” part of the message read, requiring me to click and fill in my address and card details to confirm the redelivery of my parcel.
Coincidentally, it was around the same time I was expecting two parcels. The ‘delivery service’ said I was going to pay a £1.50 redelivery fee. I filled in my card details but ended up frustrated with the reloading pages not knowing I was in the wrong place.
Back on the phone with Karen, our entire call lasted only three minutes, but every one of those seconds felt like a decisive moment.
The first sum was already deducted from my account and to deduct a bigger amount, Karen and her team needed an authentication. That’s where I came in.
“First things first, we’re going to send you a new card in the next three days, but I need to ask you a couple of security questions to confirm this is your account and we have to be fast.”
We went through a few basic security questions and I kept responding. She asked for the digits in a security code that was sent to my phone.
“Read that out to me,” she requested and proceeded to ask for the next code sent to my email. It was at this point my suspicions were raised. Did I just help to authenticate these fraudsters into my account?
Giving that code meant I was giving Karen and her gang access to my account and helping to authenticate their login without knowing. So, I came up with a quick strategy to keep Karen busy on call. I asked her to reidentify herself and explain how she knew my account was being compromised.
In those seconds while she explained, I hurried into my bank app, the idea was to access my account as fast as possible and transfer all remaining money in that account to my other accounts or the last contact with whom I made the most recent transaction.
That’s exactly what I did within the timeframe Karen tried to explain herself. I wouldn’t know if she noticed but right after the transfer, she kept asking the last time I took out money from that account. I would presume she knew I had figured out her plan.
They had taken out the first sum, but to withdraw a major amount, the attackers needed authentication and that’s where the phishing call came in.
Final words
I contacted my bank to inquire about the call and they confirmed it wasn’t from them. The bank quickly froze the compromised card and sent over a new card. For everyone else who is concerned, here are some measures to guard yourself from a phishing attack.
- The bank would never call you telling you your money isn’t safe, that you need to move it to a ‘safe account’, tell you to take out a loan or overdraft, ask you to forward an email you normally get to log in with or ask for your pin.
- Always have a specific account or card dedicated to all online transactions and subscriptions. This should be separate from a savings account where the rest of your money is kept. Within this account, ensure that you only deposit the amount you are ready to spend for that month.
- Being cautious about links from unrecognised sources could be the biggest help. I have no idea how these attackers got my contact. These attacks can happen to anyone. To avoid falling victim to phishing, be suspicious of emails or texts from unrecognised senders. Clicking on a phishing link may lead you to a fake website that asks for your personal information, or malware may be downloaded onto your device.
