I received a text message the other day that looked a lot like what I might get from my bank if I triggered some antifraud check. The timing was impeccable; I had just used the card to pay for takeout and had walked out to my motorcycle to head home.
When I initially got the text message, it seemed normal — a little annoyance you’re trained to expect by the financial institutions that are trying to save themselves chargeback costs. I didn’t even think to be critical of the provided phone numbers. Bad security guy, right? The problem is, these attacks require you to be on high alert 24×7, and sometimes you’re tired from working all day and just want to go home and eat your tea leaf salad with curry chicken noodles. The dinner transaction had gone through, and I wasn’t planning on making any more stops, so this particular antifraud alert wasn’t a priority. I hopped on my bike and figured I’d deal with it when I got home.
Here’s where I almost fell into a trap. I looked at a message I’d received, recognized it as something that didn’t need my immediate attention, and mentally added it to a to-do list. I had no intention of responding immediately, so I didn’t take the time to question its veracity.
When I got home, I opened my phone, anticipating the 5 minutes of my life I was never going to get back as I dealt with an antifraud department, confirming transactions and resolving whatever holds had been put on my account. I dialed the number, and the automated prompt asked for my 16-digit card number . . . I can’t tell you what it was about that call that made me pause. During the few seconds it took me to get my wallet out, I realized I was about to provide my credit card info to a system at a phone number that had been provided me by an unverified entity.
Here’s where it gets really tough: I called my bank using the number on the back of my card, and while it was ringing, I started really questioning myself. Was I just being a “paranoid security geek” who was creating friction in a process that was designed to protect me? Was I going to have to call back in the morning if I didn’t use the automated system because the fraud department was closed? Was I stupid for doing this?
The resolution was that my bank was able to confirm that this was not from them and therefore a fraudulent attempt to get my card info — but the resolution isn’t the important part here. There was a sequence of events here where I was vulnerable to being phished. More and more, I’m hearing security pros talking about close calls they’ve had and think this is a good time to remind people: Cybercrime is a business. Criminals make capital investments and build infrastructure, knowing what it’s going to take to return a profit.
I’ve heard users say they are going to click anything that shows up in their inbox and that it’s security’s job to protect them. In the past, I’ve scoffed at this idea, but I’ve come around, and you need to, as well. Our end users have a financial incentive to be productive in the form of performance reviews, and until security professionals stop getting phished, it’s disingenuous to expect our end users to be able to tell the difference themselves.