You might like to think that you would be able to recognize a phone scam the minute the call comes through. But Pieter Gunst didn’t — and he’s spent years working as a technology lawyer.
Gunst is now the founder and CEO of Legal.io, which helps corporations and state bar associations make better use of technology and talent.
The sophisticated scam went viral after Gunst shared his story in a Twitter thread. As It Happens host Carol Off spoke to Gunst about his cautionary tale.
Here is part of their conversation.
Peter, tell us about the initial phone call you got. Who was it from?
The person calling me, in the first sentence, introduced themselves as working for my particular bank.
I picked up the phone and they said, “Hey, this is your bank speaking. It looks like there has been a fraud attempt on your account.”
OK. You didn’t fall off the turnip truck yesterday. So a bank calling you and saying something like that — did it set off any alarm bells?
It should have, in retrospect. But I think one thing I learned is that if you’re not super vigilant and you’re really deep into other things, and you get a phone call like that, it can be quite startling.
So they said that there’s been a potential fraud. What did they ask you to do?
They said, “Someone tried to take $50 out of an ATM in Florida — was this you?” And I said that it wasn’t me.
And so then they said, “Great. We’ve blocked this transaction and we want to do some other things to up the security of your account. Can you please confirm the member number that you have with the bank?”
The member number is a bit like a user name. Not every bank has it. But it’s a unique identifier for each customer and it’s supposed to be a private number. It didn’t seem super unreasonable for a bank to ask — although, of course, this should have rang alarm bells.
But no. I thought, OK, this is a fair way to verify, and I gave them the number.
Oooof. Was just subjected to the most credible phishing attempt I’ve experienced to date. Here were the steps:<br><br>1) “Hi, this is your bank. There was an attempt to use your card in Miami, Florida. Was this you?”<br><br>Me: no.
But not the passwords. So that, just on its own, wouldn’t have been enough to have them break into your accounts. Right?
That’s right. With the number alone you theoretically can’t really do anything, or at least, so I thought.
Then they said, “Look, we’re going to verify your identity by sending a verification code to your cell phone.” And the moment that this person said that, I received, from the regular bank SMS text number, a verification PIN. A six-digit code. And they said, “Can you please read this code to us?”
But this came from your bank. This appeared to be, or was, coming from your bank?
It was. It was a very, very clever trick. What they figured out is that this particular bank, if you go to log in, and you say I forgot my password, they ask for your member number. And then, they basically allow you to do text message verification.
So they were pretending that they could see it. But they wanted to see if you could see it.
Exactly. I read it out to them.
And then they could change your password.
That’s what they did, seconds later.
Wow. And so then what happened?
So then they continued upping the credibility of the call. They basically gained account access. They couldn’t do transactions, but could see information.
And they said, we will now verify some other transactions to check whether these were fraudulent. They started reading some recent transactions that I did. So I confirmed all those charges as charges that I had made.
And so it appeared that this was the bank and it was reading your transactions. It had access to that and it was verifying your account. So it still felt quite legitimate. What did they do then?
They said, “OK. The next thing we are going to do is we are going to block the PIN number on your debit cards. So can you please provide us with that information so that we can block future transactions?”
At that point, it was getting pretty clear that this wasn’t a legitimate call. But the funny thing is that I still didn’t fully think I was dealing with a scammer. I told the person the bank should update its procedures. I’m not giving you this number.
And at that point, they started asserting authority — “You’re on a recorded line. We’re not going be able to block this transaction if you don’t give us this number” — and kind of upping the aggressiveness of the call, at which point I terminated it and called the fraud department.
You called because you knew this was a fraudulent call at that point?
Yes. Although, I have to be honest. I was maybe not 1,000 per cent aware. Like, there was a world — given the set-up and how convincing they made it all — in that this was just a really poor bank policy.
Now, the PIN number over the phone, I would never give it. And obviously that is a huge red flag. So it triggered. But it’s amazing how credible they made it feel.
Our CEO, <a href=”https://twitter.com/DigitalLawyer?ref_src=twsrc%5Etfw”>@DigitalLawyer</a>, exposing a recent phishing attempt. <br><br>76% of organizations say they experienced phishing attacks in 2017. <br><br>Stay safe out there! 🚨🚨🚨🚨 <a href=”https://t.co/1zuSNopPhx”>https://t.co/1zuSNopPhx</a>
Now Pieter, you know all this. In fact, you work in technology and law. So what does that say that you should have fallen for this scam?
Yeah. I read the [Twitter] thread 48 hours later. I’m like, I would never fall for that. But I did.
It’s just incredibly difficult to stay vigilant all the time. And with the right timing and execution, I think you can be successful with, you know, a reasonably sophisticated target.
What are the lessons learned that you can pass on?
I learned a lot. The easiest ways to block this would have been as soon as I received a call, say, “Thank you, I will call you back on the number on my card.” And that would essentially have stopped the attack.
The second mistake was giving that member number. Just don’t give personal information to a caller, regardless who they say they are.
At a higher level, I was reminded of how difficult a problem this is and how important it is that we share these stories so we can increase awareness, because it is by no means a victimless crime.
Written by Rachel Levy-McLaughlin and John McGill. Interview produced by Rachel Levy-McLaughlin. Q&A has been edited for length and clarity.