Does anyone know any good guides for being aware of these things, strategies used by scammers, and what to be suspicious of? Something that isn't patronisingly simple, but not aimed at teaching expert users either.
> “But as it turned out, that other call was the attackers also talking to my bank pretending to be me.”
I don't understand this part - the _actual_ bank said that he was on a different line with them? Wouldn't that mean that the scammers had authorised as him already, in which case the account is already compromised? Also, the bank asking for 2FA over the phone also sounds like training into bad habits, but I appreciate there's different approaches with different banks.
This is a pretty similar sequence of events to one a reasonably intelligent but non-tech friend of mine fell for this week: Got an email saying that the TV licence needed to be renewed. They followed the link on the email, didn't check the URL and filled out their account details to set up a direct debit.
Two days later, gets a call from their "bank", telling them that they filled out a scam direct debit (gets victim flustered to compromise judgement) but they need to authorise them first before they can speak any further... my friend challenged their identity but they used the exact same "fake caller ID" trick - to the correct bank number since they had the sort code from step 1, and that identifies the bank. I knew this (caller ID) was possible in general, but hadn't heard of it being actively used in the UK - only from stories in the US. After "verifying" they asked for the 2FA device code, then (registered a card for ApplePay and) asked them to "confirm" the code they had just been texted, which is the point I walked in and was "WTF are you doing?"
About 10 minutes later while in the waiting queue for the actual bank, the actual bank called them - when we said that we wouldn't trust the call they instantly gave us a reference number to quickly recall the case and advised us to call back quickly. Luckily, the bank reimbursed the amounts taken before they locked it off (apparently some UK agreement from a couple of years ago.)
They were pretty shaken up from the experience, and want to know what to look for in the future. It strikes me that a lot of these cases are hitting otherwise reasonably cautious people who aren't aware that something they think is authentication, really isn't, like caller ID.
I think the attacker called the bank and Mitch at the same time. The attacker knew that the bank would send Mitch a SMS code so the attacker asked the bank to send it, Mitch told the attacker, the attacker told the bank.
The bank was on the phone with Mitch and the attacker at the same time. Mitch thought the “other Mitch” was himself on the other line.