Close encounters of the phishing kind

A couple of tales of real and imaginary phishing attempts on me

(Link to this same post on WordPress)

Phishing is the term for an attempt to steal our digital info and use it to steal our money. I assume it’s called phishing because it resembles fishing. A bait is dangled before the intended catch with a hook hidden in it. This usually happens in the form of a call or message meant to elicit my user info. I used to think only a fool would fall for such attempts. But a couple of close shaves have made me aware that even the smartest of us can be easily taken for a ride. Let me illustrate with a few incidents where I was the target.

Anyway, it began with this call I got from an unknown number claiming to represent a verification agency for Amazon. He said he was calling to check if I had applied for increasing my credit limit on Amazon Pay. I had done this, so when he requested me to come on Google Duo (video chat), I did. Once I came on the video chat, the guy, who looked like a friendly sort, held up his visiting card for me to check as proof of his identity. He asked me to hold still for a mug shot and then asked me to hold up my Aadhaar and PAN cards so he could scan them. I did all that he asked without a second thought, and the entire encounter was over in a couple of minutes.

It was only after I put down my phone that I realised what I had just done.

My heart thudding violently, I paced around trying to clear my head. I needed to figure out the ramifications of what I had done, and limit the damage. I knew speed was of the essence. Like if a credit card is hacked, the faster you block it, the less chance the hacker has to run up huge spends on it.

Was something similar possible with my ID cards?

Google directed me to UIDAI, the Indian government site, which lets me lock the usage of my Aadhaar card to prevent biometric verification. There was no such option for my PAN. However, being able to do something instead of nothing was such a relief that I finally calmed down.

As I began thinking clearly, it struck me that preventing biometric verification didn’t make sense. The hacker doesn’t have my eye scan or my fingerprints, so why block him from using biometric verification with my Aadhaar? However, UIDAI wouldn’t offer this facility for no reason. It could probably be a last line of defense in the remote possibility that the Aadhaar server itself is hacked and all biometric info on it leaked. Or maybe, a thief can steal something I have held in my hands, and pick up fingerprints and use them. Sounded more like a Hollywood movie than real life though. But then, the Indian government does move in weird ways its wonders to perform. And they do do wonders, like when the Indian economy was relatively unaffected in the last giant financial crash when the US economy nearly went for a toss (Grammarly says ‘do do’ is incorrect. I disagree, but will admit I didn’t know it was possible till I typed it. Oops, sorry for the detour.). Anyway, a bit more digging around on the UIDAI site reassured me there was not much a hacker could do with just my Aadhaar card.

Since there was nothing more I could do, I called Amazon, related my story, and gave them the number on which I received the call, as well as the name of the guy, and this supposed verification agency. The Amazon lady put me on hold, and after an agonising five minutes, confirmed the number was genuine, and the agency was indeed contracted by Amazon. It was only then that I stopped sweating.

Much ado about nothing, but it had been a very stressful 45 minutes.

I mention this incident to illustrate how easily even a reasonably tech-savvy guy like me acted like a complete nincompoop and gave away vital info. All the caller had to do was say the right words. In this case, the words were, ‘…in response to my request.’ Most of us have usually requested for something or the other, and it’s easy to fall for this con. I think it’s something to do with our human psychology to assume things. This is a favorite tactic of phishers, and I actually know a guy who fell for it and had his bank account cleaned out.

As for real phishing attempts, the first such one happened quite a few years ago around the time banks first started going online in India. Having an ‘early adopter’ mindset, I was quick to hop on the bandwagon. Then one day, I received an email which seemed to be from my bank, asking me to update my info for better service. Seemed a genuine request so I clicked on the link and was taken to what looked like my banking login site. If I had entered my user name and password, the phishing attempt would have succeeded, and the hacker would have been able to access my bank account. However, as I was new to online banking, I was ultra-cautious and always checked the URL on banking sites. So I noticed that it did not display the secure (locked) symbol, and was not https. On taking a closer look, I noticed that though the URL had my bank’s name, it read ‘banknameinfo.com’ instead of ‘bankname.com.’ It was a subtle and almost unnoticeable change, designed to fool a layman.

I went back to check the email that had fooled me in the first place. They had copied the bank letterhead perfectly, complete with logo. Usually, the language of the letter is a giveaway but this one was grammatically correct. Guess it was my lucky day as I was alert enough to spot it at the website level.
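The two checks described above (is the link https, and is the host really the bank's domain rather than one that merely contains its name), written out as an added example that is not part of the original post. `bankname.com` is the post's own placeholder, the function name is hypothetical, and the sample URLs in the comments are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the bank's real domain. "bankname.com" is the placeholder
# used in the post, not a real bank.
TRUSTED_DOMAIN = "bankname.com"
BRAND = "bankname"


def check_login_url(url, trusted=TRUSTED_DOMAIN, brand=BRAND):
    """Return a list of warnings for a link that claims to be the bank's login page."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")

    # Check 1: the page must be served over https.
    if parts.scheme != "https":
        warnings.append("not https")

    # "https://bankname.com@other.host/" shows the bank's name first,
    # but everything before the "@" is userinfo, not the host.
    if parts.username is not None:
        warnings.append("userinfo before host")

    # Check 2: the host must be the trusted domain itself or a subdomain
    # of it. Merely containing the bank's name is not enough, which is
    # how "banknameinfo.com" differs from "bankname.com".
    on_trusted = host == trusted or host.endswith("." + trusted)
    if not on_trusted:
        if brand in host:
            warnings.append("lookalike host: " + host)
        else:
            warnings.append("unexpected host: " + host)
    return warnings


if __name__ == "__main__":
    # Constructed sample links, including the lookalike from the post.
    for sample in (
        "https://www.bankname.com/login",
        "http://banknameinfo.com/login",
        "https://bankname.com.example.net/login",
        "https://bankname.com@example.net/login",
    ):
        print(sample, "->", check_login_url(sample) or "ok")
```
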

Please note this phishing email happened on my Mac. So don’t assume you are safe because you use a Mac. An antivirus may have spotted this mail before I opened it. I learnt my lesson, and installed Sophos on my Mac that very day. Besides, phishers are not the only danger. Malware from emails and websites can install on your machine, and steal your banking info. Better safe than sorry. I must admit my Gmail has grown a lot smarter now. It probably diverts such emails to my spam box, which may be why I rarely see such stuff anymore.

Phishers often try to use new developments to make their pitch credible. An example is the time a few years ago when all Indian banks were required to update their credit cards with the embedded chip technology.

Anyway, I got a call from a guy who claimed to be from my bank. He said I needed to update my credit card with a new chip-embedded card. When I mentioned that my card was already a chip card, he said there was a technical issue with that particular chip, and the card had to be replaced. He then asked me if my card was a Visa or MasterCard, and informed me that the card number would start with 4 if it’s a Visa and 5 if it’s a Mastercard. After thus lulling my worries with his friendly expertise, he casually asked me to read out the remaining digits of my card number. It was only after I had read out the first eight digits that I realised what I was doing. I stopped and asked him why he wanted my credit card number. He told me not to worry as he wasn’t asking for the CVV. But my antenna had gone up. So I deliberately gave him wrong numbers for the remaining 8 digits and googled his phone number while I was talking. It came up flagged as a scam. Meanwhile, the guy wanted me to double-check and read out the numbers again. I insisted it was correct, and told him to come on Skype and read the numbers directly from my card. I’m not sure why I said that but it may have been curiosity to meet a real-life crook. Sadly, it was not to be. Something must have given me away because the guy abruptly cut the call.

So how do we tell when we are being phished? Though they keep changing their tricks, there are some ways to spot a phishing attempt.

Phishers usually try to pass off as if they’re from a company we know or trust. It was a bank with me, but it could also be websites and apps where you make online payments. They often try to con us with a story to trick us into giving them our data, clicking on links or opening attachments. The phisher tried the credit card chip upgrade story with me. Other stories they favor are telling you they’ve noticed some suspicious log-in attempts on your account, or a problem with your payment credentials, or that you are eligible for gifts or refunds. Once they feel they have hooked your attention, they go for the kill, asking you to confirm your personal info or click on a link to make a payment.

It’s been a while now since I have had any such encounters, but I can tell you I’m not missing our friendly, neighborhood phisherman.

it’s an odd world
