Anatomy of a Phishing Scam

Recently, I was sitting in my home office working on a report. My cell phone rang. Normally this would not have been a reason for concern because I forward my work phone to my cell phone all the time.

So I answered the phone and a recording said, “This is AT&T, your account has been locked due to irregular behavior, please press one to unlock.” Obviously this was a scam. I looked at the screen and it said my name and nothing else, whereas in normal instances it would show my name and the name of my company.

But I was curious, so I pressed one. The next thing it said was “please enter your social security number”. Definitely a scam, so I hung up. I called AT&T, and the customer service rep I spoke with verified that it was indeed a phishing scam and they have developers tools for users to deal with it.

The reason for this post is that we need to remember, especially those of us in IT or Cyber Security who think we “know computers”, that we must always stay vigilant. Despite what you may hear, the internet is still the Wild West.

So let’s look at this scam in detail:

  1. The phone rang, and the ID showed my name as the caller. This is similar to phishing emails that show your email address as the sender.
  2. An automated voice said my account “had been locked due to irregular behavior”. Refer back to number one.
  3. Next, I was asked to enter my social security number. Let’s think about this point for a moment. Say I did enter my social security number: with that, my telephone number, and my name, they would have enough information to start stealing my identity.
  4. After I hung up, the first thing I did was call AT&T using the three-digit number for customer service, where I was able to speak to a rep and verify this incident as a scam.

This case is not unique to me. Phishing is called what it is because, historically, fishers used a wide net to catch as many fish as possible. The scam that I described above has happened to thousands, if not millions, in one form or another. This is why cybersecurity and awareness training should be a common practice, something that is discussed regularly at work and at home. It’s the only way to stay safe... as safe as possible.

Take care.

Jason Nelson @dragonwolftech
