
Not All Phishing Attacks Come by Email

Brad Slavin General Manager
Updated May 28, 2025

Quick Answer

Phishing also arrives by phone. Lifehacker documented a case where attorney Pieter Gunst got a call claiming to be from his bank, asking about a suspicious transaction. He gave a non-sensitive customer number, then read back a verification PIN the caller said was sent by the bank, not realizing the attacker was using that code to reset his account password. The scam unraveled only when the caller asked for his card PIN to set up a 'fraud alert,' at which point Gunst hung up and called the fraud department directly. The rule the post gives: never give a PIN over the phone, and call the institution back at a known number rather than trusting an inbound call. For phone phishing, common sense is the only control. For email phishing, real-time link scanning catches the link before the user does.

Phishing Attacks

Most phishing attacks are pretty straightforward. They try to get the login credentials to your bank account, wipe you out and go on vacation. I’m not really sure about the vacation part, but the rest is pretty typical.

The typical way to get your credentials is to send you an email with a link to a bogus website that looks convincing enough that you’ll enter your information, which the site then captures. Phishing attacks mostly come by email, but not always.

According to a Lifehacker article, a lawyer was recently the target of a phishing attack over the phone. The lawyer outlined the steps the hacker took to get his credentials, including his PIN. And the hacker almost got away with it.


From the article, the lawyer, Pieter Gunst, “got a call from someone claiming to be from his bank, asking him if he had used his card in a far-away city. When he said he hadn’t, the caller blocked the transaction and asked for Gunst’s member number, which he explained in the thread is a customer number—not a bank account number.

The person on the phone said they were sending a verification PIN that Gunst read back after receiving from the phone number he associates with his bank. He later realized that the scammer was resetting his password with the verification number they sent to Gunst’s phone.

The scammer read off a few other charges, Gunst confirmed he had made them, and the scammer said, ‘Thank you! We now want to block the PIN on your account, so you get a fraud alert when it is used again. What is your PIN?’ That’s when Gunst knew for sure that something was up. He hung up and called his bank’s fraud department directly. Giving out his PIN would have allowed the scammer to withdraw money from his account, had he not realized something was amiss.”


Never give out a PIN over the phone. Better yet, never trust anyone who calls you on your phone. Call them instead.

You now see that not all phishing attacks come via email, although most do. There’s not much you can do to prevent phishing attacks over the phone other than to use common sense. But there’s a lot you can do to protect yourself from phishing attacks that arrive via email.

DuoCircle protects you from the more common phishing attacks that arrive via email. It provides the most important phishing protection of all: real-time link scanning. It sets up in 10 minutes, costs pennies per month per account and comes with 24/7 live technical support.

When phishing attacks arrive on the phone, just hang up. When they arrive via email, protect yourself with DuoCircle.com.

Brad Slavin, General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.
