The bad guys are telephoning, again, and last night, I was the target. I listened to the whole message just so that I could get a sense of what the scam was. Does this belong on Kerry's web-site? I don't know. But better safe than sorry. It's not specifically "computer related" but it is a sensitive information security threat, so I thought I'd share here.
Why did I consider it a scam right away? Firstly, because I don't respond to anything like that, under any circumstances. It's my "Rule of Thumb". It's non-negotiable. I simply don't respond to email or phone calls (or even letter-mail) immediately. I ALWAYS contact my trusted company myself, at a phone number or website with secure login, and I always initiate the contact separately, using information that I have obtained from another, trusted source. It is that simple. By always sticking to this policy, I can better protect myself.
So ... back up a little: last week, I received an email from someone claiming to be my bank, saying that I had a security breach on my credit card. It had phone numbers and web links in the message. I deleted it. That is my rule of thumb. And the message was clearly a scam, so I didn't even bother to investigate.
Last night, I had a phone call; it was a recorded message, using the standard voice that most legitimate institutions use for electronic phone calls. It advised that there had been a security breach on my credit card, and gave four digits as the reference. I didn't recognize the numbers at all. And the e-mail I'd recently received came to mind, too. If there had been a genuine breach of my security, my bank wouldn't be emailing me, and then waiting a week or so to telephone me. Just didn't make sense.
The recorded voice gave phone numbers and a Post Office Box address for my bank, and advised that I could only use the card for point of sale transactions when I punch in my PIN code, and that they'd be sending me a new card shortly. I was to contact them immediately about the issue.
It all sounded so very very "official" and legitimate. But I hung up the phone when the message was over. I didn't even bother to take down the phone numbers that they gave. That is my rule of thumb: I absolutely NEVER respond directly to that sort of thing.
This morning, the first thing I did was sign into my on-line banking and check my bank's legitimate messaging system. There was nothing about a fraud alert. Given that this is their secure way of communicating with me, I would have thought there would be something there, if my card had truly been breached. Nope. Nothing from my bank.
The recorded message had mentioned a post office box address for Toronto. So I web-searched the headquarters address for my bank, and when I found it, it most definitely didn't include a postal box. This was another big red flag that told me the phone call had been a scam.
Then, I ran a web search for information about how my bank notifies folks about security breaches.
And I have to say that I was a little angry that I couldn't find this information EASILY … my bank's web site was full of all kinds of information; just not their specific procedure for notifying clients about security breaches. I think I'll be contacting the head office to let them know that there should be a quick link to their policies, on the web. But that's another issue.
What I DID find were a number of chat rooms and blogs, talking about this particular scam, and they were dating back as far as 2012. Some of the entries talked about why they knew it was a scam right off the bat (the four numbers provided in the message were wrong), and other entries assured readers that it was not a scam. Many entries assured me that the entries claiming it was legitimate were actually written by the bad guys, so that they can make their scams work. It was an interesting exercise in “be careful about what you believe” when web-searching.
I also found sites, including one from CBC news, that talked about hackers breaching thousands of accounts, and banks having to replace the compromised cards with new ones. That was a little worrisome. I found blogs and special web-sites dedicated to notifying people about scams, but I was quite concerned that the notices were often un-dated. I had no idea if there had been a large breach last week or last year. Always check the date on a web-posting. Just because it comes up first in your search results doesn't mean that the information isn't ancient.
It was an interesting exercise. I couldn't get a straight answer anywhere that I looked.
But I found this: http://www.cba.ca/?cat=Fraud-Prevention
The Canadian Banking Association has a website with a number of resources, including tips on how to avoid fraud. I would encourage everyone to have a read through it. The information is quite "general" in nature, but what they have to say can get us thinking about how we deal with our sensitive information in our digital era. You can even sign up for a regular e-mail newsletter and fraud alerts.
As for my own "Rules of Thumb" ... I, and everyone else in my family who has used our home number for trusted company contact, will be calling our bank branch as soon as it is open, this morning, just to double check. I couldn't find, and confirm, my bank's specific policies about fraud alert phone calls, so we will follow up, ourselves, to ensure that our card security is fine ... and to report what I very strongly suspect is another scam attempt.
Always be suspicious, folks. The bad guys are sophisticated. With more and more financial transactions occurring digitally, we need to keep up to date.