Phishing gets more focussed
It’s a story that’s well-known in net-savvy circles, but a couple of recent personal experiences bring home how phishers are changing.
First story – on the phone. I’ve had a spate of “sell the business” and “reduce my bills” calls. Among them, one from a caller identifying himself as from my provider, O2. He’d done his homework, knew my name and my company, and was an English voice, not an obvious Indian call-centre (which might, ironically, have made more sense if it really had been my provider). Everything to put me at my ease.
He didn’t start with the ritual of security questions: that would of course alienate the mug on the other end of the line, not to mention raise “who are you?” concerns. Instead, he wanted to talk about whether I might qualify for a new “free” handset, and reducing my bills. He asked about my existing handset (answer: how is that relevant?) and on the subject of bills said “you’re paying about £x-£y/month now, right?” (wrong, by an order of magnitude). OK, you’re plausible, but if you were really from O2 you’d have access to your customer’s details and not have to ask!
After that one I tried calling O2 to confirm it really wasn’t them being daft. The automated introductory message reminded me what security questions I’d need to answer. Damn, I don’t have that information to hand, can’t even ask them the question! Never mind, I went through my options in detail less than a year ago when I got connectivity for the pocket-‘puter, and I’m not looking for a change.
The second story came in a ‘phone call from my mother earlier this week, and served to remind me that not everyone finds it as easy to dismiss them as I do. She had an email about her bill from mybebook.com, and wondered about clicking the link. OK, that’s an old-fashioned phish, but coming “from” a minority site that she has bought from (though not recently) gives it extra credibility over the one “from” amazon or ebay. Or indeed “from” tesco or waitrose. I suggested she hover the mouse over the link to see where it really leads. Turned out to be some .exe on an unknown site. Just as well she’s not a complete mug 😉. Googling mybebook.com finds a thread about the phish, and the site itself has posted a warning! Having reassured herself about deleting that email, she then contrasted it with a legitimate email from John Lewis about an actual recent purchase: the invoice was in the mail itself, with nothing to click.
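The “hover over the link” test my mother applied can be done programmatically over an email body. The script below is an added example, not code from this post or from mybebook.com: it uses a constructed HTML body in which one link shows the shop’s name but points at an executable on a bare IP address, and one link whose visible text and target agree. The suspicion rules (displayed domain differs from the real one, the target is an executable download, the host is a bare IP) are my own choices for illustration, and the IP 198.51.100.7 is a documentation address, not a real phishing host.

```python
"""Offline check of links in an HTML email, mirroring the "hover over the link" test."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a phish that displays the shop's name but
# links elsewhere, plus a link whose text and target agree.
SAMPLE_PHISH_HTML = """
<p>Your bill from <a href="http://198.51.100.7/billing/invoice.exe">mybebook.com</a> is ready.</p>
<p>Questions? Visit <a href="https://www.mybebook.com/help">www.mybebook.com/help</a>.</p>
"""

# File types a billing email has no business linking to directly (assumed list).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".hta")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Return the lower-cased hostname (minus a leading 'www.') of a URL or bare domain, else None."""
    candidate = url_or_text.strip()
    if not candidate or " " in candidate or "." not in candidate:
        return None  # plain words like "click here" carry no host to compare
    if "://" not in candidate:
        candidate = "//" + candidate  # lets urlparse treat a bare domain as a netloc
    host = urlparse(candidate).hostname
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def assess_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    target_host = host_of(href)
    shown_host = host_of(text)
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if target_host and shown_host and target_host != shown_host:
        reasons.append(f"text shows {shown_host} but link goes to {target_host}")
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("link downloads an executable")
    if target_host and all(part.isdigit() for part in target_host.split(".")):
        reasons.append("link target is a bare IP address, not a named site")
    return reasons


def check_email(html):
    """Parse an HTML body and map each link href to its list of suspicion reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: assess_link(href, text) for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in check_email(SAMPLE_PHISH_HTML).items():
        verdict = "; ".join(reasons) if reasons else "nothing flagged"
        print(f"{href}\n    {verdict}")
```

Run as a script it reports the invoice.exe link three times over (domain mismatch, executable, bare IP) and passes the help link. The rules are deliberately simple; a mail filter would add sender-domain checks and a reputation lookup, but the core of the manual test, comparing what the link says with where it goes, is what the code automates.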