Phishing: A humiliating experience
Jun 27, 2019 / Swimlane
Shortly before I came to work at Swimlane, I was the victim of a phishing scam.
Upon reflection, the experience was more embarrassing than anything because I allowed the scam to go further than it should. I finally figured out it was a phishing scam—and not a support call—when I was directed to a cryptocurrency website to “make sure my information was encrypted.” Of course, in the aftermath I was concerned about identity theft. But when I had to go to my bank and close one of my accounts, I was mortified recounting my story because, in retrospect, it was SO CLEAR that it was a scam. I was suckered. I was furious (at myself) about the situation. During the phishing expedition I thought I did my due diligence in asking the right questions. I asked the guy to verify I was talking to the company and customer support that I was contacted by.
To make a long and personally embarrassing story short(ish), here is what happened:
On a Friday afternoon, I was called by an 800 number. When I googled the number, it came up as Apple Care. I listened to the voicemail, hit redial and was connected to “support.” I was told my laptop and phone had been compromised and that my system was being used to distribute child pornography in New York. “Support” needed to verify my identity and make sure my information was encrypted and not being used to distribute illegal videos. I was skeptical from the start, but my brain pretty much shut down. I panicked when the words “child pornography” were uttered. I asked for the person to verify he was from Apple, and he gave me the 800 number to search, his name and support identification number. I searched the number online and assumed I did enough to confirm that the number was from Apple.
Spoiler: it was not.
About an hour later it occurred to me I needed to shut this down. On the call, I verified the information he already had: my email, my bank account, the last four digits of my social security number, and I had given him access to my desktop to search IP addresses.
In recounting this, I am cringing at myself and my naive trust in a number that came up online.
I began to get very nervous about the information he was verifying. Finally, something clicked, prompting me to hang up. I called my local Apple store and was told this was a known scam, I needed to call the police, and that Apple would never call me—if there was a problem I would need to contact customer support.
All this happened on a Friday afternoon. I was winding down from a busy week at work and apparently not paying enough attention. Needless to say, I spent the next Saturday morning closing bank accounts, reporting a compromise to my credit card, changing passwords, and talking to the police—who could do nothing unless actual money was taken.
Thankfully, all this nonsense was relatively simple to resolve. My bank was easy to deal with, and they were sympathetic. I did not actually lose any money and mostly suffered from self-inflicted humiliation.
However, it was disconcerting knowing that unless I lost money very little could be done by the police or by Apple other than advising me to keep an eye on my credit report and bank account. Not exactly the justice I sought.
What is still so infuriating is the sophistication of the scam. When you trust a brand it is easy to let your guard down. I appreciate the fact that Apple is working to combat these scams. As a consumer, being able to trust support or a brand is important. These scammers prey on that trust, and to be at a heightened level of alert ALL THE TIME is simply exhausting, which is how these jerks are successful.
I was lucky in this situation because none of my money was stolen. Many are not. Spotting phishing attempts takes a combination of common sense, training, practice and healthy skepticism. It's important to stay vigilant to avoid falling victim to one of these scams. And remember: Apple Support will never call you.