Saturday, January 27, 2024

The Barren Swarm


It finally happened to me but I don't want to talk about it, at least in much detail, but I finally fell victim to a phishing fraud and am now working my way through the consequences.

On an appalling regular basis, I get emails and texts telling me that the Amazon order I placed needs clarification of the mailing address (when I hadn't ordered anything from Amazon), that my credit card is being frozen due to suspicious activity (when the card's online site shows nothing to be amiss), that someone needs my approval to ship the new laptop I just purchased (when I hadn't purchased anything, much less a new laptop).  You probably get these as well - they're a minor nuisance of the age in which we we live. I just delete them without any response or other interaction and move on with life.

Some of them are very clever and look and sound very much like legitimate messages, but there's almost always some goofy grammatical or punctuation error ("your credit card will be cut-off," or "please to respond immediately"). Regardless, I delete and ignore.

Early yesterday evening, I was at an unusually vulnerable moment. I had just paid a new contractor online for gutter and roof cleaning, and before said contractor was even out of the 'hood, I got a text message from my bank about a suspicious purchase at a Walmart store.  Fifteen or so years ago, the last time I experienced fraud, checks were being cashed in my name at a Walmart's, so the message triggered me. 

It looked very authentic without the usual grammar errors, and said that if the charge wasn't mine, I should click the link for [bank name].cancel.info.  I knew better than to click a link in a text message, but I typed the web address into my computer and my bank's website came up. 

But as I logged in, a few things felt off. It asked for a phone number so it could text me a verification code, but my bank already had my phone number.  I sent my number anyway, and the code didn't work. A second text appeared on my phone without any additional prompt and the second code worked, but Windows immediately threw a warning message up about a fraudulent website ahead.

I immediately logged off and went onto my legitimate bank site and changed my password to a new "strong" one, but it apparently was too late.  I began getting literally hundreds of spam emails, coming in faster than I could delete.  I was under an extreme, spam denial-of-service attack.

Online advise about what to do was all over the place.  One site recommended I contact my ISP and change my email address, which I didn't want to do as I've had the same address for some 20 years.  Another site advised to just "grin and bare it," and that these attacks usually last "less than a week." One said I should contact my firm's network administrator for help (as if I had one) and another advised that the reason for spam attacks like this was usually so the victim wouldn't notice or see legitimate notification emails from banks or credit cards - it's a smoke screen to cover the thieves tracks.

I started the Sisyphusian task of marking all the new emails as "spam" even as they were still swarming in, and noticed that, sure enough, there was a legitimate notification from my bank in there advising me that the email and home address on my account had been changed. Since I had only changed my password and not the other info, I immediately got on the phone with my bank. All my money was still there, but the bank acknowledged that someone had changed the email and mailing address. It took a long time, but the bank finally closed my account and froze it so that no funds could neither be withdrawn nor deposited.

This was all on a Friday evening, so the long and short of it is that I have to wait until Monday morning to open a new account at a branch office of my bank - apparently this can't be done on line or over the phone.  I can't do any online banking until then and my debit card is frozen.  But at least my money wasn't stolen.

The spam attack is still underway but seems to be abating. Where I was getting literally hundreds per hours last night, now I'm getting only 10 or 20 per hour. The nuisances of modern life.

Anyway, lessons learned and here's what I want to advise you, my friends. I was wary and alert to phishing schemes and thought I was smarter than the other victims. But then the perfect storm of a moment of uncertainty (who did I just pay with my credit card?) coupled with a particularly skillful scam (the fraudulent website really did look like my bank's) caught me off-guard just enough to overcome my skepticism and snag me.

Be careful out there. Trust no one. And if something doesn't sound right, it probably isn't.

No comments: