The woman was a scammer, and Gunst was just the latest target in a growing trend that has left thousands of Americans frustrated, broke and without a clue how to get their money back: the phishing scam.
They are not going away any time soon, and scammers are getting smarter and more sophisticated in their phishing attempts. Here's how you can avoid being the next one to fall for it.
Here's how it works
Gunst ignored the fraudster's first call; he did not recognize the number. But the same number called again, and as a business owner used to calls from unknown numbers, he decided to pick up.
Gunst said the woman on the other end told him she worked at his bank and that someone was trying to use his card in Miami. Gunst, who lives in San Francisco, told the caller it was not him.
Having received legitimate calls from his bank about attempted fraud in the past, he did not suspect anything out of the ordinary.
Then it got weird.
After Gunst confirmed that he had not used his card in Miami, the caller told him the transaction had taken place and then asked for his member number.
Gunst then received a genuine confirmation code by text from the bank's usual number, which he promptly read out to the caller, without noticing that it was a code to reset his password. The person on the line, a scammer, was in. She was able to access his account and began reading back his most recent transactions, which lent the call a little more credibility.
Then came the next question, which immediately raised a red flag: "We now want to lock the PIN on your account so that you get a fraud alert whenever it is used again. What is your PIN?"
Gunst hung up. That is a number no bank would ever ask for. He quickly called his bank's fraud department and thought back over where the call had gone wrong.
"The problem is that the text should say what it's for," Gunst, who described the scam in a widely read Twitter thread, later told CNN of the confirmation code. "Someone is trying to reset your password, do not give this number to anyone else. But that was not the case; it was just a generic PIN."
He said it was a lesson the bank could learn from.
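The design gap Gunst describes, as an added example that is not part of the CNN article and not code from his bank: a hypothetical one-time-code service that binds every code to the single action it authorizes, spells that action out in the text message, and accepts the code once, only for that action, only while it is fresh. The account identifiers, purpose names, message wording, lifetime and guess budget are all assumptions for illustration.

```python
"""Hypothetical bank-side one-time-code service (added example, not the bank's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed guess budget before a code is discarded

# Wording for each action a code can authorize (assumed, for illustration).
PURPOSE_TEXT = {
    "password_reset": "RESET your online banking password",
    "card_fraud_confirm": "confirm a flagged card transaction",
}


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock
        # Keyed by (account, purpose): a code issued for a password reset is
        # never even looked up, let alone accepted, for any other action.
        self._pending: dict[tuple[str, str], PendingCode] = {}

    def issue(self, account_id: str, purpose: str) -> str:
        """Create a fresh six-digit code for one account and one action."""
        if purpose not in PURPOSE_TEXT:
            raise ValueError(f"unknown purpose {purpose!r}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(account_id, purpose)] = PendingCode(code, self._clock())
        return code

    def verify(self, account_id: str, purpose: str, code: str) -> bool:
        """Accept a code once, only for the action it was issued for, only while fresh."""
        key = (account_id, purpose)
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False
        if not hmac.compare_digest(pending.code, code):   # constant-time compare
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self._pending[key]
            return False
        del self._pending[key]   # single use
        return True


def generic_message(code: str) -> str:
    """The weak form the article describes: nothing says what the code does."""
    return f"Your verification code is {code}."


def purpose_message(purpose: str, code: str) -> str:
    """Hardened form: names the action and tells the customer never to share it."""
    return (
        f"Use {code} to {PURPOSE_TEXT[purpose]}. "
        "Bank staff will never ask you for this code. "
        "If you did not request this, call the number on the back of your card."
    )


def replay_the_call(service: OtpService, account_id: str) -> dict:
    """Constructed walk-through of the call in the article against this design."""
    # The scammer starts a password reset on the bank's site; the bank texts the customer.
    code = service.issue(account_id, "password_reset")
    sms = purpose_message("password_reset", code)
    # The code is only ever valid for the reset it was issued for...
    wrong_action = service.verify(account_id, "card_fraud_confirm", code)
    # ...works exactly once if the customer reads it out...
    first_use = service.verify(account_id, "password_reset", code)
    # ...and is dead afterwards, so it cannot be replayed.
    second_use = service.verify(account_id, "password_reset", code)
    return {
        "sms_names_action": "RESET" in sms,
        "accepted_for_other_action": wrong_action,
        "accepted_for_reset": first_use,
        "accepted_again": second_use,
    }


if __name__ == "__main__":
    svc = OtpService()
    print(generic_message("123456"))
    print(purpose_message("password_reset", "123456"))
    print(replay_the_call(svc, "acct-demo"))
```

The purpose binding does nothing to stop a customer who reads the code out anyway, which is exactly what happened here; its value is that the text itself tells the customer what they are about to hand over, and that a code phished for one action cannot be turned against another.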
The 'hack' used social engineering
Hackers can use social engineering to obtain or compromise information about you, for example in order to gain access to your bank account.
That simply means tricking you, or someone who knows you, into compromising your account.
And she was able to do so largely with information he had posted on social media: an Instagram check-in at a hotel and a tweet about a piece of furniture.
How? Both the hotel and the furniture company handed the hacker his personal details over the phone.
It's not always your fault
Companies that do not have the right security procedures in place often expose themselves and their customers to social engineering attacks.
A small business can easily be tricked into revealing customers' personal information over the phone when a clever hacker has just enough information to sound credible.
According to Ron Schlecht, managing partner of security firm BTB Security, small banks and companies are known to send newsletters to members or even hold member appreciation events, and members post the invitations on social media. An accomplished hacker could use that to identify members of the bank and then use social engineering to fish for details such as home addresses and phone numbers.
"It's unclear at this point where this happened, but I have no doubt that they knew I am a customer of this bank and that they thoroughly understood the bank's security procedures," says Gunst. "It was pretty targeted."
While it is possible that Gunst's bank was compromised, Schlecht says it is "more likely that they disclosed information without really knowing it was bad."
Spotting the scam
There are a number of clues that should raise your suspicions.
"If you've been randomly selected for a grand prize, a vacation or great savings, or if the IRS, Medicare or the Social Security Administration suddenly has a warrant or a penalty for you, take a deep breath and consider whether the call is legitimate," said Schlecht.
He offered a simple rule: "In general, when something seems too good to be true, or too bad to be true, it probably is. Chances are you never entered a drawing, and you have no idea what misconduct you are supposed to have committed."
Phishing scams are common, but particularly clever phishing attempts can fool even people who are aware of them.
In the moment, it is easy to make a mistake or to miss a detail or clue that points to a scam.
Knowing how your bank or institution handles fraud can help you spot a scam, but it is not foolproof. Gunst had received several calls from his bank about real fraud in the past, and he says the scammer stuck very closely to that pattern. He called it a "very clever trick".
"If I read this thread now, it's one red flag after another," says Gunst. "But it's hard to convey the social engineering component; my guard was not where it should have been."
"Zero trust always wins," said Schlecht. "You can't verify who they are, so call them back after the notification instead of interacting with an incoming call."