On November 17, 2023, I posted about it being the start of the phishing season.

I’m going to update you on the latest round of attacks including what to do when it’s happening, what to do right now after reading this, and a few additional tips to help you keep yourself, family, and friends safer.

The attack category is Social Engineering Attack. So I’m going to start this with a little primer on these attacks.

Attack Type Communication Channel Target
Phishing Email All
Vishing Voice: often using VoIP All
Whaling Email and/or Voice Individual
Smishing Text Both
Social Engineering Social Media Both

How and Why:
Tactics: Impersonation, urgent action required, Threatening/Fear
End-Result: Personal information, Financial information

Most people have heard about phishing (the OG) and so they use it to describe any socially engineered attack.

Phishing and its voice counterpart target as many potential victims as possible. Usually for vishing, it’s a recording with a request to call a specific number.

Whaling targets a specific individual.

Smishing and Social Media SEs may target both.

Today, December 30, 2023, I’m going to talk about a specific whaling attack.

I’m seeing people I know posting about receiving a call from their “bank” with a live person who has a considerable amount of information that makes the call recipient believe it is legitimate. Now if you’re expecting a call from your extremely local bank because you called and left a message, you probably know exactly who is calling you back.

First thing to know: There’s a lot of data collected by legitimate data collectors and it’s for sale. There are also breaches occurring where the illegally acquired data is also sold.

Second thing to know: No bank or financial institution will cold call you via a live representative.

The best security practice most banks use is to leave a voice message, usually identifying the department (i.e. fraud) with the instruction to:
CALL THE NUMBER ON THE BACK OF YOUR BANKCARD/CREDIT CARD.

So, here’s what to do if it happens to you:
1️⃣ HANG UP - yup, cut them off right after they say the financial institution’s name, if possible.
2️⃣ CALL THAT NUMBER - Ask for the fraud unit and let them know there was a potential phishing/whaling attack.
3️⃣ GET A CASE # - If the bank unit opens a case.
4️⃣ CONTACT LOCAL POLICE - If you’ve gotten a case number.

So, here’s what to do right now after reading this post.
Login to either your bank app or directly online:

1️⃣ SET-UP NOTIFICATIONS - Set-up notifications for every bankcard transaction to be sent to your email account.
⏺️Purchases outside of physical merchant
(may show up as Card Used Online, by phone or by mail)
NOTE: depending on the bank, you may be able to set-up
physical purchase notifications
⏺️Direct Deposit Notice
⏺️Low Account Balance - You set the amount for this notification.
2️⃣ SET-UP MFA - Multifactor Authentication is the strongest account security.
3️⃣ CHECK FOR SECURITY RECOMMENDATIONS - then use them.