I Too Was Nearly Phished
Kev Quirk wrote about how he very nearly got phished recently.
kevquirk.com: I Was Nearly Phished
Kev’s story is a good reminder that even the careful can get phished. It also reminded me of a pretty good phishing attempt that came my way several months ago and I think the biggest reason I didn’t fall for it was dumb luck.
The message
My wife is actually the one that got the phishing text message. It was a bank fraud message that read something like this:
[BANK NAME] BANK ALERT: We detected an unusual attempt at [STREET ADDRESS]. If this was not you, use the secured link to verify your identity and secure your account: [LINK]
There’s a couple things that made this convincing at first glance. The phishers either knew where we banked or just got lucky. The street address was somewhere in my wife’s area code. The link was also convincing and looked very similar to the legit login URL for our bank.
Thankfully my wife and I were just chilling at home at the time so we were able to take a closer look at the message before acting on it.
Red flags
Thinking about it, it made little sense that the bank would be telling us the street address where the suspected fraud happened. Wouldn’t it be easier for both us and the bank if they just told us the name of the business that the fraudulent charge came from? What if the charge had come from an online transaction?
The link attached to the message, although convincing, was actually a subdomain on a domain completely unconnected to the bank. This would be a really easy to miss detail if you were reacting quickly, especially if you weren’t all that tech-saavy.
But the biggest giveaway was really just luck. I had just happened to get a legit (false positive) anti-fraud message from the bank just a week or so before this phishing attempt and the two messages didn’t match up. The real anti-fraud message gave the name of the business, not the street address. It also didn’t ask me to visit a link and instead just asked for a “yes” or “no” response with a “yes” immediately canceling the card.
Be careful
Thankfully all this attempt amounted to was good practice for how to detect and handle a phishing attempt.
One big thing is to try to analyze the message while calm. A common phishing tactic is to pressure you into acting quickly before you have time to think. Don’t let potential attackers make you emotional. This is easier said than done if the phish is well crafted or comes through at just the right/wrong time though which is why it’s important to know other red flags to look for.
Never, ever, ever click a link in a text message or email you’re not expecting. Even after scrutinizing it. In my case, the fake URL was the last red flag that I caught. If you’re being asked to take action then go to the website manually to do it, ideally using a bookmark or your browser history. If you use Google to get to the website, avoid any links that have “Ad” next to them. Google has been known to serve up malware and phishing sites through ads disguised as search results.
Using a password manager (like Bitwarden) can be helpful because it won’t autofill your account credentials unless the URL you’re at matches the URL you signed up at.
Again, this was good practice to keep me on my toes. Hopefully that’s all the future phishing attempts will be too!