back to article Fraudsters add IM to phishing attacks

Fraudsters have begun experimenting with introducing IM chats to phishing attacks. Conmen are trialling the inclusion of IM features into fraudulent e-banking websites. The tactic is designed to trick prospective marks into handing over the answers to secret security questions, thereby giving cybercrims an increased ability to …


This topic is closed for new posts.
  1. npupp 1

    oh great :/

    What irks me is that people would likely fall prey to such calls because they have been conditioned by their banks to not expect any form of security over the phone. Anyone tried verifying the identity of a bank representative calling you? The logical paradigm that ensues is hilarious.

    "Hi this is Barclays calling about a query you made, for security i need you to verify a few details with you"


    "This is for security, what is your mothers maiden name?"

    "no, i need you to first prove you are from my bank, what is the last 4 digits of my account number?"

    "I'm sorry i cannot do that sir, data protection laws forbid me to give out account details until you are verified, could you answer the question?"

    "no. unless you prove to me you're from barclays, i'm not giving you anything"

    "Of course i'm from barclays, I have your phone number"

    "... "



  2. Sam Liddicott

    @oh great

    I had a great talk along those lines with a caller from Co-op bank.

    The caller tried to assure me that "we take security very seriously" but could not understand that this was a security problem that they could not understand and that therefore they should let me talk to someone who could understand.

    I was given an extension number I could ask for after dialling a published public number for Co-op bank and hear the message they were trying to give me.

    Having thus called, and thus having a modicum of confidence, I identified myself and was given the message: "Now CIS and Co-op bank have merged there are some new services we can offer....."


    I note that after a COUPLE OF YEARS (it seems) they stopped cold-calling me and asking me to prove I was their customer.

    In the meantime they were conditioning every customer they called to believe that any caller who said that they weer from the Co-op bank was indeed from the Co-op bank and should be trusted. Ouch.

  3. Anonymous Coward
    Anonymous Coward


    Actually, I'm with the coop bank and when they ring me up I tell them that I'm not about to give them any details, they say "fine, call us back on our published number and there will a note on your account telling the person you speak to what we're calling you about."

  4. Anonymous Coward
    Thumb Up

    @ npupp 1

    npupp 1 has hit the nail on the head!!

    I have had almost exactly the same conversation with numerous companies that have called me up unannounced and unrequested.

    They absolutely refuse to recognise that verification is a 2-way thing and they just want me to hand over a load of personal information on their say so (and to add insult to injury, this is usually done by people calling from a telephone number that has withheld its caller ID).

    I just tell them that unless they can verify who they are to my satisfaction, I will not continue the conversation (then I hang up).

    Even BT used to show "Withheld" when calling (and they run the damned caller ID system) but they've since mended their ways, although they still won't prove who they are.

  5. Anonymous Coward
    Anonymous Coward

    @ npupp1

    As everyone else has said, nail on the head etc. I had the misfortune of working as an outbound telesales rep for a bank once (karma, I must have been Pol Pot in a previous life) and had the same problem. We got around it by going halves, I say the first bit of your postcode, you finish it off, etc. That probably wasn't DPA kosher, but it worked.

  6. Anonymous Coward

    Similar Problems With E-Mail

    Not to dilute the conversation, but security practices of commercial entities and businesses are frequently terrible. They seem to love to send out e-mails with links to click on to take you to the login pages of their systems to retrieve or set some kind of information. All they are doing is making sure to condition their customers to click on links in e-mails that take them to login pages.

    They should not send links at all. If I do online transactions with someone, I know how to get to their website. It's no wonder so many criminals have such an easy time baiting and engineering account information from the security uneducated.

  7. Jay Castle


    It seems to me that all the different vectors these miscreants can take are totally irrelevant. No matter what funky tricks they use, there is only one thing you have to remember.....

    Your bank\building society\whatever has told you, I'm sure, "we will never ask you for your account number etc". Most banks have a very clearly set out policy concerning what information they use for IDing you. If the person calling you strays from that, hang up.

    It really is that simple. And the same goes for emails - how many times are people told by their bank what to expect in any form of communication? The ground rules are set-out from the very start. If you don't listen or you forget or you're too stupid to understand...well, shit happens.

  8. Sly

    IM scams...

    nothing new here. Been getting scam attempts on AIM and ICQ since I started using them... sometime early 1997.

    The only real point is this... you can't cure stupid without education. Social engineering works no matter the medium if you target enough people. Eventually you'll find someone gullible enough.

    Maybe one day people will actually be taught how to know when they're being scammed... but until then, stupid is as stupid does...

    /mines the one with the notepad full of credit card numbers in the pocket

  9. northern monkey

    @Jay Castle

    Did you read any of the previous comments? They [the banks] might not ask you for your account number but they will ask you for your mother's maiden name, first line of your address, date of birth, 3rd and 6th letter of your password, etc. And as has been pointed out they refuse to give you enough information for you to be able to verify that they're actually your bank.

    As you yourself point out most banks have a clearly set out policy on what information they use to identify you, so any miscreant calling you knows exactly what they need and what to ask you for.

  10. Scott 19


    I had this yesterday, my mobile rang "Hi this is your car insurance company contacting you about your new policy, can i confirm who you are by you telling me your date of birth and mothers maiden name", the answer was a very firm "Eerr, no!!".

  11. Anonymous Coward

    hsbc joins the club

    Hsbc have phoned me on 2 separate occasions recently to talk about my account and asking me to provide answers to security questions. When I say " how do I know you're from Hsbc?" they're generally flummoxed but say that I don't have to take the call, so I don't. Silly people, they still don't understand security, do they?

  12. David Eddleman

    Been like this for a while

    I get an occasional call from "Verizon" wireless, claiming that I am on track to running overages. First thing I get with the foreigner on the line is a request for my phone number, my social and something else (can't remember what else it is they want), but basically with it they get free reign to use your account to buy whatever they want.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022