Not all scams are easy to spot

We sometimes feel that, because we’re smart, we could never be scammed. Who could possibly fall for a badly written email or text, right? But, unfortunately, that confidence can make us careless. The fact is not all scams are easy to spot, and coincidental timing can make them appear even more convincing. In other words, we can all be had.

My bank recently sent me a new credit card. Within a few hours of receiving it, I also received a text message from my bank. The text correctly cited the first three digits of the new card number and asked that I click the included validation link. This didn’t seem particularly suspicious. I mean, the bank has my phone number and we all know that credit cards need to be activated.

But something wasn’t quite right. The language that was used seemed a bit unusual, as did the URL. Sure enough, a little research revealed that it was a phishing scam. The website the text linked to was less than 72 hours old, and it didn’t belong to the bank.

How did this happen? Was it a coincidence or did the scammers know that a card had been sent to me? I asked a former cybercriminal – a so-called carder – who said that the bank probably had a leak in its supply chain. In other words, an employee at one of the bank’s vendors – perhaps a post office employee – had told the scammers that a card was on its way to me. While they didn’t necessarily know the full card number, they were nonetheless able to cite the first three numbers of the card because they identify the issuer, and are not unique to customers.

The timing and use of the correct card numbers made the scam quite convincing. While I didn’t fall for it, others certainly will have. They’ll also have fallen for other scams which seemed more plausible because of the timing.

In February, science fiction author Cory Doctorow explained how he’d been tricked into revealing his card number to a phone-phisher who “then did $8,000+ worth of fraud with it before I figured out what happened.” I’ll leave it for you to read the details but – tl;dr – the scam succeeded due to coincidental timing and, perhaps, because Cory was on vacation and rushing to pick up a muffalata before heading to the airport. The irony here – and possibly a contributory factor – is that Cory knows about this stuff. He’s a regular at Defcon where he attends the social engineering competitions, and is actually writing a series of books about scams.

We often think that only stupid people fall for scams, but that’s not the case at all. To quote Cory:

… it’s also important to remind people that everyone is vulnerable sometimes, and scammers are willing to try endless variations until an attack lands at just the right place, at just the right time, in just the right way. If you think you can’t get scammed, that makes you especially vulnerable.

So, how can you avoid being scammed? Unfortunately, you can’t. But what you can do is make it less likely that you’ll be scammed. Be sceptical of any message or phone call that you receive, even if the timing makes you think it’s probably the real deal. When it comes to money-related matters, it’s always better to take a few minutes to check whether a message is legitimate. Look up the organization’s phone number and call, or visit its website and use the chat option.

Tools that can block scam websites – like the anti-scam feature built into our products – can help. But these tools simply help you reduce your risk. They’re not doing to block every bad link, and so you should still make checks.

Bottom line: we’re all vulnerable and we can all be tricked. The good news, however, is that we can also make it significantly less likely that we will be tricked.