Social Engineering: Mind tricks that mesmerize

It was a calm Thursday afternoon, or so it seemed, until I went to visit my good friend Johnny. A couple of days earlier he had spoken with his financial institution about his credit card reaching its expiry date; that call, and the conversation that followed, took place right in front of me. Two days later a new card was in his mailbox, and by the time I visited, the envelope holding the card was sitting on his desk for anyone to see. Something on that envelope caught my eye immediately: a return address I had memorized, along with many others, in the past. Because he is my friend, I tried to warn him.

  • Me: “Hey buddy, the address on this envelope is the same as it is on these bank credit card statements, but these are two completely different financial institutions.”
  • Johnny: “So? It’s probably MasterCard Items.”
  • Me: “The other statements come from Visa.”
  • Johnny: “It’s probably their printing company’s address.”
  • Me: “I guarantee you, this is no printing company.”
  • Johnny: “Hold on, I’ll call them and find out right now!”

Johnny's line of questioning went as follows: "Yes, can I ask a question? How is it that Financial Institution A and Financial Institution B are sending their mail from the same address?" I could hear the person on the other end of the line scrambling before replying, "I don't know, sir." Johnny immediately followed up with, "Is it possible that you're using the same printing company?", looking at me at the same time with the kind of look that said, "This answer will bring me victory!" After initially saying he didn't know, the employee suddenly reinforced Johnny's "Eureka" with, "Yes, I think you're right about that, sir."

Well done, Johnny! I have been investigating these people for three years and have told you enough about the situation to keep yourself safe, yet you don't seem to remember the important specifics. These addresses have been identified as being used for fraud and other criminal activity since 2014. You just handed some social engineer a believable lie to tell countless innocent people who might accept it as genuine because they don't know any better.

Although I was very angry with him for what he did, I went and let my frustration out at the gym. There is no printing company at that address, Johnny. It is just a post office that holds a few hundred post office boxes. They don't print anything; the address is only a holding point for mail and parcels. It closes somewhere between 3:00 and 5:00 pm, Monday to Friday, and is closed on holidays and weekends. Leaving aside the odd operating hours of the place (only government offices keep Monday to Friday, 8:30 am to 5:00 pm), even if some printing company had permission to put its address on confidential documents like that, it would be quite unprofessional. Confidentiality between you and your bank is of the utmost importance. Can you imagine paying for printouts, logos, company cards and so on, and having the printing company's address embedded in documents of this kind? Don't you know, my friend, that printing of this nature is performed directly by the bank or creditor?

Fortunately (or rather unfortunately, in my experience), my memory is very persistent about certain things, mainly anything that grabs my attention, good or bad. Because the brain has only so much capacity to hold information (depending on relevant training and other factors), I think of my memory as a huge filing cabinet, like the ones you find in an office, to help me memorize items and subjects better. Although it sounds odd, it does help me remember things better and faster. In this case, the return address on this envelope was filed away as a very significant one in my folder called "Cautionary Items." Around mid-2015 I came across my first indications of a massive phishing and data theft operation that worked through none other than post offices and financial institutions, and the address on this particular envelope was carved in my mind as a cautionary one. I don't know at which point banks, unions, pension plans, insurers, credit reporting companies and other major corporations and agencies arbitrarily decided to start using P.O. boxes to conduct their business.

It is a horrible idea for security on so many levels, because it makes me wonder: who picks up the correspondence from these post boxes? Are these people monitored somehow? How can a bank ensure that the employee picking up sensitive documents isn't "going for lunch" somewhere along the way, extracting sensitive account information and then repackaging the envelopes? Mail gets lost or delayed all the time. What if a tempting package caught the eye of a post office employee? I personally know someone in Europe who was apprehended performing a similar theft, before the Internet of Things became ubiquitous. How much easier could that be today, when someone who happens to have the right app installed on their phone or tablet can scramble cameras, edit actual footage, or even alter the GPS record of where they have been in a day?

Almost three years into my research, I have discovered how these people find information about us and how they engineer and reverse-engineer us into giving up our credentials. I investigated the subject so intensely, and saw so many people affected by it, that when I decided to take an exam on social engineering the resulting grade was 98%, without having studied any material or cheat sheet, just from personal experience with the subject.

After years of failed and sometimes laughable fraud attempts, and a handful of disgruntled employees going through trials, others learned from those examples and refined their methods. As a result, pathetic phishing attempts turned into determined social engineering attacks. The collecting and selling of sensitive information has been around far too long now, and with the bursts of worms and botnets and the rise of social engineers, it has moved far beyond the realm of disgruntled employees and insider or outsider affiliates.

The weakest link in any security implementation is the human factor. A person's vulnerability is exposed partly through lack of awareness of the hazards of information security. People don't seem to understand why or how a data breach can seriously affect their lives. Recently I was asked, "Why does it matter if this is coming from a fake address? I haven't noticed any intrusion yet on this one…" The conversation was about a credit card that this person had replaced three months earlier because of unauthorized activity. Would you recognize a small extra charge from a company you deal with regularly? What if a small amount moves from your debit account into your credit account and then mysteriously gets cashed out? These are the minute transactions that often go unnoticed by the untrained eye but can cost thousands in the end. When you call the number on your monthly statement or on the back of your credit card, do you know whether someone out there has cloned your phone or is intercepting your calls? Do you know whether the number you are calling has been compromised, so that you end up talking to the wrong person? Since the bank and other companies have the right to log your calls, you have every right to record the conversation too (check the consent rules that apply in your jurisdiction). You should keep a recording of verbal interactions if you suspect you are getting misleading answers. Shortly, I will upload all the voice files from an identity fraud case; see if you can tell when a social engineer is picking up at the other end. Stop assuming that because you are the one calling the number printed on that false statement, you must be talking to the right people.
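The two "minute transaction" patterns raised above can be checked mechanically rather than by eye. The block below is an added example and not code from the original post; it runs two simple heuristics over a constructed, fictional card statement: a small charge from a merchant you already use regularly whose amount matches nothing seen before from that merchant, and a credit posted to the account that is followed within a short window by a cash withdrawal of about the same amount (the pass-through pattern described above, modelled here on a single account). The thresholds (charge limit, what counts as a "regular" merchant, the cash-out window) are assumptions and should be tuned to your own statements.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample card statement (not real data).
# Each row: posting date, merchant text, kind, amount in dollars.
#   kind "purchase": a charge; "credit": money posted to the account;
#   kind "cash": a cash advance / withdrawal from the account.
STATEMENT = [
    (date(2017, 1, 5),  "STREAMING CO", "purchase",  9.99),
    (date(2017, 1, 12), "GROCER MART",  "purchase", 82.40),
    (date(2017, 2, 5),  "STREAMING CO", "purchase",  9.99),
    (date(2017, 2, 14), "GROCER MART",  "purchase", 77.15),
    (date(2017, 3, 5),  "STREAMING CO", "purchase",  9.99),
    (date(2017, 3, 5),  "STREAMING CO", "purchase",  1.49),  # extra small charge, familiar merchant
    (date(2017, 3, 9),  "MISC CREDIT",  "credit",   40.00),  # money lands on the card...
    (date(2017, 3, 11), "ATM CASH ADV", "cash",     40.00),  # ...and is cashed out two days later
]

SMALL_CHARGE_LIMIT = 5.00            # assumption: a "minute" charge is at most this much
REGULAR_MERCHANT_MIN = 2             # assumption: 2+ prior charges make a merchant "regular"
CASHOUT_WINDOW = timedelta(days=7)   # assumption: credit then cash-out within a week is odd


def find_odd_small_charges(statement, limit=SMALL_CHARGE_LIMIT, min_prior=REGULAR_MERCHANT_MIN):
    """Flag small purchases at merchants you use regularly whose amount matches
    nothing previously charged by that merchant. Returns (date, merchant, amount)."""
    history = defaultdict(list)          # merchant -> amounts seen so far, in date order
    flagged = []
    for when, merchant, kind, amount in sorted(statement):
        if kind != "purchase":
            continue
        prior = history[merchant]
        regular = len(prior) >= min_prior
        unfamiliar = not any(abs(amount - a) < 0.01 for a in prior)
        if regular and amount <= limit and unfamiliar:
            flagged.append((when, merchant, amount))
        prior.append(amount)
    return flagged


def find_credit_then_cashout(statement, window=CASHOUT_WINDOW, tolerance=0.50):
    """Flag a credit to the account followed within `window` by a cash withdrawal
    of (nearly) the same amount. Returns pairs of (credit_row, cash_row)."""
    credits = [(d, m, a) for d, m, k, a in statement if k == "credit"]
    cashouts = [(d, m, a) for d, m, k, a in statement if k == "cash"]
    pairs = []
    for cd, cm, ca in credits:
        for wd, wm, wa in cashouts:
            if cd <= wd <= cd + window and abs(ca - wa) <= tolerance:
                pairs.append(((cd, cm, ca), (wd, wm, wa)))
    return pairs


if __name__ == "__main__":
    for when, merchant, amount in find_odd_small_charges(STATEMENT):
        print("unfamiliar small charge: %s %-14s %6.2f" % (when, merchant, amount))
    for (cd, cm, ca), (wd, wm, wa) in find_credit_then_cashout(STATEMENT):
        print("credit %s %s %.2f cashed out %s via %s %.2f" % (cd, cm, ca, wd, wm, wa))
```

Both checks are deliberately conservative: a merchant must have charged you at least twice before a stray small amount counts, and a cash-out only pairs with a credit if it lands inside the window at close to the same value. Loosen those only after reviewing the false positives on your own history.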

My biggest hit is a sound file of an employee admitting to me that she was lying about her name because this is apparently their policy. That call was one of many made to none other than Equifax. It is unlikely that this is in fact Equifax corporate protocol. Do employees attempt to hide their identities from company watchdogs by using invented names and employee numbers? Another supposed employee of the Canada Revenue Agency gave me her ID number as 00001… I should have gone to play the lottery that very moment! Seemingly, I was talking to the very first CRA employee on record, and her name was Priya. What are the odds? Really?

Take my advice if you will: when you receive a statement, letter or new card from a financial institution, retirement fund, investment firm, union, revenue agency or anything else containing sensitive information, keep the envelope (it carries important information 99% of the time) and go through every piece of information on the sheet of paper you are holding. Even if you see a seemingly insignificant variation in your correspondence, for example a document that suddenly reads "I" where it should read "we", consider that document suspicious. These documents are usually generated by computers, and well-designed software doesn't make mistakes of that kind.

As a tribute to Johnny, and to all the others like my good friend in this world, I will create a page, updatable by the public, listing fraudulent post office boxes and addresses along with the companies they have pretended to be over time. An additional page will catalogue habitual phishing callers and the companies they apparently "represent." Another page will list web sites known to attempt to steal your information (IP address, bookmarks, etc.) or lead you to divulge private data. Be aware of the friendly social engineer phishing for information. Educate yourself on what information you are legally obliged to provide to each corporation or government agency, and give them no more and no less than the law of each country and territory permits. Make sure you are in fact talking to the right company and not a scammer. Even if you are the one making the call, scrutinize the other side with questions before you start supplying answers, and record the conversation for later reference.
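The envelope check recommended above, and the cautionary address list this page promises, both reduce to one question: has this return address been seen before, and on whose mail? The block below is an added example, not the page's own tooling. It normalizes printed return addresses so that "P.O. Box", "PO BOX", split postal codes and "Station" versus "STN" all collapse to one key, then reports any address that appears on mail from more than one institution (the exact situation in the Johnny story), any return address that is a post office box rather than premises, and any address found in a user-maintained cautionary list. All addresses, institution names and the cautionary entry are constructed for the exercise and are not real.

```python
import re
from collections import defaultdict


def normalize_address(addr: str) -> str:
    """Canonicalize a printed return address so that cosmetic differences
    (case, punctuation, 'P.O.' vs 'PO', split postal codes, 'Station' vs 'STN')
    do not hide the fact that two envelopes came from the same place."""
    s = addr.upper()
    s = re.sub(r"\bP\.?\s*O\.?\s*BOX\b", "PO BOX", s)            # P.O. Box / P O Box / POBox
    s = re.sub(r"[^\w\s]", " ", s)                                # drop punctuation
    s = re.sub(r"\s+", " ", s).strip()                            # collapse whitespace
    s = re.sub(r"\b([A-Z]\d[A-Z]) ?(\d[A-Z]\d)\b", r"\1\2", s)    # 'A1A 1A1' -> 'A1A1A1'
    s = re.sub(r"\bSTATION\b", "STN", s)
    return s


PO_BOX_RE = re.compile(r"\b(?:PO BOX|POST OFFICE BOX)\s*\d+")


def is_po_box(addr: str) -> bool:
    """True when the address is a post office box rather than street premises."""
    return PO_BOX_RE.search(normalize_address(addr)) is not None


def analyze_mailings(mailings, cautionary=()):
    """Group (institution, return address) pairs by normalized address and report
    the addresses worth a closer look. Returns a list of
    (normalized_address, reasons, sorted institution names)."""
    cautionary_norm = {normalize_address(a) for a in cautionary}
    by_addr = defaultdict(set)
    for institution, addr in mailings:
        by_addr[normalize_address(addr)].add(institution)

    findings = []
    for addr, institutions in sorted(by_addr.items()):
        reasons = []
        if len(institutions) > 1:
            reasons.append("used by %d different institutions: %s"
                           % (len(institutions), ", ".join(sorted(institutions))))
        if is_po_box(addr):
            reasons.append("return address is a post office box, not premises")
        if addr in cautionary_norm:
            reasons.append("address is on the cautionary list")
        if reasons:
            findings.append((addr, reasons, sorted(institutions)))
    return findings


# Constructed sample data for the exercise; none of these addresses or names are real.
SAMPLE_MAILINGS = [
    ("Bank A",         "P.O. Box 1234, Station Main, Anytown ON A1A 1A1"),
    ("Bank A",         "PO BOX 1234 STN MAIN, ANYTOWN, ON  A1A1A1"),
    ("Bank B",         "po box 1234 station main anytown on a1a 1a1"),
    ("Credit Union C", "200 Example Street, Suite 400, Anytown ON A1A 2B2"),
    ("Insurer D",      "PO Box 9999, Anytown ON Z9Z 9Z9"),
]

# The reader's own "Cautionary Items" folder (constructed entry).
CAUTIONARY_ADDRESSES = ["P.O. Box 9999, Anytown, ON Z9Z 9Z9"]


if __name__ == "__main__":
    for addr, reasons, institutions in analyze_mailings(SAMPLE_MAILINGS, CAUTIONARY_ADDRESSES):
        print(addr)
        for reason in reasons:
            print("  -", reason)
```

A post office box on its own is only a weak signal, since the page itself notes that many institutions now use them; the strong signal is the same box appearing on mail from two unrelated institutions, which is why that reason is listed first. Keep the cautionary list as plain text and feed it through the same normalizer, otherwise a trailing comma or a spaced postal code will cause a miss.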

 
