Saturday, February 07, 2026

Know Me? Know You!

Not a day goes by that I don't have a suspect phishing email in my inbox. While most get snagged by the built-in filters and wind up in the Junk folder, invariably one or two make their way through. Usually it's because sometime in the past I had interaction with a site or service, but gave up on them long ago. Subsequently they were hacked, their client info hit the dark web, and my identity fell into the hands of a scam center in Cambodia.

The approach from them is usually in the form of a ham-handed strong arm. It might threaten to delete all my photos if I don't contact them to update my account. Or freeze my credit card if I don't confirm my phone number. Maybe cancel my auto insurance if I won't verify my bank information. The tells that these are bogus are numerous: weird fonts, misspellings and old email addresses are the most obvious. That, plus the fact that the return email from PicturePerfect.com is bradxx720467@rus.ex. Not suspicious at all. They all get deleted without a second thought.

Experts tell us that that level of suspicion and caution is good, the correct way to view any email that we have concerns about. But it raises the question: if we view everything as a potential fake, how do we know if it's real? That was the issue I encountered when I got an email from my bank.

Or was it? It had a real-looking header and logo, along with a reference to the last four digits of one account. It said that they needed to talk with me to clear up some information, and provided a long reference code that started with "KYC," as well as a phone number. I had two weeks to call, or else they'd have to restrict my account. Couldn't sound more scammy if it tried, so I deleted it without a second thought.

A week later a strange number popped up on my phone and I let it go to voicemail. The message in a foreign-sounding voice reiterated the same request and provided the same information. Hmmmmm. A single scammer by email or phone is hardly unusual, but twice with the same info? Might it be real? Some online research was hardly conclusive, with half the people saying it was a scam, half saying it was legit. Even our vaunted AI helpers said the same: "It is highly recommended that you treat this as a potential phishing attempt, even if the number appears to be from your bank. Scammers can make their caller ID show any number, including official bank lines, and a 'KYC update' is a common pretext for scammers to ask for sensitive data."

Still. I decided to check by calling not the number provided, but the one on the back of my ATM card. The person on the other end asked how he could help. I told him I had no idea, they had reached out to me. He said he would check, but needed to verify my info. But now we had a sort of "Mexican standoff." Even though I was the one who had called, I was leery of giving him anything, and he couldn't help me until I did. I told him that they had my email, my phone and the last four digits of the account in question, so work with that. He suggested he text me a code, and if I read that back he could verify me. That worked, and so we were "in."

There was nothing flagged on my account, and so he transferred me to another department for more help. That associate also saw nothing. But when I read out the reference code, she jumped in: "You said KYC, correct?" Turns out that means "Know Your Customer," a regulatory framework whereby financial institutions need to verify account info to guard against money laundering and the like. Eventually I got to those folks, who reviewed my info, found no major issues, and bid me good day.

It all begs the question: how do we know anybody? What proof is there that we are we, and they are them? In 1993 The New Yorker published Peter Steiner's famous cartoon with the caption "On the Internet, nobody knows you're a dog." Turns out that these days it's not so easy to know if you're a bank either.

-END-

Marc Wollin of Bedford tries to keep his info safe. His column appears weekly via email and online on Substack and Blogspot as well as Facebook, LinkedIn and X.

