security

fraud-attempt-using-equifax-data-breach-personal-information-and-masquerading-as-santander

Fraud Attempt Using Equifax Data Breach Personal Information and Masquerading as Santander

Fraud Attempt Using Equifax Data Breach Personal Information and Masquerading as Santander 1400 950 Jason Stadtlander

I have never seen such a well-engineered fraud attempt, so I thought that I absolutely must share it with my readers for your own protection. I will also note that it was something that I began to actually fall for, but then started to see red flags. I will note the red flags I saw in red and I’ll note the red flags that I should have seen but did not, in orange. I want to extend my deepest gratitude to Santander and the customer service representative that helped me identify this fraudulent attempt.

I was ending my day at work this afternoon when my cell phone rang with a toll-free number (877) 768-2265. I didn’t immediately recognize the number, so I figured I’d let it go to voicemail and if it’s legit, they’d leave a voicemail. Well, no voicemail. Then I got another call, and another, and another. Seven calls later I finally pick up the phone, “Hello?”

“Hello, this is Daniel Morgan from Santander’s fraud prevention department, is this Mr. Stadtlander?” the man asks.
“It is,” I reply.
“Is your home address ***************, Massachusetts?”
“It is.”
“Do you have a debit card ending in ****?”
“Yes, it’s right here in my pocket.”
“We are showing two charges at a Walmart in Atlanta, Georgia for $280.87. Are you currently in Atlanta sir?”
“No, I’m in Boston.”
“This was registered as an alert in our system and we wanted to reach out to you to resolve this. Do you have a few minutes?” the man says.
“Yes of course,” I reply.
“We would like to close this card and send you out a new one. Let me just confirm that there are no other charges appearing other than these two. One moment.”
He did not bother to verify any transactions with me. This did not occur to me until later.
There is silence as he ‘checks his computer’.
A moment later he comes back, “Yes. It looks like those are the only attempts. We will need to send out you out a new card just to be safe. Can you verify your mailing address as **************?”
“Yes, that’s correct.”
“And the best number to reach you is ***************?” he asked stating my cell phone number.
Yes, that is correct.” I reply.
“And your debit card ends in **** with an expiration of ** of ****?”
“That’s correct.”
“Ok, we will send out a new card via Fed-ex and you should have it by tomorrow. Let me just check with my supervisor that we can waive the $15.00 charge for overnighting it.”

Despite my irritation that someone must have been using my card, my eyebrow raises, why would they charge me to overnight a card if I’m their customer? But, I go along with it. In the meantime, I put him on speaker and google the phone number, which sure enough comes back as Santander’s customer service number. I am aware that it is not hard to spoof (fake) a caller ID number, I’ve demonstrated how to do it myself. But at this point, I’m not on full alert yet.

A moment later he comes back on and says, “Ok, no problem. We can have this to you by tomorrow morning. We want to reset the PIN as we aren’t allowed to use the default pin. What is your current PIN so we can reset it?

WHAT?! Why on EARTH would they need my PIN? I think to myself. Now my ‘bullshit’ antennas are quivering like there’s a thunderstorm coming.

“I’m sorry, I’m not comfortable providing that over the phone,” I reply.
“I can understand your concerns sir, I assure you that this is just to protect your own confidentiality and ensure that we expedite your card back to you as soon as possible.” he begins calmly. “If it helps, I can verify additional personal information.”
“Ok, thank you,” I say. (At this point not believing a word that’s coming out of his mouth.)
“Can I verify that your date of birth is __________ and your social security number is _________?” repeating back to me my true date of birth and my full social security number. My jaw drops open and my mind is reeling.
“Yes, that’s correct,” I begin, “My PIN is _____.” I stated, giving him a fake PIN, then I say “can you hold for just one second, I have an emergency call coming in on the other line from my child’s doctor. One second.”
“Certainly sir, I’ll hold and see if I can get this input while I wait,” he states and I press the mute button.

I get on my work line and dial the same number that called me (which is also on Santander’s website) and after a series of verification prompts a woman picks up. “Hello, this is Beth (name changed to protect her identity) from Santander, how can I help you.”

I take a moment to explain the whole situation to her and I can sense her jaw also dropping open. “What?! We would never ask you for your PIN and we would never give out your social security number.” At this point, the man is asking if I’m still there and I ask her to stay on the line and listen in to the speaker call on my cell phone which she graciously agrees to.
“Hello, I’m sorry – are you still there?” I ask the man.
“Yes. Not a problem Mr. Stadtlander. I entered your PIN into our system and it says that the PIN is incorrect, is there a chance you gave me the wrong PIN?”
“No, it was definitely the correct PIN.”
Then Beth says to me in the other ear, “Ask him for his name and employee ID.”
“I’m sorry, I didn’t catch your name, what is your name and employee ID? I’m just taking notes here and want to make sure I get everything.”
“Certainly sir,” he begins, “My name is Daniel Morgan and my employee ID is 45321409.”

In my other ear, Beth states “Nope. Our employee IDs do not use that format. This is completely made up. Ask him to speak to his supervisor.”

“I’m sorry, Daniel, can I speak to your supervisor?” I ask.
“Certainly sir, one moment.”
There is a pause of about a minute and then another male voice comes on the phone, “Hello, this Roger with Santander. I understand my colleague attempting to help you by getting a replacement card out to you? How can I help?”
“I’m sorry, what was your name?” I ask.
“Roger Smear.”
“Thank you, Roger. I’m sorry can you hold one second, I have an emergency call I am still trying to deal with, just give me two seconds.”
“Absolutely Mr. Stadtlander.”

Beth and I are both in shock at the level of detail on this and she recommends that I let him know that I have Santander Fraud Prevention on the other line and see what he does.

“Hello, Roger are you still there.”
“I am, do you have that PIN so that we can help get your card reset?” he asks.
“Actually, I just have a question. I have Santander’s Fraud Prevention and the local police tied in on the other line and they feel that things aren’t adding up. Do you mind if I patch you in?”
One second later he hangs up.

Now, I thanked Beth graciously and she did some further investigating while I had her on the phone and she was able to determine that there were two attempts to check my account balance using my debit card in Las Vegas a few minutes prior. But it registered as an invalid PIN and did not work. We talked for a bit and she also told me that she had recorded the entire conversation which I was happy for. She then helps me to cancel my card and send out a new one.

I am still floored at the level of detail and social engineering that went into this. As best I can figure, they got my debit card number and expiration (most likely from a card scanner in an ATM – it’s easy to do) and then matched up my relatively unique name to my information in the Equifax Data Breach (to which I am also one of the millions of victims).

Please, I cannot state this enough – be very aware anytime anyone is asking anything from you. Get validation and if there are any doubts, call your bank on the other line and confirm the validity. I would hate to guess how many people fall for this scam.

Women and Men, How Safe Are You? (In Your Daily Life) – 10 Tips to Protect Yourself

Women and Men, How Safe Are You? (In Your Daily Life) – 10 Tips to Protect Yourself 720 480 Jason Stadtlander

As I delve more and more into protecting personal information, protecting networks and helping with physical security – I tend to find myself thinking a lot about the security of the average person on the street. I walk down the street, mentally assessing each person’s vulnerability. Yeah, I know… it sounds a little creepy, but it’s amazing how many people are unaware of their surroundings.

So I want to take a moment and give you a few pointers on what I would term “S.A.R.E.”: Self Awareness at Recognizing Enemies.

It’s not about seeing everyone around you as an enemy. It’s about recognizing what your vulnerabilities are to an attack anytime you are in the public. I am shocked at how many people walk through the city, not paying attention to what is going on around them. Staring at their phones or simply not being aware of their surroundings.

I could make this list 20-30 items long, but these are what I would say are the most critical. And trust me men, this applies to you as much as to women.

How Safe Are You (In Your Daily Life) - 10 Tips to Protect YourselfTen Tips to Protect Yourself:

  1. Don’t be predictable. Be sure to alternate routes that you take when walking. Change up your schedule a little (even 5 minutes plus or minus can make a difference)
  2. Don’t stare at your phone while walking or being on the street. Glancing at your phone is fine, especially when following directions. Being fixated on your screen can cause you to trip, or more importantly be a target for an attack. Do not try and catch up on facebook or Instagram as you stand on the platform waiting for your train. You can catch up on that when you get on the train. Train platforms and bus stops are ideal locations for attackers and thieves.
  3. Don’t look down at your feet. Keep your eyes ahead of you. Looking down at the ground is a natural psychological trait. It enables us to not have to make eye contact with those around us (which in a city can be a LOT of people) and it allows us to be focused on our own little microcosm. But it’s very dangerous, especially when mixed with tip 3. If you’re looking down, you won’t see someone coming if you are their target and you also won’t be able to identify someone or a car if there is an incident that you ‘witness’. Look around at people constantly. You don’t need to make eye contact, but you need to be able to identify people if something happens.
  4. Be careful when wearing headphones while walking. Keep the volume low. If you can’t hear someone coming up behind you, then you can’t protect yourself, your purse or your backpack. If I were targeting someone for theft, I would absolutely look for someone with headphones on and looking down.
  5. Watch people watching you. It’s critical on the street, in the gym, even in the locker room to be aware of those around you. Try and mentally assess their motives, how much they are observing you, what kind of vibe do you get from each person. Trust your gut.
  6. Look around and be aware of the cameras that are watching you. This isn’t just seeing security cameras to ensure that you walk in areas that will see you if something happens. It’s also about making sure that you are not being videoed or photographed by someone with a phone without your permission.
  7. Watch out for tailgaters. A tailgater is someone that acts like they have access to the same building/gate that you have access to and following you in. If you don’t recognize someone and they are following you into a secure area, question them. (“Can I help you?”)
  8. Password protect your phone and don’t leave your phone at your workspace. Today’s phones are not cheap (as we all know). They are prime targets for would-be thieves.
  9. Keep your backpack/purse secured on yourself. Holding the strap of your backpack or your purse will ensure that even if someone ran by and grabbed your bag, they will have to handle the fact that you are already holding onto it.
  10. Be aware of your electronic presence. Google yourself regularly. See what shows up. Be aware of the photos you post. Don’t ever “check-in” when away from home, it’s a blazing announcement that it’s ok to go rob your home. Never post photos when on vacation on the same day you take them.
Back to top