Recently, I received a rather unusual call that claimed to be from National Australia Bank (NAB), one of the four largest banks in Australia. The caller had my complete name and my address. They claimed that they had flagged a suspicious transaction from my account to an Alex Smith in New Zealand to the tune of 700 Australian dollars. They needed my NAB number to confirm if the transaction was legitimate.
There was just one problem with this seemingly plausible call: I wasn’t an NAB customer. I offered to call them back – and when I did so, they simply hung up on me.
These sorts of calls are not the only threats that arrive via phone – for example, fake “support” calls that are supposedly from Microsoft that offer to remove malware from user PCs are sadly commonplace. To most users who simply go about their daily lives, these calls can sound quite convincing and can cause a lot of problems.
However, this is something of a teachable moment when it comes to these attacks. We tend to think of different security problems as unrelated, but more often than not they can be related. For example, whoever was behind this scam knew enough to match my name to my address and my phone number. While I didn’t have an NAB credit card now, I did have one several years ago.
How did they get that all that information? We don’t know. However, it’s very possible that somebody somewhere had a data breach. They may not have known about it, or they may have decided that since the information “wasn’t critical” – say, they didn’t have my credit card or banking credentials – that it was harmless. However, now you can see how seemingly “harmless” information can be used to carry out real fraud.
Since last year, we’ve been pointing out the huge gains in banking malware. Just as support scams can be thought of as a “real-world” equivalent to ransomware and fake antivirus, so can these sort of phishing calls be the equivalent of these banking malware threats.
These threats should serve as a wake-up call that good security is the responsibility of everyone – consumers should try to learn how not to be fooled by these scams, and enterprises should take their own security seriously - particularly when it comes to user data.