Why phishing works

Two of my credit cards were affected by one of the data breaches this year. I’m sure many of you had the same problem at some point within the past months. What caught my attention is how banks react when something actually happens.

Now, we have all been taught to not click random e-mails that supposedly are from our banks asking to verify our account details for security reasons. Even with things that seem harmless and legitimate, you will still find me looking at e-mail headers and the HTML source behind the links.

But when it comes to suspected fraud, Bank of America seems to throw all of the cautioning overboard.

This is what happened in my case: At 9.06am I received a text message from “354-22” saying “FREE TEXT: Bank of America has temporarily restricted the use of debit card ending in 0777. Call 1.877.248.6278 to verify. To opt out of text alerts reply STOP”.

At first glance, I had no idea if 354-22 has anything to do with Bank of America. My debit card at the time did end in 0777, but the phone number I’m asked to call to verify neither matches the ones on the back of my card nor seems to appear anywhere on bankofamerica.com.

Five minutes later, my cell phone rings. 315-724-4022 from Utica, NY. Someone introduces herself as part of Bank of America’s fraud protection team and asks me to confirm whether I am Stefan Wild of archivedi, LLC. She then goes on to tell me they have noticed suspicious activity on my debit card and asks me to give her some details to identify myself to her. Details just like the ones that their machine asks when you call one of their service numbers.

Let that sink in for a second.

Only the Utica number matches the one on the back of the card for calls from outside the US. The other two phone numbers are practically not verifiable. To be fair, they got all my information right. But apart from the last four digits of my card number, that information is basically public. And asking them to provide some information to prove they are not scammers basically got the call stuck.

Now, you could think Bank of America is just one bank that handled this one incident poorly. But they did it the same way when they suspected another fraud case. And the call I got about my German PayPal account was no less fishy: Luxembourg number, a friendly woman asking me to confirm my name and the e-mail address I’m registered with at PayPal and then some more information that I wasn’t willing to give, which of course got the call stuck.

This makes me wonder why businesses – especially financial institutions – don’t establish a trusted communication channel and then always stick to it. Instead, none of the banks I do business with even offer end-to-end encrypted e-mail.

It’s time that we come up with communication solutions that we can trust.

This post was originally published on svbtle.com