Jazz Solutions, Inc. (JSL)  


Scarier than Halloween: My Brush with Identity Theft

By Avery Moore 

There is at least one more thing scarier than Halloween: identity theft. That’s the fear that swept through me last month when I received a text message purportedly coming from “SimpleVerify” regarding my “application”. Saying that it was fear is somewhat of an understatement. I was almost in a panic. Thus far, I’ve been able to avoid having my identity stolen. So, seeing a text message that indicated there was an account in my name with an indication of “previous actions” caused my stomach to drop. My credit is pretty good. I thought to myself, “I didn’t open this account! Wait! Who did???” I texted my wife to let her know what was going on. She provided assurances that she didn’t open a loan account either.

Screenshot of text images I received

What was going on?

Knowing that there was a strong possibility this was an SMS phishing attempt (also known as “smishing”), I proceeded cautiously and used a sandbox tool to explore the link. In many cases, these types of social engineering attacks seek to steal information rather than propagate malicious code, but one can’t be too safe.

After navigating to the link, I saw what appeared to be some sort of login page with a field that was already filled in with my actual phone number. In the URL (redacted in the screenshot), it showed my phone number and my wife’s email address.

Screenshot of malicious “SimpleVerify” page

Seeing our actual information on this page increased my feeling of panic. Even though I was 95% sure this was social engineering, I still felt the need to take proactive action. I immediately logged into the major credit bureau sites using known good links. I checked all my credit reports. To my relief, I did not see any activity that looked suspicious and didn’t see any accounts I didn’t open myself. While I was there, I put fraud alerts on my credit report, which, admittedly, I should have had in place before my panic.

With my credit intact and assurance that I dodged identity theft for another day, I was feeling a little bit better about things. The malicious page requested the last 4 digits of my SSN, which I did not provide. The attack appeared to be a relatively sophisticated smishing attempt designed to trick me into voluntarily disclosing highly sensitive personal information through a deceptive verification service impersonation. Not having taken the bait, I felt somewhat relieved.

But what continued to nag at me was the fact that my phone number and wife’s email address were contained on the landing page. This caused an emotional reaction that I simply did not expect. Though I’ve had years of analyzing phishing emails and sneaky SMS messages, it hits a little differently when you see your own personal information in one. More about that in a moment.

This attack gave me the opportunity to follow my own advice to: 1) Stop; 2) Think; 3) Verify. That first step to “Stop” may be the most important. Taking actions quickly without thinking is precisely what the attacker wants you to do. The less you think, the more likely you are to ignore sound advice, not follow procedures, or completely violate policies. Stopping and thinking about what’s happening gives you a moment to digest what’s going on, bounce it against what you know to be right, seek counsel, and ultimately avoid making a terrible decision. The verification step ensures that you reach out to the person or organization you think is communicating with you, if possible. For things like bank account phishing or smishing, this simply means navigating to your bank’s website using a known good URL you have previously bookmarked or have saved in your password manager. You can also use known good phone numbers to call the person or organization to verify what is happening. I use the phrase “known good” because one thing you should never do is use contact information that was provided by the suspicious email or sender. Attackers often provide “help” numbers or links that lead to their own malicious call centers or web sites.

Following these three steps can prevent a lot of problems.

As for that personal data that appeared in the malicious web site, it’s very likely that it was part of one of the many data breaches we read about in the news just about every week. As more data breaches occur, it becomes more likely that your data will be involved and you’ll be targeted, if you haven’t been already. So, check your credit reports often. Put a fraud alert or a freeze on your credit reports. And do your best to keep a cool head.

No one is immune from falling for a phishing, smishing, or other social engineering attack, not even a CISO. Everyone has a “button” that can be pushed to generate fear and panic and cause them to make panicked decisions. But remembering to stop, think, and verify can help to keep you from having a very bad day.

