Scarier than Halloween: My Brush with Identity Theft

Seeing our actual information on this page increased my feeling of panic. Even though I was 95% sure this was social engineering, I still felt the need to take proactive action. I immediately logged into the major credit bureau sites using known good links. I checked all my credit reports. To my relief, I did not see any activity that looked suspicious and didn’t see any accounts I didn’t open myself. While I was there, I put fraud alerts on my credit report, which, admittedly, I should have had those in place before my panic.

With my credit intact and assurance that I dodged identity theft for another day, I was feeling a little bit better about things. The malicious page requested the last 4 digits of my SSN, which I did not provide. The attack appeared to be a relatively sophisticated smishing attempt designed to trick me into voluntarily disclosing highly sensitive personal information through a deceptive verification service impersonation. Not having taken the bait, I felt somewhat relieved.

But what continued to nag at me was the fact that my phone number and wife’s email address were contained on the landing page. This caused an emotional reaction that I simply did not expect. Though I’ve had years of analyzing phishing emails and sneaky SMS messages, it hits a little differently when you see your own personal information in one. More about that in a moment.

This attack gave me the opportunity to follow my own advice to: 1) Stop; 2) Think; 3) Verify. That first step to “Stop” may be the most important. Taking actions quickly without thinking is precisely what the attacker wants you to do. The less you think, the more likely you are to ignore sound advice, not follow procedures, or completely violate policies. Stopping and thinking about what’s happening gives you a moment to digest what’s going on, bounce it against what you know to be right, seek counsel, and ultimately avoid making a terrible decision. The verification step ensures that you reach out to the person or organization you think is communicating with you, if possible. For things like bank account phishing or smishing, this simply means navigating to your bank’s website using a known good URL you have previously bookmarked or have saved in your password manager. You can also use known good phone numbers to call the person or organization to verify what is happening. I use the phrase “known good” because one thing you should never do is use contact information that was provided by the suspicious email or sender. Attackers often provide “help” numbers or links that lead to their own malicious call centers or web sites.

Following these three steps can prevent a lot of problems.

As for that personal data that appeared in the malicious web site, it’s very likely that it was part of one of the many data breaches we read about in the news just about every week. As more data breaches occur, it becomes more likely that your data will be involved and you’ll be targeted, if you haven’t been already. So, check your credit reports often. Put a fraud alert or a freeze on your credit reports. And do your best to keep a cool head.

No one is immune from falling for a phishing, smishing, or other social engineering attack, not even a CISO. Everyone has a “button” that can be pushed to generate fear and panic and cause them to make panicked decisions. But remembering to stop, think, and verify can help to keep you from having a very bad day.