JSL’s security team applies a comprehensive view of IT security, integrating assessment, audit, and compliance.
There is at least one more thing scarier than Halloween: identity theft. That’s the fear that swept through me last month when I received a text message purportedly coming from “SimpleVerify” regarding my “application”. Saying that it was fear is somewhat of an understatement. I was almost in a panic. Thus far, I’ve been able to avoid having my identity stolen. So, seeing a text message that indicated there was an account in my name with an indication of “previous actions” caused my stomach to drop. My credit is pretty good. I thought to myself, “I didn’t open this account! Wait! Who did???” I texted my wife to let her know what was going on. She provided assurances that she didn’t open a loan account either.
What was going on?
Knowing that there was a strong possibility this was an SMS phishing attempt (also known as “smishing”), I proceeded cautiously and used a sandbox tool to explore the link. In many cases, these types of social engineering attacks seek to steal information rather than propagate malicious code, but one can’t be too safe.
After navigating to the link, I saw what appeared to be some sort of login page with a field that was already filled in with my actual phone number. In the URL (redacted in the screenshot), it showed my phone number and my wife’s email address.
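The pre-filled field and the personal data in the URL are the security-relevant detail here: the attacker put the victim's phone number and email into the link itself so the landing page can render a "you" that looks legitimate, and so the lure works even if the page is never fetched by a browser. The script below is an added example, not part of the original post and not a tool the author used: it triages such a link offline by parsing it (never fetching it), walking the query string and fragment, decoding any base64-looking parameter values, flagging values that look like phone numbers or email addresses, and printing only redacted forms so the findings can be shared safely. The URL, the hostname, the parameter names and the email token are all constructed for the example.

```python
"""Offline triage of a suspicious SMS link: parse it, never fetch it.

Added example (not from the original post). The sample URL below is
constructed for illustration; the host uses the reserved .invalid TLD.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Loose North American phone pattern and a minimal email pattern; both are
# deliberately permissive because smishing kits vary in formatting.
PHONE_RE = re.compile(r"^\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def maybe_b64(value):
    """Return decoded text if value is base64/base64url of printable UTF-8, else None."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", value):
        return None
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)  # kits often strip the padding
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify(value):
    """Label a parameter value as 'phone', 'email', or None."""
    if PHONE_RE.match(value):
        return "phone"
    if EMAIL_RE.match(value):
        return "email"
    return None


def redact(value, kind):
    """Mask PII so findings can be pasted into a ticket or shared with a spouse."""
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return value


def triage(url):
    """Parse a suspicious URL without fetching it and report embedded PII."""
    parts = urlsplit(url)
    # Pre-fill values usually ride in the query string; the fragment is checked
    # too, since client-side scripts can read it without it reaching server logs.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(parts.fragment, keep_blank_values=True)
    findings = []
    for key, val in pairs:
        candidates = [(val, False)]
        decoded = maybe_b64(val)
        if decoded is not None:
            candidates.append((decoded, True))
        for text, was_encoded in candidates:
            kind = classify(text)
            if kind:
                findings.append({"param": key, "kind": kind,
                                 "redacted": redact(text, kind),
                                 "encoded": was_encoded})
    return {"host": parts.hostname, "path": parts.path, "pii": findings}


# Constructed sample: a phone number in the clear and an email hidden as base64url.
SAMPLE_EMAIL_TOKEN = base64.urlsafe_b64encode(b"jane.doe@example.com").decode().rstrip("=")
SAMPLE_URL = ("https://simpleverify-example.invalid/verify"
              f"?phone=%2B15555550123&u={SAMPLE_EMAIL_TOKEN}&ref=Q2")

if __name__ == "__main__":
    report = triage(SAMPLE_URL)
    print(f"host={report['host']} path={report['path']}")
    for f in report["pii"]:
        enc = " (base64)" if f["encoded"] else ""
        print(f"  {f['param']}: {f['kind']} {f['redacted']}{enc}")
```

Running it on the constructed URL reports the host and path, then a masked phone ending in 0123 and a masked email at example.com, the second flagged as base64-encoded. Nothing in the script opens a network connection, which is the point: when the lure contains your own data, the safe first move is to read the link, not load it.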
Seeing our actual information on this page increased my feeling of panic. Even though I was 95% sure this was social engineering, I still felt the need to take proactive action. I immediately logged into the major credit bureau sites using known good links. I checked all my credit reports. To my relief, I did not see any activity that looked suspicious and didn’t see any accounts I didn’t open myself. While I was there, I put fraud alerts on my credit reports, which, admittedly, I should have had in place before my panic.
With my credit intact and assurance that I dodged identity theft for another day, I was feeling a little bit better about things. The malicious page requested the last 4 digits of my SSN, which I did not provide. The attack appeared to be a relatively sophisticated smishing attempt designed to trick me into voluntarily disclosing highly sensitive personal information through a deceptive verification service impersonation. Not having taken the bait, I felt somewhat relieved.
But what continued to nag at me was the fact that my phone number and wife’s email address were contained on the landing page. This caused an emotional reaction that I simply did not expect. Though I’ve had years of analyzing phishing emails and sneaky SMS messages, it hits a little differently when you see your own personal information in one. More about that in a moment.
This attack gave me the opportunity to follow my own advice to: 1) Stop; 2) Think; 3) Verify. That first step to “Stop” may be the most important. Taking actions quickly without thinking is precisely what the attacker wants you to do. The less you think, the more likely you are to ignore sound advice, not follow procedures, or completely violate policies. Stopping and thinking about what’s happening gives you a moment to digest what’s going on, bounce it against what you know to be right, seek counsel, and ultimately avoid making a terrible decision. The verification step ensures that you reach out to the person or organization you think is communicating with you, if possible. For things like bank account phishing or smishing, this simply means navigating to your bank’s website using a known good URL you have previously bookmarked or have saved in your password manager. You can also use known good phone numbers to call the person or organization to verify what is happening. I use the phrase “known good” because one thing you should never do is use contact information that was provided by the suspicious email or sender. Attackers often provide “help” numbers or links that lead to their own malicious call centers or web sites.
Following these three steps can prevent a lot of problems.
As for that personal data that appeared in the malicious web site, it’s very likely that it was part of one of the many data breaches we read about in the news just about every week. As more data breaches occur, it becomes more likely that your data will be involved and you’ll be targeted, if you haven’t been already. So, check your credit reports often. Put a fraud alert or a freeze on your credit reports. And do your best to keep a cool head.
No one is immune from falling for a phishing, smishing, or other social engineering attack, not even a CISO. Everyone has a “button” that can be pushed to generate fear and panic and cause them to make panicked decisions. But remembering to stop, think, and verify can help to keep you from having a very bad day.