Cadre Blog


New Scam Alert + Easy to Share Information for Employees

Posted by Tim O'Connor on Nov 1, 2022 1:09:04 PM

For Security Awareness to be effective, it has to be a continuous effort based on current threats. With our work and personal lives so intertwined, even seemingly simple actions like selling that exercise bike turned clothing rack on Facebook Marketplace can create business risk.

We believe that everyone should always be concerned with new doors that lead to breaches of sensitive information – but it can be hard to know ALL of the doors. That’s why educating people on the dangers of giving away personal information is always worthwhile and offers opportunities to practice awareness.

To make it easy to share current dangers, we’ve written out a scam we believe to be newsworthy below:

New Scam Details

If you are planning on placing an ad on Facebook Marketplace, Craigslist or any other classifieds site please take note. There is a new scam that is not obvious at first.

The scam progresses like this:

1. You place your ad.
2. You get a response, with the person asking if they can speak to you in person, possibly with an excuse for why they don’t want to use email/messaging.
3. You give them your phone number.
4. They say that they want to make sure YOU are not a scammer, so they will text you a number and if you text them back with that number then they will call you.
5. A number shows up as a text message on your phone.
6. You text back and give that number to the scammer.

At this point the primary exploitation of your helpfulness is complete. However, they may try to take it even further and ask if you have another phone, because the one you used “did not work”.

So What Happened?

This con artist routine is designed to compromise security systems known as MFA (Multi-Factor Authentication).

In most cases, you are not the intended victim, but rather an innocent bystander. The evil hacker has used your phone number and response to get into an account such as your Google Voice account. They will then add their phone to your Google Voice account so they can APPEAR to be you when they make phone calls to hack or con other people or systems.

Text-based MFA systems attempt to validate identity by assuming the person in possession of a device such as a phone or security token* is the legitimate owner of an account. When you gave the verification number to the hacker, he or she passed it on to the account verification system and so appeared to be in possession of your phone.

In most cases this is just part one of an attack. The next part of the attack involves the hacker pretending to be you and using your account to hide their actual identity and location. This is called “spoofing”. While the evil hacker might try to go after your accounts, most likely they will just use your account to attack someone else because their identity will be better hidden from the victim, firewalls, anti-hacking software and law enforcement this way.

What can you do?

1. Report them. Use the Facebook or Craigslist fraud reporting tools to report the account used to contact you.
2. Take screenshots of your phone’s screen showing the text messages and the “buyer’s” account name. Keep these as evidence in case you need to prove your account was hacked.
3. Share this information with others such as your family and friends or anyone you know that might place classified ads online.
4. If you have a Google Voice account, log into your account and do this:
   a. Once logged into Google Voice, go to settings (gear icon, top right).
   b. Choose Verify Number.
   c. You will get a new text message on your phone. Plug this number into your account.
   d. Look through your account and ensure all associated numbers and information are correct and belong to you.

If this scam happened to you and you do not have a Google Voice account, use your computer or tablet (not your phone) to check your most important accounts, such as your bank accounts, for any altered information. If this happened on your work phone, or you use your phone to access work information, let your Information Security or Information Technology team know ASAP.

*A security token is typically a key-fob sized device with a small LED screen. It is used in many organizations for MFA. RSA is a popular producer of these devices.

Need more help proactively protecting your staff and your organization from this and other scams? Get more information on Cadre Trusted Advisor. Your Cadre Trusted Advisor can help you make preparations to avoid and mitigate damages from social engineering and many other kinds of attacks.
