<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; phish</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/phish/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Has PayPal lost its collective mind?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/#comments</comments>
		<pubDate>Tue, 21 Aug 2012 14:21:42 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[checking account]]></category>
		<category><![CDATA[checks]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=964</guid>
		<description><![CDATA[I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just [...]]]></description>
				<content:encoded><![CDATA[<p>I&#8217;m not much of a shopper.  I decide what it is I need/want to buy, assess the marketplace to determine quality and price and once I have a generally strong sense for both make a decision and move forward.  My wife on the other hand loves the constant trolling, scouring and scouting of just about any market and any product therein to find bargains, deals and steals.  So for her eBay has been among the happiest distractions ever.  She&#8217;s a bit of a night owl and after spending the first few decades of life being handcuffed by traditional store hours has found both eBay and the Internet to be the great equalizer.  And it&#8217;s difficult to think of eBay without also thinking of its most important business partner PayPal, an online payment processor that has for all intents and purposes revolutionized the way we spend our money.</p>
<p>Our family has had a PayPal account almost since PayPal has offered them.  It&#8217;s remarkably convenient, it provides us great flexibility to shop online using a single payment source and I love that we&#8217;ve been able to change funding sources several times over the years.  It&#8217;s always conveyed a certain sense of security; I&#8217;ve just always felt safe using PayPal.  I&#8217;ve even gone so far as to suggest that at some point, if PayPal management grows things just right I could see a future state where paper currency and maybe even actual physical credit cards go away and are replaced by some version of their services.  When I discovered this past year that Home Depot already allows you to use PayPal to make in-store purchases I was convinced I was right.  Now I&#8217;m not so sure.</p>
<p>Over the past year or so I&#8217;ve been getting the occasional email ping from PayPal regarding our reaching a spending limit.  It&#8217;s a fairly high limit for most but considering that we&#8217;ve been using PayPal to make purchases going back nearly a decade maybe not as much.  But the message has been quite clear; if we didn&#8217;t verify our account before reaching this limit it would be &#8220;the maximum amount of money you can send or use for purchases before you need to become Verified&#8221;.   So how you become verified is quite simple &#8211; either give up your bank account information or apply for a privately owned credit card.  No, seriously, those are the only two options.</p>
<p>My first thought was that although I liked having the protective layer of a credit card product buffering my PayPal account from my actual money I was okay with providing bank account information.  It&#8217;s not like I don&#8217;t use that in other places to make payments and so there wouldn&#8217;t be any enhanced risk by doing so again.  I wasn&#8217;t going to apply for a PayPal-based credit card because I don&#8217;t want one or need one and I wasn&#8217;t looking for a new credit source anyway, I just wanted to continue using PayPal.  I clicked on the option to provide my bank account information and after the initial screen where they ask for the routing and account details and clicking on &#8220;Submit&#8221; I was presented with a screen that I still can&#8217;t believe exists.  Right there before my eyes was a screen from PayPal in which they ask me to provide my online banking user-id and password so they can verify a series of PayPal generated payments thus confirming my banking details.  Let me repeat that one more time; PayPal asked me to provide them with my online banking user-id and password.</p>
<p>Has PayPal lost its collective mind?  Seriously, have they?</p>
<p>I was stunned, almost to the point where I couldn&#8217;t get coherent words to flow.  I immediately fired off an email to PayPal customer support asking them how they could do something so outrageous.  Within minutes I received an automatically generated reply, which I always find insulting, as though I&#8217;m not worth an actual intelligent and personal response.  It was a complete regurgitation of everything stated on their website and completely ignored the gist of my email.  I fired off a second email missive, this time way more specific.  Here&#8217;s what I wrote:</p>
<p><em>&#8220;How can you ask customers for their user-id and password for their online banking?  Surely this must be either a scam run by hackers and not a legitimate request by your company or a misunderstanding on my part.&#8221;</em></p>
<p>That was more than a week ago; they haven&#8217;t responded.</p>
<p>Let me just go right out there on that limb and state unequivocally that there is never any reason whatsoever to share something as sensitive as your online banking user-id and password with anyone, ever!  PayPal needs to immediately revisit their business model and eliminate such an egregious requirement.  Seriously, what&#8217;s the point of doing what it is that I and my fellow practitioners do to make sure that PII and NPPI are being properly protected by financial institutions when one of the largest payment processors in the world is collecting the most sensitive of information?  They don&#8217;t need it, you shouldn&#8217;t be required to provide it and they should be forced to stop asking for it!  Shouldn&#8217;t this sort of thing be regulated by somebody?  Anybody?</p>
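<p>The verification the author evidently expected is the ordinary micro-deposit check: the processor sends one or two small, randomly sized deposits to the account the customer named, and the customer proves control of that account by reading the amounts back from a bank statement. Nothing in that exchange needs an online-banking user-id or password. The sketch below is an added example written for this page, not PayPal&#8217;s or any bank&#8217;s code; the deposit range, the three-attempt lockout and the <code>MicroDepositVerifier</code> class are assumptions made for illustration, and the payment rail is simulated by simply returning the chosen amounts to the caller.</p>

```python
"""Micro-deposit verification: prove control of a bank account without
ever touching the customer's online-banking credentials.
Added example for this page; a simplified model, not PayPal's or any
bank's real flow (assumption)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3              # assumption: lock after three wrong guesses
CENTS_MIN, CENTS_MAX = 1, 99  # assumption: deposits of $0.01 to $0.99


@dataclass
class PendingVerification:
    account_ref: str       # opaque handle; the full account number lives elsewhere
    amounts_digest: bytes  # keyed digest of the two amounts, never the amounts
    attempts_left: int = MAX_ATTEMPTS
    verified: bool = False


class MicroDepositVerifier:
    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending: dict[str, PendingVerification] = {}

    def _digest(self, account_ref: str, amounts: tuple[int, int]) -> bytes:
        # Sort so the customer may report the two deposits in either order.
        lo, hi = sorted(amounts)
        msg = f"{account_ref}:{lo}:{hi}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start(self, account_ref: str) -> tuple[int, int]:
        """Choose two random deposit amounts (in cents) and remember only
        their keyed digest. In a real system the amounts go to the payment
        rail that originates the deposits; here they are returned so the
        caller can simulate that rail."""
        span = CENTS_MAX - CENTS_MIN + 1
        amounts = (secrets.randbelow(span) + CENTS_MIN,
                   secrets.randbelow(span) + CENTS_MIN)
        self._pending[account_ref] = PendingVerification(
            account_ref, self._digest(account_ref, amounts))
        return amounts

    def confirm(self, account_ref: str, claimed: tuple[int, int]) -> bool:
        """The customer reports the two amounts seen on their bank statement."""
        p = self._pending.get(account_ref)
        if p is None or p.verified or p.attempts_left <= 0:
            return False
        p.attempts_left -= 1
        ok = hmac.compare_digest(p.amounts_digest,
                                 self._digest(account_ref, claimed))
        if ok:
            p.verified = True
        return ok

    def is_locked(self, account_ref: str) -> bool:
        p = self._pending.get(account_ref)
        return p is not None and not p.verified and p.attempts_left <= 0


if __name__ == "__main__":
    v = MicroDepositVerifier(secrets.token_bytes(32))
    sent = v.start("acct-ref-1")          # stands in for the payment rail
    print("customer sees on statement:", sent)
    print("confirmed:", v.confirm("acct-ref-1", sent))
```

<p>Two amounts between one and ninety-nine cents give roughly ten thousand possible answers, which is why the attempt counter is the part that matters: without it an attacker who knows only the account and routing number could guess the deposits. Storing a keyed digest rather than the amounts means a leaked table of pending verifications, without the server key, reveals nothing.</p>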
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/has-paypal-lost-its-collective-mind/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Vishing, Smishing and Phishing: No end in sight.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 19:41:18 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[red flags]]></category>
		<category><![CDATA[red flags identity theft]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[smish]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[vish]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=828</guid>
		<description><![CDATA[This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there's someone out there right now scheming to try and take it away from you.]]></description>
				<content:encoded><![CDATA[<p>This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank:  As long as you have money there&#8217;s someone out there right now scheming to try and take it away from you.</p>
<p>I&#8217;m having that kind of month right now where I&#8217;ve learned of one scheme after another to separate people I know personally from their hard-earned money.  And much to my chagrin, the schemers are enjoying some measure of success.</p>
<p>Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashier&#8217;s check drawn for $500.  She needed it because someone contacted her with an offer that was impossible to ignore or turn down.  If she paid for the modest bank fees for a large international wire transfer she could keep a small percentage as a &#8220;thank you&#8221; gift, a mere $2M (yeah, that&#8217;s two million).  The people who contacted her did so because she was recommended as a trusting resource who would be flexible and work with them.  And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it.  Fortunately she ran into a friend who happened to ask her where she was off to and when she answered honestly was more or less forcibly snapped back to reality.</p>
<p>Now to be honest with you I was stunned to learn that this scam ever works.  I&#8217;ve long advocated to friends and family that they should respond to electronic offers exactly the same way as if they had received them in the mail.  But while we throw out junk mail automatically we&#8217;ll read sometimes very cleverly worded emails because they look authentic.  But if you filter all electronic email through the same logic that has taught us to toss mass marketing materials you can cut out much of the clutter.  But what if that email finds someone who is perhaps a little lonely or a little desperate?  What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing?  I wouldn&#8217;t have thought it possible until last week but sometimes it works.  And when you think about it just a little bit more it&#8217;s the perfect scam.  Once a senior citizen falls prey to the trap and comes to realize they&#8217;ve been had many will keep it to themselves both because they&#8217;re embarrassed and as I&#8217;ve come to learn more recently, out of fear that they&#8217;ll be labeled as losing their faculties.  And while not all seniors are wealthy a sizable enough percentage have access to $500 easily enough.</p>
<p>Then this week a story was shared with me about how someone&#8217;s identity was stolen but with a twist.  They didn&#8217;t try and completely take over the identity but rather borrow it.  The man-in-the-middle attack worked as such: Person A routinely communicates with Person B via email and instant messenger because they&#8217;re on opposite sides of the world with a language barrier and about twelve hours separating them.  The electronic communications reduce the impact of the language barriers and allow them to keep in touch outside of the boundaries of a shared work day.  This has proven successful for both Person A and Person B for several years.  Recently Person B asked for special handling of a payment that while unusual within the designs of their business relationship was not otherwise out of the ordinary when dealing with others in the same country &#8211; Person A agreed to the request.  After several back-and-forth communications to arrange for the payment which spanned several days Person A sent an email asking Person B to confirm that they finally received the payment.  Person B responded by asking &#8220;what payment?&#8221;.</p>
<p>Someone had hacked into Person B&#8217;s account and was intercepting emails and instant messages and assuming that identity.  They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A.  So Person B had no idea there was something amiss and Person A saw very little outside of  normal communications.  But apparently that one time the hacker must have been off their game and not paying attention and so the two legitimate parties were made aware of the situation.  A long painful phone call ensued and some amateur detective work confirmed their suspicions.  And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.</p>
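<p>The selective filtering described above is the signature of business email compromise: the intruder keeps the victim&#8217;s mailbox working normally and suppresses only the thread that would expose the fraud. The post does not say how the attacker filtered the mail; one common way is a mailbox rule that deletes or diverts matching messages, and creating such a rule leaves an audit trail an operations team can alert on. The script below is an added example, not something from the original post or any vendor&#8217;s product. Its log lines are constructed, the JSON field names are a simplified stand-in for a real mail platform&#8217;s audit schema, and the keyword, folder and domain lists are assumptions a team would tune to its own environment.</p>

```python
"""Flag mailbox-rule and forwarding changes that look like BEC tradecraft.
Added example for this page; the audit-record shape is a constructed
simplification, not a real vendor schema (assumption)."""
import json

# Assumptions: words a fraudster wants hidden, folders used to bury mail,
# and the organisation's own domains.
FINANCE_TERMS = {"payment", "invoice", "wire", "remittance", "bank", "account"}
HIDING_FOLDERS = {"Deleted Items", "Junk Email", "RSS Feeds", "Archive",
                  "Conversation History"}
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample audit log: one JSON record per line (not real data).
SAMPLE_LOG = r'''
{"ts": "2011-11-02T03:14:00Z", "user": "personb@example.com", "op": "New-InboxRule", "params": {"Name": "tidy", "SubjectOrBodyContainsWords": ["payment", "invoice", "wire"], "DeleteMessage": true}}
{"ts": "2011-11-02T03:15:10Z", "user": "personb@example.com", "op": "New-InboxRule", "params": {"Name": ".", "From": ["persona@example.net"], "MoveToFolder": "RSS Feeds"}}
{"ts": "2011-11-03T09:00:00Z", "user": "alice@example.com", "op": "New-InboxRule", "params": {"Name": "newsletters", "From": ["news@example.org"], "MoveToFolder": "Newsletters"}}
{"ts": "2011-11-03T09:05:00Z", "user": "bob@example.com", "op": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "bob.backup@mailbox.example", "DeliverToMailboxAndForward": true}}
'''


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def reasons_for(record: dict) -> list[str]:
    """Return human-readable reasons one audit record looks suspicious."""
    p = record.get("params", {})
    op = record.get("op", "")
    reasons = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        words = {w.lower() for w in p.get("SubjectOrBodyContainsWords", [])
                 + p.get("SubjectContainsWords", [])}
        hits = sorted(words & FINANCE_TERMS)
        hides = bool(p.get("DeleteMessage")) or p.get("MoveToFolder") in HIDING_FOLDERS
        if hits and hides:
            reasons.append("rule hides messages mentioning " + ", ".join(hits))
        if p.get("From") and p.get("MoveToFolder") in HIDING_FOLDERS:
            reasons.append("rule diverts mail from %s to '%s'"
                           % (", ".join(p["From"]), p["MoveToFolder"]))
        if not p.get("Name", "").strip(" .,-_"):
            reasons.append("rule name is blank or punctuation only")
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext = [a for a in p.get(key, []) if is_external(a)]
            if ext:
                reasons.append("rule forwards to external address " + ", ".join(ext))
    elif op == "Set-Mailbox":
        fwd = p.get("ForwardingSmtpAddress")
        if fwd and is_external(fwd):
            reasons.append("mailbox forwards to external address " + fwd)
    return reasons


def find_suspicious_rules(log_text: str) -> list[dict]:
    """Scan newline-delimited JSON audit records; keep those with findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = reasons_for(record)
        if reasons:
            findings.append({"ts": record["ts"], "user": record["user"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_LOG):
        print(f["ts"], f["user"])
        for r in f["reasons"]:
            print("   -", r)
```

<p>On the constructed log the two rules on Person B&#8217;s mailbox are flagged (one deletes anything about payments, one silently files the partner&#8217;s mail under a folder nobody reads and has a one-character name), the newsletter rule is not, and the external forward on a third mailbox is reported separately. Rule names made of a single dot or comma and moves into folders like RSS Feeds are worth alerting on even without a keyword match; tune the lists to what your own users actually do.</p>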
<p>That&#8217;s the thing, while there may be rules to how the scams are being run today those rules are ever changing.  You can&#8217;t simply look for one telltale sign that something is amiss because once a trend emerges the hackers change things up.  And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about it seldom penetrates into people&#8217;s way of thinking.  The popular adage about suckers has never been truer only now there are two to the power of X ready to take them.  There are increasing measures available to counter attack some of these scams (e.g. Red Flags &#8211; Identity Theft) but by and large they go undetected or unreported.</p>
<p>So here&#8217;s the sum total of my PSA: If it seems too good to be true it is.  And if any financial dealing is presented where something is out of the ordinary apply the old audit mantra &#8211; trust but verify.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/vishing-smishing-and-phishing-no-end-in-sight/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online identity theft: One victim&#8217;s story</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/#comments</comments>
		<pubDate>Thu, 08 Apr 2010 14:24:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[cyber security]]></category>
		<category><![CDATA[id theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password theft]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=329</guid>
		<description><![CDATA[Because whether it be the result of a successful phishing attempt, poor judgement or sloppy controls (e.g. post-it notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.]]></description>
				<content:encoded><![CDATA[<p>Last month I blogged about a phishing attempt that landed in my inbox.  The email account belonged to someone named Rebecca Keen who I had never heard of before (or so I believed at the time).  As I was finishing writing that post, I received a follow-up email from the same person indicating that all was well, that her account was hacked and asked that no one respond to the original phishing email.  As it turned out, Rebecca Keen was actually someone in my extended network, courtesy of a PTA email thread that I was part of.  Because she used Yahoo mail and went with their default settings, all of her outbound email addresses were added to her address book and so I was one of her contacts.</p>
<p>Ms. Keen was kind enough to share her story with me so that I in turn could share it with you.</p>
<p>Her bad day started with the most basic error in judgement: She responded to a Yahoo-branded email requesting that she confirm her account information or else her account would be closed.  She said that &#8220;despite my initial instincts, I fell for it.&#8221;  It&#8217;s not hard to understand why.  Like most parents with school-age children, she has too much going on, depends on email to keep things moving and if she is anything like my wife, is of a mind to address things as they arise; she was a perfect target for a hacker.</p>
<p>Ms. Keen first became aware that she was about to have a bad day when she received an early morning phone call from a friend indicating they&#8217;d received an email from her asking for help.  She attempted to sign on to her Yahoo account to see what was going on but the hackers had changed her password and she was locked out.  She explained what happened next:</p>
<p>&#8220;<em>I had to wait for Yahoo to open at 9:00am to resolve the issue and regain access to my account.  Yahoo was extremely helpful and we were able to take the account back quite easily.  The representative I spoke with knew to advise me to confirm if any of my personal information had been changed, which it had.  An alternate email address had been added by the hacker as a way to retain control of my account even after I had gotten back in.  And my understanding is this is how they would continue to log in and check to see if anyone was actually trying to send me money.  If I did not know to delete this alternate email, the hackers could continue to monitor the account and target anyone asking me where to send the money</em>.&#8221;</p>
<p>I asked her if anyone actually attempted to send money or respond favorably to the hacker&#8217;s phishing attempt and fortunately no one had.  While she did receive a few calls and/or emails trying to confirm if the request was legitimate, because as Ms. Keen explained, &#8220;<em>They did indeed want to help me if I really needed it,&#8221;</em> no one actually took further action.  Apparently the majority of people who received the phishing attempt knew it was a hoax and ignored it (score one for security awareness in the private sector).</p>
<p>Was there a lesson learned from all of this for Ms. Keen to share?</p>
<p>&#8220;<em>Do not respond to emails requesting personal account information, no matter how reputable they may seem,&#8221; </em>she said.  &#8220;<em>As Yahoo explained, they would never request that sort of account information from me (they already have it and there is no need for it to be confirmed).&#8221;</em></p>
<p>To which I would add that you could easily replace the Yahoo name with literally any reputable business with which you have an online account.  I would also recommend that you print Rebecca Keen&#8217;s advice and tape it to your monitors and keyboards at both work and home for all to see.  Because whether it be the result of a successful phishing attempt, poor judgment or sloppy controls (e.g. sticky notes under the keyboard/phone/stapler, etc.) the number one entry point used by hackers to gain access to sensitive information remains password sharing.</p>
<p>Check back here next week. I have an interesting (if not scary) story to share about how some financial institutions are (mis)managing regulatory requirements.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/identify-theft-one-victims-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Something smells phishy</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 20:18:30 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[email]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[scam]]></category>
		<category><![CDATA[scammer]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=305</guid>
		<description><![CDATA[P.T. Barnum was often credited with having said that "There's a sucker born every minute" and apparently online there are somewhere between two and too many scammers waiting to take 'em.]]></description>
				<content:encoded><![CDATA[<p>I received an email from Rebecca Keen this morning asking for help.  You see, Rebecca took an unexpected trip to the UK and while there lost her wallet and all of her financial resources and was hoping I could help.  She asked if I could float her a temporary loan of $1,540 so she could settle her hotel bill and make it back home safely.  It turns out that all of her other possible avenues for assistance have failed her and I&#8217;m something of a last resort.</p>
<p>Of course I don&#8217;t know anyone by the name Rebecca Keen and knew instantly that it was a phishing scam. It&#8217;s not the email by itself that made this a blog-worthy item.  What made Rebecca&#8217;s email this week&#8217;s topic was the reaction of someone close to me and their attitude about how to handle it.</p>
<p>At the risk of embarrassing anyone, I won&#8217;t go into specifics as to who the person is, but when I told them about the email as a way of educating them on how to identify and manage phishing attempts, they asked me how I knew it wasn&#8217;t legitimate.  Beyond the obvious fact that I don&#8217;t know now and have never known anyone by that name I&#8217;m not sure what else I&#8217;d need as proof this was a scam.</p>
<p>Here was the ensuing exchange:</p>
<p>&#8220;That may be true but what if they sent you the email by accident?  What if they misspelled the email address?&#8221;</p>
<p>To which I replied, &#8220;Still not my problem and I won&#8217;t respond because that establishes a dialogue which will only encourage the person further.&#8221;</p>
<p>&#8220;But shouldn&#8217;t you at least let the person know they reached the wrong person,&#8221; I was asked with a tinge of real concern.</p>
<p>&#8220;If I reply, that will send the message that they reached the right person. They&#8217;ll think I care, which will only open me up to additional pressures from the scammer&#8221;.</p>
<p>&#8220;People are so mistrusting these days.  I&#8217;d at least want to make sure this wasn&#8217;t someone who needed my help&#8221;.</p>
<p>And therein lies the problem: Despite this being a very obvious phishing attempt, it was only obvious to me. Despite the endless stories about people being exploited and robbed by an endless array of online and email scams, there are still people who respond favorably to these sort of things because of their basic decency. The person to whom I was talking wasn&#8217;t lacking in intelligence and isn&#8217;t typically naive, but when presented with these situations uses a different set of rules.</p>
<p>To make matters worse, the email from Rebecca Keen was properly formatted without spelling errors and actually looked like something I might receive from a legitimate source.  As a matter of fact, it presented itself so well that I actually opened it, which is a step further along than these things usually get.  But of course I knew instantly that it was just the latest example of how people are using the Internet to try and steal money.  And while the scam was obvious to me, there is at least one person I know who might actually have taken action upon receiving something similar.</p>
<p>You know what occurred to me today?  The reason that scammers continue to send out phishing emails is because they still generate the desired results.  Despite the endless marketing campaigns by a wide range of financial institutions to educate online users, there are still a large enough number of people who are victims waiting to happen.   And as long as even one person responds favorably to a phishing campaign, it&#8217;s considered a success.</p>
<p>I&#8217;m thinking that as a former New Yawker I should create a program for the FDIC based on my experiences growing up in New York City.</p>
<ul>
<li>Do not engage in any dialogue with anyone you don&#8217;t know about money in an unusual or inappropriate setting e.g. street corners, subway platforms, etc.</li>
<li>If someone is selling something, offering to buy something or trying to distract you somehow when in an unusual or inappropriate setting (e.g. stopping you on the street, walking up to your table at a restaurant, etc.) immediately disengage and continue on your way or return to what you were doing without allowing the conversation to develop and/or continue.</li>
<li>And if at any time your instincts tell you that something is wrong, amiss, out of place or odd err on the side of caution and do everything and anything to remove yourself from that situation.</li>
</ul>
<p>P.T. Barnum was often credited with having said that &#8220;There&#8217;s a sucker born every minute&#8221; and apparently online there are somewhere between two and too many scammers waiting to take &#8216;em.</p>
<p>P.S. As I was about to publish this post I received an email update from Rebecca Keen letting me know that someone temporarily stole her email account and that there&#8217;s no emergency whatsoever.   Glad to hear it but I still have no clue who she is.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/something-smells-phishy/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How security aware is your organization?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 03:57:03 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[phish]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[social engineering]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=270</guid>
		<description><![CDATA[It's February 2010, do you know when was the last time your organization conducted a social engineering exercise?]]></description>
				<content:encoded><![CDATA[<p>Consider this post to be something of a (banking) community service announcement.</p>
<p>It&#8217;s February 2010, do you know when the last time was that your organization conducted a social engineering exercise?</p>
<p>I come across instances almost all of the time where financial institutions have obvious issues with regards to their staff and how they handle sensitive information.  I almost always find non-public personal information (NPPI) left unsecured on desktops, in printer/fax queues and displayed on computer monitors.  I can recall at least a half-dozen instances during the past year where I personally witnessed person-to-person exchanges where proper protocol was not followed in handling situations that are now supposed to be governed by the <a href="http://searchfinancialsecurity.techtarget.com/sDefinition/0,,sid185_gci1374703,00.html" target="_blank">Red Flags rule</a>.</p>
<p>It&#8217;s not hard to understand why these things happen; it involves human nature and that&#8217;s a wild card element that can&#8217;t be easily managed or controlled.  People are busy, people are inherently trusting and in their haste to help a customer or get their work completed, they lower their guard.  But it&#8217;s in those moments when good judgement is pushed to the side that an institution is most vulnerable.</p>
<p>A password is shared, a sensitive document is left exposed or a file loaded with account information is carted off on a USB storage device.  Ultimately, how it happens is never really the big story though, at least not for those impacted by the breach.  For the affected, it&#8217;s all about the damage, both potential and realized, that they&#8217;re confronted with.  And of course it then also becomes about the tarnished reputation of the institution connected to the breach.</p>
<p>Do something about it.</p>
<p>Schedule a social engineering exercise; it&#8217;s easy, it&#8217;s affordable and it works.  It tests the effectiveness of your security awareness program(s), illuminates what&#8217;s working and what&#8217;s broken, and allows you to adjust your training accordingly.  And you can vary the angles taken from year to year.  Start by seeing what happens when someone places calls to your staff trying to get them to share sensitive information.  Follow that up by doing the same with emails.  When you conduct your next internal vulnerability assessment, have the project include having the testing resources access secured facilities.  You can also mix in dumpster diving (a favorite of mine), fax phishing and eavesdropping (don&#8217;t laugh, it&#8217;s a great way to skim NPPI and impossible to trace).</p>
<p>The results will prove to be revealing &#8211; both good and bad &#8211; and will serve as remarkably effective fodder for your next round of training.  And the testing itself becomes an important tool because once people are aware that these tests are occurring, they begin to pay greater attention to their actions. No one wants to be tagged as being on the wrong side of the testing &#8211; trust me on this, I&#8217;ve seen this dynamic in play and it&#8217;s real.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/how-security-aware-is-your-organization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
