Employee Cybersecurity Training – Mobile Phone Scams
Today’s discussion is regarding mobile phone scams. Since practically everyone is using computers and internet-connected phones to conduct business, as well as manage our day-to-day lives, guarding against mobile phone scams is of great importance. You may be asking yourself, “What can possibly go wrong with my mobile phone?” If you have not encountered a mobile phone scam before, you may be paying less attention to what you are doing when using your mobile phone. However, there are some serious threats out there that we need to take note of. Scammers will go to great lengths to trick you into revealing personal information unintentionally. In fact, my co-host, Boris, was recently able to avoid a serious threat to his wife’s mobile phone. Let’s learn more about this story.
True Story of a Mobile Phone Scam
Boris and his wife’s eBay account was hacked, and the hackers sold some merchandise in their name. Fortunately, eBay was right on top of the situation and was able to stop the hackers. Since items were sold in Boris and his wife’s names, eBay sent them a bill for $20. Boris did not pay that bill immediately and then received several more bills from eBay with threats of suspending the account and charging interest on the amount due. Boris’ wife decided it would be prudent to contact eBay to discuss the invoice.
In her efforts to locate a telephone number for eBay support, she did a Google search. She clicked on the first item that came up in response to her search and called the number listed. The person on the other end answered, “eBay Support”. That person spoke with a foreign accent. When she told him why she was calling, he responded, “Oh, we can definitely help you with that.” Unbeknownst to her, the person on the other end was actually a scammer. eBay Support does not have a direct phone number. You can only contact them online or through a chat.
The scammer told her he had an older Wells Fargo account listed for her and he needed her to update her account. To do this, he would need to install remote software on her phone. He then sent her a link that installed software on her phone and redirected her to a fake website, which caused an alert on her phone stating she had a virus. The scammer told her she needed to log into her accounts so that he could assist her in avoiding an attack on her phone. When she tried to log into her banking account at Chase Bank, Boris received a notification from Chase Bank on his phone which included an authentication code. He asked his wife why he was receiving the notification. She explained she was speaking with “eBay Support” and had received the message about a virus on her phone. She invited Boris to speak directly with “eBay Support”. Boris was quickly able to identify this as a scam. Boris was greatly relieved that Chase Bank had this extra layer of security, requiring an authentication code before allowing the scammer access to his account. Boris was then able to disconnect the call before the scammer received any further information. Boris then uninstalled the software on his wife’s phone, backed it up and did a factory reset. Boris also changed all their passwords immediately. This was a crisis averted.
There were a couple of clues that identified this situation as a scam. First, the fake “eBay Support” number started with 209. Most customer service numbers do not begin with 209. They usually are 800 numbers, although scammers can also purchase 800 numbers.
Scammers can also purchase Google Ads to make their scam look more legitimate. It may be more difficult to spot these on a mobile phone as opposed to your computer, as the screen is greatly compressed. Most people cannot tell the difference between an ad and a real website. Users of mobile phones are cautioned to adopt a common-sense approach when searching for these sites. In the story, Boris’ wife almost gave away the keys to the kingdom because of this elaborate scam. Many people fall for this type of scam every day. A simple support call can turn into a disaster.
Best Practices to Avoid Mobile Phone Scams
Just as you would use common sense in looking both ways before crossing the street, you must also use common sense when doing searches on your mobile phone. This should be a similar built-in response. Be cautious of what is going on when you are browsing the internet, especially when using your mobile phone.
• Installing Apps
Make sure to only install apps on your phone from an approved application store such as the Apple App Store or the Google Play Store on Android. I believe that most of the phones that are sold are locked down to only allow app installation from those stores. However, even if you have a phone that is more open and lets you install apps from elsewhere, it is best not to do so. Install apps only from the Apple App Store or Google Play Store, because they are curated and checked to make sure there are no security issues inside of them.
• Validate Remote Access Multiple Times
Next, we need to recognize that if we are talking to a support person who is asking for remote access, we must validate with them multiple times why they need remote access, to make sure that their story matches reality. If you are just looking to resolve an issue with your account, the person on the other end of the line should not be asking to access your phone or your computer. You should demand an explanation for any reason a support representative would need remote access to your phone. There are no cases when this would be legitimately needed by customer service.
If you are working with an IT company, such as ArchIT, you would recognize us as your provider. You know your contact person. You have talked to them before. That is a little different story. Even then, they would most likely not need remote access to your mobile phone. Here at ArchIT, we currently do not allow that capability for our support personnel. We only have remote access to computers. And, again, that is because we are the trusted provider, and we were able to install our software initially on those computers. Be vigilant and do not allow remote access to your mobile phone unless you know exactly who the person is and what they are doing.
• Searching Support Numbers
Never search for support phone numbers on Google. If you are seeking to get support from a company, go directly to the company’s website and use the channels that are available on their website to initiate your support. This is especially important advice to follow, as Google search results can contain all kinds of information, just as we saw in the story. Do not look for support phone numbers on Google; use the channels that are available to you. There are many scammers who are successful in appearing to be a legitimate website. For instance, if you are calling Chase Bank, go to the Chase Bank website and look for their support number. If the company you are working with does not have phone support, then use the channels they offer to reach them, either online or through chat. Doing this can help you lessen your exposure to unscrupulous people.
• Auto Lock
Make sure your phone auto-locks and that it requires your biometrics to unlock. Avoid using a PIN, which can be easy to discover. Instead, you should use a fingerprint or face recognition to unlock your mobile phone. Also, make sure your mobile phone auto-locks after 15 seconds. Because our lives are in this device, we want to protect it as much as possible. Using biometrics and locking your phone is a great way to protect your device.
• Two-Factor Authentication
For the best protection of all your online accounts, use two-factor authentication. This can be something as simple as sending an SMS text code to your phone (which saved us in the story) or something a little more complex like a Google Authenticator or Duo app to generate passcodes. You should have two-factor authentication set up on all your online accounts where you are storing credit card information, where purchases can be made, or where any other bank information is available. A simple password is no longer an adequate security mechanism.
Two-factor authentication basically provides an additional method of authenticating you as a person, so that access is not based only on your password. A code sent by text message is a good first step. In addition, there are other apps that you can install such as Google Authenticator, Microsoft Authenticator or Duo. These generate a code on your mobile phone that you enter to log into the website you are attempting to access. It proves that you know the password, and that you are you because you have access to your device. Many companies allow us to set up a trusted device, where you log in once from a secured device, such as your personal computer. You are then able to authenticate once, and your browser will remember the fact that you have already authenticated for a certain period. Be aware that you should only do that on devices over which you have full control.
• Change Passwords
Make sure you change your passwords regularly, and immediately if you notice any hint of suspicious activity. A password manager can assist you with this. We will cover this in more detail in our next blog. Make sure you are changing your passwords at the smallest sign that something may be amiss. We are recommending that our clients change their passwords every 90–180 days. You should also change your log-ins. For your personal accounts, I would suggest changing your password at least twice a year, or at any sign of suspicious activity.
• Antivirus Software
Finally, since most of our life is on these devices, and given the fact that we are probably using this device more than anything else, you should have antivirus software on your mobile phone. You may be unaware that there are viruses that target mobile phones. More of these types of viruses are emerging every day. People have figured out that this is not only the least difficult way to get into your life, but that your mobile phone also stores the most information about your life. We will see a lot more of these viruses in the next couple of years. To protect yourself, think about purchasing antivirus software for your device. Your provider (Verizon or AT&T) may have a contracted service that you can participate in for a few bucks a month to help you protect your phone.
If you follow these best practices, you will be in much better shape and more protected while using your mobile phone. We hope we brought you some value. ArchIT is an IT company that focuses on helping engineering design and architecture firms. If you are not working with us yet, we would love a chance to earn your business. Go to getarchit.com. Remember, do not search Google; go directly to https://getarchit.com/ and click on Contact Us.
In our next employee training, we will focus on team training on password management. Stay tuned for that, and have a great day.