I talk to clients and prospects daily about the threats to their business as it relates to Cyber-attacks. Last week it hit home when I was the intended target.
It started out with a text message to my phone. The message said that it was from my bank’s fraud department and wanted to verify 3 charges. Before I could respond to the text message, I received a call from a blocked number. I ignored the call and was going to respond to the text when a second call came in from a blocked number. I chose to answer this call and the caller said that they were with my bank’s (and they said the name of the bank) fraud department. They just saw 3 charges come over from 3 separate stores in the Minnesota area. I was back in Akron and had not agreed to any of the 3 charges totaling around $1,500. The caller said that we can take care of it but would like me to go into my online banking account. I did that and signed in. He asked if I saw the charges and also asked what my last charge was. At one point he even told me that I was being recorded and asked if I would say that I did not approve these 3 charges.
The conversation took a twist when he said that he needed my User I.D. I told him that I was not comfortable with that. He said that he was with my bank’s fraud unit and that he could give me his badge identification number. I told him that I would have nothing to check that against. He continued to press and even said that he can’t remove these charges unless I give him my User I.D. I was in the middle of a few other items at work and reluctantly gave him my User I.D. Fortunately, I was sitting at my desk in my office, and I immediately saw an email from my bank saying that my password had been changed. I questioned the caller why he would change my password and he denied changing it. I became more aggressive and asked a few more times. He continued to deny and now was asking for the 6-digit code that was just texted to me.
The code is a Two-Factor Authentication that most online secure sites use. In the past I had always hated this part of going online to my bank. I can honestly say that I do not dislike this part of any site anymore. I did not give the code to the caller and quickly hung up and called my bank. My bank was able to freeze my online access and we quickly changed the user and password to my account. The scary part of this incident is that if I would have given the caller the 6 numbers, they would have had access to my personal accounts along with my business accounts.
I continue to use the Two-Factor Authentication and I have increased our Cyber insurance to protect Oxford Risk in the future.
Jim Kahoe
President
Oxford Risk LLC