For Cyber Security Awareness Month 2022, John Breton shares his story of when he almost fell victim to a phishing scam.
“A few years back, my credit card was up for renewal. I got a replacement card in the mail along with the usual disclaimer of needing to activate my card at an ATM, no problem. I figure I’ll go to the bank tomorrow.The next morning, I received a text from what appeared to be my bank, saying that my new credit card could be activated by calling the included number. I didn’t find anything suspicious given I just got my new card in the mail, so I dialled up the number. The person responding immediately identified themselves as an employee from my bank, and I explained I received a text to activate my new credit card. They took my credit card number and the email associated with my account. They never asked for my PIN or my card’s CCV, and just said that to complete the process I’d need to follow steps sent in a follow up email. About 10 minutes after the call, I get a very legitimate looking email, again appearing to be from my bank. So I clicked the link in the email.The link brought me to a page with plenty of secure software logos and a single text box asking me to enter my card’s PIN to finish the activation process. Fortunately I hesitated. I checked the number I had called, and it turns out it was not the number used by my bank. I found the correct number and gave them a call, and I was informed they were aware of this active card phishing campaign. They sent me a new card to be on the safe side, but I won’t lie and say I did almost provide my PIN. Everything was routine and I never suspected anything throughout. The timing makes me think this was a targeted phishing attack, but I had received those card activation texts prior to this incident, but ultimatelyIf there’s one takeaway from this story that I can provide: never share your PIN. It is never needed and your bank will never ask for it. Stay safe and don’t be afraid to double check things if anything ever feels suspicious.”