Saturday afternoon, as I was mentally getting ready for the kids' bedtime and drinking a Martinez (ooh, get me, though it was my first cocktail of the year, and no, I don't count a G&T as a cocktail), I received a notification that O2 had failed to process my latest bill and that I should update my details.
My card had been updated recently and I'd had a slew of emails telling me that recurring payments had failed, though the last of those was a good few weeks ago.
With half an eye on my phone, and only partially aware of how rubbish O2 were being by asking for personal details they should already have, I dutifully posted my details off to a lucky fraudster.
Here's the SMS I received:
O2: Payment for your latest bill could not be processed by your bank. Please update your payment information via: https://myo2․bill231․com?o2=2
The page then asked me to sign in, which I did; then to enter my address, which I did; then to enter my bank card and bank account details, which I did.
100% absent mindedly.
It's how accidents happen. My focus was on something else whilst my thumbs were on autopilot on my phone, doling out my details.
What's ironic is that my career is on the web and these kinds of hazards are part of the territory, and yet, as seasoned as I think of myself, I still made a simple and potentially costly mistake.
But the web we live in today is a bit of a jungle, and sadly part of that is walking through long grass with snakes underfoot. We conduct ourselves carefully as we navigate from one site to the next, and we protect ourselves with software, policies and knowledge, but what's important is that a bite from a snake is not fatal.
It's how quickly you or I react to the incident that makes all the difference. Thankfully as soon as I hit send I realised my mistake.
The process was:
- Consider every data point I shared with the fraudster website
- For bank details (in my case), immediately contact the bank and block the card
- Revoke any passwords shared (I already use 1password so I know the password is unique)
- Ongoing for the following weeks, monitor the bank account to watch for unknown transactions - this is particularly important as the fraudulent website had my account details, which is enough for them to set up a new direct debit (though this is also covered under direct debit protection)
The longer term changes that I'm putting in place are:
- (Though I know it) never follow a link to enter banking details, always type the target web site in manually (i.e. if O2 contacts me, I visit O2 myself, not via a URL)
- Adopt a new policy for text messages: the ones I receive are currently almost exclusively 2FA codes, so it's almost worth disabling SMS messages entirely.
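As an added illustration (not from the original post) of why the "type the site yourself" rule matters, the check below pulls the URL out of the SMS quoted above and shows that the brand name only appears in a subdomain, while the registrable domain, the part the sender actually controls, is bill231.com. The sample message is constructed from the post's text, the dots in the link are treated as placeholder characters, and the suffix table is a deliberate simplification rather than the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the smishing text from the post. The link's dots are
# written as U+2024 (one dot leader) so it cannot be clicked by accident.
SAMPLE_SMS = ("O2: Payment for your latest bill could not be processed by your bank. "
              "Please update your payment information via: "
              "https://myo2\u2024bill231\u2024com?o2=2")

# Assumption: a tiny stand-in for the Public Suffix List, enough for UK hosts.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "ac.uk", "gov.uk"}


def extract_urls(text):
    """Find http(s) URLs in a message, turning defanged dots back into real ones."""
    text = text.replace("\u2024", ".").replace("[.]", ".")
    return re.findall(r"https?://[^\s<>\"']+", text)


def registrable_domain(host):
    """Return the registrable part of a hostname (the bit someone had to buy)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url, brand):
    """Say where (if anywhere) a brand name sits in the link's hostname."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    if reg.split(".")[0] == brand.lower():
        verdict = "registrable domain is the brand"
    elif brand.lower() in subdomain:
        verdict = "brand only in subdomain"  # the lookalike pattern in the post
    else:
        verdict = "brand absent from host"
    return {"host": host, "registrable_domain": reg, "verdict": verdict}


if __name__ == "__main__":
    for link in extract_urls(SAMPLE_SMS):
        print(link, assess_url(link, "o2"))
```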
I've had exactly two previous fraud events in my past, both of which I learnt hard lessons from, but perhaps were unavoidable (unlike this more recent event).
The first was around 10 years ago. I received a direct message on Twitter from a friend saying that some account details had been hacked and I should update my password immediately. I promptly followed the DM link inside the Twitter app, entered my password and … realised I'd been duped.
Following the link from inside Twitter's client meant that the URL bar was hidden from me, so I had no visual way of knowing what site I was on - it looked like Twitter (which was the point), so I fell for it. Since then I always disable "in browser" linking on the apps I use.
The second was around 15 years ago. My laptop had been written off in an accident and was sent to the insurance company; they paid out and the machine was to be destroyed. Except it wasn't. A few months after the incident, I was contacted via email by someone telling me that they had my laptop in front of them and were going to wipe the drive so that it could be resold.
Obviously this was a massive failing on the insurance company's part (I'm not with them any more and I forget who they were), but the individual on the other end of the email was just doing their job. He specifically got in touch to ask whether I wanted him to send me the contents of the drive before it was wiped.
I figured it might be useful and said to go ahead. Except, he stated, he couldn't get all the files off the drive: some were behind my password. I was hesitant when he asked for my password so that he could send the files along, but he said it made no difference to him as he was just helping me out, and "oh, I see you're a web developer, we need our web site redoing, maybe we could hire you…" and off my password went.
As soon as I hit send (yes, reoccurring theme) I felt my gut drop. It was a horrible feeling knowing that I'd just let some stranger into a personal space such as my hard drive. I emailed him back immediately, specifically requesting proof the drive had been wiped … but of course I never heard back.
Thank the stars there was nothing important on the drive, no passwords or anything sensitive. The thought haunted me for months, but nothing came of it.
Suffice it to say I've never uttered a password again.
One additional policy I adopted after these events was that if a service was trying to authenticate me, particularly over the phone, it would have to be a call that I had made and not them contacting me. This is similar to the policy of entering a URL manually and not following links.
I guess we live and learn.