Today we have a phish targeting customers of Barclays Bank, located at:
bank(dot)barclay(dot)co(dot)uk(dot)olb(dot)auth(dot)loginlink(dot)action(dot)p1242557947640(dot)chofcg(dot)com/bd/
The phish opens up with an initial lunge for personal details:
The first page asks for a surname, then offers the potential victim a variety of petards to hoist themselves from – do you want to enter your membership number, card number, or sort code and account number? Please, step right this way.
The second page continues the deep dive with a move into the realm of PIN sentry codes:
Barclays use a device called a PIN Sentry for certain online (and offline) activities. Step 2 of this phish asks for the last five digits of your card, the eight digit code that appears on the device, and “your four digits ATM code”. After that:
A 5 digit telephone banking passcode and a mother’s maiden name, you say?
It would appear the phishers are trying to get enough bits of information to try some social engineering on someone in a call center, though they’re not going to get very far with a 4 digit PIN given the person on the other end of the line wouldn’t know it. Only today, a friend of mine told me their husband nearly lost his business account cash (held with another bank) because someone phoned him up and asked for his personal details. He only realized something was wrong when they asked for his PIN number – but he nearly didn’t phone the bank because he thought they’d “tell him off”.
Don’t be like him. Should you ever run into a scenario such as the above, the very first thing you should do is call your bank for help. They’ll give you the best course of action from there, and with any luck, your hard-earned money won’t be going elsewhere.
Christopher Boyd