Wednesday began as it usually does. With dustbins and shopping lists. The former is The Husband’s job and the latter is a kind of joint effort that starts with meal planning (yes, I know I’ve promised…it’s on another list…) and culminates with his famous spreadsheets. He “translates” the paper scribbles, notes prices and, well, generally does what he’s done for the last nearly 20 years. Shopping over the weekends is hell. When the practice began, he didn’t have a regular day job. Truth be told, he has a lot more focus and discipline than I. He’s a lot less distracted by potentially interesting things might not be on the list.
Anyhow, not long after he’d sat down to perform the ritual, his phone pinged. It was the bank:
Suspected unauthorised transaction ZAR 13k on your account. Phone xxx number.
The number looked legit: just like a Johannesburg number, and where the bank’s head office is. The Husband called.
To say that tech and the Internet of things frustrates The Husband is an understatement. He views them as a mostly (un)necessary evil. His phone is not smart. Although after this experience, it will have to smarten up. A lot.
They get you in a tizz
What followed got both of us in a tizz. He’d gone into the garden to make the call. Because we live in what amounts to a Faraday cage so mobile phone reception is dodgy. He came back into the office, phone stuck to his ear, white as a sheet:
Nigerian hackers – they’re active now!
Don’t log in! We’ll help you!
He went to his computer, following instructions to open his browser to the Google search page. There was an urgency because the implication was that he/we should be catching the culprits red-handed. Of course, under that pressure one does what one is asked.
At this point, I’m helping because of the level of The Husband’s discombobulation. There is a little voice at the back of my head that’s a bit unsure, but the threat of someone clearing out what little money neither of us – mostly in overdraft – has, is nothing short of terrifying. On speaker, with a heavy Indian accent, hard to understand, Mister F shrilly issues panicky commands.
At one point, I muttered to the Husband,
Are you sure it’s the bank?
His response,
He answered, XY Bank Fraud Division
Among the commands to follow was downloading an app Ultarviewer. Believing one’s talking to the bank’s FRAUD division …
Letting them in
Now I’ve done some homework, some of Mister F’s evident excitement was because it’s a small app. It’s a quick download. I was taking too long, he was probably beginning to think he might be uncovered.
It was installed and yes, I let him in. That, too, took a while because his diction and connection were indistinct. And, he did not understand me.
Another warning. Had I paid attention through all the noise – literal and figurative. There was a great deal of evident background noise at the other end of the line.
Then, Google open, and interestingly not in the browser The Husband usually uses, but Microsoft Edge:
You see that? That’s your IP address. It’s public. That’s how hackers get in.
Now, let’s log you in.
The Husband does. To the bank. Nothing’s amiss. The Husband’s relief that “everything in order”, is palpable. Mr F sees that there’s virtually nothing in the account.
Done with The Husband, he changes tack. A victim not worth the effort.
Your wife, she also banks using this network, right?
Wrong. Sort of. Never from that PC, anyway, and using a different browser. I say so.
But it’s the same internet connection. Log in. We need to secure the account.
I try. It doesn’t work. Even with the correct details. He doesn’t believe me.
More commands
I know I’ve not made a mistake, but now I’m in in such a state, I tell him
Stop shouting at me! You’re making me make mistakes! Tell me exactly what you’re doing and why.
Then he, wait for it: tells me where in my phone app to find all my login details.
Then
We’re in. Next he says
On your phone, open the Playstore.
I draw the line.
Ok.
The “bank” screen is open. My profile is there for all and sundry to see. Like The Husband’s it has very few zeroes and a couple of minus signs, to boot.
The call drops.
The Husband tries to call back. Twice. We want to be sure that the accounts have been secured. Each time the call drops.
Another cup of coffee
Having “seen” that nothing was amiss, we both kind of calm down and have that second cup of coffee.
Listening to that little voice
As I was staring into that coffee, that little voice began to boom.
Love, I think we should both change our passwords.
Notwithstanding the stress of having to dream up new usernames and passwords – and remember them – we both did.
The Husband also resolved to go into the bank when he was in town and to report it. From the branch, they had him talk to the real fraud department.
Turns out, we’re not alone. This is the flavour of the month and they’ve had a slew of similar, if not the same incidents, over the last few days; with the same modus operandi, using the same apparently “legit” numbers.
Hindsight – what we should have seen
The first sign was the text message. On closer inspection, it was definitely not the bank’s standard format. In number, structure or convention. Given the threat of a breach on one’s account, one looks past that.
Lesson one.
Mr F’s accent and manner: our bank uses local agents with local accents.
Lessons, two, three, four…
Our bank’s “usual” call centre agents –
- do not just speak clearly, they are calm and polite and more to the point, patient to a fault
- work hard at calming the customer down and resolving the problem
- never ask the customer to download an app to look around one’s computer – and profile. They don’t need to.
- always ask one to log in to one’s profile without asking one to share details
- access one’s profile from the bank system without having access to one’s PC. If need be, they can see what one’s doing. Usually, it is not their business.
We learned, the hard way, about smishing.
Lessons learned. Be warned. Be alert.
Until next time, be well
Fiona
The Sandbag House
McGregor, South Africa
Post script
If this post might seem familiar, it’s because I’m doing two things:
- re-vamping old recipes. As I do this, I am adding them in a file format that you can download and print. If you download recipes, buy me a coffee. Or better yet, a glass of wine….?
- and “re-capturing” nearly two years’ worth of posts.
I blog to the Hive blockchain using a number of decentralised applications.
- From WordPress, I use the Exxp WordPress plugin. If this rocks your socks, click here or on on the image below to sign up.
- Join Hive using this link and then join us in the Silver Bloggers’ community by clicking on the logo.
- lastly, graphics are created using partly my own photographs and Canva.
