I like to think that I am fairly savvy when it comes to online scams. I know not to click on weird links or give out my personal information, and that people can call and impersonate my bank. I also work for an organisation that is extremely proactive when it comes to cybersecurity. And I’ve even worked for a bank, so if you’d asked me two weeks ago, I would have said that I know what to look for.
Yet last week I suddenly found myself the victim of a highly sophisticated cybercrime. I feel incredibly embarrassed and stupid – the sense of shame has been quite overwhelming – but I feel that the only way I can regain some sense of agency is to share what happened, in the hope it stops it from happening to others.
It started with an SMS from what I believed was my bank, saying that someone had tried to set up a payment to a new payee. The text message said that if this wasn’t me, I should call the number provided. It looked completely legitimate and, because it was from a number I had previously received verification messages from, I had no reason to doubt it. (I have subsequently learned that this is called “ID spoofing”.)
I called the number and the first thing I heard was a message saying it was the bank’s fraud line and that due to an increase in cybersecurity breaches, there may be some delay in answering my call. The recorded message and music sounded exactly like my bank’s.
I soon spoke to a person who sounded like a bank employee. He got me to look at my…
