I fell for a phish
I have not, to my knowledge, fallen for any phishing attempts and have been very critical of anything I receive whether its on email, text, slack, WhatsApp etc. If I am asked to provide anything I generally question it. Well, that streak is now over.
I have been speaking a lot at companies I have worked for about security like social engineering, password security and many other things aimed more towards the less techy audience.
I have not, to my knowledge, fallen for any phishing attempts and have been very critical of anything I receive whether its on email, text, slack, WhatsApp etc. If I am asked to provide anything I generally question it.
Well, that streak is now over.
What Happened
The above was (with the email signature redacted) the actual email I received. I was literally getting out my chair to run down and answer my door as this email came in. It was the perfect timing, I was distracted, I was in a state of urgency and then I get the email above pretending to be from a director of a company I work for.
The content of the email was also within the realm of believable, given what I know about this director and his potential whereabouts, so I replied to the email with my phone number, ran down to answer my door.
As I was walking up the stairs to get back to my office, it hit me.
That email, if I took just 2 seconds to look at it, it is blatantly obvious it is a phishing email, how could I be so stupid!
I guess it was a perfect storm for me.
How I responded
So I immediately informed the company what had happened and what I was doing to try mitigate any potential issues from this.
As I was doing my mitigations, I was getting replies to the email I send, asking me to contact them on WhatsApp, I played along by replying (to their emails only), in order to potentially buy some time in case they would be actively trying to clone my SIM.
Now, I am by no means anywhere remotely close to being "important enough" where I think anyone would be actively going after me, but I also know I shouldn't make that assumption either. From my days as a hactivist many many years ago, we world, for example, go after the cleaning personnel if they worked for a company or place which was the primary target, hoping that though them we might be able to get a foot inside the door - figuratively and literally.
What I did to try mitigate the issue(s)
This list of not exhaustive, it is purely the actions I took in the first 15 mins to hopefully help mitigate any issues which could come from this. If you think there are other actions I could take, please let me know!
Step 1: Contact Phone Carrier
I immediately contacted my phone carrier and made sure they would not give out any PUK codes, send out any SIM replacement or reset any account information. I had them add a note to my account for the future regarding this.
Possibly, I may have over exaggerated a little bit by saying I have been a target of a phishing campaign and people are likely to try clone my SIM, just to make sure they took it seriously :).
Step 2: Change account information
As I was contacting support, I found that the details needed for me to verify who I was to the phone carrier's support were really quite basic information, so I decided I need to change some of the details to hopefully associate my account with me.
The reason for this is, if you look up your email associated with your account on https://haveibeenpwned.com/ you might find that quite a few websites have been breached and some part of your personal information has been leaked.
This is the actual result from the email associated with my phone carrier account:
So if the attacker knew my phone number, they could find the carrier and from there they could find my email from just the phone number (side note: I did let hem know about this and the potential implications), and with the email the perpetrator could search breach corpuses for pretty much all of the details needed to verify themselves to the carrier support.
I did get confirmation from the support rep that they (the support) cannot send out PUK or SIM replacements and that it had to be done from the user control panel, so the best thing I could do was change the email to a completely unique alias of my real email (I use Proton.me so this was quite quick and easy, not affiliated).
This is not really a "fix" though, but at least it would make it just a little bit harder to find.
Step 3: Report email and WhatsApp number
This will most likely have very little to no effect on you and what has already happened, but still if it slows the perpetrators down just a little bit then why not.
I reported the email account to Google using their Report Abuse form, since the email was sent from a gmail address, and when the perpetrator messaged me on WhatsApp, I didn't reply or acknowledge the message, I just immediately reported and blocked the number.
Step 4: Monitoring
Going forward, I will be closely monitoring any changes to my account(s), support tickets being created, chat support histories and generally any activity related to my phone carrier and by extension any other accounts.
I hope this was useful or interesting in some way, I just thought I would share in case it helps just 1 other person.
Also I would like to highlight that my phone number is already well and truly breached based on Have I Been Pwned, still, when I actively give my phone number in a phish its a bit different than being part of 100s of GB of breach corpuses.
If you have any suggestions on any further action I could take please reach out!