Wanna bet that if I call anybody working in a bank, telling them I am from the IT department and I want them to check the new login page (done the way described in this article), they will enter their login & password there?
Well, first, phishing is not calling someone, but at our bank we train our employees monthly about phishing by testing them, and if they fail they must take a class. Serial failures could result up to termination. So, how much you wanna bet?
You're not resigned enough to be on an infosec team, and if you're not on an infosec team you probably don't know the true percentage of how many employees are failing over and over (it's a ton, it's always a ton).
Personally I'd be pretty sure that, at least at the bank I currently work at, this would rarely ever work.
I mean, other than the attempts to foster a relationship between bank staff and the tech people through things like days of letting tech people hang out and try to be helpful at branches in order to "see what real difference they could make" (and that largely ending up being a fairly regular educational exercise for everyone involved), there are two problems I see:
1. All the phone calls into branches are monitored (you may have noticed so many "we will record this call and it may be monitored" messages - they aren't kidding) and if certain key words, or even key tones of voice, are picked up, someone from a relevant team silently dials onto the call to listen in.
2. The general process for anyone not in IT interacting with any IT system is to click a button on their screen which generates a 6 digit pin, and if you can't match that pin with the person talking to you and don't confirm success then alerts go out immediately.
And given the hit rate on the "generate pin" API, tellers are definitely using it properly.
So I'd be inclined to go pretty small if I were to bet at all.
Not sure why the assumption that you can social engineer your way into any halfway competent institution still persists, but nowadays, as far as I know, you have to pick the really low hanging fruit for someone to let you in so easily.
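The "generate a PIN, have the caller read it back" check described in the comment above, written out as an added example (this is not the bank's code, and the expiry, attempt limit and alert list are assumptions):

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed illustration of an out-of-band caller check: the employee
# generates a PIN on their own screen and the caller must read it back.
# PIN_TTL_SECONDS, MAX_ATTEMPTS and the ALERTS list are assumptions standing
# in for whatever policy and alerting pipeline a real bank would use.
PIN_TTL_SECONDS = 120
MAX_ATTEMPTS = 3
ALERTS = []  # every failure mode appends an alert event here


def generate_pin(session_id: str, store: dict, now: Optional[float] = None) -> str:
    """Create a fresh 6-digit PIN bound to one employee session."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG, zero-padded
    store[session_id] = {"pin": pin, "created": now, "attempts": 0}
    return pin


def verify_pin(session_id: str, spoken: str, store: dict, now: Optional[float] = None) -> bool:
    """Check what the caller read back; any failure raises an alert event."""
    now = time.time() if now is None else now
    rec = store.get(session_id)
    if rec is None:
        ALERTS.append(f"{session_id}: verification attempted with no PIN issued")
        return False
    if now - rec["created"] > PIN_TTL_SECONDS:
        ALERTS.append(f"{session_id}: PIN expired before caller confirmed it")
        del store[session_id]
        return False
    rec["attempts"] += 1
    if hmac.compare_digest(rec["pin"], spoken.strip()):
        del store[session_id]  # single use: a confirmed PIN cannot be replayed
        return True
    if rec["attempts"] >= MAX_ATTEMPTS:
        ALERTS.append(f"{session_id}: caller failed PIN check {MAX_ATTEMPTS} times")
        del store[session_id]
    else:
        ALERTS.append(f"{session_id}: PIN mismatch (attempt {rec['attempts']})")
    return False
```

A caller who cannot produce the PIN, takes too long, or keeps guessing leaves an alert behind either way, which is the property the comment above relies on.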
How often do they assume that non-scams are scams?
That part has always made me curious when talking about these tests. I mean, I have a mostly foolproof way (type the URL or navigate to it from the main page), but even including "this page is not linked from anywhere else for security, you must click the link" would probably fool people. Especially because I can imagine many orgs would actually include that.
At my previous bank, you could get your account password reset with SSN and birthday. Also, your account number (and your website login) was your social security number. And for the longest time, your password for your account online was your ATM pin. This is at a credit union in the US. I switched banks as soon as I had a significant amount of money in my account.
tbh, I'm surprised they don't have bank accounts emptied out regularly, but they're sort of small (limited to grocery store employees), so maybe it's just nobody has seen it.