How a Bot Attempted To Get My Bank Information Via a Remote Work “Opportunity” Phishing Scam
It’s the year 2017 and I suppose thieves really are desperate to steal your money (and particularly my money — but I may be a little biased about this), as I was recently nearly a victim of a complicated phishing scheme.
Phishing schemes, if you are not aware, are attempts by organizations to trick you into handing over private and sensitive information — usernames and passwords to websites, banking information, etc. — by pretending to be someone or something you trust. Now, I have been looking for remote work recently (a second income doesn’t hurt when you have two kids, I assure you) and I got an e-mail that should have immediately been deleted upon receipt. This should speak to how much I would like that second income, that I even justified it with a response. The e-mail read like this:
Hello and how are you today? Your resume has been reviewed and forwarded to the Head of Operation and you have been considered and scheduled for an online interview to discuss more about the job position that you are to occupy.You are required to set up a gmail Account (http://www.gmail.com) on your desktop if you don’t have one.After this process you are to add (fake name) on her gmail Hangout, email is (fake e-mail) to your gmail hangout list ASAP for the job briefing and comprehensive details.
She is online waiting to talk to you ASAP.
Venue: On line Via gmail hangout
Training is Available
Some things that should have occurred to me right away:
- Generic introduction with no information about sender.
- They sent the e-mail to my Gmail address but couldn’t figure out that I would NOT need to set up a Gmail account?
- The job position that I am to occupy?
- Weird that they specify that training is available without mentioning what the job actually is. Big red flag.
So I did it — I messaged the ‘person’. For the sake of privacy of the actual human being whose photograph I have to assume was stolen from somewhere online, I will use a poorly doodled robot to represent the bot, whom I will call Phish Bot, and an even more poorly doodled me to represent me. Sorry that I am the worst at drawing. Here is the actual chat transcript.
Me : Hi, I got an e-mail about an online interview, more information would be really helpful, thank you.
Phish Bot : Lahey Health Would like to welcome you to their company.
Have you been interviewed online before?
Me : I’m also a bit confused as I didn’t apply to any job with Lahey Health and don’t live in Massachusetts
I can work remotely, mind you.
Are you getting sick of seeing my poor drawings? Okay, let me just do the rest like this:
Phish Bot : This is strictly an online and work from home job the working hours are flexible and you can chose to work from anywhere of your choice.The pay is ($31.8) per hour training is ($16.8) per hour and you will be getting payment bi weekly via direct deposit or paycheck working 20 to 30 hours weekly,if you are employed you are going to be working as a full employee and not an independent contractor.Benefits: Health, Dental, Life and AD&D Insurance, Employee Wellness and 401k plans.Paid Time Off and Holidays with Generous Company Discounts…Are you still ready to proceed with the interview?
Me : well what actually does the job entail — and why sometimes twenty hours, and sometimes thirty
Phish Bot : RESPONSIBILITIES/DUTIES: Heavy Receptionist Data entry/administrative tasks Updating client information in computer system Running and processing multiple documents utilizing Microsoft Word, Excel, and Access Inputting purchase orders Other various administrative tasks,Inputs information from a variety of sources into a computer database. May take customer orders and enter them into a pre-established tracking system Assignments will be sent to you via e-mail or Hangout and you will report directly to your immediate supervisor…Can you handle that?
(Reading this a second time, I realize that my question was not answered.)
Me : sounds like a lot of what I do right now, except now I do it in person in an office, yeah.
Phish Bot : Here’s is the company website www.laheyhealth.org you are required to use 5 minutes of your time to read more about the company, then let me know when you are done so we can proceed with the interview okay
Me : I actually searched for it right after you sent me their name. Go on.
They’re good people.
Phish Bot : You will undergo a one week training from your training supervisor he/she would be training you on how to Enhance your working skills with the programs accurately.Included with other Data entry job you would be needing to get done. Your training is going to be done online through your PC/Cell Phone.
This went on and on and on. Lots of questions that would be quite normal for a job interview. Then suddenly this happened.
Phish Bot : The salary will be $31.8 per hour and you will be receiving your payment via Check or direct deposit, And what bank do you operate with ?
That stopped me dead in my tracks. Uhm, what? Why are they asking me this very irrelevant question? Oh. Crud. This is a phishing scam.
Me : That seems like a suspicious question for an interviewer to ask.
Since I will be working directly for the company I can provide them directly with that information should that arise.
There was a silence. A couple of minutes passed.
Me : Is the next step someone from Lahey HR contacting me?
A minute passed and I got a message back from the Google chat client saying my message was not delivered. Probably because they disconnected from me and deleted the bot immediately, because bots are free to make, if I had to bet.
Next I found Lahey Hospital and Medical Center on Facebook and sent them a message:
Me : I got a very unusual e-mail from someone claiming to be a hiring firm saying that they wanted to interview me via Google hangouts. I agreed and the person (or perhaps bot) interviewing me said they were interviewing on behalf of your organization. It was a lengthy interview and suddenly they asked me what bank I use and I said I was hesitant to give out bank information, and they blocked me. I went to your web site further and don’t even see any jobs with the description they gave.
I am just wondering if this is something of which you are aware and if not, be aware that there are phishing people out there pretending to represent you.
They responded that they absolutely do not have any such job listing and would I please send them the e-mail I got as well as the chat transcript — so I did. And now you have seen it all.
Lesson Learned! It seemed too good to be true and it absolutely was too good to be true — because it wasn’t.
If you’re searching for work and your resume is openly visible on job sites, beware — the new Phishing Bots may come for you next!