Wordfence, a security plugin for WordPress, released an interesting public service announcement. See PSA: Widespread Remote Working Scam Underway, which outlines a sophisticated way to steal personal and financial information, and your money, disguised as an offer for a remote-working job.
Stealing your information need not be this elaborate. When you sell something online, the ‘buyer’ may ask for your phone number instead of communicating only through the online application's messenger. By providing it, you may be verifying your information to a bad actor. If you are asked to reply with a security code you unexpectedly received by text, you may be giving the bad actor access to an account in your name.
Multi-factor, or two-factor, authentication (MFA or 2FA) is a security model requiring a combination of means to verify who you are. You provide something you know, like a username and password, and something you have, like a time-expiring security code from an application on your phone. It is recommended to use this security model where possible, especially for financial systems.
Bad actors use a phone call, text, email, social media, or internet application to try to exploit people through our behavior and willingness to be helpful. Be wary and resistant to sharing your information. When you are dealing with an online ‘buyer’, for example, and they ask for your cell number to text you directly, answering will verify your number. Asking you to reply to them with a code received on your phone may mean they are trying to access an account in your name. Giving them the code sent to you by the institution potentially gives them access.
Scammers often acquire databases of user information. Tricking you into verifying that your information is accurate may be enough for them to use other data they have to hack into your private life.
Exploiting behavior is easiest when you invite the interaction, like selling something online. Wordfence documents an extreme and diabolical method preying on people looking for a job.
It is impossible to stay knowledgeable on all the tricks scammers use. The best you can do is stay aware. Does it pass the “smell test”? Does it feel too easy or too good to be true? Can you verify the contact or institution through other means? Question the actor. If you are suspicious or want to verify the authenticity of the person, disconnect the communication and directly contact the institution they claim to represent.
Enable multi-factor authentication for your online accounts, and, as with passwords, do not share the access codes with others. Use password storage applications like KeePass to store your usernames and passwords, and do not re-use passwords. Overall, be vigilant and guard your information, because you are the weakest link.