Social engineering via paper mail
Following up on yesterday's social engineering post, the banking scammers don't just rely on ZBot -- the good old "paper based" advance fee or fake letter approaches still work, too.
ISC reader David, for example, got a FedEx envelope with an unexpected check for $2,850 made out to him. Diligent security specialist that he is, he called the issuing bank... and found out that the account against which the check was drawn had zero funds. The way this works is that the bad guys follow up the first letter with a second, in which they apologize for the mistake, ask the victim to "wire back" $2,500 and "keep the $350 for your trouble". If you go ahead with this, by the time the check bounces you have already wired the money, and wired money is gone, or at least very, very hard to get back. Given that the crooks incur quite some expense and risk in this scenario (FedEx isn't cheap and is often traceable back to the source), they must still be making a killing out of this scam.
The second scheme is phishing via old-fashioned paper mail. You get a letter stating that "for security reasons" calling the bank now requires a PIN code, which is included below. There follows a PIN code of a length and complexity that makes it unlikely anyone would want to remember it, and two lines down, the helpful comment that the PIN code can be changed by calling 1-800-whatever. You do so, and here's what happens next:
Voice: Please enter your account number, followed by the pound key [you type]
Voice: Please enter your current telephone access code [you type in the access code in the letter]
Voice: This access code is incorrect. Please try again. [you type - correctly again]
Voice: This access code is incorrect. Please hold for an operator. [you hold]
Operator: XYZ Bank, my name is QRS, how may I help you? [you explain]
Operator: To identify you, we have to ask a couple of security questions. What are the last four digits of your social security number?
Yep. You get the drift. After this exchange, they have everything they need.
Lesson learned: Do not ever call "your bank" on a telephone number included in a letter, an email, or a voice mail message. Get to know some employees at the bank branch you do business with, and call them with any questions you might have. Recognizing someone's voice beats a "security PIN code" any day.
Update: Apparently, a bank in the US is currently sending out letters about phone PIN codes that look a lot like the fraudulent fakes described above, including both an unsolicited new PIN code and an 800 number to call to change it. If you received one of these letters, call your bank branch (as mentioned above) or check that the telephone number on the letter matches the 800 number the bank has listed under "contact" on its (real) web page. "Trust, but verify" was yesteryear. Nowadays, the rule in banking matters has changed to "Don't trust, always verify".