Analzying a Vishing Attack

There’s a CRA (Canada Revenue Agency) scam going around right now.  I received a call from “Roger” at the CRA this week, asking me verify my current address.

Let’s analyze at the attack.

The Attack

Flag #1

Roger’s number displayed on my phone – 905-XXX-XXXX. Nope.

The CRA agent’s number will never display, it will come up as “Private” or “Blocked” because imagine? People would lose their minds dialling directly to harass the agent.

Flag #2

Roger lists my last 3 home addresses, my company name, then asks for only one piece of information to verify my identity – my birthday. One piece of publicly available information to verify me?  No way.

From the CRA website, here’s the list of identification questions they’ll use.

Flag #3

Me: this number on my screen, if I call it back it’ll go to you?
Roger: yes, that will go directly to my desk.

Uh-huh. See Flag #1. Plus, if he’s at his desk, why don’t I hear office noises in the background?

Let’s keep talking.

Me: what’s the problem?
Roger: the address we have on file for your company is incorrect, because the mail we sent you was returned. We need to update your address.

Flag #4

Not only do I have my mail forwarded from my old downtown address, but my accountant and I are very on top of things, so there is no chance this is correct.

I tell him to switch it to my home address, which he has already listed, and he rushes off the phone.

I immediately email my accountant, who searches the CRA database and comes back with this confirmation – my correct address is on file.

Flag #5

I call the number back and it goes straight to voicemail.

Not only is it full and cannot accept new messages, but the name on the voicemail is not Roger.

Flag #6

I trace the phone number, and land up at a suburban house just outside of Toronto. Not posting a map of that, bet the poor guy has no idea his number has been hijacked.

Flag #7

Over to Google, and there’s news everywhere, including one from CBC a couple weeks ago warning Ontario residents. Read it here.

The Defence

– stay sharp and calm… the above played out over 60 seconds, as in, quickly. And if the call comes in while you are distracted or busy, that’s how you slip up and they win 

– when in doubt never ever give out personal information, especially your Social Insurance Number (SIN)

– call the CRA directly to confirm the validity. Say something like, “I’m very busy at the moment, but will call you back by end of the day.” That way you’ve initiated contact, and the problem should be listed on your file

– ask lots and lots of questions, they don’t like that

– the scammer will be skilled on the phone, they’ll sound smooth, almost too-smooth

– CRA emails will never contain any links, nor will they contain personal information

– listen to your gut, it’s the best defence in these scenarios

See the CRA website for more details on scams.

As always in suspicious scenarios, be wary of clicking on links in an email, and if you must, expand the URL before clicking.

Test yourself here – Spot the phishing email

Blog tag = phishing




Writing a Country Song about Phishing

My neighbour and I started writing a country song last night.

A video posted by Keri Blog (@keriblog) on

I had a virus, now nobody emails me” 

Brian: I used to talk on email all the time, but then I got a virus
Keri: what did it do?
Him: told everyone I thought they were fat
Me: snort
Him: I told them it was a virus, but no one believed it and stopped talking to me
Me: (this happens

Ahh Thursday night, best night of the week. Bet I jacknifed 4 times, got invited to a party and was even drunk dialled, my favourite.

(why it’s the best night, and blog tag = #ThursdayNight)



Can you Spot the Phishing Email?

It arrived in my Gmail earlier this week. How many clues can you spot?

I’ll give you the first two, it’s unfair not to…

1 – I didn’t order anything, and if I had, it wouldn’t have been using that email address.

2 – terrible spelling and grammar, FedEx would never

3 – the big red flag – a non-FedEx email

4 – the absence of information, there’s no links, tracking number…

5 – Operation Agent. I like the name though

As far as phishing emails go, this one’s obvious; see the LinkedIn one for a more sophisticated example here.

—-> ! Know what’s impressive though? —-> !

The attachment made it through Google’s security checks and filters.  Nicely done guy.

That’s why never let downloads open automatically – more here.

And see how small it is? 4K, tiny. Doesn’t take much to mess your machine up.

Stay sharp out there.

Blog tag = Phishing



LinkedIn Invites are Great for Spreading Malware

Fake LinkedIn invitations are one of the most effective methods of getting a human to click a malicious link.

This type of attack, a phishing attack (or a more targeted, spear phishing attack) works because who doesn’t want to increase their LinkedIn number up to that magical 500+. Plus, LinkedIn is maybe the most reputable of all the social media networks, so that reputation is exploited.

Additionally, LinkedIn is a business-oriented social media site, therefore, most use occurs on a computer attached to a corporate network.  And that’s more valuable to a thief than a lone, personal computer.

The Attack

You receive an email, “Let’s connect!”

It looks like a real, and safe, LinkedIn invitation.

Click on “View Profile” > goes to a fake site > where a virus / malware / etc is waiting >  that’s then installed onto your computer > now the attacker has a way into your machine > and potentially the corporate network it’s attached to.

The Defence

I rely on 2 things – my gut, and LinkedIn’s security (note this method is not 100% fail-safe.)

1 – hmm, I have never heard of this human, and something about the name / company makes my gut say wait….

2 – I open a new browser, go to LinkedIn > Invitations > is the same name on my list there?

If yes: click around to verify identity, check for connections in common, and lots of Googling.

If no: delete the email


Don’t be shy to ask for more clarification, proof of identity, reply with “do I know you, and how?”

And always listen to your gut, the best defence against social engineering



Expand and UnMask URLs Before Clicking

URLs shorteners are used to simplify a complicated URL, for the purpose of sharing.

Shrink it to better fit into Tweets, Instagrams, make it more manageable. For example:

becomes, or Google’s shortners are popular, good ‘ole TinyURL.


It’s a blind click, just trusting that the URL
goes to where you’re expecting it to

The attack:

Phishing and social media scams use shortened URLs… example: a private message is sent, “Click here to see the photo I posted of you on Facebook!”.

Click the shortened link > hey this isn’t Facebook > it’s a website that just gifted you a virus, or malware.

The defence:

Expand the URL, “unmask it”. Then, decide if you want to click it.

Try or

If your gut makes you pause, listen. Don’t click it.

Infecting your entire system irreparably, can happen with one bad click.