Fred Posner

Fred Posner personal blog

Florida First Credit Union Phishing Attack

Posted . ~4min read.

So, today at work I got a call on my cell from a blocked number. I normally don’t answer blocked numbers, but for some reason I did. Anyway, text-to-speech engine identifies itself as Florida First Credit Union and that my credit card was suspended. I hung up.

I honestly assumed this was a legit call. You see, I recently changed my cell phone to AT&T and get a few calls a week for the former owner. Then, about an hour or so later, Yeni gets a call on her cell from 377-372-5939. She didn’t recognize the number (and also gets a few wrong numbers) and handed me the phone. 

The same text to speech engine, identifying itself as Florida First Credit Union had now called my wife’s phone. This time, I let it speak it’s script.

As best as I can remember, it stated that to reactivate my credit card, I needed to press 0. So, I did. The text-to-speech script was well written. It advised that the call may be monitored or recorded for quality and asked me to enter my credit card number followed by pound.

I tried 100# and was read back that I entered one zero zero. I was then told it wasn’t a valid card number. I tried entering 0#. I was told I entered zero which wasn’t a valid card number. I didn’t enter a valid card and eventually ended the call.

Yeni and my phone numbers are about 1500 numbers apart. I figured there was a call blast and tried to alert local law enforcement (the Alachua County Sheriff’s Office). The call taker brushed me off, but I insisted I wanted to make a report— this was a good script and I’m sure at least a few people in the area will get scammed. Later in the night a Deputy did call me and completed an information report.

I also called AT&T. After being transferred to fraud prevention (insert laugh), I explained what was going on. The call-taker was unfamiliar with phishing via the phone and simply did not understand how phishing could be done without a text or email (hello vishing). I was seriously talking to a wall.

The funny part with AT&T was that I called to report phishing on their network and called from my AT&T wireless phone. I was asked my address, full name, last 4 of social, and more. Very odd, and certainly not the most appropriate action.

Anyway, I tried. I don’t know what I wanted… I guess in my dream of dreams AT&T would stop the attack and have their network secured from bogus caller-id and blocked numbers. The dream was just that— a dream.

Why did I even try? I don’t know. I’ve always loved this quote from Albert Einstein:

“The world is a dangerous place. Not because of the people who are evil; but because of the people who don’t do anything about it.”

We’ll see. With luck, most people will realize this is a scam and it will fail. That being said, the script was well written. Social engineering is very powerful when done correctly. The writing on this attack was excellent.

Remember, your personal information is yours. You should never feel comfortable giving out birth dates, addresses, credit cards, social security numbers, etc. Here’s a few good tips to protect yourself from attacks:

  1. **Be suspicious. ** For example, if you’re receiving a call about your credit card number, why would they need your credit card number? There’s nothing wrong with asking why someone needs the information they are requesting. If you feel uncomfortable, don’t give it. I generally don’t. I’ll ask why they need the info and what else they can use instead of what they are requesting.
  2. Don’t answer calls from numbers you don’t recognize. If they don’t leave a voicemail, they weren’t worth your breath.
  3. Don’t answer calls from blocked numbers. Let me put it this way… why would you answer calls from blocked numbers?

By-the-bye, 3773725939 is a bs number. There is no active 377 area code. This is where I think ATT fails… why would a number like this be allowed on the network? That being said there is a Florida First Credit Union and this is a very good phishing attack.


Other people (including my mother-in-law) received the call with a CID of “8.” Looks like several friends on Verizon Wireless also received the calls.

28-Apr-2012. Getting hit again… which means it must have worked well enough the first time to target people again. Of course, despite requests no media has informed residents to be careful. =(

29-Apr-2012. I sent an email to Sgt Kelly at ASO… he was very good at getting the word out. For example, this small piece in The Gainesville Sun.

07-May-2012. Looks like more people are continuing to get hit. TV 20 came to the bakery today and did an interview.

Latest Posts