June 6, 2025
A Cautionary Cyber Story
On a recent Saturday, I received a panicked call from a client. He was on his way to the bank to change his account numbers after realizing he had been the victim of a cyber-attack. I am writing about this to raise awareness of a dangerous social engineering scam that can literally hijack your digital identity. Social engineering is the use of deception and emotional manipulation to influence someone else’s behavior.
Here’s how it works. You receive a text or call that appears to come from your mobile phone carrier (e.g., Verizon, AT&T, or T-Mobile). The message says something urgent, like: “Your SIM card has been suspended. To restore service, enter your personal identification number (PIN) to verify your identity.” Or “Your number transfer has been initiated. To restore service, enter your PIN to verify your identity.” If you enter your PIN, the attacker then uses this information to contact your mobile phone provider and transfer your information to a SIM card they control. A SIM card inside your mobile phone carries an identification number unique to the owner and stores your personal data. Once the attacker has control, your phone immediately loses service: no calls, no texts, and no data. The attacker now receives all of your text messages and calls and has access to any passwords stored on your phone, exposing you immediately to potential identity theft or financial fraud.
This is exactly what happened to our client. A younger, intelligent, and technologically savvy individual, he was momentarily caught off guard when he received the text from someone claiming to be from Verizon asking him to verify his PIN. He paused but had recently moved and was accustomed to changing his address on his accounts. He was also busy at work and had his mind elsewhere. As soon as he entered his PIN, his phone went dead.
Thankfully, he was spared from the adverse effects of the scam after an immediate conversation with our Chief Information Security Officer and a lot of frustrating phone calls to secure important accounts. Afterwards, I recall him saying to me in disbelief that the attacker was “more me than me” after they gained his digital identity.
So, how can you protect yourself? Here are just a few tips.
- Set up strong, unique passwords.
- Enable account alerts (bank login attempts, new device logins, etc.).
- Never enter personal details or PINs from links or messages you didn’t initiate yourself.
- Be suspicious of urgent messages pretending to be from an entity you conduct business with, especially when asked to enter a code or provide personal information.
- Social engineers rely on urgency. Pause before you react. Verify the request and sender before replying. Adopt a mindset of informed skepticism.
- Avoid oversharing on social media.
At Greenleaf Trust, we also have a useful mantra to help us slow down and think before we respond to electronic requests. I’m passing it along to you. It’s simple: if you see a link, stop and think.