___ is the primary source of information for all account investigations.
Admin Tool
True or False. A phone added and verified within 7 days prior to the reported compromise is a High Risk flag.
False. It is a Low Risk flag.
This flag means that the customer can go through the account recovery process to regain access to their account.
____ is a signal that you are communicating with an attacker.
Scammer Grammar
____ is the master workflow designed to address most Safety cases.
T1.5 Restoring Account Access workflow.
___ is the most comprehensive place to understand the flow of funds within an account.
Transaction History/Recent transactions
Which event activity name checks for phone ports/SIM swaps on the customer's account?
Payfone_mobile_status event
What macro should you send if the IP address doesn't match the customer's geolocation?
Trust SME - Request ID Selfie macro.
___ is malicious software that infects your computer and displays messages demanding that a fee be paid before your system will work again.
Ransomware
Which admin note indicates that the account was enabled via email by the customer?
Auto enabled at user's request
What are the two (2) indications in Gondor that a password reset has been made suspiciously?
The IP address doesn't match the customer's geolocation, and the IP address is a VPN.
___ and ___ should be marked as unauthorized transactions.
Complete external sends and unauthorized PayPal withdrawals.
True or False. If you see the Disable Crypto Send for Account Recovery flag, you will need to escalate the case to T2 SME Safety for further review.
False. No need to escalate. This flag will be removed automatically.
____ is the path or means by which a hacker can gain access to a computer or network.
Attack vector.
If we can confirm an ATO but we can't determine the exact attack vector, we can apply the __ label in Admin.
ATO_Confirmed_Customer_Reported label.
This tool assists us in identifying the type of device used for a given transaction or event.
User Agent Lookup Tool/Browser Lookup
4 high-risk email providers
Yopmail
Tutanota
Protonmail
CTemplar
What details do we check in Admin if the account was created as part of a scam or someone else created the account?
Account creation date (<1 month) and transaction history.
The attack vector where the scammer tricks the customer over the phone into giving them login information (such as 2FA codes) to access their Coinbase account.
Vishing
Provide 2 indicators of suspicious activity (any two of the following)
Email replies indicating we could be communicating with an attacker.
Suspicious ID/FM.
Recent admin notes indicating that the account could have been compromised
Recent password reset completed/device confirmation completed from VPN or suspicious geolocation
3 ways to isolate an event sequence
Date range, device fingerprint, IP address
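As an added illustration (not part of the original flashcards and not any Coinbase tool), the three event-sequence pivots above and the two Gondor password-reset indicators (IP not matching the customer's geolocation, IP is a VPN) applied to a constructed admin event log. The event names, the field names and the country/VPN attributes are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample admin events for a single account (not real data).
# Field names ("device_fp", "ip_country", "ip_vpn") are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "event": "login",          "device_fp": "fp-aaa", "ip": "203.0.113.5",  "ip_country": "CA", "ip_vpn": False},
    {"ts": "2024-03-04T22:41:00", "event": "password_reset", "device_fp": "fp-zzz", "ip": "198.51.100.7", "ip_country": "NG", "ip_vpn": True},
    {"ts": "2024-03-04T22:45:00", "event": "device_confirm", "device_fp": "fp-zzz", "ip": "198.51.100.7", "ip_country": "NG", "ip_vpn": True},
    {"ts": "2024-03-04T23:02:00", "event": "totp_enabled",   "device_fp": "fp-zzz", "ip": "198.51.100.7", "ip_country": "NG", "ip_vpn": True},
    {"ts": "2024-03-05T01:10:00", "event": "external_send",  "device_fp": "fp-zzz", "ip": "198.51.100.7", "ip_country": "NG", "ip_vpn": True},
    {"ts": "2024-03-06T10:00:00", "event": "login",          "device_fp": "fp-aaa", "ip": "203.0.113.5",  "ip_country": "CA", "ip_vpn": False},
]


def isolate_events(events, start=None, end=None, device_fp=None, ip=None):
    """Return the events matching every supplied pivot.

    start/end are ISO-8601 strings (inclusive date range); device_fp and ip
    narrow to one device fingerprint or one IP address. Pivots left as None
    are ignored, so any combination of the three can be used.
    """
    start_ts = datetime.fromisoformat(start) if start else None
    end_ts = datetime.fromisoformat(end) if end else None
    out = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if start_ts and ts < start_ts:
            continue
        if end_ts and ts > end_ts:
            continue
        if device_fp and e["device_fp"] != device_fp:
            continue
        if ip and e["ip"] != ip:
            continue
        out.append(e)
    return out


def reset_red_flags(event, customer_country):
    """Return the red flags for a password reset or device confirmation.

    Mirrors the two indicators from the Gondor question: the IP's geolocation
    does not match the customer's, and the IP is a VPN. Other event types get
    no flags.
    """
    flags = []
    if event["event"] not in ("password_reset", "device_confirm"):
        return flags
    if event["ip_country"] != customer_country:
        flags.append("geo_mismatch")
    if event["ip_vpn"]:
        flags.append("vpn")
    return flags


def pivot_from_suspicious_reset(events, customer_country):
    """Find the first flagged reset, then isolate everything from that device.

    This is the usual investigative move: once one reset is suspicious, pivot
    on its device fingerprint to recover the attacker's full event sequence.
    """
    for e in events:
        if reset_red_flags(e, customer_country):
            return isolate_events(events, device_fp=e["device_fp"])
    return []


if __name__ == "__main__":
    for e in pivot_from_suspicious_reset(SAMPLE_EVENTS, "CA"):
        print(e["ts"], e["event"], e["ip"], reset_red_flags(e, "CA"))
```

Run stand-alone it prints the four attacker events (reset, device confirmation, TOTP enablement, external send) tied together by the shared device fingerprint, which is the sequence an agent would record before applying the block outgoing flag and the unauthorized transaction markings.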
If the attacker enabled TOTP on the customer's account, how can we help the customer?
Add the block outgoing flag.
Remove the Account Compromise flag.
Send the "Pending Cx - Customer replaced device - TOTP disable" macro.
Leave an admin note: please escalate to T2 Safety if the customer contacts us and the BO (block outgoing) flag is still in place.
The previous agent applied the trust_lowrisk flag and sent the Escalate to T1.5 Safety macro. However, upon your investigation the account has a high risk flag. What should you do?
Escalate to SME Safety, apply the trust_highrisk flag label and the red flag labels.
If a customer is a scam victim and claims they shared their login credentials with the scammer, what macro should we send?
No macro. Send a free-form response asking the customer to reset their password.
If the customer is from Canada and the losses on the account are 18,000 USD, how can we help the customer?
Apply the trust_10kloss_needsreview label to the SF case and send the Escalate to SME - Safety macro.