I nearly fell victim to a very sophisticated phishing attempt while traveling in Montreal. While trying to order from an Indian restaurant named [Redacted], I found a website with a very slick online ordering form. After entering my dinner choices, credit card info, phone number, and email, I was shown a dialog that indicated the last step I would need to follow for my order to go through would be to enter an SMS verification code.<p>Nothing up to this point seemed in the least bit phishy; in fact, the website was so professionally designed (including English and French language options, and pictures of the food) that it made me even more confident about the upcoming meal.<p>The code arrived with a ding on my phone, but when I went to enter it I noticed that it was actually a Bank of America 2 factor authentication code. If I had entered it I’m almost certain my banking credentials would have been compromised. And to top it off, I bet that I’d still need to order dinner.
I’ve updated the original post to remove the restaurant name.<p>After a little more digging, I’m more confused than ever.<p>Yelp and other sites list the website I used as the official website, the picture on the website matches the interior of the restaurant, and I don’t see scores of online users claiming their bank accounts were hacked after ordering.<p>I removed the restaurant name out of caution since the best I can tell, the website I used <i>was</i> the official website.<p>But I still for the life of me can’t think of any legitimate reason why the verification code on the order form would prompt me to receive a banking 2FA code unless it were a phishing attempt.<p>Does anyone have any theories on what was going on, and what if anything I should do?