We hear about email scams regularly. It happened recently to me on an otherwise quiet, uneventful Saturday morning. I received an email message from what I thought was a trusted source on a work-related site. The email subject line read “REQUEST”. I saw the familiar name of a colleague and thought “OK, he needs my help.”
The message read “I’m tied up now, I need you to take care of this for me now. I need some Apple iTunes gift cards sent out to a client today.” Red Flag #1.
“Let me know if you can get it now and I will advice (sic) quantity and denomination.” Red Flag #2 was the frequency and urgency of the email follow-ups.
Additional email correspondence said to purchase seven $100 iTunes card (Red Flag #3), scratch the codes, and send a photograph of the codes ASAP. (Red Flag #4).
I contacted the real trusted source to see if this request was legitimate. He called me to assure me that the request was a scam.
I received one additional false source email and I replied that I had spoken to the real person and we knew they were scamming. I won’t bother you with my response to the scammers but let’s just say, I don’t think they will be bothering me again.
Oh, I forgot to mention, my wife prayed that we would receive clarity about the legitimacy of the email and we did in a big way. This saved us from financial hardship.
- If you receive an email like this CHECK THE EMAIL ADDRESS. The email address was a contrived AOL account, not a legitimate account.
- Contact the “real” person immediately and apprise them of the situation.
- DO NOT MAKE ANY PURCHASES
- DO NOT SEND CODES VIA EMAIL, TEXT OR OTHER ROUTE.
How did someone know the name of my boss or president?
This tactic is called spear phishing. Phishing is a process most are familiar with. You get an email that asks you to reset your password to share some kind of information, like your credit card number. Phishing attacks are usually broad, don’t use your name or the name of people you know, and are most often posing as a company. Think someone faking PayPal’s email design to trick you into paying a fake PayPal invoice.
Spear phishing works similarly to scam you out of money or personal information but is much more targeted. Emails instead come from the name of your boss or a client. They ask for a specific thing like, “Hey, do you have a second to talk?” If you respond, now the bot knows you’re a real person. You’re hooked. Then they request urgent help to play off a human touch. Now they’ve got you in the net. If you play along and follow the request for sending cash, PayPal, gift cards, or other valuable currency, they’ll have you hooked, netted, and in the boat.
Businesses and nonprofits who list their staff on their websites or other public lists are at risk of this tactic. Staff listings and board appointments often denote who is the CEO, President, or Manager and also list the names and email addresses of “subordinates” or colleagues, it’s easy for a bot to automatically scrape the name of the leadership and send an email to everyone else listed alongside them.
Spear phishing attacks combine automated bots crawling the web and scraping information with nuanced human interaction signals. The result is an email from someone you know, trust, and probably want to please or respond to with as much urgency as they want you to respond with.
How did someone fake their email address?
Spear phishing frequently comes from a similarly-matched domain, like “acmme.com” instead of “acme.com”. Or a company with two l’s in the middle, like Travellers, which is easy to skim and miss.
If the email looks to be “from” your real domain name, that’s called domain spoofing. There are tactics IT departments can use to mitigate these issues like setting stringent SPF records and DMARC records. Both SPF and DMARC are standards used to “verify” that an email sent from a domain is received by your email and matches the sender’s purported identity. Like showing ID or a Passport at the airport. Talk to your security administrator about DMARC and SPF protocols, or contact us for help discussing your company’s cybersecurity protocols.
Will spear phishing get worse?
Most likely we’re going to see more sophisticated spear phishing attacks on people through more channels than just email. You could imagine how a broad phishing campaign could hijack someone’s Facebook password. Armed with that, an attacker could send messages through Facebook Messenger to specific people on your contact list. Automated with more intelligent AI about how to converse with humans and follow a person’s own writing style, these kinds of attacks are going to be the new frontier for cybersecurity.
As always, your best defense is being skeptical. If in doubt, don’t click anything and call someone directly so you can hear their voice. Or, use a secure and encrypted messaging channel like iMessage on iPhones (traditional SMS “texting” is not end-to-end encrypted or at all secure). And always use different passwords that are secure and unique to each service. An attacker who finds your Facebook password and can then figure out your email, bank, WhatsApp, Twitter, and other accounts can easily try using the same password. And more often, they can do so through automated bots and attack thousands of people at a time.