I’m a security reporter and got fooled by a blatant phish
- Thread starter JournalBot
- Start date
Ya know, I’ve often thought I’m too savvy to get phished for all the same reasons. Thanks for sharing Dan… my arrogance doesn’t extend so far as to assume I’m more attuned to this stuff than you, so this is a great wake up call.
Upvote
250
(253
/
-3)
Happens to the best of us. I got caught out late one night while sleepy by a "credit card fraud prevention" phone call. A few minutes after I hung up, I realized what happened and called the credit card company myself.
Upvote
125
(130
/
-5)
...but you weren't, ultimately, phished, from what I can tell. You're defenses, even with this much social engineering, withstood the assault. Or have I read the article wrong?
Upvote
107
(112
/
-5)
Always make up a long number......with a decimal in there somewhere & ask them to read it back to you
If it's a legit call you will know by the response, if not you will get cussed at & they will hang up
Upvote
35
(40
/
-5)
No, I don’t think you read it wrong. But look at the speed at which I took a screenshot and tweeted it. I acted on it before I had fully read it. I’d like to think there’s no way I would have actually sent the info to Twitter, even if I had really wanted the verification, but if I can twee out a screenshot, I can probably do other, worse things on impulse too.
Upvote
177
(180
/
-3)
IPunchCholla
Ars Scholae Palatinae
My employer recently started phishing us, as a way of educating us about phishing. It has really upped m paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).
Upvote
241
(243
/
-2)
This is a great story - if you have some time, I'd love to see what I think is the conclusion from your Twitter account added in for context.
If I'm understanding it correctly, Twitter, for some reason, genuinely decided to mark your account as verified, and you never attempted to actually go through that process. That bit is still technically a mystery.
Then, through some API, luck, or other method, a phisher seemed to notice this genuine activity from Twitter, and attempted to capitalize it? (This is the bit that I'd love added - the "how" a genuine action and phish-attempt action were paired).
Interesting experience to read about. Glad we haven't yet seen Ars making articles asking for donations to "its" crypto wallet yet!
My employer also does this. It felt a little silly at first, but the simulated phishing attempts have gotten progressively more realistic; one of the more recent ones was a "dissatisfied with your job? I'm a recruiter working for X and looking for engineers, I wanted to reach out." kinda thing. It's a little creepy to think of the company collecting metrics on people who click links with that kind of lead, but at the same time I can't deny that it seems like it would be a really plausible email to phish a genuinely dissatisfied employee.
Since it started, I think I look at almost every mail that I'm not expecting with a much more critical eye than I did a few years back.
If I'm understanding it correctly, Twitter, for some reason, genuinely decided to mark your account as verified, and you never attempted to actually go through that process. That bit is still technically a mystery.
Then, through some API, luck, or other method, a phisher seemed to notice this genuine activity from Twitter, and attempted to capitalize it? (This is the bit that I'd love added - the "how" a genuine action and phish-attempt action were paired).
Interesting experience to read about. Glad we haven't yet seen Ars making articles asking for donations to "its" crypto wallet yet!
My employer also does this. It felt a little silly at first, but the simulated phishing attempts have gotten progressively more realistic; one of the more recent ones was a "dissatisfied with your job? I'm a recruiter working for X and looking for engineers, I wanted to reach out." kinda thing. It's a little creepy to think of the company collecting metrics on people who click links with that kind of lead, but at the same time I can't deny that it seems like it would be a really plausible email to phish a genuinely dissatisfied employee.
Since it started, I think I look at almost every mail that I'm not expecting with a much more critical eye than I did a few years back.
Upvote
117
(118
/
-1)
Upvote
-1
(57
/
-58)
Been there! One of the companies I used to work for would regularly do testing of their employees by sending fake phishing emails to everyone. If you clicked on the link, you got a message saying you failed the test. If you reported it as a phishing attempt, you pass!
Most of the time they were very, very obvious. But I definitely recall one time just totally missing it and stupidly clicking the link. Everyone slips up now and then. My mind was probably on something else when it happened, but obviously that's what most of these attempts count on. If just one out of a hundred succeeds, it's worth it to them.
Most of the time they were very, very obvious. But I definitely recall one time just totally missing it and stupidly clicking the link. Everyone slips up now and then. My mind was probably on something else when it happened, but obviously that's what most of these attempts count on. If just one out of a hundred succeeds, it's worth it to them.
Upvote
91
(93
/
-2)
I just got a really realistic one from Paypal. Used their email address, all links went back to paypal and weren't to another site, everything looked legit. The phone number and a little bit of broken english was the tip off in the end. The phone number isn't associated with paypal (with a little googling) and after I thought about it, we all know that paypal doesn't have a single human available to chat on the phone....
It was spooky though.
(small edits for clarity)
It was spooky though.
(small edits for clarity)
Upvote
101
(103
/
-2)
We have been doing that for years. It is a very effective way to increase employee awareness. We snagged employees from all levels, extra cool when we phish the c-suite.
Upvote
55
(57
/
-2)
It is neat seeing them getting the timing right on purpose now.
A few years ago, a (very technically savvy) coworker got phished by receiving a perfectly timed email. They realized it practically instantly, but by then the damage was done.
They were doing the email verification step for an account. Had submitted the form and then 1 minute later the email they were expecting from what looked like the expected sender arrived. That they were expecting the email is really what got them to let down their guard. By the time they caught the signs their password was already gone, and we heard a flurry of curse words from their desk.
It turned out just to be dumb luck. We all got the same phishing email. It just so happened that it was for exactly what they were doing, at the exact right time. Scary how effective it is when the timing is perfect.
A few years ago, a (very technically savvy) coworker got phished by receiving a perfectly timed email. They realized it practically instantly, but by then the damage was done.
They were doing the email verification step for an account. Had submitted the form and then 1 minute later the email they were expecting from what looked like the expected sender arrived. That they were expecting the email is really what got them to let down their guard. By the time they caught the signs their password was already gone, and we heard a flurry of curse words from their desk.
It turned out just to be dumb luck. We all got the same phishing email. It just so happened that it was for exactly what they were doing, at the exact right time. Scary how effective it is when the timing is perfect.
Upvote
120
(120
/
0)
Thank you so much for sharing this. I recently fell victim to a rental scam and, as an IT guy, looking back there were so many red flags. Even more than the money lost, what upset me the most was the shame that I fell for it when I should have known better. Seeing this article really helped me feel a little more accepting of my human flaws.
Upvote
95
(95
/
0)
@Dan
Part of the issue is the near real-time nature of Twitter, which causes you (and others) to respond on impulse
So the probability of being phished is slightly higher
Things take slightly longer on email etc
The above is simply due to the way we are wired & I expect things may get worse & have more information overload
Upvote
9
(13
/
-4)
I just kinda assume I'm going to get Phished, I just hope it's not to an account that I care too much about. I do know that I'll ring the bank if I get things from them, and not do it over the internet, It's a bit hard with these online only companies though
Upvote
6
(6
/
0)
Been seeing quite a few about "your office 365 email recently had a person added to view it, if this is unexpected, click here" that used perfect English, and very believable URLs. took even my very jaded self a bit of looking to see it was a phish. They're getting very, very good.
Upvote
37
(37
/
0)
I think we had 7% fail the latest phishing test. And this is in "Enterprise Security" at a major US Bank. Fun stuff. I can't imagine how bad Sales & Marketing scored on that same test campaign.
Upvote
70
(70
/
0)
But you said you didn't apply for the blue checkmark. Isn't that a sign that the scammers somehow applied for you, rather than just scanning to see when unpredictable things happened?
Upvote
93
(95
/
-2)
Almost got scammed recently when I was expecting a parcel and got an email looking for a customs fee at the same time (probably because Amazon's prime day had just happened) . As the parcel was coming into the EU from the UK, I thought it initially legitimate and was almost going to pay until I copped on a few details (including an SSL cert only registered a few hours ago) but it's exactly that sort of timing that they prey on.
Upvote
37
(37
/
0)
My employer fished us with a free Uber eats coupon for being great employees. A disturbing number of people clicked on it.
I was almost done once with a fake Microsoft login. I was having issues logging into something at the time, having verifications pop up on every app and got an email saying please click here to verify yourself.
Up comes a standard Microsoft screen, I typed my username and was about to type password when I looked at the screen a little closer, then noticed the fake URL.
Upvote
42
(42
/
0)
Dear Mr Goodin,
We’re glad you shared your story on the Internet so hopefully we can now reach you by this means.
According to our records, you haven’t submitted a proof of identity to our services yet.
For your verification to become permanent, you need to respond to this message with either your driver's license, passport, or other government-issued ID.
Best regards
We’re glad you shared your story on the Internet so hopefully we can now reach you by this means.
According to our records, you haven’t submitted a proof of identity to our services yet.
For your verification to become permanent, you need to respond to this message with either your driver's license, passport, or other government-issued ID.
Best regards
Upvote
102
(106
/
-4)
I got caught in one of my employer's phishing tests last year. It was one of those 'external surveys' that referenced an official recent activity. Originally I wasn't sure it was authentic so I just let it be. Later I completely forgot about it, saw the email, and clicked away.
My lessons?
1. Flag suspicious stuff right away when I'm alert and don't let any time bombs linger.
2. Don't use Twitter.
My lessons?
1. Flag suspicious stuff right away when I'm alert and don't let any time bombs linger.
2. Don't use Twitter.
Upvote
18
(19
/
-1)
Like others I’ve been phished by my employer… and I was pissed because a) I was arrogant, as the article suggests, and for two years prior I’d caught every attempt they’d made, and b) I REALLY didn’t want to do the mandatory training that came with it.
Nothing motivates a corporate employee like the threat of mandatory video trainings… they’re all just so painful to watch.
Nothing motivates a corporate employee like the threat of mandatory video trainings… they’re all just so painful to watch.
Upvote
78
(78
/
0)
So.. People call me paranoid, but...
1. No Facebook
2. No Google
3. No Twitter
[[..]]
98. No Orkut
Upvote
-3
(24
/
-27)
I bought something this last weekend using Pay. Monday I get an email from the vendor "support" that said my ordered triggered some fraud flags and I need to email a picture of my ID and Credit Card to support.
I responded that they could cancel the order, no way was I sending someone on the internet a picture of my ID and a picture of my credit card (which being Pay from an AppleCard would have had to be a screen shot of the Wallet app.
The item arrived problem free today without me really doing a thing. Phish or not.
I responded that they could cancel the order, no way was I sending someone on the internet a picture of my ID and a picture of my credit card (which being Pay from an AppleCard would have had to be a screen shot of the Wallet app.
The item arrived problem free today without me really doing a thing. Phish or not.
Upvote
19
(21
/
-2)
Considering my major US bank still thinks one-time codes sent over SMS are something to tout as a security feature, I am not surprised.
Them: Oooo look we have 2FA!
Me: Great, where do I enroll my hardware token?
Them: What's that? We'll just send you a text!
Upvote
65
(65
/
0)
A friend of mine got phished a number of years ago in such a specific way that I never expected the bad guys were doing.
Some black hat got his email login password from him having logged into webmail on a compromised computer in a hotel (his company switched to 2FA after this). Those credentials ended up sold/transferred someone smart/patient enough to do the following:
1) Notice that my friend was the CFO of his company.
2) Notice that he handled large invoices (hundreds of thousands of dollars) that were sent to him in email, and forwarded to his accounts payable through email.
3) Wait until my friend was out of town and in a meeting. Since it was an Exchange account, they had access to his email and calendar.
Then while he was in the meeting:
4) Set Exchange to automatically move new emails to a newly created folder, so that new emails would no longer show up on his phone. This stopped him from seeing any confirmation replies sent in response to emails going out from his account.
5) Doctored a real and unpaid invoice (hundreds of thousands of dollars) from his Inbox to change the wiring instructions to the bad guys’ account at a Mexican bank.
6) Sent the doctored invoice to the accounts payable guy who usually gets sent such invoices, with a note to pay it immediately, as the vendor had just called impatiently asking for payment. The note was worded similarly to previous notes he had sent with invoices.
7) With the following addition: “And don’t worry, I already checked with them about the Mexican bank account. It’s kosher.” (Not the actual quote, but something like that.
)
8) Companies often have a setup process for a new vendors that might raise alarms if a fraudulent invoice were from a new vendor, so the attacker seems to have specifically made sure this was a repeat payee.
9) Accounts payable dutifully paid the invoice immediately.
Not much later:
10) My friend gets out of his meeting, calls his office to chat about something else. “Oh, just so you know, I paid that invoice you sent me” … pause … “What invoice?”
They managed to get the money back, but only because they called their bank fast enough for them to call the Mexican bank and freeze the receiving account. But it took the whole rest of the day to get it straightened out and his bank told him that if he’d called much later enough time would have passed for the trail to that money to have essentially disappeared, with no recourse. Those kinds of moneys gets swept right away to another bank, to another bank, etc., in a process where following it eventually hits a dead-end.
My surprise at all that is that, besides the initial process of getting my friend’s login from a compromised computer, nothing about the attack was automated or even generic. Someone read through his emails/calendar to develop a specific attack targeting his workflow.
Some black hat got his email login password from him having logged into webmail on a compromised computer in a hotel (his company switched to 2FA after this). Those credentials ended up sold/transferred someone smart/patient enough to do the following:
1) Notice that my friend was the CFO of his company.
2) Notice that he handled large invoices (hundreds of thousands of dollars) that were sent to him in email, and forwarded to his accounts payable through email.
3) Wait until my friend was out of town and in a meeting. Since it was an Exchange account, they had access to his email and calendar.
Then while he was in the meeting:
4) Set Exchange to automatically move new emails to a newly created folder, so that new emails would no longer show up on his phone. This stopped him from seeing any confirmation replies sent in response to emails going out from his account.
5) Doctored a real and unpaid invoice (hundreds of thousands of dollars) from his Inbox to change the wiring instructions to the bad guys’ account at a Mexican bank.
6) Sent the doctored invoice to the accounts payable guy who usually gets sent such invoices, with a note to pay it immediately, as the vendor had just called impatiently asking for payment. The note was worded similarly to previous notes he had sent with invoices.
7) With the following addition: “And don’t worry, I already checked with them about the Mexican bank account. It’s kosher.” (Not the actual quote, but something like that.
)8) Companies often have a setup process for a new vendors that might raise alarms if a fraudulent invoice were from a new vendor, so the attacker seems to have specifically made sure this was a repeat payee.
9) Accounts payable dutifully paid the invoice immediately.
Not much later:
10) My friend gets out of his meeting, calls his office to chat about something else. “Oh, just so you know, I paid that invoice you sent me” … pause … “What invoice?”
They managed to get the money back, but only because they called their bank fast enough for them to call the Mexican bank and freeze the receiving account. But it took the whole rest of the day to get it straightened out and his bank told him that if he’d called much later enough time would have passed for the trail to that money to have essentially disappeared, with no recourse. Those kinds of moneys gets swept right away to another bank, to another bank, etc., in a process where following it eventually hits a dead-end.
My surprise at all that is that, besides the initial process of getting my friend’s login from a compromised computer, nothing about the attack was automated or even generic. Someone read through his emails/calendar to develop a specific attack targeting his workflow.
Upvote
151
(152
/
-1)
Carpetsmoker
Ars Praetorian
Many probably aren't, except the ones who are
It can be used to verify, "yes, this is really Elon Musk tweeting out these crazy things! lolwut?!" (previously: Donald Trump).
At any rate, a few years back I got sent an unexpected Amazon gift card. It took me a lot of staring at the email headers to become convinced it was real. I've implemented various email systems for a living for ten years, read most pf the RFCs from cover to cover (and implemented them!), and know more about the details of email than most. And while everything *looked* real, I was convinced I must be missing something for quite a while. Eventually I became convinced it was real, but it wasn't easy to determine. Then a few weeks later I recalled that I participated in an online study almost a year prior which involved a video interview, there was no mention of any compensation that I recall, so I wasn't expecting any, which explained why a random university from the other side of the world sent me a Amazon gift card in the first place.
You can correctly identify 99 scams and that's all fantastic, but make a mistake once because you're distracted because you have a cold and had a fight with your spouse this morning and you're out of a few thousand money units, your business is on its arse, or worse.
Upvote
34
(35
/
-1)
My company does that now too. The spam filter is very aggressive so that I have never received a legitimate spam email to my company account (I can't even get some emails through that I send myself from my personal email) so I almost failed the first time they tested everyone. That first message was presenting itself as an electronic greeting card like thing. Since the spam filter was so aggressive and some of my coworkers are so dumb I expected someone might have legitimately sent something like that to me. I didn't click on it, not because I thought it was a phishing attempt, but because I thought it was stupid. It was only later that I learned it was the start of a new enterprise security test. The ones I've received since have all been blindingly obvious now that I know they're doing it.
Upvote
8
(8
/
0)
Upvote
14
(14
/
0)
I agree, SMS OTP delivery is less than ideal. Although perhaps this may comfort you some, there is A LOT that happens before the SMS is sent to make sure it's you and the device we expect. SIM swap be damned. At least that's how we do it.
I'm actually on working on a "next-gen" architecture (if you will) for our OTP logic. So I have become way more familiar with all the various OTP options over the last 2 months that I've been assigned to this new project.
Upvote
12
(14
/
-2)
By coincidence, this happened to the same friend of mine that was the target of the phishing attack I described right above your post. And happened after that episode:
Many probably aren't, except the ones who are
It can be used to verify, "yes, this is really Elon Musk tweeting out these crazy things! lolwut?!" (previously: Donald Trump).
At any rate, a few years back I got sent an unexpected Amazon gift card. It took me a lot of staring at the email headers to become convinced it was real. I've implemented various email systems for a living for ten years, read most pf the RFCs from cover to cover (and implemented them!), and know about the details of email than most. And while everything *looked* real, I was convinced I must be missing something. Eventually I became convinced it was real, but it wasn't easy to determine. Then a few weeks later I recalled that I participated in an online study almost a year prior which involved a video interview, there was no mention of any compensation that I recall, so I wasn't expecting any, which explained why a random university from the other side of the world sent me a Amazon gift card in the first place.
You can correctly identify 99 scams and that's all fantastic, but make a mistake once because you're distracted because you have a cold and had a fight with your spouse this morning and you're out of a few thousand money units, your business is on its arse, or worse.
He gets a letter from his state’s treasury office telling him he has an abandoned account somewhere. He ignores it, since obviously that’s just some kind of scam.
Gets another similar letter a few months later. Ignores it.
Third letter. Figures what he can do is call the general phone number at the treasury office… sort of the equivalent of getting a weird email from Amazon and instead of clicking the link in the email, just open the browser and go to Amazon.com. Then if the email is real, [whatever] will show up related your account when you log in.
Calls treasury: Turns out he really did have a small financial account he hadn’t fully emptied when he closed it some years ago. (Probably some deposit cleared right after he took out all the money, but he’s not positive about that).
Yeah, sometimes these things are real. The trick is to use some out-of-band method to respond/verify. Don’t call the phone number that’s in the suspected letter. Look up the company/agency’s 800-number and call that phone number.
Upvote
94
(94
/
0)
I got a forced registration for lastpass through not that long ago. I ignored it believing it to be obvious garbage "hey click here and enter all your passwords". The fact it came with a second one saying "you shouldn't trust emails wanting passwords but this is the exception!" was mildly impressive but not unprecedented.
Colleague told me yesterday they checked with IT over the phone and it's real. They really do want all of us to click that email, install the browser extension, and let it have all our passwords without a second thought. What. The. Fuck.
You do not EVER communicate that kind of change through email, especially not the same-day as the change. Not the kind of behaviour I'd want to train users into. In person/video call announcements from the head of every department to their employees only.
But I guess that's why I'm not an overpaid CSO.
Upvote
72
(72
/
0)
I’ve never fallen victim to a phishing attack. Send me your social security number, a credit card number with expiration date and security code, and your home address and I’ll tell you my secret to success.
Upvote
42
(42
/
0)