I’m a security reporter and got fooled by a blatant phish

My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

Same here.

Yet, they use cryptic shortened URLs in their employee emergency broadcast alert SMS -- exactly the type they are training us NOT to click on.

¯\_(ツ)_/¯
Part of the issue is that "they" is truly they as in plural. InfoSec trains people about security best practices. A green IT staffer is hired that doesn't know much and does things against this training. HR onboards an app themselves and doesn't include IT or follow security requirements. I can't speak for non-American companies, but here everything is about productivity and deadlines of yesterday or new people coming on that don't know the normal processes in place.

That's how all this stuff happens.
 
Upvote
2 (2 / 0)

ripvlan

Ars Scholae Palatinae
1,151
It's true, the "act now!" has caused me to jump a few times. Phone calls don't work. To that IRS "we're coming to your house" one I replied, "I'll clean my gun, what time you coming?" [scammer told me to F off and hung up]

But I did get an email once that made my hair stand up. It was a scam, I even knew it was. They claimed to have something embarrassing on me (which I knew wasn't true). The hook was that they'd email everyone I knew if I didn't pay up. I knew they had nothing on me, but I didn't want to explain it to family & friends.

Then I took a breath and realized that 100+ people with names starting with R had been cc'd. They didn't know who I was, much less who I knew. But for a brief few minutes I was mildly panicked.

Sometimes you have fun. Be prepared, I actually practice my responses for real emergencies or scams. I love live calls. Once I received the "grandpa, I'm in trouble, help me" a) my children are under 10. So I replied, "call your no good father. I know he's in jail, but that no-good-such-n-such is the responsible party. And YOU, you need to get a legit job so you don't end up like him."
 
Upvote
7 (7 / 0)

jhopkins

Wise, Aged Ars Veteran
110
A friend of mine got phished a number of years ago in such a specific way that I never expected the bad guys to be doing.

Some black hat got his email login password from him having logged into webmail on a compromised computer in a hotel (his company switched to 2FA after this). Those credentials ended up sold/transferred to someone smart/patient enough to do the following:

1) Notice that my friend was the CFO of his company.

2) Notice that he handled large invoices (hundreds of thousands of dollars) that were sent to him in email, and forwarded to his accounts payable through email.

3) Wait until my friend was out of town and in a meeting. Since it was an Exchange account, they had access to his email and calendar.

Then while he was in the meeting:

4) Set Exchange to automatically move new emails to a newly created folder, so that new emails would no longer show up on his phone. This stopped him from seeing any confirmation replies sent in response to emails going out from his account.

5) Doctored a real and unpaid invoice (hundreds of thousands of dollars) from his Inbox to change the wiring instructions to the bad guys’ account at a Mexican bank.

6) Sent the doctored invoice to the accounts payable guy who usually gets sent such invoices, with a note to pay it immediately, as the vendor had just called impatiently asking for payment. The note was worded similarly to previous notes he had sent with invoices.

7) With the following addition: “And don’t worry, I already checked with them about the Mexican bank account. It’s kosher.” (Not the actual quote, but something like that.;))

8) Companies often have a setup process for new vendors that might raise alarms if a fraudulent invoice were from a new vendor, so the attacker seems to have specifically made sure this was a repeat payee.

9) Accounts payable dutifully paid the invoice immediately.

Not much later:

10) My friend gets out of his meeting, calls his office to chat about something else. “Oh, just so you know, I paid that invoice you sent me” … pause … “What invoice?”

They managed to get the money back, but only because they called their bank fast enough for them to call the Mexican bank and freeze the receiving account. But it took the whole rest of the day to get it straightened out, and his bank told him that if he'd called much later enough time would have passed for the trail to that money to have essentially disappeared, with no recourse. That kind of money gets swept right away to another bank, to another bank, etc., in a process where following it eventually hits a dead end.

My surprise at all that is that, besides the initial process of getting my friend’s login from a compromised computer, nothing about the attack was automated or even generic. Someone read through his emails/calendar to develop a specific attack targeting his workflow.

Is your friend Linus? Sounds very much like his story: https://www.youtube.com/watch?v=ITCohgBLLJM (edited with more relevant video update)
 
Upvote
3 (3 / 0)
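The two moves that made the story above work, an inbox rule that hid the replies and a real invoice with swapped bank details, are both detectable. The following is an added example, not code from the post or from any product: it scores inbox-rule events from a constructed mailbox audit log (the NDJSON field names are assumptions, not a real schema) and diffs an invoice's remittance block against a constructed vendor master record. The vendor names, account numbers and IP addresses are made up.

```python
"""Two checks for the attack described above: an inbox rule that silently
diverts new mail, and a payment request whose bank details differ from what
the vendor has been paid at before. Added example, not from the post; the
audit-log shape and vendor records are constructed for illustration."""
import json
import re
from collections import defaultdict

# Constructed mailbox audit log (NDJSON, oldest first). Field names are
# assumptions, not any product's real schema.
AUDIT_LOG = """\
{"ts":"2023-03-01T09:00:00Z","user":"cfo@example.com","op":"Logon","client_ip":"203.0.113.7"}
{"ts":"2023-03-01T09:05:00Z","user":"ceo@example.com","op":"Logon","client_ip":"203.0.113.7"}
{"ts":"2023-03-01T14:02:11Z","user":"cfo@example.com","op":"Logon","client_ip":"198.51.100.9"}
{"ts":"2023-03-01T14:03:40Z","user":"cfo@example.com","op":"New-InboxRule","client_ip":"198.51.100.9","rule":{"name":".","move_to":"RSS Subscriptions","conditions":{}}}
{"ts":"2023-03-01T14:05:02Z","user":"cfo@example.com","op":"Send","client_ip":"198.51.100.9","to":"ap@example.com","subject":"FW: Invoice 4471, please pay today"}
{"ts":"2023-03-02T10:00:00Z","user":"ceo@example.com","op":"New-InboxRule","client_ip":"203.0.113.7","rule":{"name":"Newsletters","move_to":"Newsletters","conditions":{"from":"news@vendor.example"}}}
"""


def parse_log(text):
    """Parse NDJSON audit records; the log is assumed to be time-ordered."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_rules(events, min_score=2):
    """Score each inbox-rule creation/change and return those worth a look.

    Signals: a rule with no conditions that moves or deletes mail (diverts
    everything, including the replies the victim would otherwise see); a name
    that is empty or punctuation only (easy to overlook in the rules list);
    and creation from a client IP this user has hardly been seen from.
    """
    prior = defaultdict(lambda: defaultdict(int))  # user -> ip -> earlier events
    findings = []
    for ev in events:
        user, ip = ev["user"], ev.get("client_ip", "")
        if ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            rule = ev.get("rule", {})
            diverts = bool(rule.get("move_to")) or bool(rule.get("delete"))
            checks = [
                (2, diverts and not rule.get("conditions"),
                 "catch-all rule that moves/deletes all new mail"),
                (1, not re.search(r"[A-Za-z0-9]", rule.get("name", "")),
                 "rule name is empty or punctuation only"),
                (1, prior[user][ip] < 2,
                 f"created from client {ip}, rarely seen for this user"),
            ]
            score = sum(w for w, hit, _ in checks if hit)
            if score >= min_score:
                findings.append({"ts": ev["ts"], "user": user, "score": score,
                                 "reasons": [r for _, hit, r in checks if hit]})
        prior[user][ip] += 1
    return findings


# Constructed vendor master: where this vendor has been paid before.
VENDOR_MASTER = {
    "Acme Fabrication": {"bank": "First Example Bank", "account": "000123456789"},
}

ORIGINAL_INVOICE = """Acme Fabrication - Invoice 4471 - Amount due: USD 248,300.00
Remit to: First Example Bank, Account No: 000123456789"""

DOCTORED_INVOICE = """Acme Fabrication - Invoice 4471 - Amount due: USD 248,300.00
Remit to: Banco Ejemplo, Account No: 9988776655
Note: we recently changed banks, please update your records."""


def extract_remittance(invoice_text):
    """Pull bank name and account number out of a 'Remit to:' line."""
    m = re.search(r"Remit to:\s*(?P<bank>[^,\n]+),\s*Account(?:\s*No\.?|\s*#)?:?\s*(?P<account>\d{6,})",
                  invoice_text, re.IGNORECASE)
    return {"bank": m.group("bank").strip(), "account": m.group("account")} if m else {}


def payment_detail_changes(vendor, invoice_text, master=VENDOR_MASTER):
    """Return the remittance fields that differ from the vendor's known details.

    Anything non-empty means: confirm by phone on a number already on file,
    whatever the forwarding note claims. An unknown vendor or an unparseable
    remittance block is reported as well, so the check fails closed.
    """
    known = master.get(vendor)
    found = extract_remittance(invoice_text)
    if not known or not found:
        return ["unverifiable"]
    return sorted(f for f in ("bank", "account") if found.get(f) != known.get(f))


if __name__ == "__main__":
    for hit in suspicious_rules(parse_log(AUDIT_LOG)):
        print("inbox rule:", hit)
    print("original invoice:", payment_detail_changes("Acme Fabrication", ORIGINAL_INVOICE))
    print("doctored invoice:", payment_detail_changes("Acme Fabrication", DOCTORED_INVOICE))
```

The rule scoring is deliberately weighted: a benign "move newsletters" rule created from a new laptop scores 1 and stays quiet, while a catch-all rule named "." from an IP the user logged in from once minutes earlier scores 4. The invoice check fails closed on purpose; the attacker's "I already checked with them" note is exactly the thing the process must not accept as verification.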
I got an email once informing me they had captured video of me masturbating; in fact it was split-screen with the webcam footage of me on one side, and the pR0n I was watching on the other. If I didn't pay up they would inform all my contacts. I knew it was bogus because at the time I didn't even have a computer in my home, and I certainly don't masturbate at work. Also, the email account this was sent to was on a headless system, and so didn't even have a webcam.
 
Upvote
5 (5 / 0)

Penforhire

Ars Tribunus Angusticlavius
6,446
Subscriptor
Just like noraar mentioned in the comments, I got so paranoid I almost ignored a real alert.

Mine was from American Express but their texts and phone messages felt off so I didn't respond for a few days. I finally called the number on the back of my credit card and they confirmed a real identity theft issue (they had thankfully already rejected the charge).

When the scammers start intercepting our outgoing calls then I'll be screwed...
 
Upvote
3 (3 / 0)

aposm

Smack-Fu Master, in training
95
My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

Mine too - except, the emails contain a header clearly labeling them as a phishing threat simulation! It has pretty quickly become standard practice to set up inbox rules auto-deleting these, at least among the engineering types (which is a large portion of the total headcount)...
 
Upvote
2 (2 / 0)

IPunchCholla

Ars Scholae Palatinae
867

I got a version of that blackmail email. The first time I saw it (because they have sent it literally hundreds of times at this point; at one point it was the vast majority of my inbox), the twist was that the nickname had been changed to my own email and they claimed that, along with showing me an old password, proved they had hacked my email/computer. It was a password I hadn't used for email for years, but I was using a new client at the time and it took me a minute or two to find the email header so I could confirm it didn't really come from my email. It was a worrying couple of minutes. I feel bad for anyone who feels they have something to hide (my first thought was closeted gay people, but there are plenty of others we sex shame or shame in other ways) and isn't tech savvy. It kinda makes me think email clients should highlight the from address.

I'm pretty sure they got my email/password from the Dropbox hack.
 
Upvote
3 (3 / 0)
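What the client should have made obvious in the sextortion email above is the gap between the display name and the actual sender, and whether a message claiming to come from your own address ever passed SPF/DKIM/DMARC at your own mail server. The following is an added example, not code from the post: it parses three constructed messages with Python's standard email module and reports those signals. The domains, addresses, and the Authentication-Results stamps are assumptions made up for the example; the "password" lure in the text is the kind of thing that comes from an old breach dump, as the poster guesses, and the code does not try to verify it.

```python
"""Show what the mail client should have made obvious in the sextortion note
above: the display name is not the sender, and whether a message that claims
to come from your own address actually passed SPF/DKIM/DMARC at your own MX.
Added example; the messages are constructed and the domains are assumptions."""
import email
import re
from email.utils import parseaddr

OWN_DOMAIN = "example.com"           # assumption: the recipient's own domain
TRUSTED_AUTHSERV = "mx.example.com"  # only believe Authentication-Results stamped by our MX

# Constructed: display name set to the victim's own address, real sender elsewhere.
MSG_DISPLAY_NAME_TRICK = """\
Return-Path: <bounce-7731@bulk.mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk.mailer.example.net; dkim=pass header.d=bulk.mailer.example.net; dmarc=none
From: "alice@example.com" <bounce-7731@bulk.mailer.example.net>
To: alice@example.com
Subject: Your account has been hacked

I know your password is hunter2. I have a video ...
"""

# Constructed: From header forged outright; our MX recorded SPF and DMARC failure.
MSG_FORGED_FROM = """\
Return-Path: <x@198-51-100-9.dynamic.example.org>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=198-51-100-9.dynamic.example.org; dkim=none; dmarc=fail header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: Your account has been hacked

I sent this from your own account, so you know I am in ...
"""

# Constructed: an ordinary internal message, for contrast.
MSG_LEGIT = """\
Return-Path: <bob@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Bob Example <bob@example.com>
To: alice@example.com
Subject: lunch?

Noon?
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Parse spf/dkim/dmarc verdicts, but only from a header our own MX stamped.

    Anyone can add an Authentication-Results header before the message reaches
    us, so a header whose authserv-id is not ours is ignored.
    """
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {}  # no trustworthy header: treat as unauthenticated


def assess_sender(raw):
    """Return the real From address, the display name, auth verdicts and red flags."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = auth_results(msg)
    flags = []
    # A display name shaped like an address is the trick in the post above.
    if "@" in display and display.lower() != addr.lower():
        flags.append(f"display name {display!r} looks like an address but sender is {addr}")
    # "From our own domain" is only believable if our MX saw DMARC pass.
    if _domain(addr) == OWN_DOMAIN and auth.get("dmarc") != "pass":
        flags.append(f"claims to be from {OWN_DOMAIN} but DMARC verdict is {auth.get('dmarc', 'missing')}")
    # Bounces going somewhere unrelated is another cheap tell.
    if return_path and _domain(return_path) != _domain(addr):
        flags.append(f"bounces go to {_domain(return_path)}, not {_domain(addr)}")
    return {"from": addr, "display_name": display, "auth": auth, "flags": flags}


if __name__ == "__main__":
    for name, raw in [("display-name trick", MSG_DISPLAY_NAME_TRICK),
                      ("forged From", MSG_FORGED_FROM), ("legit", MSG_LEGIT)]:
        print(name, "->", assess_sender(raw))
```

Note that the first message passes SPF and DKIM: the bulk mailer really did send it, so authentication alone says nothing. The display-name check is what catches it, which is the poster's point about clients highlighting the actual from address rather than the name.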
This is actually fairly common.
 
Upvote
4 (4 / 0)

Retorrent

Smack-Fu Master, in training
60
We all slip every now and then, even the best of us. I work at an MSP and our company sends out simulated phishing attacks randomly. Until recently I would pass them with flying colors, but one morning when I was under-caffeinated I fell for the trap like an idiot. Spent the first hour of the next day doing the required security training to get internal IT off my back.
 
Upvote
3 (3 / 0)

Jim Salter

Ars Legatus Legionis
17,133
Subscriptor++
I feel bad for anyone who feels they have something to hide (my first thought was closeted gay people, but there are plenty of others we sex shame or shame in other ways) and isn't tech savvy. It kinda makes me think email clients should highlight the from address.

I'm pretty sure they got my email/password from the Dropbox hack.

The big thing for me is even if they HAD video of me flogging the bishop, I'd be vastly less embarrassed about people seeing that than I would be embarrassed about people finding out I gave such an attacker money. So that grift is a complete no-op for me.

The first one I got, I shared on Facebook and Twitter and joked "if you don't wanna see that video, I guess you better give this guy some Bitcoin, cause I'm not gonna."
 
Upvote
8 (8 / 0)

mitchdbx

Seniorius Lurkius
29
Subscriptor++
I'm a chair of a Computer Science department. The university recently deployed a phishing training exercise, and two of my faculty failed. The CIO started to make fun of my faculty for failing (all good-natured) when I interjected and said, "you mean we are all human?"

We all need to realize that we have different triggers and the criminals know this. You should be most cautious of an email, phone call, text, etc. when you feel your anxiety kick in!
 
Upvote
8 (8 / 0)

evan_s

Ars Tribunus Angusticlavius
7,315
Subscriptor
...but you weren't, ultimately, phished, from what I can tell. Your defenses, even with this much social engineering, withstood the assault. Or have I read the article wrong?
No, I don't think you read it wrong. But look at the speed at which I took a screenshot and tweeted it. I acted on it before I had fully read it. I'd like to think there's no way I would have actually sent the info to Twitter, even if I had really wanted the verification, but if I can tweet out a screenshot, I can probably do other, worse things on impulse too.

And I think this is the right attitude. You were phished because you acted on something you thought was legitimate before analyzing it enough to catch all the signs that it was fake. It ultimately was pretty harmless because you didn't reveal any information or do anything harmful but you still fell for it for a short period of time.

Dismissing it because you basically got lucky this time and the phishing attempt was tied to something you weren't interested in and wouldn't have done even if it was legit just breeds the arrogance that will allow this to happen again sometime and might actually hurt.

My personal "I accidentally clicked the phishing email" story is similar. Work does phishing tests and I almost always spot them easily and report them. For some reason one time I didn't report or delete the message, so it was left sitting in my inbox, and some time later I was searching for a link HR had sent out and the phishing message came up. It looked close enough to what I was looking for and I wasn't being skeptical of the message, so I clicked the link and boom, "You failed your phishing test" popped up. I didn't fall for it initially, but when I wasn't in the right frame of mind I did click on the link, and yeah, maybe I wouldn't have logged into anything if it had been a real phish, but it could also have easily just been a 1-click exploit and my machine got owned.
 
Upvote
5 (5 / 0)

unequivocal

Ars Praefectus
4,800
Subscriptor++
The person behind the DM almost certainly relied on a script that either monitored new Twitter verifications or my timeline and swooped in almost immediately after the verification went into effect, probably with the use of an automated script.
But you said you didn't apply for the blue checkmark. Isn't that a sign that the scammers somehow applied for you, rather than just scanning to see when unpredictable things happened?

I think Dan's explanation is more plausible, that scammers are monitoring new verified accounts and trying to scam all of them. Applying for a verified account is a pain and approval is uncertain. It's easier to just monitor all the new accounts and try to hit them all.
 
Upvote
2 (2 / 0)
Sometimes the stars align just right for a phisher. I had a very near miss recently. I was on the phone with my spouse while we were trying to work out an online subscription (purchased from a verified legit foreign vendor) as a gift. We were having trouble getting the foreign site to accept a credit card and were trying things and getting frustrated and distracted by both of us trying things when I got a text: "Attempted foreign charge on your Bank Of America credit card. {shortened link} for more information."

And if I'd had a Bank Of America credit card, I'd have tapped that link in a moment of frustration. If the spam had randomly chosen my nationwide bank chain instead of BofA, I'd have tapped the link.

They hadn't targeted me, they didn't know I was frustrated with a foreign transaction, I just caught a bit of spray that happened to almost match my reality and nearly got me. That's all they need for success.
 
Upvote
4 (4 / 0)

IPunchCholla

Ars Scholae Palatinae
867

Yeah, I’m the same way. I wouldn’t care. But I work with trans people, as well as people who are still working out who they are, sexually. Many times they have been disowned by their families and have lost friends. And this is what happened to them when they made the choice to be public.

This same email being sent to a non-tech savvy 14 year old working through their sexuality living with an unsupportive family terrifies me. Makes me glad I was 14 in 1986. It was hard enough then, though.
 
Upvote
10 (10 / 0)

tjukken

Ars Praefectus
4,004
Subscriptor
Only one? I've gotten 20, at least. But there must be some people who do video sex stuff and fall for it. Otherwise, why would they continue sending them out?
 
Upvote
1 (1 / 0)

moosemaimer

Ars Scholae Palatinae
816
I got an email from my bank yesterday that I had been bumped up to a new rewards tier, with a link button... I expected it to take me to a generic landing page, but what came up was a login screen. My brain completely locked up for a few seconds, until I checked that it had opened the app instead of a browser. Probably should've waited until I could get to a desktop email client and inspect the link.
 
Upvote
0 (0 / 0)

dangoodin

Ars Tribunus Militum
1,642
Ars Staff
Lots of confusion about whether my account really was verified and if yes, why. I just added the following paragraph:

First, for clarity, a quick explanation. My Twitter account really was verified. I still don't know why. It may be that Twitter did it unilaterally, possibly because the company wants to verify journalists or wants to increase the number of verified users it has. It's also possible that someone at my employer Conde Nast made this happen and somehow this didn't get communicated to me. The main thing is my account really did get verified. The phisher, either using a bot that monitors new verifications or seeing my tweet, quickly capitalized on this.
 
Upvote
4 (4 / 0)

lp0_on_fire

Ars Scholae Palatinae
601
The cold hard truth where I work is the attack vector that is being successfully utilized in spear phishing attacks and impersonation scams is information being freely shared on LinkedIn.

Want to know who is the payroll administrator for the Southeast? It's on there. She gets bombarded with so much garbage that she routinely misses or ignores legitimate requests.

Want to know who is responsible for assessing donation requests? Yep, it's there too.

We "donated" five $100 giftcards to somebody impersonating a non-profit who knew exactly who to impersonate and exactly who to contact.

Of course that scheme fell apart when we sent physical gift cards to the real person who was grateful but confused.

Even within the security group there are people with needlessly verbose job descriptions online.
 
Upvote
3 (3 / 0)

tjukken

Ars Praefectus
4,004
Subscriptor
So, congratulations, I guess. ;)
 
Upvote
2 (2 / 0)
In Feb of 2015 I was targeted in a phishing attack by, I assume, Russian hackers. I'm guessing they were targeting the Clinton Global Initiative since the attack took the form of an email supposedly sent by someone I knew who knows Bill Clinton fairly well.

The phishing consisted of two almost identical emails from my acquaintance (let's call him Fred): one to my work account and one to my personal gmail account. Both asked me to sign in to a server using my gmail password to view a "confidential document" supposedly sent by Fred. There were several red flags:

1) while it was conceivable that Fred might ask for my opinion on something related to one of his business ventures, our interactions were infrequent (~ 2 times a year) so it seemed unlikely he would send a request like this out of the blue without first calling me.

2) Fred's email address at the time was something like xyz1@gmail.com but this email came from xyz55@gmail.com. In the time I had known him he had changed his email address a couple times so it was possible that this was a legit address.


3) it asked me to provide my Google password.

4) link for the "confidential document" was http://bennenoda.com/fund/note/index.html. No clue who/what "bennenoda.com" is but I had never heard Fred mention it.

Being cautious, I sent back an email asking Fred to call me on my cell phone to confirm. Two minutes later I received two reply emails. The first read: "I did send the email to you Fred and will give you a call later in the day as I am currently swamped." (note the misplaced "Fred"). Then two minutes later I received: "I sent the email and will call you later in the day as I am currently swamped."

No surprise, I never got a call back. I sent Fred an email at the last known legit email address I had for him warning him he had probably been hacked. Never heard anything back from Fred on what, if anything, he did to follow up on my warning (figured he was knee-deep at the time in Hillary's campaign) and I lost touch with him around then.

What strikes me about this is the two emails responding to my confirmation request. Given the fast correction to the initial typo I'm assuming that they were sent by a person and not generated by a script. It also implies to me a well-staffed operation (e.g., a state operator?).

[EDIT] Clarification: the two email addresses for "Fred" are, obviously fake but the link to the supposed confidential doc is copied from the actual email.
 
Upvote
1 (2 / -1)

rosen380

Ars Tribunus Angusticlavius
6,905
I got caught in one of my employer's phishing tests last year. It was one of those 'external surveys' that referenced an official recent activity. Originally I wasn't sure it was authentic so I just let it be. Later I completely forgot about it, saw the email, and clicked away.

My lessons?
1. Flag suspicious stuff right away when I'm alert and don't let any time bombs linger.
2. Don't use Twitter.
The frustrating thing is when your employer does use external surveys… are you going to get in trouble for clicking on that link because it’s a phishing test, or for not clicking on the link because it’s a real survey that’s hosted on a site you’ve never heard of.

At my company, it is a button added into Outlook. If you click the button and it was one of the test emails, you'll get an instant notification that you passed. If you clicked on the link, I assume you get some instant notification of failure.

If I click the button and it wasn't a test email, I'll get a message that the email has been forwarded to some group in IT and that they'll review it.

If it turns out to be OK (like a link to a valid company sponsored survey), I imagine I'd eventually get a reply to go ahead and follow the link.
 
Upvote
2 (2 / 0)

GILDude

Ars Scholae Palatinae
627
Subscriptor
My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

My last one did that too. Although the company they engaged to send the notes did a good job of creating different types of phishing / scam emails, they did use a single domain to send them from. So it was easy enough, in Outlook, to just create a rule that looked at the internet headers and flagged any from that domain to be colored red and to have a flag reading "fake phishing" on them. This made sure I couldn't goof up, as we had the same deal. The first time a class, the second time they turn off your internet access (which would have ended my job).
 
Upvote
0 (0 / 0)

DCStone

Ars Tribunus Militum
2,735
My employer does this, but they take the trouble to send out a company email saying "survey email in-coming from external source example.com relating to $Subject" first. Not 100% bullet-proof, but much better than the first notice about it coming from the survey company and flagged as "External email - you do not usually get emails from this address"
 
Upvote
3 (3 / 0)

SeanJW

Ars Legatus Legionis
11,769
Subscriptor++
I’ve never fallen victim to a phishing attack. Send me your social security number, a credit card number with expiration date and security code, and your home address and I’ll tell you my secret to success.

No, that's not phishing, that's a "survey" to find out which character you are from Finding Nemo (or whatever....)

However, you may have fallen victim to phishing. Just log in on myfreshphish[.]fake and find out...
 
Upvote
0 (0 / 0)
It can happen to anyone, but we don't have to use those online cloudy services. Perhaps you do, but then that is just another vector for attacks. What mitigation strategies are there?

I see phishing attempts all the time, partially because I do admin work for an NGO that a huge state known for hacking people, businesses, and govts really dislikes. I don't use text messages. I don't do 99% of my business over the internet. Snail mail, and POTS phone calls. Seldom email, if ever.

I also set calendar reminders for when things are going to end/expire or need to be checked. The calendar server is one I run, not a cloudy service.

Almost every external contact who has an email address for me gets a unique one. IF that email address is used for the wrong contact, it is clearly a phishing attempt OR the company has lost my trust by selling my contact info (or having it stolen).

I get that cloudy services can make life more convenient.
I get that these cloudy websites can make you feel "more connected".
As we age, those things matter less. You know your friends and might be slightly interested in acquaintances, but not really. It has gotten to the point that family members' emails are being used in attempts to phish. I can call them and ask. Then I provide a new email address for them to use and ask that they never share it. Sadly, most of them use one of the free email providers who don't really care about our privacy. I've tried to get them to switch to better providers, but that has never worked. Can't say that I blame them. Technology is a mystery to them. One uses an android tablet for everything and doesn't own a computer.

Any email that claims I have less than 3 days to do something and it is the first contact about it, I ignore.

Of course, there are ways to prevent phishing from any social media cloudy companies. Don't use them. Just block access at your network layer and you'll find a more peaceful life. Remember all the calls to cancel your bookface account? Did you? If not, why not?
Code:
$ ping twitter.com
PING twitter.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.032 ms

$ ping facebook.com
PING facebook.com (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.018 ms
If you can't get there, you won't use it and phishing becomes a non-issue.
 
Upvote
1 (4 / -3)

evan_s

Ars Tribunus Angusticlavius
7,315
Subscriptor
My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

My last one did that too. Although the company they engaged to send the notes did a good job of creating different types of phishing / scam emails, they did use a single domain to send them from. So it was easy enough, in Outlook, to just create a rule that looked at the internet headers and flagged any from that domain to be colored red and to have a flag reading "fake phishing" on them. This made sure I couldn't goof up - as we had the same deal. The first time a class, the second time they turn off your internet access (which would have ended my job).

I think every company needs to find the right compromise between never having any negative results from failing the tests and too severe punishment causing people to be afraid to report things/ask questions. Obviously, having someone repeatedly fail every test with no interest in improving because there is no consequence for not doing so is not safe for the company. They will get phished eventually. It's not a matter of if it happens if they fail every phishing test. It's just a matter of when and how much damage it causes.

On the other hand, going from training on the first failure to no internet access on the second failure seems pretty harsh. I could theoretically do my job without internet access (edit: assuming no internet doesn't block our cloud-based tools like our time card), but not being able to access online documentation or resources would be pretty inconvenient. AFAIK SSMS doesn't even have any local help. If you don't have internet access, tough luck getting anything out of the help.

I don't recall what my company's policy is offhand, but it is more gradual than that. You will end up in training and your manager notified, with it showing up on your annual performance review and eventually termination, but I don't think they even specify a threshold for termination, just that repeated failures will result in termination. Assuming it would only happen after all the other levels, it would have to be several failures, like 4 or more.
 
Upvote
0 (0 / 0)
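The mailbox rules described in this thread (the per-contact unique aliases in the earlier post, the Outlook rule that flags everything sent from the phishing-simulation vendor's domain, and the "less than 3 days and first contact" rule) can be expressed as plain header checks. The Python below is an added example, not code from any poster or from the vendor; every domain, alias and message in it is constructed, and the simulation domain `phish-sim.example` stands in for whatever domain a given vendor uses. It keys the domain rule on Return-Path before From, since a display name is the easiest thing for a sender to fake.

```python
"""Header-based triage rules for a personal mailbox (added example).

Rules demonstrated:
  1. simulation-domain: sender domain is the known phishing-simulation vendor;
  2. alias-misuse: mail arrives on a per-contact alias but not from the
     contact that alias was issued to;
  3. first-contact-urgency: a deadline of under 3 days from a sender domain
     never corresponded with before.
All domains, aliases and messages are constructed for this example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical domain the employer's phishing-simulation vendor sends from.
KNOWN_SIMULATION_DOMAINS = {"phish-sim.example"}

# Hypothetical per-contact aliases: alias -> domain the alias was given to.
ALIAS_OWNERS = {
    "bank-x7q2@me.example": "bank.example",
    "utility-k91m@me.example": "utility.example",
}

# Sender domains previously corresponded with (used to judge "first contact").
KNOWN_SENDER_DOMAINS = {"bank.example", "utility.example"}

DEADLINE_RE = re.compile(r"within\s+(\d+)\s+(hour|day)s?", re.IGNORECASE)
URGENCY_THRESHOLD_HOURS = 72  # the "less than 3 days" rule from the thread


def sender_domain(msg: Message) -> str:
    """Lower-cased domain of the envelope sender, falling back to From."""
    for header in ("Return-Path", "From"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            return addr.rsplit("@", 1)[1].lower()
    return ""


def recipient_alias(msg: Message) -> str:
    """Lower-cased address the message was delivered to."""
    _, addr = parseaddr(msg.get("To", ""))
    return addr.lower()


def body_text(msg: Message) -> str:
    """Concatenated text/plain content, decoded leniently."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def shortest_deadline_hours(text: str):
    """Smallest 'within N hours/days' deadline in the text, in hours, or None."""
    hours = [int(n) * (24 if unit.lower() == "day" else 1)
             for n, unit in DEADLINE_RE.findall(text)]
    return min(hours) if hours else None


def triage(raw: str) -> list:
    """Return the names of the rules the raw RFC 822 message trips ([] = clean)."""
    msg = message_from_string(raw)
    hits = []
    dom = sender_domain(msg)
    if dom in KNOWN_SIMULATION_DOMAINS:
        hits.append("simulation-domain")
    expected = ALIAS_OWNERS.get(recipient_alias(msg))
    if expected is not None and dom != expected:
        hits.append("alias-misuse")
    deadline = shortest_deadline_hours(msg.get("Subject", "") + "\n" + body_text(msg))
    if (deadline is not None and deadline < URGENCY_THRESHOLD_HOURS
            and dom not in KNOWN_SENDER_DOMAINS):
        hits.append("first-contact-urgency")
    return hits


# Constructed sample messages, one per rule plus a clean one.
SIM_TEST = ("Return-Path: <bounce@phish-sim.example>\n"
            "From: IT Helpdesk <helpdesk@corp.example>\n"
            "To: <me@me.example>\nSubject: Password policy update\n\n"
            "Please review the attached policy.\n")
ALIAS_MISUSE = ("From: Deals <promo@random-shop.example>\n"
                "To: <bank-x7q2@me.example>\nSubject: Great deals\n\n"
                "Shop now.\n")
URGENT_NEW = ("From: Accounts <accounts@unknown-vendor.example>\n"
              "To: <me@me.example>\nSubject: Invoice overdue\n\n"
              "Pay within 24 hours to avoid suspension.\n")
LEGIT = ("Return-Path: <bounce@bank.example>\nFrom: Alerts <alerts@bank.example>\n"
         "To: <bank-x7q2@me.example>\nSubject: Statement ready\n\n"
         "Please respond within 2 days if anything looks wrong.\n")

if __name__ == "__main__":
    for name, raw in [("SIM_TEST", SIM_TEST), ("ALIAS_MISUSE", ALIAS_MISUSE),
                      ("URGENT_NEW", URGENT_NEW), ("LEGIT", LEGIT)]:
        print(name, triage(raw))
```

Note that `SIM_TEST` is caught even though its From header shows the corporate domain: the Return-Path still names the vendor, which is the header the Outlook rule in the post keys on. The urgency rule deliberately stays quiet for `LEGIT` because the sender is already known, matching the "first contact" qualifier in the thread.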

rfcavity

Smack-Fu Master, in training
68
My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

Hooo boy, my company used to do this. Our own IT dept did the pen testing. The first few were obvious phish emails. Then they decided to make one that looked exactly like our receiving dock delivery notifications. They had access to past shipments, so they populated the email with one of those. And they didn’t spoof the email address, they sent it directly from there. Honestly, you couldn’t tell. Everyone had to retake the course.

We also have a system where you can mark emails for phishing and it flags them. After that, everyone was flagging and ignoring real emails from the shipping dept. Shipping was soooo peeved! They had just spent most of their budget developing a new s&h system with a third party just because IT refused to help them and support it, then IT tanked it with this test!! Those meetings were so juicy and I looked forward to attending them for some time.
 
Upvote
4 (4 / 0)

Navalia Vigilate

Ars Praefectus
3,103
Subscriptor++
I've had a few directed attacks back when I was more public and teaching and attending conferences; never felt like I could be phished. As a consultant, I've run many spear phishing and social engineering campaigns against companies and specific individuals; I just feel I'm going to see it. I do wonder after reading this article, is it more because I refuse to use an online 2FA and absolutely never an online password keeper? That I have so many different email accounts and user account names differ every time? I feel like there are certain conveniences that, to enjoy, require dropping your guard more than I'm comfortable with. I asked some of the staff I used to work with years ago to attack me; they resorted to dox'ing me when they couldn't get very far, which was honestly disconcerting. So much of your information is out there on government sites such as land records. But everyone was impressed with how little I give out on social media and that no account helped them find another account.
 
Upvote
1 (1 / 0)

enilc

Ars Praefectus
3,850
Subscriptor++
I got caught in one of my employer's phishing tests last year. It was one of those 'external surveys' that referenced an official recent activity. Originally I wasn't sure it was authentic so I just let it be. Later I completely forgot about it, saw the email, and clicked away.

My lessons?
1. Flag suspicious stuff right away when I'm alert and don't let any time bombs linger.
2. Don't use Twitter.
The frustrating thing is when your employer does use external surveys… are you going to get in trouble for clicking on that link because it’s a phishing test, or for not clicking on the link because it’s a real survey that’s hosted on a site you’ve never heard of?

At my company, it is a button added into Outlook. If you click the button and it was one of the test emails, you'll get an instant notification that you passed. If you clicked on the link, I assume you get some instant notification of failure.

If I click the button and it wasn't a test email, I'll get a message that the email has been forwarded to some group in IT and that they'll review it.

If it turns out to be OK (like a link to a valid company sponsored survey), I imagine I'd eventually get a reply to go ahead and follow the link.
KnowBe4? Your description sounds very similar to the service we use. It's effective, except for one issue:

The most frequent failure comes from our CEO/owner. And when it happens, in lieu of training, he makes several excuses for why he was justified falling for it and eventually gets IT to dismiss those annoying "you have pending training" emails.

Sets a great example.

He doubles down by refusing to allow filters or rules on his email to lessen the amount of spam he receives because he doesn't want to miss a genuine message from someone peddling a new product.

We've found ways to block some of the volume without his knowledge. But again, most of the company is aware that he's the weak link and it does wonders for morale.
 
Upvote
4 (4 / 0)

Jim Salter

Ars Legatus Legionis
17,133
Subscriptor++
I feel bad for anyone who feels they have something to hide ( my first thought was closeted gay people, but there are a plenty of others we sex shame or shame in other ways) and isn’t tech savvy. It kinda makes me think email clients should highlight the from address.

I’m pretty sure they got my email/password from the Dropbox hack.

The big thing for me is even if they HAD video of me flogging the bishop, I'd be vastly less embarrassed about people seeing that than I would be embarrassed about people finding out I gave such an attacker money. So that grift is a complete no-op for me.

The first one I got, I shared on Facebook and Twitter and joked "if you don't wanna see that video, I guess you better give this guy some Bitcoin, cause I'm not gonna."

Yeah, I’m the same way. I wouldn’t care.

Oh, I would definitely care. I'd care more about the proof I'd been pwnt than the exposure of my junk, but I'd care about both, and I'd care even more about the fact that my own fuckups had caused people to get exposed to things they didn't want to see.

I'd still care less about all of those things put together than I'd care about evidence that I was funding malware by paying the assholes off, though, so it's still a no-op. Not to mention the fact that (no offense, Danish folks) you don't get rid of the Dane by paying the Danegeld—you just ensure another, more expensive visit from him down the line.
 
Upvote
1 (1 / 0)

TylerH

Ars Praefectus
4,881
Subscriptor
It is somewhat clever to send automated 'verification' DMs to accounts as soon as they get verified or tweet about verification (shouldn't really be too surprising to anyone familiar with Twitter; there are tons of services that monitor all accounts for changes or tweets, etc.).

However, both the fact that the verification request came via a DM and that it came from a random "@support########" account are dead giveaways that the DM was fake/a phishing attempt, let alone the horrible formatting/grammar of the message itself.
 
Upvote
0 (0 / 0)

TylerH

Ars Praefectus
4,881
Subscriptor
Hooo boy, my company used to do this. Our own IT dept did the pen testing. The first few were obvious phish emails. Then they decided to make one that looked exactly like our receiving dock delivery notifications. They had access to past shipments, so they populated the email with one of those. And they didn’t spoof the email address, they sent it directly from there. Honestly, you couldn’t tell. Everyone had to retake the course.

Well, that's not really fair. If they are in the role of a bad actor who has control over the actual email account, that's hacking, not phishing. Which is why trying to do such testing from actual email accounts/official sources is damn stupid. "Gotcha! You did everything right. Therefore you fail."
 
Upvote
3 (3 / 0)

Davidoff

Ars Scholae Palatinae
1,376
My employer recently started phishing us, as a way of educating us about phishing. It has really upped my paranoia. Because, if we get phished, we have to take classes on not getting phished. (Shiver).

My last one did that too. Although the company they engaged to send the notes did a good job of creating different types of phishing / scam emails, they did use a single domain to send them from. So it was easy enough, in Outlook, to just create a rule that looked at the internet headers and flagged any from that domain to be colored red and to have a flag reading "fake phishing" on them. This made sure I couldn't goof up - as we had the same deal. The first time a class, the second time they turn off your internet access (which would have ended my job).

I think every company needs to find the right compromise between never having any negative results from failing the tests and too severe punishment causing people to be afraid to report things/ask questions. Obviously, having someone repeatedly fail every test with no interest in improving because there is no consequence for not doing so is not safe for the company. They will get phished eventually. It's not a matter of if it happens if they fail every phishing test. It's just a matter of when and how much damage it causes.

Indeed. Which is why most of the clients I work for don't record individual pass/fails for fake phishing tests, if you open the link in or document attached to the test email you see a message informing you that this was a phishing test and telling you what the warning signs would have been. That's it.

Referring people to HR for failing to spot fake phishing emails is silly and only creates an environment where people who got caught out by a real phishing email are reluctant to come forward, which is critical to mitigate the potential fallout from the attack.
 
Upvote
3 (3 / 0)

KnightSpawn

Ars Praetorian
420
Subscriptor
I just got hit with a new SMS scam, where the number is pretending to be CVS Pharmacy. The message even comes from a number that's similar to most of the CVS numbers (287287, or CVS-CVS going by keypad letters and CVS's own naming scheme). It told me I had an Rx waiting by the name of FL, and I could respond with NAME to get the name of it. Intrigued, I responded (since I have used CVS, and it's entirely possible my doctor picked the wrong pharmacy again), and they asked for my birthday's month/day to verify my identity. I fell for it and the response said it was a COVID test kit. At that point, I figured it was probably a phish, checked with CVS's messaging FAQ, and couldn't find 287-287 listed as any of their SMS numbers. While I don't think there's much they could do with CVS, it does open me up to many more attack vectors with accounts where birthdays are used as verification questions. Just the birthday info and a search of my phone number would tell you my age, name, address, birthday, etc. All of that's way more info than I want in the hands of a nefarious entity.
 
Upvote
1 (1 / 0)

JohnnySocko

Ars Praetorian
429
Subscriptor
Hooo boy, my company used to do this. Our own IT dept did the pen testing. The first few were obvious phish emails. Then they decided to make one that looked exactly like our receiving dock delivery notifications. They had access to past shipments, so they populated the email with one of those. And they didn’t spoof the email address, they sent it directly from there. Honestly, you couldn’t tell. Everyone had to retake the course.

Well, that's not really fair. If they are in the role of a bad actor who has control over the actual email account, that's hacking, not phishing. Which is why trying to do such testing from actual email accounts/official sources is damn stupid. "Gotcha! You did everything right. Therefore you fail."
Thank you for saying that, because my company has done the same thing and that was my response as well. "If the attackers made it as far as controlling our email, then the security problem is not me, it's you."

Similarly, our HR department legitimately sends stupid crap all the time. The one internal phishing test that I fell for was an email from HR asking us to click through to our company's (third-party hosted) merch store to claim a t-shirt. I immediately got a follow-up from IT saying, "Ha ha, gotcha!" And I said, "You do realize that those idiots have been sending us that exact email every year for 10 years, and employees are required to claim the t-shirt as a 'perk'?! Maybe HR should work on making their legitimate emails not look like phishing scams."

The one silver lining is that now the pointless HR emails are getting regularly flagged as phishing attempts, and the HR managers keep having to follow up and say, "No, that was actually a legitimate email". Amusingly, even the required training course reminders are now sometimes being flagged as phishing attempts, which has to be some sort of poetic justice.
 
Upvote
2 (2 / 0)

Maestro4k

Ars Tribunus Militum
1,537
"Think you're too smart to be fooled by a phisher?"

... I'm also not interesting enough for a spear phishing effort.

Careful with this. The one time I got thoroughly owned (~2009-ish), it was in part because I still relied on an outdated, no-longer-accurate self-identification as "not interesting enough to warrant direct attack."

I'm not saying you're wrong, mind you. Just that there's a very real human tendency not to re-assess your own threat profile promptly when your circumstances have changed.
Yep, the best protection against phishing & malware is to always be paranoid. Even if you truly are boring, you may still be targeted. Phishing/malware/spam is often a numbers game: they target huge amounts of people hoping a tiny fraction will fall for it and make them money. They absolutely target boring people as well.

Besides, even if you're paranoid as hell and do everything right, you may still fall victim to something. I've had my debit card number stolen twice. The first time was in 2002, and to this day I have no clue how it happened. I've been incredibly paranoid and careful since then, but it happened again last month. This time there were three $3 charges from a counseling service in Spain, which had refunded them by the time I saw it. I was only down $0.18 from the international usage fees, but I still contested the charges and had my card cancelled.

How it was stolen is a complete mystery. I'd only had that card since October (the replacement for my expiring card never arrived, so I had to have it cancelled and get a new card), I'd never swiped it anywhere, I'd only used the chip+PIN (and didn't use it at Walmart, since they stupidly don't require a PIN on purchases under $50), and the only online places that had it were Amazon, Comcast, Google & Walmart. I kind of doubt those four got hacked, but maybe one did and we haven't heard about it yet. ┐(゚ ペ)┌

So even though I've never stopped assuming my card could be stolen or swiped and acted accordingly, it still happened.
 
Upvote
1 (1 / 0)