May 14, 2016

Phishing for your information (and money) is becoming more sophisticated

We’ve all received phishing emails that pretend they are from trusted sources such as banks. They want us to hand over information that will let them steal money from us. And who among us hasn’t made their fortune by partaking of a Nigerian businessman’s plan to move money from his own country?

When they first started, such email scams were a bit of a joke. The spelling, grammar, and use of English were poor. Over the years they’ve become a lot more realistic, but they all share a big flaw in that they are not personally addressed to the recipient. Anyone asking for personal information or money in an email that begins with “Dear Valued Customer” is a fraud. Just delete it, or, if any doubt remains, phone the person it purports to come from.

But what if you receive an email (asking for money) that you are expecting? Suppose you’ve just spent £5,000 on a conservatory and you get an email with an invoice asking you to pay the money into a specific bank account. This is a perfectly normal way of doing business. I, myself, am being paid more and more often by my computer support clients in exactly this way. The email appears to come from the correct supplier, the recipient’s name and address are correct, and nothing at all appears to be suspicious.

This is an example of spear phishing. Instead of sending gerzillions of rubbish scam emails to all and sundry (phishing), the bad guy is homing in on a particular individual because he has some information about that individual that may allay that individual’s suspicions about his bona fides.

In this instance, what may have happened is that the supplier’s email has been hacked and the hacker has been watching the correspondence between the supplier and his customers (including you). So, he KNOWS who you are, what you bought, how much, and so on. He just has to jump in at the right time and ask you to pay money into his own bank account.

The above is a very specific form of spear phishing. There are more general kinds whereby someone emails you asking for something confidential from you, posing as a “friend” or a “friend of a friend”. Now, people who know me know how I loathe Facebook and other social media, and their avowed intention to share as much personal information as possible among as many people as possible. This is my chance for a mega-gloat and a smug “told you so”. Remember that thingy you bought on Amazon and Amazon asked you to “like” it on Facebook? You did, and now someone’s emailing you knowing you’ve recently bought it and they could use information such as this to start trying to gain your trust and get you to reveal information they can use to your disadvantage.

Another variation of spear phishing is that a bad guy hacks into a database containing customers’ names, email addresses and postal addresses, and then uses that information to convince them (in an email) that their demands for money are genuine even if no credible sale is mentioned. After all, previous rubbish scams asking for money didn’t have any personal information, so could be safely ignored, whereas if someone knows your postal address then they must really know you, right? They needn’t even be expecting you to pay the invoice. The supposed “invoice” attached to the email could be a link that downloads ransomware to your computer and then you really are in trouble.

So, there are lots of ways that the bad guys can lull you into a false sense of security by quoting information that is personal to you in emails that they send you.

I hope that knowing of this increased sophistication of the scammers helps to encourage you to be a little more careful than I am sure you already are when any email sender asks you to part with personal/confidential information or even money.

What do you do (and not do) if an email asking you for information or money arouses your suspicions in any way?

  • Contact the sender, but NOT by replying to the suspicious email.
  • Do not find the sender’s phone number or email address from the suspicious email. Find the contact details from a previous email, your address book, or phone history.
  • Do not open any attachment in the suspicious email.
  • Do not click on any link in the suspicious email.
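The warning signs above (a generic greeting, a Reply-To that does not match the sender, bank details that differ from the ones you paid last time, links that point somewhere other than the sender’s own site) can be checked mechanically before anyone picks up the phone. The script below is an added example and not the author’s code; the three messages, the supplier record and every domain in it (`conservatories.example`, `bank-alerts.example` and so on) are constructed for the illustration.

```python
"""Flag the spear-phishing signs discussed above in a raw e-mail.

Added example; the messages and the supplier record are constructed samples.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Greetings the post singles out as a give-away of a bulk scam.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear sir/madam")

# Constructed record of a supplier you have paid before: the domain you
# corresponded with and the account the last invoice was paid into.
KNOWN_SUPPLIERS = {
    "conservatories.example": {"sort_code": "12-34-56", "account": "12345678"},
}

SORT_CODE_RE = re.compile(r"\b(\d{2}-\d{2}-\d{2})\b")
ACCOUNT_RE = re.compile(r"\b(\d{8})\b")
LINK_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def _domain(header_value):
    """'Accounts <user@host>' -> 'host'."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def suspicious_signs(raw_message):
    """Return a list of human-readable warning signs found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    signs = []

    # 1. "Dear Valued Customer" style greeting: not addressed to you personally.
    first_line = text.strip().splitlines()[0].lower() if text.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        signs.append("generic greeting")

    # 2. Replying would go to a different domain than the one shown in From.
    from_dom = _domain(msg["From"])
    reply_to = msg["Reply-To"]
    if reply_to and _domain(reply_to) != from_dom:
        signs.append(f"Reply-To goes to {_domain(reply_to)}, not {from_dom}")

    # 3. A supplier you have paid before now quotes a different account.
    known = KNOWN_SUPPLIERS.get(from_dom)
    if known:
        sort_code = SORT_CODE_RE.search(text)
        account = ACCOUNT_RE.search(text)
        if (sort_code and sort_code.group(1) != known["sort_code"]) or (
            account and account.group(1) != known["account"]
        ):
            signs.append("bank details differ from the account paid previously")

    # 4. Links that do not belong to the sender's own domain.
    for host in LINK_HOST_RE.findall(text):
        host = host.lower()
        if host != from_dom and not host.endswith("." + from_dom):
            signs.append(f"link to {host} does not belong to {from_dom}")

    return signs


# Constructed sample messages (ASCII only so they parse without a charset header).
GENUINE = """\
From: Accounts <accounts@conservatories.example>
To: Customer <you@home.example>
Subject: Invoice 1042

Dear Mr Smith,
Please pay 5,000 pounds for your conservatory to sort code 12-34-56, account 12345678.
"""

SPEAR = """\
From: Accounts <accounts@conservatories.example>
Reply-To: Accounts <accounts-dept@mail-relay.example>
To: Customer <you@home.example>
Subject: Invoice 1042 - updated bank details

Dear Mr Smith,
Our bank account has changed. Please pay 5,000 pounds to sort code 98-76-54, account 87654321.
"""

BULK = """\
From: Bank Security <security@bank-alerts.example>
To: Customer <you@home.example>
Subject: Verify your account

Dear Valued Customer,
Confirm your details at http://login.bank-alerts-verify.example/secure
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("spear", SPEAR), ("bulk", BULK)):
        print(name, suspicious_signs(sample) or "no warning signs")
```

The genuine invoice produces no warnings; the spear-phishing version is caught twice, by the Reply-To domain and by the changed bank details, even though it is correctly addressed and comes from the right-looking sender; the bulk scam is caught by its greeting and its off-domain link. None of these checks replaces the advice in the list above: a clean result only means the message looks like the last one, and the phone call using a number from an earlier email is still what settles it.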

For a more complete (and authoritative!) exposition, have a look at this article from Norton on spear phishing.

And for recent examples, have a look at this blog post from Tripwire on spear phishing.

By the way, if you ever suspect that an email message with an invoice sent by me to you is not genuine, then just phone or text me on 07961 387564.

© 2011-2018 David Leonard
Computer Support in London