Getting Myself Phished, a Quick Yakking about Hacking
Phishing is the email version of pretending to be someone you’re not. The end goal is to talk some dupe into clicking on your link, to either steal their information or otherwise break into their computer. I know a thing or two about what this is and how it works, and yet I clicked on the link last night. Let’s go straight to story mode, shall we?
I see an email in my inbox, from Admin PayPal. Subject line “Your account has been limited. (Code: E8 -s0me-malarky)” I open the email. I’ll screenshot the message for you to see it for yourself.
![Email Text: Dear Client, Suspicious Activity on Your Account. Your Account Information has been changed. [ Billing or Shipping Address ] As our security precautions, we need more information from you. Your account will be limited until you provide some additional information. Please login into your Account and review your activity by clicking on the link below. paypal.com/login? Yor action is required to help us protect you PayPal account securely.](http://cdn.ricochet.com/app/uploads/2020/04/SuckerNote-600x438.png)
Wouldn’t you like to be a sucker too?
The next page is asking me for my address, and other information. At this point, my brain goes “Wait a minute…”. If this were legit they’d be asking me to confirm information they already had, not asking me to input it again from zero. I look up at the URL. It’s not to PayPal.com. This is a scam, and I fell for it. “Oh, crap.”
Let’s leave me hanging on that cliff for a bit and play a game. This game is not nearly as popular as I’d expect. It’s called “What did Hank do Wrong?” Let me give you a list of minor and major errors, from the top:
- ‘Admin PayPal’ is as generic as a name gets, and the display name is free text the sender types in; only the address behind it tells you anything. I could have recalled that I get my monthly statements from service@PayPal.com, which should have made me suspicious.
- The subject line tells me they’re taking something away. That’s a cheap psychological trick to get you to want it more, as surely as Shamrock Shakes are here for a limited time only.
- The body of the email has some suspect grammar in it. A great deal of the time these attacks are authored by people who don’t have English as a first language. Hey, if you’re a Russian hacker, are you going to scam other Russians, or go for the Yanks who have money? Bad grammar isn’t dispositive in this day and age, but I should have noticed and been suspicious.
- Another cheap psychological trick, note how the email is worded subtly as “you have a problem, you need to fix it.” This puts you on the defensive and makes you eager to trust the scammer in order to prove that you’re not a bad person. The main thing I dislike about cheap psychological tricks is how well they work.
- This is the big one: I didn’t check that the link in the text goes where it says it goes. If I had taken the time to hover over it, a destination tooltip would have shown up (in most desktop browsers and mail clients it sits in the bottom left of the window), telling me that this particular link sends me to mysp.ac/4ZhbF. A short, unrelated domain like that is typical of a shortener or redirector, so even the tooltip shows only the first hop, not the final destination, and there’s absolutely no reason why PayPal would use it. On a phone there is no hover; long-press the link to preview the address instead. You should always look at that destination before you follow a link, if only to avoid getting Rickrolled. Like a chump, I didn’t check.
- Again, no reason to trust that link. If the email was legit I could have gone to a new browser window, gone to PayPal manually, and logged in like I normally do. The site would have given me whatever alert was necessary there and I wouldn’t be exposed to the risks of an email link.
- Finally, I acted too quickly. “Problem with PayPal” translates to a problem with my money, which means I need to act quickly so no one gets access to my money. So to limit the damage I act rashly, giving people the ability to do exactly the sort of damage I’m looking to mitigate. I’ve made better decisions.
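The sender check in the first item and the link check in the fifth are the two things a mail client can’t be trusted to do for you, so here they are done programmatically. This is an added example, not code from the post or from PayPal: it parses a constructed sample message modeled on the one described above (the hosts mail-notify.example and secure-login.example are invented, and the expected-sender list is an assumption), compares the From: address domain against the domains you would actually accept, flags pressure wording in the subject, and flags every link whose visible text looks like an address but whose href points somewhere else. It also catches the lookalike trick where the real host merely starts with the brand’s name.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the only domains we accept as the genuine sender.
EXPECTED_SENDER_DOMAINS = {"paypal.com"}

# Pressure words that the post's items 2 and 7 describe; extend to taste.
URGENCY_WORDS = ("limited", "suspended", "locked", "verify", "action required", "unusual activity")

# Visible link text that looks like an address (bare domain or full URL).
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample message modeled on the one in the post; not the real email.
SAMPLE_EML = """\
From: Admin PayPal <service@mail-notify.example>
To: hank@example.org
Subject: Your account has been limited. (Code: E8)
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Client, your account will be limited until you provide some additional information.</p>
<p><a href="https://mysp.ac/4ZhbF">paypal.com/login?</a></p>
<p><a href="https://paypal.com.secure-login.example/">https://paypal.com</a></p>
<p><a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-case host of a URL or bare domain string ('paypal.com/login?' -> 'paypal.com')."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def same_site(a, b):
    """True if the hosts match or one is a subdomain of the other (www.paypal.com vs paypal.com).
    'paypal.com.secure-login.example' is NOT the same site as 'paypal.com'."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_sender(msg):
    """Flag a From: whose address domain is not one we expect, whatever the display name says."""
    _name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if not any(same_site(domain, d) for d in EXPECTED_SENDER_DOMAINS):
        return [f"sender domain {domain!r} is not an expected sender"]
    return []


def check_subject(msg):
    """Flag the 'something is being taken away, act now' wording."""
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    return [f"subject uses pressure wording: {hits}"] if hits else []


def check_links(html):
    """Flag anchors whose visible text names one host while the href goes to another."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if LOOKS_LIKE_URL.match(text) and not same_site(host_of(text), host_of(href)):
            findings.append(f"link text {text!r} points to {host_of(href)!r}")
    return findings


def analyze(raw_eml):
    """Run all three checks over a raw RFC 822 message and return the findings in order."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return check_sender(msg) + check_subject(msg) + check_links(html)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("!!", finding)
```

On the sample it reports the sender domain, the word “limited” in the subject, and two mismatched links; the two anchors that really go to www.paypal.com are left alone, including the one whose text is just “Help Center”, because plain words carry no claim about a host. The same_site rule deliberately treats only true subdomains as matching, which is what defeats the paypal.com.something.example lookalike.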
Okay, back to the story, what did I do next? I closed out of that window. I opened another window, went to PayPal.com in that window, logged in, and changed my password. There’s still a great deal more risk than I would like in the minute the bad guys had my active password. Still, locking them out helps mitigate damage. If they didn’t act immediately then they won’t get very far with a no-longer-useful password. Next, I reported a security issue to PayPal. They had a chat-bot which confirmed for me that the email didn’t originate with them. It also let me know that, thanks to the ‘rona, they’re understaffed and it’d be several hours before a real live person would be able to talk with me. Guess it’s a propitious time to go a-hackin’.
What happens next? I don’t know. If they managed to do something nefarious to my computer simply by my clicking the link (which is possible), then I’m going to run into more complications as time goes by. Next possibility, they had a program set up to take the credentials immediately and mess with my PayPal account. That would be pretty bad, but having alerted PayPal to an issue I can at least hope they shut down any fraudulent transactions with a vengeance. Financial institutions don’t like getting scammed any more than I do. What I think is most likely to happen is nothing at all. That’s the outcome I’m hoping for. That would mean that the hacker didn’t build a complex and automatic response to my stupidity; they’re just gathering information that will be used at a different time. In which case they’ve got my login, a password that’s no longer useful anywhere, and two attempts at a captcha. That ain’t much.
What can we learn from this sordid episode? One, it happened to me. I know how this stuff works; I flatter myself that I could craft a better phishing email than the dastard who hooked me. But they still got me. Anyone can fall for this stuff, so prepare your defenses in depth. I wrote out my mistakes and what I ought to have done so that you can see and be warned by them. And remember that the Good Lord has the last word on cybersecurity.
Two, don’t be afraid to talk about it. Phishers and con artists rely on marks who haven’t heard their line before. A sucker who knows that you don’t own the Brooklyn Bridge won’t buy it from you, now will he? So I’m admitting to getting stung, in detail, in the hopes that it’ll make this particular nogoodnik’s life of crime less profitable.
And three, a quick note about cybersecurity. The dirty secret of the whole profession is that you don’t have to outrun the bear. You just have to outrun the slowest hiker. In this case I’m pinning my hopes on the probability that this particular phisher has other suckers on the line who didn’t react quite as quickly as I did. If he can filet the other suckers then he can continue on fat and happy without giving me a second thought. If he has to deal with smart targets the hacker is going to get hungry, which means he’ll have to up his game into the more dangerous (but more difficult) automated responses I mentioned up above.
And that, ladies and gentlemen, is as far as I can take this story at the moment. Hopefully you’ll never hear about my bank account being drained, my secrets being published on an .onion site, and how Rick Astley is never gonna give you up. I’ll just have to wait and see.
Published in Science & Technology
Quick thinking, and good advice. I get lots of messages telling me my Apple and Paypal accounts have been shut down—they seem to be favorites. After reading one or two of these, I assumed they were all rotten. Without further evidence, I’ve decided that any email saying that an account has been shut down is phishing. Am I wrong? In any case, it’s easy enough to check to see where the email is actually coming from or maybe just to open the supposedly shut-down account. If I have time, I like to look at the details of the message to see where they made errors. There are always errors.
I got that email the other day, and you will be totally embarrassed when I tell you that this is what I did with it:
……………………………………………………
I bet it’s still more popular than you would like.
I got one of those too. I was with you up until between steps 3 and 5. I went into the email, read it and remembered to check the link. Apparently the tedious training they made us do paid off. So far at least.
I got one from Wells Fargo yesterday about problematic transactions on my account.
Which would have got my attention if I actually banked with Wells Fargo.
I’ve been getting e-mails supposedly from a couple of my old friends in Raleigh, but they deny sending them. For example, the subject line will be something like Fwd: From Joe Smith. When you open it, a line says something like From: <Joe Smith>, and the text below says, “I’ve been meaning to send you this: [with a link].”
The link usually ends in something weird like “.INFO”. When you go into the e-mail properties, you see the return address is from some person @college name.edu – no doubt a fake person using a real college’s web address (or spoofing it).
No wonder one of my friends at work thinks identity thieves should get the death penalty . . .
I get those four or five times a week. I don’t use Wells Fargo either.
My general rule of thumb is to ignore *all* emails from any financial institution. Pretty much the only ones that are legitimate are the ones either trying to sell me something (which I don’t really care about), or telling me that my latest statement is available (which I don’t need an email to know about, since they’re on a schedule).
The one piece of advice that @hankrhody missed is to enable two-factor authentication (if available) on any financial accounts. That’ll get you a text message if anybody tries to log into your account from an unauthorized computer.
I love the ones from the “Windows Team” telling me my Windows 10 is corrupted. I want to e-mail back and say, “Of course it’s corrupted – it’s from Microsoft!”
You’re right, and that worries me. Note that paragraph about being the second slowest runner. When the phisher can’t make a living with bad spelling and worse grammar then he’ll have to improve, and these will be harder to spot.
My address book contains about 30 entries beginning “Abuse @ . . .” & I always report these things. I have even tried to contact college IT groups when the link or origin ends in “.edu”, which is fairly common (3-8%), and more difficult than you might think.
I can handle that, it’s just difficult when they’re playing the team sport variant.
Yeah. I usually spot these too. It’s just that sometimes you end up winning the Spanish National Lottery.
It’s good advice, with the caveat that you don’t want to use your phone as a second factor if you’re also banking over your phone. That leaves you in a pretty sour position if someone gets ahold of your cellphone.
That must be my $400 now!
One other suggestion. Make it a habit of never clicking on a link from a ‘notification’ email, even if it’s from a legitimate source. Go to the company’s website directly and use their logon. If the email is legitimate, you can take care of it from there. If not, you’ll figure out that they’re scamming you.
By changing your password, you’re probably okay. But if you use that, or a similar password for any other service, change it there as well. Once the scammer gets your logon credentials for one service, they’ll try a bunch of other services just to see if they can get in those as well.
This was a randomized password saved in a password manager. It’s plenty unique.
They’re the best.
In this day and age, any good email provider should have caught it in their spam filter.
I also got one from Wells Fargo, and due to all the publicity they are getting lately, they are the last bank I would ever consider doing business with. I have never in all my 71 years had anything to do with Wells Fargo.
I’ve listened to many tales of Wells Fargo.
You would not believe what just hit my inbox at a separate email address I use for my business survey. This is about as funny as it gets! Ooooh, I’m just quaking in my boots!
Seems legit.
Hey, I’ve never chosen to bank with Wells Fargo. Yet somehow I still ended up with a checking account there in 1996.
Another cybersecurity tip: Sign up for alerts at https://haveibeenpwned.com/ to see if your email or account information has shown up in any recent data breaches. Sometimes companies aren’t very forthcoming about when they’ve been hacked (I can’t imagine why) so you might not know that you need to be changing your passwords.
OMG Hahahaha!
I got the most generous email from an actual princess! In Nigeria! She said her husband (the Prince) had to flee the country in haste, and that she will wire his entire $3 million fortune to me tomorrow! All she needs is for me to wire her $3,000 today so that she can flee and join him in hiding so they won’t be killed.
People are so nice!
Clearly a phony e-mail scam. If it was real the Princess would say, “Wire me $3000 today so I can flee into hiding so only my husband gets killed.”
Related to tip (“error”) #5 in the OP, I have often noticed that in a phishing or scam email, an entire block of text plus the logo is an active link, rather than just the specific blue underlined text as though to get the logo to look legitimate the scammers had to make the logo and the text as a single graphic. Or they do it because even if the reader is trying to avoid the apparent link in the text the reader may still click somewhere else on the page and accomplish the scammer’s objective.
I’ve never had an account there, but have dealt with them when one of their customers wrote some bad checks to my parents’ company. Talk about difficult to deal with. I have never hated a bank before, but they taught me to hate Wells Fargo. My parents’ business now has a sign over the front desk saying we won’t accept checks drawn from Wells Fargo. Every customer who has asked about the sign has their own stories about Wells Fargo.
Great post, Hank. I think you hit all the points, and in particular #5: whenever anything of value is involved, check the website link before clicking on it.
I also have received the Nigerian Prince email. It’s a scam: the last one I got promised me 20% of 18 million, but by the time it was all said and done I got less than $800,000 deposited to my account. I considered complaining about it to the Better Business Bureau, but I’m a soft touch, and they told me such a sob story that I completely caved: now half the late Prince’s family is sleeping on my sofa.
Also, I have been assured by my granddaughter that real princesses sign off with ‘MWAH!’