Getting Myself Phished, a Quick Yakking about Hacking


Phishing is the email version of pretending to be someone you’re not. The end goal is to talk some dupe into clicking on your link, to either steal their information or otherwise break into their computer. I know a thing or two about what this is and how it works, and yet I clicked on the link last night. Let’s go straight to story mode, shall we?

I see an email in my inbox, from Admin PayPal. Subject line: “Your account has been limited. (Code: E8 -s0me-malarky)”. I open the email. I’ll screenshot the message for you to see it for yourself.

Email Text: Dear Client, Suspicious Activity on Your Account. Your Account Information has been changed. [ Billing or Shipping Address ] As our security precautions, we need more information from you. Your account will be limited until you provide some additional information. Please login into your Account and review your activity by clicking on the link below. paypal.com/login? Yor action is required to help us protect you PayPal account securely.

Wouldn’t you like to be a sucker too?

I click the link. It takes me to a login page, and I give them my login and my password. The captcha has a set of letters and numbers on a background of the PayPal logo repeated randomly. I screw up the captcha on the first try; it tells me to try again. I log in.

The next page is asking me for my address, and other information. At this point, my brain goes “Wait a minute…”. If this were legit they’d be asking me to confirm information they already had, not asking me to input it again from zero. I look up at the URL. It’s not to PayPal.com. This is a scam, and I fell for it. “Oh, crap.”

Let’s leave me hanging on that cliff for a bit and play a game. This game is not nearly as popular as I’d expect. It’s called “What did Hank do Wrong?” Let me give you a list of minor and major errors, from the top:

  1. ‘Admin PayPal’ is as generic as a name comes. I could have recalled that I get my monthly statements from service@PayPal.com, which should have made me suspicious.
  2. The subject line tells me they’re taking something away. That’s a cheap psychological trick to get you to want it more, as surely as Shamrock Shakes are here for a limited time only.
  3. The body of the email has some suspect grammar in it. A great deal of the time these attacks are authored by people who don’t have English as a first language. Hey, if you’re a Russian hacker, are you going to scam other Russians, or go for the Yanks who have money? Bad grammar isn’t dispositive in this day and age, but I should have noticed and been suspicious.
  4. Another cheap psychological trick, note how the email is worded subtly as “you have a problem, you need to fix it.” This puts you on the defensive and makes you eager to trust the scammer in order to prove that you’re not a bad person. The main thing I dislike about cheap psychological tricks is how well they work.
  5. This is the big one: I didn’t check that the link in the text goes where it says it goes. If I had taken the time to hover over it, a destination tooltip would have shown up in the bottom left of the screen, telling me that this particular link will send me to mysp.ac/4ZhbF. There’s absolutely no reason why PayPal would use that address. You should always look at that tooltip before you follow a link, if only to avoid getting Rickrolled. Like a chump, I didn’t check.
  6. Again, no reason to trust that link. If the email was legit I could have gone to a new browser window, gone to PayPal manually, and logged in like I normally do. The site would have given me whatever alert was necessary there and I wouldn’t be exposed to the risks of an email link.
  7. Finally, I acted too quickly. “Problem with PayPal” translates to a problem with my money, which means I need to act quickly so no one gets access to my money. So to limit the damage I act rashly, giving people the ability to do exactly the sort of damage I’m looking to mitigate. I’ve made better decisions.
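The checks in the list above, done by machine instead of by eye: the sender’s real domain rather than the display name, the “limited” subject line, and a link whose visible text names paypal.com while its href goes to mysp.ac. This is an added example, not code from the post; the sample message is constructed (the sender address is invented) and the helper names are my own.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample: sender is invented; link text and destination mirror the post.
SAMPLE = """From: Admin PayPal <admin@notify-mailer.test>
Subject: Your account has been limited. (Code: E8)
Content-Type: text/html

<html><body><p>Your account will be limited until you provide more information.</p>
<a href="https://mysp.ac/4ZhbF">paypal.com/login?</a>
<p>Yor action is required to help us protect you PayPal account securely.</p>
</body></html>
"""
class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None
def host_of(text):
    """Host that a link's visible text claims, or '' if the text is not URL-like."""
    if " " in text or "." not in text:
        return ""
    return urlparse(text if "://" in text else "http://" + text).netloc.lower()
def phishing_indicators(raw, expected_domain="paypal.com"):
    """Return the red flags found in a raw RFC 822 message, as strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender_domain = msg["From"].addresses[0].domain.lower()  # not the display name
    if sender_domain != expected_domain:
        flags.append(f"sender domain {sender_domain} is not {expected_domain}")
    if any(w in (msg["Subject"] or "").lower() for w in ("limited", "suspended")):
        flags.append("subject threatens loss of access (urgency lever)")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for text, href in parser.links:
        shown, real = host_of(text), urlparse(href).netloc.lower()
        if shown and shown != real:  # the hover-tooltip check, automated
            flags.append(f"link shows {shown} but goes to {real}")
    return flags
```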

Okay, back to the story, what did I do next? I closed out of that window. I opened another window, went to PayPal.com in that window, logged in, and changed my password. There’s still a great deal more risk than I would like in the minute the bad guys had my active password. Still, locking them out helps mitigate damage. If they didn’t act immediately then they won’t get very far with a no-longer-useful password. Next, I reported a security issue to PayPal. They had a chat-bot which confirmed for me that the email didn’t originate with them. It also let me know that, thanks to the ‘rona, they’re understaffed and it’d be several hours before a real live person would be able to talk with me. Guess it’s a propitious time to go a-hackin’.

What happens next? I don’t know. If they managed to do something nefarious to my computer simply by my clicking the link (which is possible), then I’m going to run into more complications as time goes by. Next possibility, they had a program set up to take the credentials immediately and mess with my PayPal account. That would be pretty bad, but having alerted PayPal to an issue I can at least hope they shut down any fraudulent transactions with a vengeance. Financial institutions don’t like getting scammed any more than I do. What I think is most likely to happen is nothing at all. That’s the outcome I’m hoping for. That would mean that the hacker didn’t build a complex and automatic response to my stupidity; they’re just gathering information that will be used at a different time. In which case they’ve got my login, a password that’s no longer useful anywhere, and two attempts at a captcha. That ain’t much.

What can we learn from this sordid episode? One, it happened to me. I know how this stuff works; I flatter myself that I could craft a better phishing email than the dastard who hooked me. But they still got me. Anyone can fall for this stuff, so prepare your defenses in depth. I wrote out my mistakes and what I ought to have done so that you can see and be warned by them. And remember that the Good Lord has the last word on cybersecurity.

Two, don’t be afraid to talk about it. Phishers and con artists rely on marks who haven’t heard their line before. A sucker who knows that you don’t own the Brooklyn Bridge won’t buy it from you, now will he? So I’m admitting to getting stung, in detail, in the hopes that it’ll make this particular nogoodnik’s life of crime less profitable.

And three, a quick note about cybersecurity. The dirty secret of the whole profession is that you don’t have to outrun the bear. You just have to outrun the slowest hiker. In this case I’m pinning my hopes on the probability that this particular phisher has other suckers on the line who didn’t react quite as quickly as I did. If he can filet the other suckers then he can continue on fat and happy without giving me a second thought. If he has to deal with smart targets the hacker is going to get hungry, which means he’ll have to up his game into the more dangerous (but more difficult) automated responses I mentioned up above.

And that, ladies and gentlemen, is as far as I can take this story at the moment. Hopefully you’ll never hear about my bank account being drained, my secrets being published on an .onion site, and how Rick Astley is never gonna give you up. I’ll just have to wait and see.

Published in Science & Technology

There are 31 comments.

  1. Jack Shepherd (@dnewlander)

    Full Size Tabby:

    Related to tip (“error”) #5 in the OP, I have often noticed that in a phishing or scam email, an entire block of text plus the logo is an active link, rather than just the specific blue underlined text as though to get the logo to look legitimate the scammers had to make the logo and the text as a single graphic. Or they do it because even if the reader is trying to avoid the apparent link in the text the reader may still click somewhere else on the page and accomplish the scammer’s objective.

    Also, if the graphic isn’t actually embedded, but is pulled from the scammer’s computer, they know when you opened the email and which email addresses opened the email. Spammers and marketing companies do that all the time to track responses.

    • #31