My wife just got one hell of a targeted scam. Spearphishing level.

She’s a sociology grad student. She got an email apparently from her department head, but from a faked address (name.org@my.com).

“I am in a meeting right now working on the study of the development of children of same-sex couples, based on data from the US Census. That is why I am contacting you through mail. I should have called you, but calls are restricted during the meeting. I don’t know when the meeting will be rounding up, And i want you to help me out on something very important right away”

That’s an amazingly plausible and targeted message. But she’s in the field right now.

So she sends back a message asking if he meant that for her. That’s before she notices the email address.

She gets back this:

"need you to help me get a Itunes gift card from the store,i will reimburse you back when i get to the office.

I need to send it to someone and it is very important cause i’m still in a meeting and i need to get it sent Asap.

Thanks"

At that point she notices the email address.
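The tell in this exchange is a familiar display name on an address outside the department’s domain, combined with the classic “in a meeting, can’t call, need gift cards ASAP” pretext. As an added example that is not part of the original post, here is a small Python triage script that flags both: the organisation domains, the staff directory, and the sample messages are all constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed example data (not from the original post): the department's
# legitimate mail domains, short labels a scammer might smuggle into the
# local part of an outside address, and a directory of known senders.
ORG_DOMAINS = {"soc.example.edu", "example.edu"}
ORG_SHORT_NAMES = {"soc", "example"}
DIRECTORY = {"jane chair": "jchair@soc.example.edu"}

# Heuristics for the gift-card / urgency pretext; these are illustrative
# patterns, not a complete rule set.
GIFT_CARD_RE = re.compile(
    r"\b(itunes|google play|amazon|steam)?\s*gift\s*(card|certificate)s?\b", re.I)
URGENCY_RE = re.compile(
    r"\b(in a meeting|asap|right away|can'?t (talk|call)|calls are restricted)\b", re.I)


def check_sender(from_header):
    """Return a list of warnings about a raw From: header value.

    Flags an address outside the organisation's domains, a display name that
    matches a known person but is paired with a different address (display-name
    spoofing), and an organisation label hidden in the local part of an
    outside address (the name.org@other.com pattern)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")
    warnings = []
    if domain not in ORG_DOMAINS:
        warnings.append("external domain: %s" % (domain or "(none)"))
    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected != addr:
        warnings.append("display name %r belongs to %s, not %s" % (name, expected, addr))
    if domain not in ORG_DOMAINS and any(
            label in local.split(".") for label in ORG_SHORT_NAMES):
        warnings.append("organisation name in local part of external address: %s" % addr)
    return warnings


def check_body(body):
    """Return a list of warnings about the message body text."""
    warnings = []
    if GIFT_CARD_RE.search(body):
        warnings.append("asks for gift cards")
    if URGENCY_RE.search(body):
        warnings.append("urgency / cannot-call pretext")
    return warnings


def triage(from_header, body):
    """Combine sender and body checks; an empty list means nothing was flagged."""
    return check_sender(from_header) + check_body(body)


if __name__ == "__main__":
    # Constructed sample resembling the post's second message.
    sample_from = '"Jane Chair" <jane.chair.soc@my.example.com>'
    sample_body = ("need you to help me get a Itunes gift card from the store, "
                   "i will reimburse you back when i get to the office. "
                   "i'm still in a meeting and i need to get it sent Asap")
    for w in triage(sample_from, sample_body):
        print("WARNING:", w)
```

The directory lookup is the part that catches this specific scam: a display name that exists in the org but an address that does not match the directory entry. Domain allow-listing alone would miss a scammer who registers a look-alike domain, and keyword rules alone would miss a first message that is only building rapport, so the checks are meant to be read together.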

That’s one hell of a targeted scam: sociology grad students, from their dept head. Totally plausible intro. And you can’t say no when the dept chair asks a favor.

She’s a plausible target for government spearphishing because of her work. So I ask her to see if other students got it.

And lo and behold, she manages to stop someone who was just about to buy two $100 iTunes gift certificates for the scammer. That’s a lot of money for a grad student. Three other thank-yous in minutes. Almost certainly other people have fallen for it.

That’s a frighteningly specific and targeted attack for something that apparently was just aimed at making a few thousand bucks. But I guess the return on investment is likely to be really high.

Lesson: Never think you don’t have to worry because nobody would bother targeting you.