My wife just got one hell of a targeted scam. Spearphishing level.
She’s a sociology grad student. She got email apparently from her department head, but a faked addr (name.org@my.com)
“I am in a meeting right now working on the study of the development of children of same-sex couples, based on data from the US Census. That is why I am contacting you through mail. I should have called you, but calls are restricted during the meeting. I don’t know when the meeting will be rounding up, And i want you to help me out on something very important right away”
That’s an amazingly plausible and targeted message. But she’s in the field right now.
So she sends back a message asking if he meant that for her. That’s before she notices the email address.
She gets back this:
“need you to help me get a Itunes gift card from the store,i will reimburse you back when i get to the office.
I need to send it to someone and it is very important cause i’m still in a meeting and i need to get it sent Asap.
Thanks”
At that point she notices the email address.
That’s one hell of a targeted scam. Soc. grad students from their dept head. Totally plausible intro. And you can’t say no when the dept chair asks a favor.
She’s a plausible target for government spearphishing because of her work. So I ask her to see if other students got it.
And lo and behold, she manages to stop someone who was just about to buy two $100 iTunes gift certificates for the scammer. Lot of money for a grad student. Three other thank you’s in minutes. Almost certainly other people have fallen for it.
That’s a frighteningly specific and targeted attack for something that apparently was just aimed at making a few thousand bucks. But I guess the return on investment is likely to be really high.
Lesson: Never think you don’t have to worry because nobody would bother targeting you.
I’ve seen emails like that and I have NOTHING to do with that field. They go out scattershot by the millions.
Can’t those gift cards just as easily be ordered online?…
Lauren Weinstein Presumably yours weren’t from her department chair. But the formula is certainly used elsewhere.
Filip H.F. Slagter I think the theory is that he’s too busy to do it himself.
Where I work the scammers got ahold of the org charts of the company and were doing skip level email scams like this. We had to institute a policy of non PO disbursements needing written approval and signatures. We were small enough that it was possible but big enough that it was a pain.
I’ve seen scammers hijack an active thread in a compromised account to insert an “encrypted document” cred harvester.
I decided to not use pretty layout for my emails ages ago, because I can usually see immediately when someone is scamming. Always check the emails and the links when someone asks for money!
They’re quite common in academia these days. People in my department receive several per week – same template (head of department in a meeting, needs to buy an iTunes card).
I also have seen a spearphish ostensibly from a company c-level. Payload was a cred harvester. What was really interesting was that they dressed it up with all these nifty little graphics flourishes the internal messaging uses – company logos, etc. Even the c-level’s signature image.
Even more fun thing. The elements were URLs from the Google proxy used when gmail gets embedded images in an email.
Even had pretty decent English.
Really spiff work.
I see “iTunes gift cards” and the alarm goes off. The brother of a friend of ours had to sell his condo in Toronto after getting hit with the tax fraud/imminent arrest scam. He was forced to pay the criminals with $9000 in iTunes gift cards, which cleaned him out. A mentally and emotionally vulnerable person, a perfect target.
This is a common scam in academic circles. I’ve seen even more targeted ones though, shared files from “Dean” addresses saying, “Hey, take a look at this, and get back to me with your thoughts. I’ll be out of the office until after lunch, but let’s set up a time to meet.”
There is now a G Suite (enterprise) filter that can automatically flag mails that have the expected display name but not the expected e-mail address. It can compare to your G Suite org account list. E.g. if you have User A but the mail comes from User A it’ll auto-flag it as “suspicious” and add a banner. I think we found that it only works with exact display name spellings.
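The display-name check described in that comment, written out as an added example (this is illustrative code, not the G Suite filter or anything from the thread): it parses the From header, looks the display name up in an org directory, and flags the message when the name matches a known person but the sending address is not that person's org address. It also flags the pattern from the original post, where the org's domain is stuffed into the local part of an external address (`name.org@my.com`). The directory, domains and addresses below are constructed for the example, and the whitespace/case normalization is an assumption that goes slightly beyond the exact-spelling matching the comment describes.

```python
from email.utils import parseaddr
import unicodedata

# Constructed org directory (assumption): canonical display name -> org address.
ORG_DIRECTORY = {
    "Dana Example": "dana.example@university.example",
    "Pat Chair": "pat.chair@university.example",
}
# Constructed: domains that count as "ours".
ORG_DOMAINS = {"university.example"}


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'pat  chair' matches 'Pat Chair'.

    The thread notes the vendor filter needs exact spellings; relaxing that
    is an assumption about what is useful, not a description of the product.
    """
    name = unicodedata.normalize("NFKC", name)
    return " ".join(name.casefold().split())


def _lookup_by_display_name(display: str):
    """Return the org address registered under this display name, or None."""
    norm = normalize_name(display)
    for canonical, org_addr in ORG_DIRECTORY.items():
        if normalize_name(canonical) == norm:
            return org_addr.casefold()
    return None


def check_from_header(from_header: str) -> dict:
    """Evaluate a raw From: header value and return a verdict with flags."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    local, _, domain = addr.rpartition("@")
    flags = []

    # Known person's name on an address that is not their org address.
    expected = _lookup_by_display_name(display)
    if expected is not None and addr != expected:
        flags.append("display-name-impersonation")

    # External domain with our domain embedded in the local part,
    # e.g. pat.chair.university.example@my.example
    if domain not in ORG_DOMAINS and any(d in local for d in ORG_DOMAINS):
        flags.append("org-domain-in-local-part")

    return {"display": display, "address": addr, "expected": expected, "flags": flags}


def banner(verdict: dict) -> str:
    """Text a mail client could show above a flagged message; empty if clean."""
    if not verdict["flags"]:
        return ""
    return (
        f"Warning: this message uses the name '{verdict['display']}' but was "
        f"sent from {verdict['address']} ({', '.join(verdict['flags'])})"
    )


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in (
        '"Pat Chair" <pat.chair@university.example>',
        'pat chair <pchair@free-mail.example>',
        '"Pat Chair" <pat.chair.university.example@my.example>',
    ):
        print(hdr, "->", banner(check_from_header(hdr)) or "ok")
```

The directory lookup is keyed on display name rather than address on purpose: the point of this class of scam is that the address is wrong while the name is right, so a filter that only examines the address never sees the impersonation.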
Alex Chekholko Ooh. That’s a very nice feature. I should talk to the MailMate developer about adding that to their app.
I mean, you ought to be reading the email anyway, but every clue helps.
I got something similar: a “you’ve been assigned this online diversity training” from someone in HR. The signature block had the name of someone in HR at the college, but the email didn’t come from a college domain, and on a second re-read had nothing in the message that was directed toward me personally or went beyond publicly available information on the college website.