Of all the ways cybercriminals can mess with you, phishing scams are the most preventable… in theory. Sometimes, a perfect storm arises in the form of an email from a trusted friend’s hacked account at a time when you’re distracted or vulnerable. That’s what happened to a good friend of give IT. get IT. who got caught in a phishing scam and sent five $100 Amazon gift cards to someone he THOUGHT was the friend of a trusted colleague.
Fortunately, our friend figured out he was being scammed, called his credit card company and got the charge voided by their fraud prevention team. This person was also kind enough to let us share screenshots of his email exchange so we can use it as a case study to avoid one of the most common cyber security threats out there.
A play on the word “fishing,” phishing is the term for a cybercriminal posing as someone you trust (a friend, a colleague, your bank, a well-known company) to trick you into handing over money, account credentials or personal information. Chances are, at one point or another you’ve received an email from someone representing a wealthy individual or royal family member who “needs help transferring $10,000 to the U.S. and will pay you $1,000 for your help.” That’s the classic advance-fee version of the scam: “too good to be true,” and easy to identify and avoid.
Just like this poorly written, bordering on incomprehensible message one of our employees received on LinkedIn:
You can imagine where this conversation with “LinkedIn Member” would have gone, can’t you?
Unfortunately, some thieves are far more sophisticated. They take over the Facebook or email accounts of people we know and use those real accounts to make us THINK a friend is in need. Because the message genuinely comes from the friend’s address, checking the sender does not help; only checking with the friend through another channel does.
Here’s how our friend, AKA the victim, got sucked into a phishing scam:
Some of you may be rolling your eyes and wondering how the victim could respond to such a strange question. Keep in mind the email came from the real email address of an older friend of the victim, someone who could very well ask a question like this.
After the victim responded that he regularly ordered items online for both his business and himself, he received this message from the imposter:
Let’s break this down. The imposter starts by tugging at the victim’s heartstrings with a story about a “friend” with stage 4 mesothelioma. Because it’s the “friend’s” birthday, the imposter wants to send her an Amazon Email-Gift Card, but “i got no luck on that.” In theory, that grammatical error should have been a red (phishing) flag, but remember that the victim THINKS this email is from someone he truly respects and regularly helps, so he reads the sloppiness as his friend being in a hurry rather than as a warning sign.
This email also arrived at the height of the work day when the victim was busily trying to catch up from the Christmas holiday while tying up loose ends before New Year’s.
He was stressed and in full “let’s get things done mode.” As a result, he responded that he’d be happy to help and received the instructions below:
If you didn’t roll your eyes after reading the imposter’s first email, you probably are now. Why did the imposter’s friend need FIVE $100 Amazon gift cards instead of a single $500 gift card? Gift cards are the thief’s preferred payment because, unlike a credit card charge, the value is hard to trace and hard to reverse once the code has been redeemed. Some thieves use the stolen cards to buy merchandise; others sell the codes at a discount for cash, and smaller denominations are easier to sell. In theory, the victim should have picked up his phone, called his friend at a number he already had, and asked why these extra steps were necessary.
Another sign that something is amiss is the sense of urgency: “I want her to receive it today” and “Please let me know once it goes through.” Thieves know that the more time passes, the greater the chance their victim figures things out and ends the conversation, so they push for action before you have a moment to think.
After the victim emailed the imposter to say that he’d purchased the gift cards and sent them to the email address, he received this response a few minutes later:
Once the imposter got greedy and asked for more (something the victim’s friend would NEVER do), the victim knew something was amiss. He immediately called his credit card company and explained the situation. Fortunately, the fraud team credited the $500 back to his account, though only after he had wasted a lot of time and felt a great deal of embarrassment and regret. Note that this worked because he bought the cards with a credit card and acted right away; had he paid with a debit card or wire transfer, or waited until the codes were redeemed, getting the money back would have been much harder.
Most phishing scams are relatively easy to detect. They are typically littered with grammatical errors, typos and inconsistent punctuation, or they simply don’t match the personality of the friend or loved one the imposter is impersonating. Still, as our victim learned, a busy day and your innate desire to help can blind you to evidence that’s staring you right in the face.
Whether you are receiving an unusual request for money like our victim did, or an email from someone you know saying your nephew is in jail and needs bail money, STOP. Take a moment to assess the situation, then call the person who allegedly needs your help, using a phone number you already have, not one supplied in the message. If that person has no idea what you’re talking about, tell them their account has probably been taken over so they can change their password and warn their other contacts, then delete the email and file a report with the Federal Trade Commission at reportfraud.ftc.gov or by calling 1-877-382-4357.
NEVER give your bank information, credit card information or Social Security number to anyone who contacts you via email, text message or phone. Legitimate organizations already have what they need and will not ask you to read it back to them.
NEVER click on links in emails sent to you by people or businesses you don’t know, or that sound off, even when the sender’s address is familiar. If you need to reach the site, type the address yourself or use a bookmark.
NEVER use the same password on multiple websites, ESPECIALLY websites with your payment information on file. A password stolen from one site is the first thing a thief tries on your email and shopping accounts, and a password manager makes a unique password per site painless.
ALWAYS change a password promptly when you learn the site or your account may have been compromised, and turn on two-factor authentication for your email and social media accounts. A compromised email or Facebook account is exactly what let the imposter in this story borrow a trusted friend’s identity, and a second factor stops a stolen password from being enough on its own.
If you learned something from this blog post or you experienced something similar, please leave us a comment and tell us what you think!