I received an impressive email scam recently. My response was to forward it to the email provider’s abuse contact (firstname.lastname@example.org) and file a complaint with the Internet Crime Complaint Center (ic3.gov). I’ll include the whole email later. The bottom line: the scammer has my password and will humiliate me if I don’t pay $1900 in bitcoin.
The scammer’s email landed in my spam folder. I was given a deadline of July 11. I didn’t clean out my spam folder till today (July 15).
In fact, the scammer does have one of my passwords: a throwaway password I use with throwaway accounts. When a web site makes me “register for an account” to retrieve information I want, this is the type of password I used to use. Now that I use password manager software (LastPass specifically), I choose passwords more randomly and let the manager remember them.
Continue reading “Interesting Email Scam I Received”
There is no way to verify an email’s contents except through cryptography. Until every email client includes encryption and reliable authentication, we should always doubt an email’s source.
We can increase our confidence in an email a little, though, by tracing its path through the mail system. I use this technique more-or-less daily to look at potential phishing emails. If the final Received header didn’t come from my bank, then I know it’s fake.
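The tracing step described above, as an added example that is not code from the original post: parse the Received headers of a constructed message (not a real one), list the hops from most recent to oldest, and check whether the hop recorded by my own mail server (assumed here to be named mx.recipient.example) actually came from a host under the From: address’s domain. Only that topmost header is trustworthy; every header below it arrived with the message and could have been written by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): a phish claiming to be from a bank.
# The hop my own server recorded (topmost header) came from an ISP relay.
SAMPLE = """\
Received: from mail-relay.example-isp.net (mail-relay.example-isp.net [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTPS id 8F3A2
\tfor <me@recipient.example>; Mon, 15 Jul 2019 10:02:11 -0500
Received: from secure.examplebank.com (secure.examplebank.com [192.0.2.10])
\tby mail-relay.example-isp.net with ESMTP id 12345;
\tMon, 15 Jul 2019 10:02:09 -0500
From: "Example Bank" <alerts@examplebank.com>
To: me@recipient.example
Subject: Urgent: verify your account

Please click the link below.
"""
# Same constructed message, but the last hop really does come from the bank.
GENUINE = SAMPLE.replace("mail-relay.example-isp.net (mail-relay.example-isp.net [203.0.113.7])",
                         "mail.examplebank.com (mail.examplebank.com [192.0.2.20])", 1)

HOP_RE = re.compile(r"^from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.IGNORECASE)

def received_hops(raw):
    """(from_host, by_host) per Received header, topmost (most recent) first.
    Only the header written by my own server is trustworthy."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))   # unfold continuation lines
        if m:
            hops.append((m.group("frm").lower(), m.group("by").lower()))
    return hops

def sender_domain(raw):   # domain of the (easily forged) From: address
    addr = parseaddr(message_from_string(raw)["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()

def last_hop_matches_sender(raw, my_server="mx.recipient.example"):
    """True only if the hop recorded by my_server (assumed name of the
    recipient's own mail server) came from a host in the From: domain."""
    mine = [frm for frm, by in received_hops(raw) if by == my_server]
    if not mine:
        return False        # my server's header is missing: distrust the message
    domain = sender_domain(raw)
    return mine[0] == domain or mine[0].endswith("." + domain)

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE), ("genuine", GENUINE)):
        print(name, received_hops(raw), last_hop_matches_sender(raw))
```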
Continue reading “How to Trace an Email Message”
I receive thousands of emails every month. I do a lot of (for me) critical activities online. I never receive legitimate emails demanding a suspicious online action any more.
Except from HR departments.
IT security people know this is a problem. The upper left image comes from the University of Minnesota’s phishing awareness blog. HR people as individuals also seem to know that phishing is a problem. But they still insist on sending suspicious-looking emails that demand personal information. No doubt it saves their department a few dollars.
Full disclosure: as noted at the end of this posting, Minnesota’s HR department has taken several steps to reduce these risks.
Continue reading “HR and Phishing”
The University of Minnesota’s HR department sent me an email in January telling me that I had to submit to a background check. The good news: I do them all the time.
The bad news: the background check company can only complete the check if you follow a URL embedded in an email.
This is how phishing emails work. The email comes from a convincing-sounding source, like the University’s HR department, or some third-party on their behalf. You respond to it, only to find that it really wasn’t the HR department collecting the information.
Bottom line: you can’t trust email. No matter how many times it says “This isn’t a spam email,” or “This isn’t a phishing email,” you can’t trust email.
[Update 5 January 2018: The UMN HR department has sent me TWO possible phishes as I prepare to take up my reappointment. I passed this to the IT Security people. They have ‘spoken to’ the HR department, and they started a phishing blog.]
Continue reading “University: Anti-phishing not really a ‘policy’”
Phishing emails can be tiresome. Sometimes, though, they are classically bad. Even better, this one uses an old-school strategy to get you to click on a suspicious link.
The domain name is “nytijmes.com” which at first glance appears to go to a more-or-less legitimate news site. The extra “j” in “nytimes” is easy to overlook.
Continue reading “My invitated – a classic phishing attack”