Scam detector tuneup

As hinted in Phish with no smell, some scams are hard to detect. How hard?

False confidence

Let’s try 7 Ways to Recognize a Phishing Email (published on Security Metrics).

Assertion: Legit companies don’t request your sensitive information via email
Real world: Actually, they do. Many accountants and lawyers ask for sensitive documents to be sent to them by email.

Assertion: Legit companies usually call you by your name
Real world: So do scammers. I regularly receive spam containing my name.

Assertion: Legit companies have domain emails
Real world: So do scammers. See the Salvation Army example above.

Assertion: Legit companies know how to spell
Real world: So do scammers. See the Salvation Army example.

Assertion: Legit companies don’t force you to their website
Real world: Actually, they do. PayPal, banks and airlines require you to visit their website to get even routine information. Software vendors commonly send whitepapers as individualised links to their website. Training organisations commonly send tokenised links to webinars or videoconferenced meetings that nonetheless require sign-in through a portal.

Assertion: Legit companies don’t send unsolicited attachments
Real world: Actually, they do. Many include a banner or footer which email readers detect as attachments or embedded images. Outsourced services, such as our voicemail system, may deliver unexpected attachments.

Assertion: Legit company links match legitimate URLs
Real world: So do scammers. Some scammers use realistic substitute URLs (as in the Salvation Army example above) and some use real links, to cheaply add authenticity.

The danger with the rules above is that they are stated as absolutes: a message that passes all seven earns a confidence it has not deserved, because scammers can satisfy every one of them.

A better guide

Take precautions. (See Scamwatch)

  • Do not click links or attachments (or add apps or extensions) that you did not expect.
  • Google the wording of a message to find out whether others have reported it.
  • Expect a secure (https) site – a closed padlock on the address bar.
  • Never provide personal details to a caller. Call the organisation through its official channels yourself.

Diversity of Fish

Phish with no smell

We’re catching a better class of Phish.

I’ll be honest: this one was detected by a machine, not a human. (It was flagged as possible spam by a mail-server, but still delivered.) This example was –

  • Plausible because it very accurately mimics the email and website of a legitimate, trustworthy organisation.
  • Confirmed as fraudulent because the Reply address, buttons and links point to salvationarmyeast.com which is not the usual domain of the real Salvation Army and does not have a website. (Right-click a button and read the domain after the @ or the https://)
  • Risky because attempting to donate may lead you to disclose credentials, identity and/or financial details which could be cross-referenced with data harvested in other scams.

Sample phishing message

Unreasonable lengths

What would it take to avoid this trap?

  1. Be skeptical of the first message – or any unusual message – from everyone.
  2. Get contact details from a more trustworthy source: a mutual contact is good, but Google is better than nothing.
  3. Whitelist the trusted contact details, and block unverified senders that look similar.
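The domain check described in Phish with no smell (read the domain after the @ or the https://) and the whitelist-and-block step above can be automated. The script below is an added example, not code from the original post. It assumes a placeholder trusted domain (salvationarmy.example, standing in for whatever address you have verified through an official channel), a constructed sample message that reuses the salvationarmyeast.com lookalike from the post, and a deliberately simple lookalike heuristic: a second-level label that contains, or is within two edits of, a trusted one.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed trusted domain (placeholder, not the charity's real domain). In practice
# this set is your whitelist: contacts verified through an official channel.
TRUSTED_DOMAINS = {"salvationarmy.example"}

# Constructed sample message: a spoofed From on the trusted domain, but the
# Reply-To and the donate button both point at the lookalike domain from the post.
SAMPLE_EML = """From: "The Salvation Army" <donations@salvationarmy.example>
Reply-To: giving@salvationarmyeast.com
Subject: Your donation makes a difference
Content-Type: text/html

<html><body>
<p>Please <a href="https://salvationarmyeast.com/donate?id=123">donate here</a>.</p>
<p>Read our annual report at <a href="https://www.salvationarmy.example/report">our site</a>.</p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect href values from <a> tags (what you see by right-clicking a button)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def host_of(value):
    """Host of a URL or address: 'https://a.b/x' -> 'a.b', 'user@a.b' -> 'a.b'."""
    value = value.strip()
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return value.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED_DOMAINS):
    """'trusted' (whitelisted domain or a subdomain of one), 'lookalike' (second-level
    label contains or nearly matches a trusted one), otherwise 'unknown'.
    The second-level-label split is crude: production code should use a public
    suffix list so that 'co.uk'-style domains are handled correctly."""
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    for t in trusted:
        tsld = t.split(".")[-2]
        if tsld in sld or edit_distance(sld, tsld) <= 2:
            return "lookalike"
    return "unknown"


def analyse_message(raw, trusted=TRUSTED_DOMAINS):
    """Return (where, host, verdict) for the From and Reply-To addresses and every link."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(str(msg.get(header, "")))[1]
        if addr:
            host = host_of(addr)
            findings.append((header, host, classify(host, trusted)))
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in extract_links(html):
        host = host_of(href)
        findings.append(("link", host, classify(host, trusted)))
    return findings


def verdict(findings):
    """The post's rule: one reply address or link on a lookalike domain is enough."""
    if any(label == "lookalike" for _, _, label in findings):
        return "suspicious"
    if any(label == "unknown" for _, _, label in findings):
        return "unverified"
    return "trusted"


if __name__ == "__main__":
    results = analyse_message(SAMPLE_EML)
    for where, host, label in results:
        print(f"{where:9} {host:30} {label}")
    print("verdict:", verdict(results))
```

Note that the From address alone classifies as trusted: the sender line is the easiest header to forge, which is why the check has to cover the Reply-To address and every link, not just the name at the top of the message. A message whose domains are all unknown is not necessarily a scam; it is simply unverified, and goes back to step 2 (find the contact details elsewhere) before anything is clicked.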

But this mindset is not discriminating enough for school. While a student probably could use these rules, they are impractical for anyone who needs new customers – most small businesses and freelancers. To equip students for entry to an increasingly casualised workforce, we need to better understand and convey how trust can be established between strangers.

Man holding fish