How A Skeptical Approach to Email Phishing Turned Interesting

Too much skepticism in life can be unhealthy.  But when you’re working on your computer, it’s the smart approach.

Almost all breaches begin with an email phishing attempt, so be skeptical every day.  That way, you’ll avoid clicking on emails you shouldn’t, turning over confidential information, or unintentionally giving up money.

There are broad statistics about how many breaches start with a phishing attempt (over 90%), how many people have had their personal information stolen due to a breach (millions), and how many dollars have been lost by businesses due to breaches (more millions).

Instead of focusing on big, generic numbers, let’s bring it down to one email phishing attempt.  This one happened in our office.  And, we decided to have some fun with it.  Caution: please don’t try this yourself.

Here’s the story:

Gift card scams are a popular way for cybercriminals to make a quick buck.

Recently, Nick, a technician at CRU, received an email from “James Kerr” (CRU’s President, who goes by Jim) asking him to “get a purchase done today”.  Nick decided to engage with the fraudster.

Here’s the initial phishing attempt …

From: James Kerr <james.kerr@crusolutions.com>
Subject: General Purchase

Nick,

Are you currently in the office?

I need you to get a purchase done today, email me back once you get this.

Thank you,

James Kerr

Nick replied 2 days later …

James,

OMG! Sorry I’m so late responding to this. Do you still need me to do something for you?

Within 3 minutes came the response (note the instructions) …

Nick,

Ok, I’m in the middle of something and looking forward to surprise some of the staffs with Walmart gift cards today and I want you to keep it between us pending when they get it. So, therefore, I need Walmart Gift card of $350 face value each. I need 15 pieces of it amounting to $5250. I need you to get the physical card, then you scratch the back out and scan them, attach the scanned pictures showing the pin and email it to me. Can you get it done in 1 hour?

Thank you,

James Kerr

4 minutes later, Nick replied …

James,

Ok, I can get them but I don’t have the company card at the moment. Any suggestions?

10 minutes later came this response …

Nick,

Ok, Use your card to purchase the gift cards i will reimburse you later.

Thank you,

James Kerr

5 minutes later, Nick replied …

James,

I’m really strapped on cash. Will I be reimbursed by the end of the month? I’ll need the money back.

Can you guarantee that?

4 minutes later came the response, this time from an iPhone with the fake email address exposed:

From: James Kerr <cmd4@ceoportal.me>
Subject: RE: General Purchase

Nick,

Yes you will be reimbursed once am done with the gift surprise. Don’t forget not to discuss the surprise with any of the staffs yet.

Thank you,

James Kerr

Sent from my iPhone

From there, Nick replied that he would get them as quickly as he could.  The fraudster stopped responding.
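The exposed sender address is the kind of signal a mail filter can act on before a message ever reaches a technician. The following is an added Python example, not code from CRU Solutions or from the post: it parses the From: header of each message, flags a protected executive display name paired with a sender domain other than the company's own, and counts gift-card request language in the body. The trusted domain is taken from the post's first From: line; the executive roster, the phrase list and the scoring thresholds are assumptions made for illustration, and the sample messages are constructed from the exchange above.

```python
from dataclasses import dataclass
from email.utils import parseaddr

# Assumptions for this example: the organization's real mail domain (from the
# post's own From: line) and a constructed roster of executive names that
# attackers like to impersonate.
TRUSTED_DOMAIN = "crusolutions.com"
PROTECTED_NAMES = {"james kerr", "jim kerr"}

# Request language lifted from the exchange in the post; a production filter
# would carry a longer, maintained list.
LURE_PHRASES = (
    "gift card",
    "keep it between us",
    "scratch the back",
    "showing the pin",
    "not to discuss",
)


@dataclass
class Verdict:
    impersonation: bool   # protected display name, but sender domain is external
    lure_hits: int        # number of gift-card / secrecy phrases found in the body
    score: int            # 2 for impersonation plus up to 2 for lure phrases

    @property
    def hold(self) -> bool:
        """Assumed policy: a score of 2 or more is held for human review."""
        return self.score >= 2


def analyze(from_header: str, body: str) -> Verdict:
    """Score one message from its From: header and plain-text body."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    spoofed_name = display.strip().lower() in PROTECTED_NAMES
    external = domain != TRUSTED_DOMAIN
    impersonation = spoofed_name and external

    # Normalize curly apostrophes so "Don’t" matches the same as "Don't".
    text = body.lower().replace("\u2019", "'")
    lure_hits = sum(1 for phrase in LURE_PHRASES if phrase in text)

    score = (2 if impersonation else 0) + min(lure_hits, 2)
    return Verdict(impersonation, lure_hits, score)


# Constructed samples: the two From: headers shown in the post, with bodies
# taken from the exchange, plus one ordinary internal message for contrast.
SAMPLES = {
    "first_contact": (
        "James Kerr <james.kerr@crusolutions.com>",
        "Are you currently in the office? I need you to get a purchase done today.",
    ),
    "gift_card_request": (
        "James Kerr <james.kerr@crusolutions.com>",
        "I need Walmart Gift card of $350 face value each. I want you to keep it "
        "between us. Scratch the back out and scan them, attach the scanned "
        "pictures showing the pin and email it to me.",
    ),
    "exposed_sender": (
        "James Kerr <cmd4@ceoportal.me>",
        "Yes you will be reimbursed once am done with the gift surprise. "
        "Don\u2019t forget not to discuss the surprise with any of the staffs yet.",
    ),
    "benign": (
        "Jim Kerr <jim@crusolutions.com>",
        "Reminder: the team meeting moves to 10am tomorrow.",
    ),
}


def triage(samples=SAMPLES) -> dict:
    """Return {sample name: Verdict} for every sample message."""
    return {name: analyze(frm, body) for name, (frm, body) in samples.items()}


if __name__ == "__main__":
    for name, v in triage().items():
        action = "HOLD" if v.hold else "pass"
        print(f"{action} {name:18s} impersonation={v.impersonation} "
              f"lure_hits={v.lure_hits} score={v.score}")
```

Run as written, the first message scores 0: its displayed address looks internal, which is exactly why the address a mail client shows is not something to trust on its own. A gateway should rely on the sender authentication results (SPF, DKIM and DMARC) rather than the display name or the visible domain; the content heuristic is what holds the actual gift-card request, and the domain check only catches the scammer once the real address leaks through, as it did in the iPhone reply.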

In the space of less than a half-hour, you can be tricked by an email phishing attempt.  Never follow instructions to make an unusual purchase without confirming the request with a trusted person in your organization first.

To quote a cliché, if it sounds too good to be true, it is.  To quote the belief of IT people worldwide, “the bad guys only have to get it right once.  We have to get it right every time.”

The bad guys are good.  We need to be better.  Don’t click on suspicious emails, especially on your phone.  Don’t give up your username and password.  Walk down the hall or make an old-fashioned phone call if necessary to confirm that a request is legitimate.

If you’d like to know more about how CRU Solutions can help keep your business safer, contact us.