The Gift (card) That Keeps on Taking

By Steve Levinson on April, 18 2019

So, let me tell you a story.  This is a true story.  A personal story about a request I got from someone who is near and dear to me.

These kinds of requests are becoming more and more common, so I wanted to share what happened so that you can recognize it when somebody comes knocking on your door (or your inbox) with a similar ask. Who would suspect that a gift card could be the tool of a phishing attack? You should.

Here’s what happened. I received an email from a relative of mine, seemingly asking me for a ‘favor’. The email itself seemed benign, but the ask was a bit off and it was easy to suspect that something was amiss. Since I had time that afternoon, I was willing to play along for a bit.

So, I responded and asked what favor was needed. That’s the anticipated next step when somebody you care about asks for a favor; because you care and you want to help, right?

They quickly responded and explained that they were trying to buy an Amazon gift card for a friend, but couldn’t complete the transaction because they were having a problem with the bank. They asked if I would purchase the card and they’d pay me back.

Let’s pause here. 

See, the thing is, in some ways this could be a normal series of events. I don’t know about you, but when somebody I care about asks for a favor, I try to help. But something about this exchange was not normal. It did not actually come from the person I care about. It came from an impostor, and it was part of a phishing attempt.

I could see right away that the email address I was communicating with was slightly different from my near and dear person’s real address. The address was similar, but it wasn’t right. This style of phishing attack succeeds because people miss the difference in something as simple as the actual email address and only pay attention to the display name, which is whatever label the impostor chose to put on the account. Mail clients make this worse by showing the name prominently and hiding the address.
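As an added illustration (example code, not from the original post), here is the check I did by eye, written in Python: parse the From: header into its display name and its actual address, then judge the message on the address, never on the label. The contact book, the addresses and the sample headers are constructed for the example, and the 0.85 similarity threshold for calling an address a lookalike is an assumption, not a standard.

```python
import difflib
from email.utils import parseaddr

# Constructed contact book for the example: display name -> the address we really know.
KNOWN_CONTACTS = {
    "Aunt Jane": "jane.levinson@example.com",
}

# Assumed cut-off: how alike two addresses must be before we call one a lookalike.
LOOKALIKE_THRESHOLD = 0.85


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means the two strings are identical (case-insensitive)."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_sender(from_header, contacts=KNOWN_CONTACTS):
    """Classify the sender of a message from its raw From: header value.

    Returns (verdict, detail) with verdict one of 'ok', 'impostor', 'unknown'.
    The decision rests on the address inside <...>, never on the label before
    it, because the label is whatever the sender chose to type.
    """
    display_name, address = parseaddr(from_header)
    display_name = display_name.strip()
    address = address.strip().lower()
    if not address:
        return "unknown", "no parseable address in From: header"

    # 1. The address itself is one we know: fine, whatever the label says.
    for name, known in contacts.items():
        if address == known.lower():
            return "ok", f"address matches contact {name!r}"

    # 2. The label matches someone we know but the address does not:
    #    exactly the pattern described in the post.
    for name, known in contacts.items():
        if display_name.lower() == name.lower():
            return "impostor", (f"display name is {name!r} but address is {address}, "
                                f"not {known} (similarity {similarity(address, known):.2f})")

    # 3. No label match, but the address is a near-copy of a known one
    #    (a digit for a letter, a hyphen for a dot, transposed characters).
    for name, known in contacts.items():
        score = similarity(address, known)
        if score >= LOOKALIKE_THRESHOLD:
            return "impostor", f"{address} looks like {known} ({name!r}), similarity {score:.2f}"

    return "unknown", "sender is not in the contact list"


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        '"Aunt Jane" <jane.levinson@example.com>',   # genuine
        'Aunt Jane <jane.levinson@examp1e.com>',     # right label, wrong address
        '"A Friend" <jane-levinson@example.com>',    # lookalike address, different label
        'Bob <bob@example.org>',                     # simply unknown
    ]
    for s in samples:
        verdict, detail = check_sender(s)
        print(f"{verdict:9} {s!r}: {detail}")
```

The order of the three checks matters: an exact address match wins regardless of the label, a label match with a wrong address is the clearest impostor signal, and the similarity pass only catches the leftover near-copies that arrive under a different name.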

What did I do next? I moved into action. I was able to stop the attack and protect this individual by doing a few things:

  1. I had my ACTUAL “person” change their email password.
  2. I removed a sneaky little forwarding address the attacker had inserted so that a copy of every incoming email went to the attacker’s account.
  3. I removed an equally sneaky filter that sent all incoming email straight to the archive rather than the inbox, so the real owner would not see replies to the messages the attacker was sending.

Technical fixes aside, the more important message here is to keep educating and informing people so that they stop falling for these attacks. If you manage email for someone, look at their forwarding settings and filters, not just the password; those settings are how the attacker keeps reading after the password is changed. And if the provider offers two-factor authentication, turn it on, so that a stolen password alone is not enough to get in.

Here’s the real message. With an electronic communication persona, DON’T TRUST ANYONE! As humans, we really do want to trust each other, but we must handle electronic communication differently from face-to-face communication. If you and I are talking in person, I can be certain that what I hear is what you are saying. Electronic communications are different. From the message alone, you REALLY have no way of confirming who you are communicating with. So, stop being so trusting!

Here are seven points to consider for protecting yourself against some more common consumer scams:

  1. In the in-person interaction world, we take a ‘trust but verify’ stance. In the electronic communications world, we need to take a ‘don’t trust until you verify’ approach. The bad guys are feeding off your good intentions.

  2. If you receive a communication that sounds a little off (it’s OK to be a little paranoid here), stop and think about it for a minute to make sure it passes the ‘normal’ test. Come on, how many people in real life ask you to buy a gift card on their behalf?

  3. This also goes for phone calls, where scammers are constantly trying to bilk senior citizens out of money. Don’t give these attackers any valid information until you’ve had time to do your homework.

  4. If you’re not sure of the request, respond to the person OUT OF BAND. That means do not just reply to their email; keep in mind that if their email account is compromised, you will be playing into the attacker’s hand. Rather, text them, or even use that application on your device that lets you talk to people in real time: the phone. Use a number you already have for them, not one supplied in the suspicious message.

  5. For those of you in the business world, the CEO or CFO does not need you to wire a bunch of money to help close a secret deal. Unless it’s to buy a new turnip truck because you just fell off one.

  6. Stop clicking on links! The IRS is not going to arrest you. Your FedEx package that you never ordered but got an email about is not real. No reputable company sends you coupons or links by email that you can’t get to on their own site. If you are unsure of the purpose of any of these communications, go directly to the site or call the business directly. These emails are just trying to trick you into doing things that the attackers want you to do.

  7. Passwords: make sure that you don’t use the same password everywhere. If an attacker gets your email password, they will try that same password on your bank account, and the email account itself can be used to reset the passwords of everything registered to it.


Luckily, in this case, no one that we are aware of fell for this scam. The unanticipated upside of this experience was that the person who is near and dear to me received a plethora of phone calls from people they hadn’t spoken with in months! And my response to the attacker was ‘I just purchased a gift card for you LAST month and you never paid me back!’ (which promptly ended that discussion). Just as you would be a bit on your toes walking in a dark alley, you should ALWAYS be on your toes in the cybersecurity world.


So, to summarize these ways to protect yourself against phishing attempts, use these 3 steps to help decide whether something is a potential threat:

  1. STOP: It could be FAKE if:
    1. F   Feeling: it triggers an emotion
    2. A   Action: you are asked to do something
    3. K   Know: do you know the sender?
    4. E   Expect: were you expecting this?

  2. THINK: Hover over links (don’t click them) and look at where they really go. Watch for:
    1. Numbers: https://192.45.26.72-bank.co.za (digit groups in front of the domain name, dressed up to look like a bank’s address)
    2. Hyphens: “-” in front of the domain name, as in secure-bank.co.za, which is a different domain from bank.co.za, registered by whoever wanted it

  3. VERIFY: Does it look like it’s from someone you know? Even if you know the sender, if something about it seems suspicious, CALL them to verify, using a number you already have rather than one given in the message.
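To make the THINK step concrete, here is an added Python example (not from the original post) that applies those hover rules to a link’s real destination: it flags a host that is a raw IP address or is merely dressed up to begin with four digit groups, a hyphenated lookalike of the domain you expected, the expected domain buried as a subdomain of some other registered domain, and a user@ prefix placed in front of the real host. The expected domain bank.co.za, the sample links and the tiny suffix list are assumptions for the example; a real tool would load the Public Suffix List. Note that in the post’s first example the host is not a genuine IP address at all, it just starts with one, which is why both checks are needed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny suffix list for the example.
# A real checker would load the Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.za"}

# Four dotted digit groups at the start of a host name, as in 192.45.26.72-bank...
LEADING_DIGIT_GROUPS = re.compile(r"^\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host):
    """The part of a host name somebody actually registered: '72-bank.co.za' for
    '192.45.26.72-bank.co.za', or 'evil.com' for 'bank.co.za.evil.com'."""
    labels = host.lower().strip(".").split(".")
    for n in (2, 1):  # try the two-label suffix (co.za) before the one-label one (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def is_ip_literal(host):
    """True for a bare IPv4 or IPv6 address used as the host."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def link_warnings(url, expected_domain):
    """Warnings for a link that claims to belong to expected_domain.
    An empty list means the link's real destination is consistent with it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    brand = expected.split(".")[0]  # 'bank' for 'bank.co.za'
    warnings = []

    if parts.scheme not in ("http", "https"):
        warnings.append(f"unusual scheme {parts.scheme!r}")
    if not host:
        warnings.append("no host name in the link")
        return warnings
    if parts.username is not None:
        # https://bank.co.za@evil.com/: the browser ignores what precedes the '@'
        warnings.append("link has a user@ part; the real host is what follows the '@'")

    if is_ip_literal(host):
        warnings.append("host is a raw IP address, not a domain name")
    elif LEADING_DIGIT_GROUPS.match(host):
        warnings.append("host starts with digit groups that imitate an IP address")

    actual = registrable_domain(host)
    if actual != expected:
        first_label = actual.split(".")[0]
        if "-" in first_label and brand in first_label:
            warnings.append(f"hyphenated lookalike {actual!r} instead of {expected!r}")
        elif f".{expected}." in f".{host}.":
            warnings.append(f"{expected!r} is only a subdomain here; the real domain is {actual!r}")
        else:
            warnings.append(f"link goes to {actual!r}, not {expected!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample links, including the two from the post.
    for link in [
        "https://www.bank.co.za/login",
        "https://192.45.26.72-bank.co.za",
        "https://secure-bank.co.za/login",
        "https://bank.co.za.evil.com/login",
        "http://192.0.2.10/login",
        "https://bank.co.za@evil.com/",
    ]:
        print(link, "->", link_warnings(link, "bank.co.za") or "looks consistent")
```

The key step is registrable_domain: everything to the left of the registered domain is under the attacker’s control, so a familiar name appearing there (as a subdomain, a hyphenated label or a user@ prefix) proves nothing about who owns the site.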