What Does a Phish Look Like?


Phishing email messages that trick you into entering sensitive information such as a login ID and password, birth date, account or credit card numbers (which the sender then steals) have been around for more than 20 years. They are so common now that the bad guys have had to change their tactics. So, what does a phish look like in the third decade of the 21st century?

The bad guys aren’t overly creative. If one scammer tries something, you can expect others to follow suit, changing only minor details. A good example is the recent rash of “invoice” scams. The message has a subject line much like “Order #17APL-YT-924019 Confirmed” and the body thanks you for ordering something, mentioning a random dollar amount that has been billed to your credit card. The twist here is that there is no link to click on, the usual phishing link where you enter sensitive information. These invoice scams instead give an 800 number to call. Fall for it and call the number, and the scammers will either take your credit card number over the phone (“So we can issue you a refund.”) or ask for permission to log on to your computer to “find the error.” The former method is less subtle, but the latter may be more destructive. Once logged on to your computer, the scammers install malware. That gives them access not only to your data and accounts, but to your computer itself, which they use to send out more spam and phishing. If you want to know whether you were really charged, check your card statement or log in to the merchant’s site directly; never use the number in the message.

Another comparatively new scheme is the gift card scam. You get a message that seems to come from your boss or a friend, asking for a quick favor. They’re in a meeting and can’t talk on the phone. Could you go buy some gift cards (iTunes, Amazon, etc.), send them the numbers, and they will reimburse you later? Of course, once you buy them and send the scammer the numbers, you’re out of luck. The message is “spoofed,” meaning the scammer put the name of someone you work with or know in the sender’s display name, while the actual address underneath is their own. E-mail and text messages allow this, which makes this kind of fraud very easy to do.

A slightly older scam is “sextortion.” Here you get an email that looks like it came from your own account. The scammer says they not only hacked your email, but also your webcam. They purport to have evidence of you visiting illicit web sites. Unless you pay them in Bitcoin, they will release the “evidence” to your contacts list. First off, they almost certainly didn’t hack your email account; the sender address is just spoofed (as with the gift card scam). Secondly, they are counting on your embarrassment to make you pay up without bothering to verify their “evidence” (which is almost certainly false).
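One way to turn the two spoofing patterns above into a check, as an added example that is not part of the original article: the script below parses a raw message with Python’s standard email library and flags (a) a familiar display name paired with an address that person does not use, the gift card pattern, and (b) a From address that is your own mailbox but that the receiving server’s Authentication-Results header (SPF/DMARC verdicts) did not authenticate, the sextortion pattern. The contact directory, the addresses and the three sample messages are constructed for illustration; the Reply-To check is an extra tell that the article does not mention.

```python
"""Flag display-name spoofing and spoofed self-addressed mail in raw messages.

Added example, not code from the original article. The contact directory,
mailbox address and sample messages below are invented for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed directory of people you know, keyed by lower-cased display name.
KNOWN_CONTACTS = {
    "pat ramirez": "pat.ramirez@example.com",   # "the boss" in the gift card scenario
}
MY_ADDRESS = "you@example.com"                  # the mailbox receiving the message


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    (RFC 8601). These are added by the receiving mail server, not the sender."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.IGNORECASE):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def check_message(raw: bytes) -> list:
    """Return a list of findings; an empty list means nothing looked spoofed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    findings = []

    # Gift card pattern: a name you recognise in the display name, but the
    # address underneath is not the one that person actually uses.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected}, not {addr}")

    # Extra check (not from the article): a Reply-To that differs from From
    # quietly routes your answer to the scammer.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"replies would go to {reply_to}, not to {addr}")

    # Sextortion pattern: From claims to be your own mailbox, yet the receiving
    # server could not verify it came from your domain.
    if addr == MY_ADDRESS:
        auth = auth_results(msg)
        if auth.get("dmarc") != "pass" and auth.get("spf") != "pass":
            findings.append("From is your own address but SPF/DMARC did not pass")
    return findings


# Constructed sample messages (not real captures).
GIFT_CARD_MSG = b"""From: Pat Ramirez <pramirez.office77@gmail.com>
To: you@example.com
Subject: quick favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com

In a meeting, can't talk. Can you grab some gift cards and send me the codes?
"""

SEXTORTION_MSG = b"""From: you@example.com
To: you@example.com
Subject: I have recorded you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

I hacked your account and webcam. Pay in Bitcoin or your contacts see the video.
"""

LEGIT_MSG = b"""From: Pat Ramirez <pat.ramirez@example.com>
To: you@example.com
Subject: agenda
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Agenda for Monday attached.
"""

if __name__ == "__main__":
    for label, raw in [("gift card", GIFT_CARD_MSG),
                       ("sextortion", SEXTORTION_MSG),
                       ("legit", LEGIT_MSG)]:
        print(label, check_message(raw) or ["clean"])
```

The point of the Authentication-Results check is that the sender controls the From line but not the verdict the receiving server stamps on the message; a mail that claims to be from your own domain and still fails SPF and DMARC was not sent through your provider.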

If it’s too late and you entered some personal information, bought gift cards or sent Bitcoin, do two things immediately. First, file a police report to report the fraud. Second, change your passwords for the accounts you think might be compromised. If you gave out a credit card number, also call the card issuer, and if you let someone log on to your computer, treat that machine as infected and get it cleaned before using it for anything sensitive.

As always, paranoia is your ally here. If a message is even slightly out of the ordinary, don’t respond or act on it; verify it through a channel you already trust (a phone number you know, not one from the message), or just delete it.
