Posted by: David Schneier
email, fraud, GLBA, phish, phishing, Regulatory Compliance, scam, scammer, Security, spam, theft
I received an email from Rebecca Keen this morning asking for help. You see, Rebecca took an unexpected trip to the UK and while there lost her wallet and all of her financial resources and was hoping I could help. She asked if I could float her a temporary loan of $1,540 so she could settle her hotel bill and make it back home safely. It turns out that all of her other possible avenues for assistance have failed her and I’m something of a last resort.
Of course I don’t know anyone by the name Rebecca Keen and knew instantly that it was a phishing scam. It’s not the email by itself that made this a blog-worthy item. What made Rebecca’s email this week’s topic was the reaction of someone close to me and their attitude about how to handle it.
At the risk of embarrassing anyone, I won’t go into specifics as to who the person is, but when I told them about the email as a way of educating them on how to identify and manage phishing attempts, they asked me how I knew it wasn’t legitimate. Beyond the obvious fact that I don’t know now and have never known anyone by that name I’m not sure what else I’d need as proof this was a scam.
Here was the ensuing exchange:
“That may be true but what if they sent you the email by accident? What if they misspelled the email address?”
To which I replied, “Still not my problem and I won’t respond because that establishes a dialogue which will only encourage the person further.”
“But shouldn’t you at least let the person know they reached the wrong person?” I was asked with a tinge of real concern.
“If I reply, that will send the message that they reached the right person. They’ll think I care, which will only open me up to additional pressures from the scammer.”
“People are so mistrusting these days. I’d at least want to make sure this wasn’t someone who needed my help.”
And therein lies the problem: despite this being a very obvious phishing attempt, it was only obvious to me. Despite the endless stories about people being exploited and robbed by an endless array of online and email scams, there are still people who respond favorably to these sorts of things because of their basic decency. The person to whom I was talking wasn’t lacking in intelligence and isn’t typically naive, but when presented with these situations uses a different set of rules.
To make matters worse, the email from Rebecca Keen was properly formatted without spelling errors and actually looked like something I might receive from a legitimate source. As a matter of fact, it presented itself so well that I actually opened it, which is a step further along than these things usually get. But of course I knew instantly that it was just the latest example of how people are using the Internet to try and steal money. And while the scam was obvious to me, there is at least one person I know who might actually have taken action upon receiving something similar.
You know what occurred to me today? The reason that scammers continue to send out phishing emails is because they still generate the desired results. Despite the endless marketing campaigns by a wide range of financial institutions to educate online users, there are still a large enough number of people who are victims waiting to happen. And as long as even one person responds favorably to a phishing campaign, it’s considered a success.
I’m thinking that as a former New Yawker I should create a program for the FDIC based on my experiences growing up in New York City.
- Do not engage in any dialogue with anyone you don’t know about money in an unusual or inappropriate setting, e.g. street corners, subway platforms, etc.
- If someone is selling something, offering to buy something or trying to distract you somehow when in an unusual or inappropriate setting (e.g. stopping you on the street, walking up to your table at a restaurant, etc.), immediately disengage and continue on your way or return to what you were doing without allowing the conversation to develop and/or continue.
- And if at any time your instincts tell you that something is wrong, amiss, out of place or odd, err on the side of caution and do everything and anything to remove yourself from that situation.
P.T. Barnum was often credited with having said that “There’s a sucker born every minute” and apparently online there are somewhere between two and too many scammers waiting to take ‘em.
P.S. As I was about to publish this post I received an email update from Rebecca Keen letting me know that someone temporarily stole her email account and that there’s no emergency whatsoever. Glad to hear it but I still have no clue who she is.