Regulatory Reality

Mar 2 2010   8:18PM GMT

Something smells phishy

David Schneier David Schneier Profile: David Schneier

I received an email from Rebecca Keen this morning asking for help.  You see, Rebecca took an unexpected trip to the UK and while there lost her wallet and all of her financial resources and was hoping I could help.  She asked if I could float her a temporary loan of $1,540 so she could settle her hotel bill and make it back home safely.  It turns out that all of her other possible avenues for assistance have failed her and I’m something of a last resort.

Of course I don’t know anyone by the name Rebecca Keen and knew instantly that it was a phishing scam. It’s not the email by itself that made this a blog-worthy item.  What made Rebecca’s email this week’s topic was the reaction of someone close to me and their attitude about how to handle it.

At the risk of embarrassing anyone, I won’t go into specifics as to who the person is, but when I told them about the email as a way of educating them on how to identify and manage phishing attempts, they asked me how I knew it wasn’t legitimate.  Beyond the obvious fact that I don’t know now and have never known anyone by that name I’m not sure what else I’d need as proof this was a scam.

Here was the ensuing exchange:

“That may be true but what if they sent you the email by accident?  What if they misspelled the email address?”

To which I replied, “Still not my problem and I won’t respond because that establishes a dialogue which will only encourage the person further.”

“But shouldn’t you at least let the person know they reached the wrong person,” I was asked with a tinge of real concern.

“If I reply, that will send the message that they reached the right person. They’ll think I care, which will only open me up to additional pressures from the scammer”.

“People are so mistrusting these days.  I’d at least want to make sure this wasn’t someone who needed my help”.

And therein lies the problem: Despite this being a very obvious phishing attempt, it was only obvious to me. Despite the endless stories about people being exploited and robbed by an endless array of online and email scams, there are still people who respond favorably to these sort of things because of their basic decency. The person to whom I was talking wasn’t lacking in intelligence and isn’t typically naive, but when presented with these situations uses a different set of rules.

To make matters worse, the email from Rebecca Keen was properly formatted without spelling errors and actually looked like something I might receive from a legitimate source.  As a matter of fact, it presented itself so well that I actually opened it, which is a step further along than these things usually get.  But of course I knew instantly that it was just the latest example of how people are using the Internet to try and steal money.  And while the scam was obvious to me, there is at least one person I know who might actually have taken action upon receiving something similar.

You know what occurred to me today?  The reason that scammers continue to send out phishing emails is because they still generate the desired results.  Despite the endless marketing campaigns by a wide range of financial institutions to educate online users, there are still a large enough number of people who are victims waiting to happen.   And as long as even one person responds favorably to a phishing campaign, it’s considered a success.

I’m thinking that as a former New Yawker I should create a program for the FDIC based on my experiences growing up in New York City.

  • Do not engage in any dialogue with anyone you don’t know about money in an unusual or inappropriate setting e.g. street corners, subway platforms, etc.
  • If someone is selling something, offering to buy something or trying to distract you somehow when in an unusual or inappropriate setting (e.g. stopping you on the street, walking up to your table at a restaurant, etc.) immediately disengage and continue on your way or return to what you were doing without allowing the conversation to develop and/or continue.
  • And if at any time your instincts tell you that something is wrong, amiss, out of place or odd err on the side of caution and do everything and anything to remove yourself from that situation.

P.T. Barnum was often credited with having said that “There’s a sucker born every minute” and apparently online there are somewhere between two and too many scammers waiting to take ’em.

P.S. As I was about to publish this post I received an email update from Rebecca Keen letting me know that someone temporarily stole her email account and that there’s no emergency whatsoever.   Glad to hear it but I still have no clue who she is.

1  Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.
  • ComplianceGuy1
    Having received a similar email, but from a friend of mine, I called their house to see what was going on. Here's where the phishing took an interesting angle. She had first received an email, seemingly from Yahoo, asking her to verify her email address and password which she promptly did. There was no request for bank account info nor SSN so she thought it was legit. That was part 1 of the scam. Then came Part 2 of the scam. Once the phisher had that info it reset her password so that she couldn't get into her account and sent emails from her to tens of thousands of email addresses, which it apparently hacked, claiming to be stranded in the UK and please send money etc. etc. She followed with an email to the friends addresses that she could remember (she couldn't get into her Yahoo email to look everyone up since her password was changed) to let them know it was a scam. My friend is a very intelligent infectious disease physician but never thought twice about responding to Yahoo's request. Many people think that phishing is about duping the unsuspecting elderly or the uneducated but it affects everyone in all walks of life. However, it does affect the uneducated...uneducated about identity theft, the variety of forms that it takes and the damage that it causes to those who get caught in the scam food chain. Perhaps we should all learn a lesson from the late Ronald Reagan who, in a time prior to the internet as a way of life, said "Trust but Verify".
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: