Home » Phishing must catch a significant amount of prey

Comments

Phishing must catch a significant amount of prey — 25 Comments

  1. I get text messages telling me there is a problem with my account (Netflix, Venmo, etc.), that it is locked, and to click a link to fix it. Of course I always report these as spam. They arrive in mini-waves; 2 or 3 one day and then none for a few days or a week.

    People like my 91 year old mother in law are the target for these attacks. She is trusting and expects that someone is just trying to help her. We have convinced her that the services she subscribes to would never and will never communicate with her via text about problems with her account.

    They don’t need a large percentage of people (prey) to respond to be successful and generate a good return for their low cost efforts.

  2. This hits close to me because I actually just recovered from a phishing attack a few days ago. It was dumb on my part, though I think less dumb than this, since it happened on Discord and saw a true account I knew of but had not had contact with in a couple months approach me. They wrote in a similar style to the digital acquaintance and sent me a link to a “game”, spinning a Sob story about their friend who wanted to be a game designer. I now know this is a pretty cookie cutter scam, but it seemed more impactful because I have been pretty open about working as a game alpha and beta tester on the side.

    Likewise, they were able to respond organically to what I wrote (indicating either a live scammer or a very clever textbot). Though I was still stupid and naive for not checking online and for ignoring the vast gulf between the stated imagery of the “game” and the extremely small install.

    That led to basically a fresh install and clawing back my account. It can be done but it still sucks, and it certainly is a salutary reproach of my confidence. Fortunately it looks like the damage was fairly modest, but it is still a pita. And one made worse by going through the installation of new tech separate from all this.

  3. An elderly neighbor began corresponding with beautiful women a year or so after his wife died. Also sent money to “release millions of dollars” scammers.
    Constantly sending money for air fare, medical emergency, etc. Took a reverse mortgage, sent all that, had to sell his house.
    Now living in elder care facility and still getting scammed.

    Poor guy wired $700.00 to his estranged “stepson” a couple of months ago. He was unaware his stepson had actually died in 2021.

    Care facility has taken over his banking now, finally. He just never learned.

  4. I wonder what proportion of these are aimed at the elderly, or what the proportion of booty (that means lucre) that the scammers get is from elderly. Fullmoon, that story is scary.

  5. Turtler: Thank you for sharing your scam. Sorry it happened! 9
    In a familiar context, a targeted ploy is so easily very effective.
    That is a powerful lesson to me, too!
    .
    Full moon: Really, just so awful!
    I’ve known similar elder victims. It still breaks my heart!
    Scumbags are like roaches, sadly.

  6. I am glad that my “feel” for the correct expression of English is as good as it is, as I often only really recognize something about one of these phishing emails is “off” because of a wrong tense or other minor misstatement. Or of course when I don’t have any such account being presented for correction.

    Some of the emails purportedly from AT&T can be the most difficult to suss out, as we have several AT&T services with distinct accounts. So far I have been sufficiently cautious that if something from them is questionable or unexpected, I will call their help line separately to confirm I have received a spam email, that no account or email is being closed or cancelled, etc.

    And one of our widowed elderly neighbors was being scammed by someone claiming to be from Social Security, checking to confirm information, etc. She did not have her guard up because the caller “knew her SS number”. Even all of the government sponsored alerts indicating their agencies won’t call someone that way aren’t having the level of impact we might hope.

  7. Somewhat related to phishing are telemarketers. Many years ago I gave up trying to convince my elderly mother to “just hang up” because she thought that was rude.

    So, I finally convinced her to say “I don’t make any financial decisions until my son has reviewed them.” Well, she finally said that to one of them and she was shocked that THEY just hung up on her!

    Since that happened I knew that I wouldn’t have to worry about her being scammed by telemarketers.

  8. A number of years ago, the Fiancee and I were discussing our telephone policy at home. Being a CPA, I built a spreadsheet and we gathered data. Over a two-week period, we received an average of three phone calls per day. In the same two-week period, we received a total of ONE phone call from someone we might want to talk to — and that was the Fiancee’s sister doing a butt-dial. We have let all calls roll to voicemail since.

    Mind you, this can be taken to extremes — https://www.newsweek.com/hiker-lost-24-hours-ignored-rescuer-phone-calls-did-not-recognize-number-1642103 — if you’re calling for emergency assistance, you should answer calls afterward.

    As a side note, your blogroll for qando seems to go to a casino site.

  9. “…just trying to protect you.”

    Sounds like the FBI, actually.

  10. Apropos of Fullmoon’s account of an elderly neighbor who “began corresponding with beautiful women . . . after his wife died”– there was a case in Florida a few years back about a guy who got addicted (there is no other word) to a Bulgarian cam girl that he met online and with whom he thought he had a real “relationship.” He stole $200,000 from various family members. When they discovered the theft, they tried to intervene, and he killed both parents and one of his two brothers. The whole sordid story can be read here: https://people.com/crime/son-accused-of-killing-parents-brother-200k-online-chatting-up-bulgarian-cam-girl/

    It’s not exactly phishing, but it is a case of a different type of Internet gullibility, i.e. lonely men fooling themselves into thinking that a sex worker on an online porn site is a real live “girlfriend.” Lonely women are more likely to fall for romance scams peddled by men looking for targets with large incomes/bank accounts.

  11. Don’t ever take part in a survey which appears to be legitimate. I did that and ended up on everybody’s spam list. I get emails from lonely Russian women, pillow case sales, airline promotions and you name it, I get it in my email.

  12. I’m looking for work.

    I had a job for 6hours or so.

    Got contacted about a job I’d applied to (actually had not, or at least, not with the spec’d company), and “got hired”.

    They purportedly set you up with a mac and a home office setup.

    Rather than sending me equipment, they sent me a check for $4800 and I was supposed to buy it from their vendor. I deposit the check, it “clears” and the money is in my account.

    So, I deposit the check, and now “ok, Zelle $2000 to this vendor”.

    Now, if you don’t have all kinds of red flags going up when you hear that, you SHOULD.

    Because:
    1 — that 4800 is there as a courtesy, it has “cleared the bank”, meaning the account was real and the check appeared to be valid. It does not mean that the company it was supposedly against was going to honor the check. YOU are still responsible for it if the check is repudiated.
    2 — If you Zelle someone money, it is the same as taking money out from the teller and giving them cash.
    3 — your usual protections against fraud don’t apply here, because YOU sent cash to someone voluntarily. The bank is not going to cover your ass on this one.

    Needless to say, it was a scam. About a week later, the $4800 was repudiated and taken back out of my account.

    I presume there are some people out there who lack knowledge of the above 3 points… or did, until they got ripped off.

    The kind of pond scum who do this should be lassoed by their genitalia and keelhauled using the rope. They’re taking advantage not just of someone’s greed, but of their actual decency and that they are in a tight spot, more than likely. People who get ripped off by con artists taking advantage of greed I don’t approve of, but feel far less ruth for them. These kinds of bastards are just very bad people.

  13. Also, you want bizarre/stupid — about 20y ago, the University of Florida Comptroller (I think it was him — a high ranking official with control over accounts) was found to have embezzled about 750 grand by writing fraudulent checks on UF accounts.

    The insane thing was that he bought a house with it and spent most of it on stuff like furniture.

    I mean, if you’re going to embezzle money, at least put it into things you can FLEE with, FFS. Not stuff that is fixed in place.

    You have to wonder wtf was going on in his head.

  14. Good point, cthulhu. My phone is set not to ring for callers not in my directory. If I call for help, I need to disable that. As it is, unknown callers can leave me a voice message.

  15. This is all annoying as hell.

    I don’t know how common our experience is, but over the decades we’ve been the target of any number of scam attempts, a couple of times found fraudulent purchases made in our name (once in France–ooh la la) on our statements, had a cable account opened up in my name, and another in my wife’s name, with a different campany—all of which required many hours of time and effort, each time, to straighten out–and we still receive various scam attempts fairly frequently.

    One fraudulent purchase, a decade ago, was for a bus ticket in Arkansas, and when I asked the fraud department person handling the case if they were going to try to find the perp they said no, apparently they were just going to fix the matter, and then let the matter drop.

    In the case of the cable account opened in my name, it was never paid, went to collections and, out of the blue, we got a notice from a collection agency alerting us to this scam.

    We found out that if you signed up for a low cost, basic cable account, the company involved just accepted your name, date of birth, and social security number as legit (the perp changed my name and DOB a little) and–as a matter of routine–didn’t check any further.

    Fixing this scam involved a lot of time on the phone with the collection agency and cable company, hours filing out police forms, and visits to the local police HQ to generate paperwork to send to the collection agency and to the cable company.

    We thought this was settled and then, a year or so later, this damn cable company send the supposedly settled, delinquent bill to yet another, different collection agency, and we had to go through the entire process all over again.

    First time around, after a lot of sleuthing and a lot of phone calls, we actually got the exact street address of the perp, in another state, where the account was opened up, but in what seemed like a pattern, no one in authority was apparently interested in actually tracking him down, knocking on his door, and taking any action against the thief.

    The most elaborate scam–apparently a classic one—was some twenty years ago, and started off with a large, expensive overnight letter, out of which fluttered two Postal Money Orders, each one made out to me in the amount of $750 dollars, to pay for me becoming a “Secret Shopper.”

    Those Postal Money Orders sure looked legit, silver strip and all, but when I called the supposedly crack U.S. Postal Inspection Service, they were not in the least bit interested in pursuing those behind the scam, and the phony Postal Money Orders.

    There certainly seems to be a pattern here, apparently low dollar amount scams are just not anything that the authorities want to put any effort into investigating and prosecuting.

    As for online scams, many of which can turn out to be high dollar scams, the only people apparently trying to shut some of these phony call centers—many of them in India–down are private individuals, vigalantees, some of whom post what they do on Youtube.

  16. P.S.–From what I’ve seen on Youtube, these call centers in India are legion, and each one can employ dozens of scammers working the phones, working off “sucker lists” containing many thousands of names, addresses, and telephone numbers; these centers sometimes pulling in hundreds of thousands of dollars in a very short period of time.

    Perhaps I’m naive, but I don’t know why anyone in authority never apparently makes a major, concerted effort to shut these operations down, they’re just not a priority.

  17. There are sites that will tell you if an email is a scam or not. There’s probably a lag between the first emails being sent and them being reported, though.

    I clicked on a bad link and got deluged with spam. It got through my spam filters, and it goes on for a while. It could have been much worse I guess.

  18. @Fullmoon: My next door neighbor suffered a fall and brain damage and is almost incapable of saying “No.” We have to make sure he doesn’t make friends with low-lifes that only come around on the 1st.

    @Charles: I miss getting phone scams, especially foreign ones. I love to play along or rather, bait them. I use two tactics. First is for voices with a normal English accent. I force an ‘elderly’ accent and walk down their chosen path, delaying to “go get” something, slipping in false numbers, etc. At the end I switch to my normal voice and mock them directly. Second is for foreign accents. They find themselves talking to Apu. The Indian scammers immediately go ballistic.

    (Go figure: “scammers” isn’t in the auto-correct dictionary.)

    @Snow: payola is why

  19. So far, I have been safe. I rarely answer the phone if the number isn’t in my directory. I never do for several exchanges (775, 623, 970, 303) because I have or have had phone numbers there. I am suspicious of 480 and 602 (Phoenix), but so far, no problems with 406 (MT). Everything else is suspicious. I have a canned text message asking them to text me with their business, and only have gotten a couple responses over the years. Interestingly, my wife doesn’t get very many spam calls (maybe once a months), possibly because I do all the business for us.

    I haven’t been caught in an e-mail scam, but do check many of them out for their sophistication. One key is URLs. Big companies always have their own domains. But make sure that you look at them right to left (backwards), since that is how they are parsed. There are ways to append what look like legitimate addresses to the left. Usually, I first check out the sending email address. It had better match the domain name for the business. Very often, I find a gmail account, which get forwarded to their spam address, as a public service. Even that though can be faked, and if I am still suspicious, I open up the email header, and check it out. It’s possible to fake some of it, but that is a lot more sophisticated than most spammers can get. (Eliminating the hidden header information was why Crooked Hillary’s attorneys provided the FBI with printed emails, making automatic deduplication with the emails found on Huma’s laptop impossible – which is what was going on during 10/2016 with Peter Strzok and his team).

    One important thing to keep in mind is that most large business, and all government agencies, will not send you email asking you to click on a link to change passwords or pay them money. If in doubt, access their web site normally, and change your password, or pay your bill, that way. And there are services that can review emails for being spam, scams, etc. I do so for my brother and a couple of friends.

  20. The cost in time and money to send these phishing attacks is minute. The shear volume is large. Even at a 1/10 of 1% can be a very large number.

    At which point the phisher can hoover up the victim’s contact list and get addresses of people who may be more likely to fall prey because they “know” the person and are less suspicious.

    This guy causes havoc and tries to claw back or prevent scams from succeeding. IIRC, he’s fluent in Hindi, but it might one of the other major languages of India.

    https://www.youtube.com/@ScammerPayback

  21. Scammers prey especially on the sometimes uninformed, naive, or often cognitively impaired elderly, and can wreck their “golden years,” as they drain the money from their accounts that was supposed to support them in retirement, or perhaps to be left as an inheritance for their remaining family members.

    Yet, from what I can gather, it is rare for anyone in authority to try to track down, much less to prosecute these cruel scammers.

    (I understand, though, that such scammers are very slippery creatures, move around a lot and, even if caught, prosecuted, sentenced, and ordered to pay “restitution,” have hidden, or spent the money, and quite often don’t even have “a pot to piss in.”)

  22. P.S.–The “pot” situation apparently applies in a lot of cases where lots of money may have been stolen, so that while a victim may have the satisfaction of seeing the guilty perp sentenced to have to make restitution of many thousands, or hundreds of thousands of dollars, or even more, the perp has no realistic chance of making enough money to make a full restitution and, in fact, some perps deliberately take a very low paying job, so that they cannot possibly make any meaningful restitution.

    See, for instance, the case of the young woman sentenced two days ago to an 11 year prison term, plus ordered to make restitution of $452 million dollars.*

    * See https://www.nbcnews.com/news/us-news/elizabeth-holmes-loses-bid-avoid-prison-ordered-pay-452m-restitution-rcna84837

  23. Statistically it is a good game. The messages cost almost nothing to send. We know next to nothing about how things work, so a suspicious note delivered to a safe, personal space just might be legitimate. On the other hand, when I get an email in which I am one of a hundred addressees, all listed in alphabetical order, my paranoia is activated.

    Currently, I have no active email service. The agents typically don’t want to deal with account numbers, email addresses, “real” names, etc., so that “off” email might be legit. Maybe. Paranoia gets you only so far in a world of incompetents.

    No one is going to tell me how a “master list” of email addresses got into the hands of a “fraudster” or what other personal information has been “hidden” on my machines. The system is opaque. I keep personal info in a little notebook, but after I visit a site, is something left on my machine somewhere? There are lots of games in “phishing”.

Leave a Reply

Your email address will not be published. Required fields are marked *

HTML tags allowed in your comment: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>