Friday, January 28, 2011

Let's be safe out there

JayG got a desperate email from Ambulance Driver, who it appears was in the UK.  All his money had been stolen, see, and he couldn't come back unless he got 1800UKP to settle up his hotel bill.  And pretty please, could you help out?

Riiiight.

Of course, you have to get up pretty early to pull the wool over Jay's eyes.  It's a scam.  But what's interesting is that it was a personalized scam.  It didn't come from the son of the Nigerian Prime Minister, it came from one of Jay's friends.

The Bad Guys are spending a lot of time on Social Media sites (especially Facebook).  They can generally get lists of friends (Facebook's privacy is pretty horrible).  It's surprisingly easy to get real email addresses for people, and so you have a bona fide real sender and real recipient, who know each other.

The original email scam is called "phishing" (where the bad guys go trolling for dupes).  This is called "spear phishing" (targeted phishing) and is coming to an inbox near you.

So what do you do?

1. A healthy skepticism is a virtue.  Jay's B.S. detector started ringing, and yours should too.  Read Jay's post, and Ambulance Driver's comment to see why Jay thought this was, err, phishy.

2. If you want to follow up with your friend to make sure they're all right, do not (repeat, do not) reply to the email.  Here is an ordered list of ways to make contact, from most preferable to least preferable:
  • Call them on the phone to ask them if they're in the UK and in trouble.
  • Send them an SMS text message, asking them to call you if they're in trouble.
  • Leave a comment on their blog: "Hey, I need to talk.  Call me at the sooper sekret BatPhone number."
  • Forward the email to their email address - one you know is good.  The Facebook "send a message" feature is a good one here; just cut and paste the email into the Facebook message and ask if they sent this.
You'll notice that you don't really want to rely on (or trust) email.  After all, it's possible that their email account was compromised.  It probably wasn't, but Out Of Band communication is preferred.

It's best to actually talk to the person, because you'll recognize their voice (hey, this is a friend, right?  So why not gab away?).

The Web is getting personal, including the bad stuff.  Let's be careful out there.

4 comments:

perfidy said...

I got one of those messages from a close friend just earlier this month. I was a bit perplexed at the holiday in Wales in January idea. My friend's email account was hacked - but the email itself was clever in that it claimed that the phone had been stolen along with the wallet in the robbery that occasioned the need for USD $2200.

I called my friend and let him know that he was the star in a new Nigerian scam.

Bullshit detectors become more and more important, don't they?

Ken said...

Happened to my wife's account a few months back. The amusing part is, whoever it was hit me up on Yahoo! Chat about the terrible misfortune.

I asked "her" how she'd managed to get to London and get robbed in the hour since I'd seen her last (several thousands of miles from London).

TOTWTYTR said...

In AD's case, it appears his Gmail address book was compromised, although the email came (with an altered email address) from a Yahoo account.

The group of us that got his email got a good laugh out of this.

Toaster 802 said...

I got an email from the member of a group I am part of. It was really funny that on their trip, they had totally started using English style grammar and spellings in the email.

Silly Brit, write like a colonial next time...