Greed, Fear, and Kindness: The Evolution of Phishing and Spam
By: Joel Anderson, Security Risk Analyst, University Information Security
Anyone with an email account has seen spam and other deceptive messages - it’s nothing new. We humans have always found ways to deceive and trick one another. It doesn’t even require computers; look up Charles Dickens’ 1850 diatribe against “Begging Letters,” a nineteenth century form of scam mail, promising fortune or seeking charity for bogus causes.
The University is an attractive target because of its large population, which gains new members every year who may be unprepared for the varieties of scams that have accumulated over the years. It’s worth reviewing the types of fraud aimed at our community: appeals that use greed, fear, and even kindness to deceive.
Scams that appeal to greed are some of the oldest: promises of wealth from Nigerian princes (really!) or from military personnel offering to share some stolen treasure. Sometimes it’s a wealthy widow dying of cancer, or a British solicitor delivering your share of an estate. The aim may be identity theft (you must give up personal information to participate) or access to your bank account, ostensibly to deliver your new wealth but more likely to extract money from you.
Scams that play on fear take many forms. Some claim that your computer is infected and that you need assistance cleaning it up. In recent years, blackmail attempts have used various stories claiming that a user’s computer is infected and that they have been spied upon through it. These are attempts to extract money, sometimes in the form of bitcoin.
Other attempts to use fear involve invoices for overdue payments. Usually the aim is not the payment itself but to trick you into opening an infected document that compromises your computer. Or it might be an official notice “from” the University warning of loss of services (email? Library resources?) and telling you to log in to fix the problem. These scams are aimed squarely at stealing your login credentials: your ID and password. The attacker may use them to change your financial information, or simply to blast out spam from an official UMN address. While the advent of Duo two-factor authentication limits the effectiveness of such attacks, they still have some success, especially if you use the same password on other sites where your UMN email is your login ID. That’s why it is vital to use a unique password for each service.
Lately, there’s been a rise in scams that appeal to kindness. Particularly popular is an attack that exploits public information, for example a web page with a department email roster. A name on that roster is chosen, such as a professor or department head. A free webmail account bearing that person’s name is created and used to send messages to the other people on the roster. The initial message is brief: “Are you there?” If someone replies, a story is spun about needing help buying gift cards (often for someone’s birthday; it’s important, and they don’t have time to do it themselves), and the respondent is asked to scratch off the coating and send a photo of the card numbers. The scammer redeems the cards immediately, and some recipients have fallen for this type of scam.
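The roster-impersonation pattern described above is easy to check for mechanically. The following Python script is an added example, not code from this article or from University Information Security: it parses a raw message, compares the From display name against a (constructed) staff roster, flags a name match whose address is not the institutional domain, and looks for the short “Are you there?” opener and gift-card language in the body. The roster, the umn.edu domain and the sample messages are assumptions made for illustration.

```python
"""Triage helper for display-name impersonation of staff (added example).

The roster, ORG_DOMAIN and the sample messages are constructed for
illustration; adapt them to your own directory and domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "umn.edu"  # assumed institutional domain

# Constructed roster: the kind of list an attacker scrapes from a department page.
# Keys are normalized names (see normalize_name), values the legitimate address.
ROSTER = {
    "jane doe": "jdoe@umn.edu",
    "sam lee": "slee@umn.edu",
}

# Short openers and gift-card language typical of the "Are you there?" scam.
LURE_PATTERNS = re.compile(
    r"\bare you (there|available|free)\b|\bgift ?cards?\b", re.IGNORECASE
)


def normalize_name(display: str) -> str:
    """Lower-case, strip punctuation and reorder 'Last, First' so roster lookups match."""
    display = display.strip().strip('"')
    if "," in display:
        last, first = display.split(",", 1)
        display = f"{first} {last}"
    return " ".join(re.sub(r"[^\w\s]", "", display).lower().split())


def is_org_address(addr: str) -> bool:
    """True for addresses at ORG_DOMAIN or one of its subdomains."""
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def check_message(raw: str) -> list[str]:
    """Return a list of findings for one raw RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Display name matches a known staff member but the address is not theirs.
    expected = ROSTER.get(normalize_name(display))
    if expected and addr.lower() != expected:
        findings.append(
            f"display name '{display}' matches roster but sender is {addr} "
            f"(expected {expected})"
        )

    # 2. Reply-To redirects replies somewhere other than the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Scam opener or gift-card language from an external address.
    body = msg.get_payload() if not msg.is_multipart() else ""
    lure = LURE_PATTERNS.search(body)
    if lure and not is_org_address(addr):
        findings.append(f"external sender used lure phrase '{lure.group(0)}'")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "impersonation": (
        "From: Jane Doe <jane.doe.umn@gmail.com>\n"
        "To: slee@umn.edu\n"
        "Subject: Quick favor\n\n"
        "Are you there?\n"
    ),
    "legitimate": (
        "From: Jane Doe <jdoe@umn.edu>\n"
        "To: slee@umn.edu\n"
        "Subject: Seminar\n\n"
        "The seminar moved to 3pm.\n"
    ),
    "vendor": (
        "From: Vendor <sales@example.com>\n"
        "To: slee@umn.edu\n"
        "Subject: Statement\n\n"
        "Please see the attached statement.\n"
    ),
}


def triage_all(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run check_message over a batch and return only the flagged ones."""
    return {name: f for name, raw in samples.items() if (f := check_message(raw))}


if __name__ == "__main__":
    for name, findings in triage_all(SAMPLES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

A gateway rule built on the same idea (known display name, unknown external address) catches most of these first-contact messages before anyone replies; the body check matters because the opener is deliberately bland and only becomes a gift-card request once a reply arrives.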
Most internet scams create a sense of urgency: you have to hurry to get that money, to pay the blackmail, to help that professor! Your best response to dubious mail is to take time. Take time to consider, time to ask questions, time to get a second opinion. University Information Security is always ready to look at a suspicious message, just send it to [email protected] and we’ll investigate.