every once in a while i am surprised and impressed with the psychology employed by those who perpetrate phishing scams. i see this junk less often now that i've fine tuned my spamassassin install, but every so often something slips through that's way above and beyond the "i am nigerian royalty and i need you to send me money. please ignore the fact that i can't spell 'nigerian' or 'royalty'."*
most of us are familiar with the old and busted "please verify your paypal account details" scams... in which a person is directed to a look-alike site, asked to login, and then told to enter an assload of personal data (including info that paypal has never used in the past for any reason)
the new hotness? apparently, it's to generate authentic-looking receipts for big-ticket transactions that have allegedly taken place. (keep in mind, real receipt emails are often very sparse... sometimes even being just plain text depending on your settings.) the one i just received stated i bought a nokia cell phone for $400+ and that it was being shipped to a "bill chang" somewhere in maine. the brilliance of this is that none of the details have to be real... the more fake it seems the more likely a person might think "damn! someone pinched my info! a dirty hacker is going to clone cell phones in the new england area using my paypal account to get equipment."
there's of course a helpful "dispute this transaction" link in the email which in this case took me to a very well-crafted phony paypal page (which actually loaded elements directly from paypal's own web servers)...

... still nothing that wouldn't fool a half-awake person, but i see the scammers' increasing craftiness becoming more and more of a risk for the unaware sheeple. i get asked more often than ever before by employees at client sites about "how do i dispute this? are you sure it's not real? maybe i should call them and make sure" etc etc.
* free drink to the first person who identifies that reference.
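since the whole trick hinges on that "dispute this transaction" link pointing somewhere other than where the mail claims, here is a small link-checker i'd hand to the help desk for exactly the "are you sure it's not real?" question. this is an added example, not code from the original post: it parses a constructed sample message modelled on the fake receipt above (every name, amount and address in it is made up), pulls every anchor out of the html part, and flags links whose real target is outside a trusted domain set (assumed here to be just paypal.com) or whose visible text shows a url on a different host than the actual href. the registrable-domain helper is a deliberate simplification that takes the last two labels; production code should consult the public suffix list.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# domains the recipient actually has a relationship with (assumption for the example)
TRUSTED_DOMAINS = {"paypal.com"}

# constructed sample message modelled on the fake-receipt mail described above;
# every address, amount, host and name here is made up
SAMPLE_EMAIL = """\
From: "PayPal" <service@paypal.com>
Subject: Receipt for your payment to Bill Chang
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You sent a payment of $412.95 USD for a Nokia mobile phone.</p>
<p>Ships to: Bill Chang, Portland, ME.</p>
<p>Not your purchase?
<a href="http://paypal.com.account-review.example/dispute">Dispute this transaction</a></p>
<p>Visit <a href="http://203.0.113.5/login">https://www.paypal.com/</a> for details.</p>
<p><a href="https://www.paypal.com/help">Help Center</a></p>
<img src="https://www.paypal.com/images/logo.gif">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def registrable_domain(host):
    """Last two labels of a hostname (simplification: real code should use
    the public suffix list); IP literals are returned unchanged."""
    host = host.lower()
    if re.fullmatch(r"[\d.]+", host):
        return host
    labels = host.split(".")
    return ".".join(labels[-2:])


def html_body(raw):
    """Return the first text/html part of a raw RFC 822 message, or ''."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def suspicious_links(raw, trusted=TRUSTED_DOMAINS):
    """Flag anchors whose target is outside the trusted domains, and anchors
    whose visible text shows a URL on a different host than the real href."""
    parser = LinkCollector()
    parser.feed(html_body(raw))
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        host = urlparse(href).hostname or ""
        reasons = []
        if registrable_domain(host) not in trusted:
            reasons.append(f"target host {host!r} is not a trusted domain")
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"displayed URL host {shown.group(1)!r} differs from real target")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

run against the sample it flags the "dispute" link (its host only starts with paypal.com) and the link whose displayed text says paypal but whose href is a bare ip, while the genuine help-center link passes. note that the logo being pulled from paypal's real servers, like the author's phony page did, tells you nothing either way; only the anchor targets matter.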