“I am being a prince and investing a great deal of money in the UK banks a few years back. But now they do not like my country no longer and they want let me remove my money. I need helpful UK person to retrieve $30,000,000 from my bank. Of course for help in this matter I let you keep 10% of this money as a gift for your great assistance please send you details to…”
You're not buying this, are you?
No? Good. You're one of the many millions of people who can spot a spam e-mail immediately. You know not to respond because it's just too good to be true. It's poorly written, badly spelled and the grammar is offensive to the eyes.
What you may not know is that this is a deliberate tactic. Attackers craft these e-mails intentionally poorly so that only a certain slice of the population replies, for example those not familiar with technology. This ensures that the people who respond are likely to be vulnerable and fooled by further dubious calls to action.
This is Chris from IT.
We've noticed that your computer is one of the ones running slower than it should be in the company and we're sending you the fix for it. It's just a little program attached to this e-mail; it'll show up as an icon at the bottom of the page. It's called fix.exe and if you can just click on it and if it asks you to allow it to run just click yes for me please; hopefully we can get your machine running faster and annoying you less.
How about now? Your name is Susan and you've heard of Chris from IT.
The sending e-mail address matches your company e-mail address structure.
Your computer is running slow, right? (Everyone thinks their computer is running slow.)
So it's a reasonable request. It all looks legitimate, hence you're going to click that fix.exe, say yes and install that malware for that nice scammer, aren't you?
You‘ve just been Spear Phished.
Spear Phishing is the new wave of attacks perpetrated via e-mail. Rather than a poorly worded missive designed to attract the unwary, these e-mails are well written, well formed and personal. They come to you in the name of your IT staff, your CEO, your boss. They spoof that person's e-mail address and they know your name. They offer you a good reason for sending sensitive information or opening an attachment, because the request comes from exactly the person who would be expected to make it.
If you would have done what the above e-mail asked, don't worry: you're not a bad person and you're not stupid. It is worth noting that although executive-level staff are more likely to be targeted, thanks to their better-known persona and greater likelihood of higher-level access to company resources, everyone is vulnerable to this kind of attack.
People in security companies fall for these, people in government organisations fall for these. It's easy to do. Up until now you were just unaware of the possibilities. So now you are. Welcome to a more secure future.
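As an added defender-side illustration (not part of the original post), this Python script parses a constructed e-mail modelled on the Chris-from-IT message and flags the two tells the text describes: a From address that looks internal while Return-Path or Reply-To point somewhere else, and an executable attachment such as fix.exe. The header values, domains and the RISKY_EXTENSIONS list are assumptions made up for the example.

```python
import email
import email.utils
from email import policy

# Attachment extensions that execute when opened; list chosen for this example.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Constructed sample modelled on the "Chris from IT" message above; not a real capture.
SAMPLE_RAW = b"""Return-Path: <bounce@mail-delivery.example.net>
From: Chris from IT <chris.it@corp.example.com>
Reply-To: chris.support@corp-example-helpdesk.net
To: Susan <susan@corp.example.com>
Subject: Fix for your slow computer
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Susan, just click fix.exe and choose yes when prompted. - Chris
--b1
Content-Type: application/octet-stream; name="fix.exe"
Content-Disposition: attachment; filename="fix.exe"

not a real executable, constructed for the example
--b1--
"""

def domain_of(header_value: str) -> str:
    # Lower-cased domain part of the first address in a header value.
    _, address = email.utils.parseaddr(header_value)
    return address.rpartition("@")[2].lower()

def spear_phish_indicators(raw: bytes, internal_domain: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # An internal-looking From whose bounce or reply address leaves the company domain.
    if domain_of(msg.get("From", "")) == internal_domain:
        for header in ("Return-Path", "Reply-To"):
            value = msg.get(header)
            if value and domain_of(value) != internal_domain:
                findings.append(f"{header} points outside {internal_domain}: {domain_of(value)}")
    # Attachments that run code when double-clicked, like the fix.exe in the story.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and "." + name.rpartition(".")[2] in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
    return findings
```

Calling `spear_phish_indicators(SAMPLE_RAW, "corp.example.com")` returns three findings for the sample; a gateway rule would typically quarantine or tag such a message rather than rely on Susan spotting the mismatch.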
Here are some tips to help avoid this problem:
Oh and by the way, if you said yes earlier, just send me a blank signed cheque to the below address.