Spear Phishing...is this how it works?

A good friend of mine has asked for my technical help, and I just want to know if I am advising her correctly. Let’s call her “Agent X.”

Her professional acquaintances (we’re both in the real estate brokerage business) have been getting emails, supposedly from her, with wording like this:

This is classic Spear Phishing. The return address is a random gmail account, not her true email account. The recipients have been wise enough to know that this didn’t come from her, and some have forwarded the bogus messages to her real account so she can see what is happening.

So far, so good, right? But she wants to know if there is anything that can be done to stop this fraudulent activity. I’m afraid I don’t know the answer, other than just keep your eyes open and your guard up.

IMHO, I don’t think her email account has been hacked. I think someone has pulled Agent X’s email addy and the recipient’s email (probably from a public agent list), composed this message, and sent it; I don’t think anyone’s personal email account needs to be compromised to explain this. Am I right?

Anybody have any suggestions?

Yes, you are correct.
Digitally signing the email would prevent this, but most people can barely use email as it is - asking them to install GPG would be a bridge too far…

There’s really no solution. You can try to filter, but it will just come from another account. It’s also hard to filter the language, since it can vary, and the words are too common. The only solution is to be alert to the scam.

We get these at work. One person even fell for it whole hog – buying the iTunes gift cards as asked (he was a new hire, but really, anyone should think that request was fishy). He then came to ITS and insisted we reimburse him for them. I was dumbfounded by the request and called in the head of IT networking/security to deal with it. If I had spoken my thoughts it would not have defused the situation, and once he left the room, the other helpdesk people burst into laughter.

This has happened to several people I know.

What they’ve done is send out an e-mail to EVERYBODY they know saying so, so that all (or at least a bunch) of the potential recipients would be warned to watch out for it.

There’s not really anything SHE can do, besides warn everyone that emails that look like they are from her are not.

Do the recipients have IT support that receive SPAM emails and update SPAM filters or anything like that?

Office 365 has a feature called Advanced Threat Protection that will flag email coming from copycat senders. For example, if I send an email to one of my staff from my personal email, it will add a disclaimer to the email. As an admin, I can add an exception to allow the sender without the disclaimer.

I don’t see how this will help in this case. Agent X is not the one sending out the bad emails; they are being sent by someone pretending to be her.

It is using AI to compare who you usually get email from and flag it if that varies. If I typically email you from “FinsToTheLeft FTL@MyBiz.com” and an email comes in from “FinsToTheLeft@gmail.com”, you will see the warning. It may be a different Fins or my personal email (a false positive) or it could be a spear. If you don’t usually email with that person, there is no baseline to compare to, but spear phishing relies on familiarity with the person to work.

I imagine that automated spammish-filters like that also look at the header lines that you usually don’t see to decide if a mail is spam or fraudulent.

Most e-mail readers will have a thingy you can click that will show all the headers. It may be labeled “Show headers” or “Show original” or something like that. You will probably see a full page of cryptic header lines like:

Received: by 2002:a7b:cb18:0:0:0:0:0 with SMTP id u24csp4713618wmj;
        Tue, 28 Apr 2020 09:54:42 -0700 (PDT)

and piles of other mostly-cryptic stuff. But programs can read all that and parse a lot of information about the source and provenance of messages.
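An added example of the kind of header check the last two posts describe; it is not code from anyone in this thread. The baseline table, the addresses, the host names and the sample message are all constructed, and the "From" display-name comparison is the copycat-sender idea from the Office 365 post, done by hand on a raw message:

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline: display name -> the address that person normally sends from.
KNOWN_SENDERS = {
    "agent x": "agentx@example-realty.com",
}

# Constructed raw message imitating the scam in the thread (not a real capture).
SAMPLE_RAW = """\
Return-Path: <agentx.realty.urgent@gmail.com>
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com [209.85.128.45])
        by mx.example-realty.com with ESMTPS id abc123
        for <colleague@example-realty.com>; Tue, 28 Apr 2020 09:54:42 -0700 (PDT)
From: Agent X <agentx.realty.urgent@gmail.com>
Reply-To: agentx.realty.urgent@gmail.com
To: colleague@example-realty.com
Subject: Quick favor
Date: Tue, 28 Apr 2020 09:54:40 -0700

Are you available? I am stuck in a meeting and need you to pick up some gift cards.
"""
# Same message as it would look coming from the real account (constructed).
LEGIT_RAW = SAMPLE_RAW.replace("agentx.realty.urgent@gmail.com", "agentx@example-realty.com")


def assess_sender(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of warning strings for a raw RFC 5322 message (empty = no concern)."""
    msg = message_from_string(raw_message)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    # A familiar display name arriving from an unfamiliar address is the signature of this scam.
    expected = known_senders.get(name.strip().lower())
    if expected and addr.lower() != expected.lower():
        warnings.append(f"display name '{name}' normally sends from {expected}, not {addr}")
    # Envelope sender (Return-Path) on a different domain than From is another tell.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and return_path.split("@")[-1].lower() != addr.split("@")[-1].lower():
        warnings.append(f"Return-Path {return_path} does not match From domain")
    # Reply-To steering answers to a third address is a third tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")
    return warnings


def received_hops(raw_message):
    """Return the 'from <host>' of each Received header, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        words = header.split()  # also collapses the folded continuation lines
        hops.append(words[words.index("from") + 1] if "from" in words else "?")
    return hops
```

The first hop in `received_hops` is the server that accepted the message from the sender, which is what a filter compares against where that person's mail normally originates.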

Happened to someone in my office. We all got an email from “her” requesting that we buy some gift cards - she was “stuck in traffic” and really needed to get these.

What the scammer does is go to a webpage (our department web page) and look for the name of the Administrative Assistant. Then sends this bogus email to everyone in the department from “her”, with a gmail address that was not hers.

Her email was not hacked. All information was gathered from a public site. We were told that nothing could be done.

Personally I would like the ability to transport myself to the scammers home, where I would gently explain the error of their ways to them personally. Quite personally.