Nearly got caught out yesterday. Email arrives on phone from a "friend" oddly the short message is very similar, near word for word, to how he opens a conversation. I respond with offer to ring and talk.
The response is that he's in a meeting until late and he needs some Amazon vouchers.
I've actually fallen for it now and respond with "How many and for what value"
The answer is: "Total amount needed is £400 (£100 denomination) I need you to scratch the back of the card to reveal the pin, then take a snap shot of the back showing the pin and have them attach to me. How soon can you get the cards?"
That seems odd so I respond with "it'll be 6pm at the earliest" (actually true since I was out working in the middle of nowhere at the time) which gets the above message resent. I now ring my friend's home, he's not in so I wait half an hour and ring again and he answers so he most definitely isn't in a meeting! His email account hadn't been hacked - we are committee members of a club and my contact details but not his are public so the scammers had taken his name and sent me the scam email. Two others also got the same email - their details are also public.
Since I use Gmail most spam, etc. gets filtered out before I ever see it so my guard was down. If they'd asked for £40 they might well have got away with it.
I've not used Amazon or similar gift cards so presumably the PIN is used at the checkout stage to pay for goods with delivery to some suitably anonymous address or the click and collect boxes.
Might be my lack of imagination but I can’t think of a single legit reason why a friend would urgently NEED Amazon vouchers? Did they give a reason?
No, he does do work with kids charities (but I doubt the scammers would know that) so I assumed that's what they were for - it was when the requested amount was revealed that I became suspicious.
It doesn't need much in the way of believable "facts" to hook you if you aren't prepared.
There was a programme about this exact scam on Radio 4 before Christmas! If I remember correctly, one person fell for it (I believe having received the message after a couple of brandys) while the immediate reaction of everyone else was 'why would anyone urgently need Amazon vouchers' and / or 'if the friend in question needed something they would call or message me, not send a vague email'.
Sounds like *your* email has been hacked, OP.
It doesn’t need much in the way of believable “facts” to hook you if you aren’t prepared.
Seems like you were caught out by a couple of coincidences! My default reaction to ANY email requesting money, etc. that I wasn't expecting* would be one of suspicion - it's (for me anyway) an extremely unlikely scenario that someone legit would unexpectedly need money from me and request it via email... I don't think it has ever happened tbh! I agree though it is surprising these days when one of these makes it through the Gmail spam filter.
(*even when you are expecting one it's best to double check as there's a pretty common scam where e.g. your builder actually HAS had his email compromised and it will be monitored and then when payment is due the scammers will send an email with their payment details!)
There were two others who got the same email at the same time "from" the same person. All three email addresses and our names are on the same web page but our friend only has his name there. Possibly a bit of data scraping: look for a contact page; pull the text and a bit of parsing looking for something like "name: fred smith", etc. All scriptable.
Might be my lack of imagination but I can’t think of a single legit reason why a friend would urgently NEED Amazon vouchers? Did they give a reason?
"I'm travelling and my bag with my wallet got stolen so I need money for a hotel and to get home." All sorts of different variations on that scam.
“I’m travelling and my bag with my wallet got stolen so I need money for a hotel and to get home.”
Amazon vouchers though?! 🤣
Although I wouldn't be surprised if Amazon branded hotels that DID take vouchers were a thing at some point in the future!
Yeah, don't be fixated on the Amazon bit, it's a social engineering attack.
Yeah, don’t be fixated on the Amazon bit, it’s a social engineering attack
Is it? Doesn't that imply it's a sophisticated attack which has targeted you SPECIFICALLY? This is just a random scattergun approach which happens to have ticked a couple of your boxes?
I think the Amazon bit *is* relevant tbh because as I said, if they don't give a compelling reason, why WOULD anyone need Amazon vouchers in a hurry? (EDIT: as linked below, at least that is a semi-plausible excuse for needing them rather than just saying "send me vouchers". Still don't think I'd fall for it though!! 😃)
The take-home really should be, regard ALL emails requesting money/vouchers/etc with suspicion until proved otherwise!
Your e-mail has not been 'hacked', but someone has been able to link the two of you together, either by social media or other method, possibly from an access to your friends account.
Sigh, if you actually read what I've written you'll see that the three people who received this email have their contact details, including email addresses, on a web page. The name of the "sender" is also on that page but their email address is not. Other committee members named on that page don't have their email addresses listed and didn't receive the scam even though we all have each others addresses on our systems/email accounts so unlikely that the accounts have been hacked. Also the addresses on the page are "secretary@", "membership@" not our real email addresses then there's a redirect done behind the scenes. I received a "membership@" addressed email.
It's unlikely to be specific to that site. Previously you'd have scripts that trawl the web looking for registration forms (or indeed any form) and fill them in with seemingly random data in an attempt to get to the databases behind them. This is similar: search web sites looking for contact pages; scrape details; match names and email addresses and start the attack. The email addresses on the site are munged using a mixture of actual characters and html entities but really that's just a minor irritation to reverse engineer.
The guy whose name was used said that the orienteering club he's a member of had had a similar scam. Just seems to be going the rounds at the mo.
I don't know if it's a shame, or a scandal, that the fact that someone will try to steal from you on a daily basis is somehow now normalised.
I don't know if it's a shame, or a scandal, that the fact that someone will try to steal from you on a daily basis is somehow now normalised.
I'm pretty sure that people have been locking their doors and keeping valuables locked away since the dawn of time. The internet has just made it easier for scammers to contact people.
Also the addresses on the page are “secretary@”, “membership@” not our real email addresses then there’s a redirect done behind the scenes.
You could set up a rule so these mails are directed to a separate folder, or flagged, etc., then it would be obvious that it hasn't arrived via your personal email address.
I’m pretty sure that people have been locking their doors and keeping valuables locked away since the dawn of time. The internet has just made it easier for scammers to contact people.
Yeah, there's always been conmen, doorstep scammers, etc., the internet has just made this easier and massively increased the scale of the problem!
You could set up a rule so these mails are directed to a separate folder, or flagged, etc., then it would be obvious that it hasn’t arrived via your personal email address.
I do, on my desktop, the email client on my phone doesn't - I rarely use my phone to do emails, I just happened to have the phone to hand when this one came in.
Edit: I typically get between 1000 & 2000 genuine emails through this redirected account every year.
A client of mine got caught by this scam on a much grander scale. An email was received from someone claiming to be a senior colleague that needed an invoice paying very urgently. It sounded credible enough for them to make the payment for about £20k IIRC.
My son got caught by this last year. The text was from his boss (allegedly) - he had just started working at the company, had updated his LinkedIn profile and I suspect that's how they knew. He lost about £1400, but credit to Amazon they did give it back after a month or so.
why WOULD anyone need Amazon vouchers in a hurry?
Reason given was that he was in a meeting and wanted to give them as a gift to the people there. 'Boss' got quite angry when questioned - was apparently quite convincing.
This particular scam - or variations on it - are as old as the hills. Really though, it's the tip of a very large iceberg. Email addresses are trivial to forge and in any case why bother, most people aren't very good at eyeball-scanning URLs anyway. Is amazon.vouchers.com likely to be a legit Amazon site? How about AMAZ0N.COM, arnazon.co.uk, smile.amazon.co.uk or www-amazon.co.uk?
Over the years we've seen various reasons why computers get infected. There was a time (that some people can't move on from) when Windows was a vulnerable leaky mess. A few years ago the single biggest point of entry for malware was unpatched versions of Acrobat Reader and Java. Today the greatest threat facing an organisation by a country mile for both scams and malware is the index finger on your right hand.
We've been working at work (best place to do it) to raise awareness of cybersecurity, but it's difficult as you're essentially asking non-technical staff to be more technical. Should we expect people to reliably read email addresses, or is that just inviting trouble because they've just incorrectly reassured themselves? Then there's the usual shibboleths, some of which we see in the OP's mail: it's URGENT (don't stop and think, just react!); request for money in a non-reversible and probably unusual format such as Western Union (who urgently needs Amazon vouchers?); appeals to the heart (some sob story to make your emotions overrule your brain) and so forth.
But the best answer I've found so far is simply this: "were you expecting this communication?" A Director emails Finance instructing them to urgently write a cheque for £20k, is this a common scenario? Your mate emails out of the blue asking for Amazon vouchers, wouldn't you expect some sort of preamble? You can readily do your own manual 2FA, ring the director to confirm or ask your mate something only they would know, it takes seconds to check.
The answer to that question in the first paragraph, incidentally, is that one of them is valid and the rest I made up. Did you spot which one?
Coincidentally, whilst writing that post I received an email from ͏͏͏͏͏͏͏͏͏а̴c͏c͏o͏u͏n͏t͏-aler͏̴t͏@а̴mazo͏͏͏n᎐c͏͏͏͏͏͏͏o͏.uk (actual domain is a random 12-letter name).
Reason given was that he was in a meeting and wanted to give them as a gift to the people there. ‘Boss’ got quite angry when questioned – was apparently quite convincing
Obviously worked, but putting up £1400 of his own money out of the blue for work expenses?! Think even if I did believe it I'd start a thread on here first moaning about the ****ing cheek of it 🤣
@Cougar - that's partly the point. I'm reasonably technical and did work in software for nearly twenty years but I let my guard down.
If I'd only tried to ring my friend the once and there was no reply there's that false positive feedback "Oh, he's in a meeting as the email stated". I actually tried to ring him three times and only got through on the third - he and his wife had been out for a walk. As soon as he answered the email was shown to be fake since he couldn't be at home (or on a walk) and "in a meeting till late".
One point raised in a blog post I read this morning about similar scams is that we've become accustomed to systems like Google's email scanning to filter these out for us so that when one does get through it catches us off-guard.
Yeah, it happens.
I used to hear of people getting taken in by these things and think "well then, you're a bloody idiot". But some modern phishing attempts are actually really sophisticated and convincing these days.
This one crops up quite regularly at work - our CEO gets her name in the papers not infrequently so it's easy to write an email "from" her and send it to various company email addresses. The usual angle is that the Amazon vouchers are surprise bonuses for 'all our hard work during lockdown' - makes more sense that way than a mate. Nearly succeeded with one attempt a year or two ago...
As I wear the general cybersecurity hat, I regularly send internal emails reminding people of a checklist of suspicious signs - the From address (though this can also be faked to be correct...), any kind of 'hurry up and do this now' language that encourages you to rush through normal processes, especially for payment of any kind, poor English, links to random URLs on the 'Click here' button. It helps that our CEO also has a very personal and personable style so it's usually quite easy to tell if something doesn't sound like she wrote it.
The flipside now is that I have a very suspicious team who send me 'Is this a scam?' questions on legit emails occasionally, but the occasional false positive is fine!
most people aren’t very good at eyeball-scanning URLs anyway. Is amazon.vouchers.com likely to be a legit Amazon site? How about AMAZ0N.COM, arnazon.co.uk, smile.amazon.co.uk or www-amazon.co.uk?
I thought that Instagram one was a good example - my eyes saw the logo in the posted image, the word following looks like it should.. (not that it's the type of scam many would fall for in this case!)
https://singletrackmag.com/forum/topic/jono-jones-instagram/#post-11688746
We had a new guy at work fall this in a fairly big way. Several hundred pounds worth of Amazon vouchers were e-mailed to a senior partner, who was in a meeting and needed them to give out as a thank you to people in the meeting.
Only they weren't e-mailed to her, but another spoof e-mail.
Because he was new he didn't realise this was very out of the ordinary, and as he was new he was eager to please.
Now every e-mail that originates outside our organisation has a warning on it. This was such an easy step to do that I'm surprised we (I) didn't do it sooner. Haven't had the need before as it's been drilled into people here to be super careful and if even the slightest thing feels odd to let me know and I'll check it out.
I'm not 100% sure, but I think as a secret santa present he got amazon vouchers...!
A client of mine got caught by this scam on a much grander scale. An email was received from someone claiming to be a senior colleague that needed an invoice paying very urgently. It sounded credible enough for them to make the payment for about £20k IIRC.
£20K? Pfft. 42 million euros on that...
https://www.reuters.com/article/us-facc-ceo-idUSKCN0YG0ZF
As a Finance Director / Head of Finance I've seen plenty of these. Mostly pretty obvious, occasionally more credible looking (and regardless none should work in a business with decent basic financial controls by the way).
True story: last dodgy looking one I saw we all (my Finance people and some friendly IT types) thought was a scam, from the urgently required advance payment to a firm we've got credit with, to the generic, stilted and very impersonal tone and wording of the email text, to the whole "requesting a payment via email when everyone knows the required process and it's not that" scenario. Turns out that..
It helps that our CEO also has a very personal and personable style so it’s usually quite easy to tell if something doesn’t sound like she wrote it.
.. is not a suitable control at our place, the email was genuine.
Funny story if you're an accountant maybe but it shows how staggering that story from Austria is: we won't send £42 out without the correct process being followed and a proper authorization. That reminds me of that (Korean, I think?) plane crash where a big factor was more junior crew being culturally programmed to be deferential to authority and not questioning the captain when he did something stupid. And lethal. Led to more focus on crew resource management. Anyway, a big factor in effectiveness of financial controls is not allowing anyone to be above them. The reason those spoofs are normally from the CEO is that's the most likely chance of controls being overridden.
It helps that our CEO also has a very personal and personable style so it’s usually quite easy to tell if something doesn’t sound like she wrote it.
We had one last week where the scammer had set up a ceo.companyname@gmail.com address, used the CEO's full name as the account name and included a company logo from our website below the signature line. They then sent it to about half our staff - asking for a reply as they had an urgent issue that needed some help.
Thankfully the first person who got the email was switched on, so within a few minutes we had it blocked and word out to all staff.
Our IT company were impressed at the level of research and effort put in by the scammers - but said they have seen a couple like that before.
The answer to that question in the first paragraph, incidentally, is that one of them is valid and the rest I made up. Did you spot which one?
Yeah, well I'd got as far as failing to figure out what was wrong with the smile one. Is there a prize?
A work colleague got scammed a few years ago, with someone pretending to be the Head of Department. Same scam.
It's worth knowing how to read full email headers - if I'm even slightly suspicious I'll view the source text of the email and see if it looks as if it was sent by the person in the 'from' address.
Also, on Cougar's example, that amazon.vouchers.com belongs to vouchers.com, never amazon, always start from the top level domain (.com, .co.uk, etc).
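Cougar's lookalike-domain quiz and the "start from the top-level domain" rule above, as an added example that is not part of this thread: a Python checker that reduces a sender address to its registrable domain, undoes the usual substitutions (digit for letter, rn for m, Cyrillic confusables, hidden zero-width characters) before comparing against an allow-list, and also flags a Reply-To or Return-Path that diverts replies elsewhere. TRUSTED, the confusables table and the sample message are constructed for the example, and registrable_domain uses a simplified .uk rule rather than the Public Suffix List.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"amazon.co.uk", "amazon.com"}  # constructed allow-list for this example
BRANDS = {d.split(".")[0] for d in TRUSTED}  # brand words to look for inside other domains
# Deliberately partial confusables table: Cyrillic letters that render like Latin a e o p c x y i.
CYRILLIC = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")
DIGITS = str.maketrans("013", "ole")  # AMAZ0N -> amazon

def registrable_domain(host):
    """Last two labels, or three under .uk (simplified; real code uses the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if labels[-1] == "uk" else 2
    return ".".join(labels[-n:])

def visible(host):
    """Drop combining marks and format characters (zero-width joiners etc.) hidden in a domain."""
    return "".join(c for c in host if unicodedata.category(c) not in ("Mn", "Cf"))

def fold(host):
    """Undo the substitutions lookalike domains rely on so they compare equal to the real brand."""
    return visible(host).lower().translate(CYRILLIC).translate(DIGITS).replace("rn", "m").replace("vv", "w")

def check_sender(address):
    """Return [] for a trusted registrable domain, otherwise the reasons the domain looks wrong."""
    host = address.rsplit("@", 1)[-1]
    reasons = []
    if visible(host) != host:
        reasons.append("hidden combining/zero-width characters in domain")
    if any(ord(c) > 127 for c in visible(host)):
        reasons.append("non-ASCII characters in domain (possible homoglyphs)")
    real = registrable_domain(visible(host))
    if real in TRUSTED and not reasons:
        return []
    folded = registrable_domain(fold(host))
    if folded in TRUSTED and real != folded:
        reasons.append(f"{real} mimics {folded}")
    elif real not in TRUSTED and any(b in fold(host) for b in BRANDS):
        reasons.append(f"brand name present but registrable domain is {real}")
    return reasons

def reply_goes_elsewhere(raw_message):
    """True when Reply-To or Return-Path lands on a different registrable domain than From."""
    msg = message_from_string(raw_message)
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1])
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and registrable_domain(addr.rsplit("@", 1)[-1]) != from_domain:
            return True
    return False

# Constructed sample: the display name is the friend's, but replies are routed to the scammer.
SAMPLE = ('From: "Fred Smith" <membership@example-club.org.uk>\n'
          'Reply-To: fred.smith.urgent@randomname.example\n\nNeed some Amazon vouchers.\n')
```

Of Cougar's five examples only smile.amazon.co.uk comes back clean; the rest are reported either as mimicking a trusted domain or as a brand word sitting under someone else's registrable domain.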
Yeah, well I’d got as far as failing to figure out what was wrong with the smile one. Is there a prize?
Yeah, £20 in Amazon vouchers. Email me your password and I'll add them to your account.
that amazon.vouchers.com belongs to vouchers.com
Uh-huh. Aside from the actually legitimate smile.etc, I made those examples up off the top of my head. I checked the vouchers one thinking 'surely that exists?' and it does, it's a cybersquatter holding page trying to sell the domain name.
Utterly unrelated to the conversation but smile.amazon.co.uk is worth shining a light on and it wasn't a random choice of example on my part. If you use smile... instead of www... when buying stuff then Amazon will donate a few pence to a charity of your choice at no cost to yourself. (It'd be nice if they just did it rather than requiring a seekrit URL, but still.)