A Deal Too Good to Pass Up: How Phishing Emails Trick Us

NCSAM Cybersecurity Series - Phishing: What it is and how you can protect yourself with Security & Operations Engineer Sara Sofia

This blog is the second in a series of cyber security insights for National Cyber Security Awareness Month, recognized each October. In this second blog, MediSked Security & Operations Engineer Sara Sofia shares a first-hand experience with phishing, how you can identify it, and ways to protect yourself.

It was the early 2000s and eBay was on the rise. I was home from college working in the family business, an auto service facility, and we were enjoying our lunch in the conference room. We heard my uncle’s office door burst open as he rushed to the conference room exhilarated. He was on his way to Western Union and would be back in half an hour. All other staff and family at the table shrugged and continued enjoying their lunch conversation as he dashed to the front door. Meanwhile, I nearly choked trying to yell out and chew my food at the same time which resulted in random loud noises and frantically waving my arms.

“What the heck is wrong with you?” He asked, annoyed and clearly wishing to run out the door. 

“Where did you say you were going again?” Please don’t say Western Union again, I thought.  No good really comes from going to a Western Union.

“Western Union!” 

“Why on earth would you be going to Western Union? I didn’t even know that was a thing anymore.”

“I just bid on a Frame machine on eBay and won it for less than half of what it would cost us to buy it!”

Well, that certainly explained why my extremely frugal uncle was excited to actually spend money. This man had once scolded me for using too many stamps on an envelope.

“You just pay online with a credit card on eBay. You don’t have to go to Western Union. Do you want my help?” I was just a nice girl who liked to help my family members with the technology they so despised. 

Now he was clearly aggravated. The conversation continued with him talking about a special program for large purchases. It was called “eBay escrow.” This was nothing I had ever heard of before and continued to ask questions about it and how it worked and why did it involve Western Union? Frustrated, he told me to come back to his office so he could show me the email he received from the seller.

There were no immediate red flags… besides Western Union. The email appeared to be from eBay.  The logos and font looked like eBay’s. The content was well written with no grammatical errors or weird punctuation. It was a program where the purchaser could send money from Western Union to eBay, where they would hold it in escrow. Once eBay had the money, they would confirm to the seller that the money was in place and the seller would ship the item. Once the buyer received and confirmed that the product was in working order and the condition advertised, eBay would release the funds from the escrow to the seller. Sounds good, right? 

Something didn’t feel right. I scoured the email for something that would prove this wasn’t real. Finally, I found it. The email display said eBay, but the actual email address itself was not eBay’s. I proudly pointed out the issue to my uncle and proclaimed that it was fake and puffed up my chest. I was right! It’s a fake! But this was too good of a deal to pass up. He didn’t believe me. Finally, we compromised and contacted eBay by phone (yes, you could still contact people by phone in the early 2000s). We waited on hold for a very long time.

Meanwhile, he received an email from the seller. The seller was upset. My uncle had told him he was heading to Western Union immediately and the seller was waiting for the funds transfer notification. He was upset at how cheaply my uncle had won the item for and he desperately needed the money, and now that he was losing even more, he needed it quickly. He was going to report my uncle to eBay for non-payment and ask to be able to go to the next bidder who would actually pay. 

I tried to take the keyboard but my uncle was insistent on not upsetting them since this was a really good deal. He chose to respond. “My niece says you are a scam artist and we are contacting eBay. I’ll go to Western Union as soon as this is cleared up.” 

The seller responded. “You are letting your niece tell you how to handle your money and going against your agreement with me? If I don’t get the notification that the funds are processing in the next half an hour, I’m contacting eBay and telling them that you are refusing to pay.”

Thankfully, my uncle called eBay’s customer service and asked to speak to someone about the eBay escrow program. The customer service rep was clearly at a loss to direct him as this was not a program they had heard of before. It was probably 20 minutes of being transferred before we finally reached a manager who broke the news. The program didn’t exist. He asked us to forward the email to him for him to review. My uncle eagerly awaited him to review it and realize what an idiot he was for not knowing about his own company’s payment programs. Alas, it was fake. 

Don’t these people have anything better to do?

Phishing, vishing, phushing, and all the other fun attacks out there — can’t these people get a real job and leave us alone? What is the point? 

Unfortunately, this is a profitable business. Cybercrime costs the world between $3–8 trillion annually with individual attackers profiting anywhere from $2 million for an expert to $75 thousand for a novice annually. North Korea generated $2 billion for its weapons program with cyberattacks. 

Cyber attackers profit by tricking people into giving them the money by pretending to be a legitimate company or cause like what occurred to my uncle in the above story. Ransomware! They gain access to a company or individual, lock up all your data, and hold it for ransom. Once upon a time, they used to export it and sell it, but have since discovered they don’t even have to go through those efforts. They can just force the companies and/or individuals to pay for it by threatening to destroy it all. 

There has been a significant increase and disturbing change in tactics since the pandemic began. Cybercriminals have even started targeting attacks on companies that host our country’s infrastructure and food supplies.

How does that impact me?

Just because it’s the most profitable for cybercriminals to attack large companies and governments doesn’t mean they don’t attack the regular individual. Attacks on large entities take a lot of planning, skill, and preparation. A popular method for gaining access is using a phishing campaign against current employees… you

Image of a sign at Home Depot that reads: "Consumer Alert: You may be a target of fraud if someone has contacted you and requested that you purchase Home Depot gift cards. Don't be fooled by scammers!" and information on how to take action.

Phishing campaigns also attack individuals on a personal level by tricking them into giving them smaller amounts quickly, in methods that aren’t easily tracked. This picture was taken at a Home Depot where they had many consumers purchasing gift cards to pay bail, the IRS, utilities, and medical payments. Think about this: Home Depot cashiers are now a line of defense against cyber attackers.  I asked the cashier about the sign, and she said that they had talked four people that day out of purchasing gift cards because they were being scammed. They simply asked who the gift was for and when people would get uncomfortable, they would show them the sign and get a manager. These are less likely to be reported as most don’t know where to report them and are embarrassed that they have been tricked. 

How can I stop this from happening to me?

Anyone can protect themselves by just questioning a little:

  • If the email was unexpected because you don’t know the sender or they’re asking for unexpected information or for you to perform an action such as download a document or click a link, DON’T DO IT!
  • Does their offer sound too good to be true? It probably is. Question it.
  • Attackers like to create urgency in their emails/calls in order to trigger your fear and stop you from thinking too hard about the situation. One way to fight against this is to change the tactic and give yourself time.
    • Is it your utility company threatening to shut off your heat? Either go to the company website directly (not from the link in the email) or call them. If someone called you threatening to shut off your heat, hang up and call the number on the company’s website. Is the IRS going to give you giant fines? Call them or email them from the IRS site. Any real agent of these companies would not be opposed to you calling the agency back directly and any customer service representative should be able to look at your account and see if it is past due.
  • If someone is asking you for payment in the form of a gift card, automatically consider that a red flag, even if it’s at work and it’s the CEO of the company!  (A word to the wise: the CEO normally has a company credit card and can buy their own gift cards.)
  • Don’t accept unsolicited advice from a phone call or email, and certainly don’t give them access to your computer or give them any of your personal information. 

Use technology to protect yourself as well:

  • Turn on MFA or 2FA, multi-factor authentication or two factor authentication, anywhere you can, especially all your bank accounts. This makes it so even if an attacker manages to get your password, they then need to come up with a way to get the second code as well. Make it difficult for them.
  • If MFA is turned on, don’t give anyone the code for any reason. Also, try to use authenticators instead of receiving a code by email or text.
  • Use an online password management system to store your passwords. Most browsers come equipped with them and they are much safer than a word document on your desktop labeled Passwords, a notepad next to your desk, or the sticky note frame of passwords around your monitor.
  • Use different passwords for different sites. If for some reason you do fall for one, it will limit the damage they can do. Password managers also help to make this easier to do.

If you do fall for a phishing campaign or any other scam, report it to either your internal IT Security team if at work or go to https://www.usa.gov/scams-and-frauds to report any personal attacks.  While it may feel embarrassing, remember that these people work very hard to trick users, and not reporting them just lets them get away with it. 

Bridgey icon which is MediSked's logo

Sara Sofia

Sara has worked at MediSked for over four years and specializes in cybersecurity.

Related Topics