Friday Phish Fry

Phishing Email Alerts

Catch of the Day: Amazon Fighting Phish
Chef’s Special: LLM Phishing

Examples of clever phish that made it past my spam filters and into my inbox. Some are sent in by clients or readers like you; others come from reliable sources on the Internet.

You can send phishing samples to me at phish@wyzguys.com.

My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double-clicking the image will display it in a photo viewer app.


Amazon:  Together We Can Fight Scammers

This is not a phish. I got this email from Amazon recently and thought I would share it with my readers. Lots of good advice on avoiding email scams, especially Amazon-related scams.

Hello Bob Weiss,

Our customers helped us take the fight to scammers last year by reporting suspicious emails, texts, and phone calls. Each report matters. In 2022, we made significant strides to protect our customers:

We initiated takedowns of more than 20,000 phishing websites and 10,000 phone numbers that were used as part of impersonation scams.

We referred 100s of bad actors across the globe to law enforcement to help them ensure these scammers are held accountable.

PROTECT YOURSELF FROM SCAMMERS

Be careful installing apps or software
Amazon will not ask you to install an app or download software in order to receive a refund or to get help from customer service.

Never pay over the phone
Amazon will not ask you to provide payment information, including gift cards (or “verification cards,” as some scammers call them), for products or services over the phone.

Always verify orders directly with Amazon
Amazon will not include purchased product information in order confirmation and shipping confirmation emails we send to customers. For any questions related to an order, always check Your Orders on Amazon.com or via the “Amazon Shopping” app.

Be wary of false urgency
Amazon will not pressure you to act now. Scammers may try to create a sense of urgency to persuade you to do what they’re asking.

If you receive communication — a call, text, or email — that you think may not be from Amazon, please report it to us at amazon.com/reportascam

Visit the Message Center on our website to review emails from Amazon. For more information on how to stay safe online, visit Security & Privacy on the Amazon Customer Service page.


Large Language Models and Phishing

By Bruce Schneier

[Bob says: The following article appeared in Schneier on Security on April 10, and discusses how ChatGPT is being used to write phishing emails. The article is on the long side, and not all of it is republished here. If you want all the details you can link over to his blog.]

Here’s an experiment being run by undergraduate computer science students everywhere: Ask ChatGPT to generate phishing emails, and test whether these are better at persuading victims to respond or click on the link than the usual spam. It’s an interesting experiment, and the results are likely to vary wildly based on the details of the experiment.

But while it’s an easy experiment to run, it misses the real risk of large language models (LLMs) writing scam emails. Today’s human-run scams aren’t limited by the number of people who respond to the initial email contact. They’re limited by the labor-intensive process of persuading those people to send the scammer money. LLMs are about to change that. A decade ago, one type of spam email had become a punchline on every late-night show: “I am the son of the late king of Nigeria in need of your assistance….” Nearly everyone had gotten one or a thousand of those emails, to the point that it seemed everyone must have known they were scams.

So why were scammers still sending such obviously dubious emails? In 2012, researcher Cormac Herley offered an answer: It weeded out all but the most gullible. A smart scammer doesn’t want to waste their time with people who reply and then realize it’s a scam when asked to wire money. By using an obvious scam email, the scammer can focus on the most potentially profitable people. It takes time and effort to engage in the back-and-forth communications that nudge marks, step by step, from interlocutor to trusted acquaintance to pauper.

Long-running financial scams are now known as pig butchering, growing the potential mark up until their ultimate and sudden demise. Such scams, which require gaining trust and infiltrating a target’s personal finances, take weeks or even months of personal time and repeated interactions. It’s a high-stakes and low-probability game that the scammer is playing. More…



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
