Honestly, the email record eventually shared screams scam. It’s not quite fluent English, has urgency and requests the information not be shared with anyone else. That’s a pretty damning trifecta and should have been a red flag for someone who literally works in an authentication role.
> should have been a red flag for someone who literally works in an authentication role.
Maybe. But the point he was making is that the typical person out there is probably at least as vulnerable to falling prey to a scam like that, and that that’s an issue, and that sounds plausible to me. I mean, we can’t have everyone in society (a) be a security expert or (b) get scammed.
I fell for an email scam about 15 years ago. I was job searching and got a message about a contract editing position looking for a native English speaker, which, given that I had my resume up for just such a role, didn’t make me bat an eye. So I responded expressing interest. Long story short, it was one of those “we FedEx you excessive checks and then you keep your portion and Western Union the rest to this other person” affairs.
Of course the first check bounced, my bank account was flagged for fraud, with a balance of -$999,999, and it took weeks to be made whole (thankfully I was) while I navigated the byzantine process of “look, I got fucked; it’s as simple as that.”
It took going through that experience to be able to look for clear tells (important, as once you’ve fallen for one scam, you’re flagged as an easy mark, so more come down the pike), and I agree that most people shouldn’t be expected to be able to spot that unless they’ve gone through it.
My point is, if you actively work in security, the bar is far higher. This writer basically gave someone his PIN because his phone didn’t provide full headers, and instead of verifying on desktop, just assumed it was legit, which is an amateur-level error for an authentication professional.