• Powderhorn@beehaw.org
    18 hours ago

    I fell for an email scam about 15 years ago. I was job searching and got a message about a contract editing position looking for a native English speaker, which, given that I had my resume up for just such a role, didn’t make me bat an eye. So I responded expressing interest. Long story short, it was one of those “we FedEx you excessive checks and then you keep your portion and Western Union the rest to this other person” affairs.

    Of course the first check bounced, my bank account was flagged for fraud, with a balance of -$999,999, and it took weeks to be made whole (thankfully I was) while I navigated the byzantine process of “look, I got fucked; it’s as simple as that.”

    It took going through that experience to be able to look for clear tells (important, as once you’ve fallen for one scam, you’re flagged as an easy mark, so more come down the pike), and I agree that most people shouldn’t be expected to be able to spot that unless they’ve gone through it.

    My point is, if you actively work in security, the bar is far higher. This writer basically gave someone his PIN because his phone didn’t provide full headers, and instead of verifying on desktop, just assumed it was legit, which is an amateur-level error for an authentication professional.