As netizens get wiser to online scams, the scammers get cleverer too. So-called “attacks spoofing individuals” (ASI) are an increasingly common scam to which folks are falling prey. This type of attack relies more on social engineering than on any technological tomfoolery, which makes it even harder to detect and prevent.
This type of attack relies upon some knowledge of a business’s or government agency’s organizational structure, typically a boss-underling relationship. A scammer posing as the boss, using a fake email address, instructs the underling to conduct a financial transaction, sometimes a wire transfer, but increasingly the purchase of gift cards.
While a wire transfer is used for higher criminal gain in the tens of thousands of dollars, if not more, gift card purchases are usually around a thousand dollars, if not less. Executing a wire transfer necessarily involves several people, thereby increasing the chances of the scam being exposed. Gift card purchases, however, can be executed by a single person.
ASIs generally follow a similar pattern. The boss inquires, innocuously enough, how the underling is doing or if he/she has some time. If the underling is fooled by the fake email address and responds, it is game on. “Can you go to Longs and get me five $200 gift cards to show appreciation to a client?” This leads to “to make it easy, scratch off the back of the cards, take a pic and reply to me here with the pics.” Which then leads to, “Charge it on your own card. I’ll reimburse you right away.”
Now each of these steps along the way should trigger some kind of warning, but it’s amazing that this type of scam works all the time. The bad guys seem to have done some research, knowing, for example, that there is a Longs or Safeway nearby. A simple phone call or text to confirm would head this off at the pass. But in today’s fast-paced, immediate-response environment, many folks simply want to get things done quickly.
A contributing factor to this type of scam is the heavy reliance on smartphones for email. One of the great upsides of smartphones is the ability to read and respond to emails all the time, anytime.
Typical smartphone-based email apps, however, have one glaring weakness when compared with full-size (or laptop) PCs or Macs. In the interest of conserving limited screen real estate, the sender field typically shows just the name, as opposed to the entire email address. And anyone who’s ever set up their own email knows that you can use any name you want; it is never checked. On a full-size computer, the actual email address is usually displayed, thus easily exposing the scam.
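The check a full-size mail client lets you do by eye can also be automated. The following is an added example, not part of the original column: it compares the display name in a From header against the address behind it, and also covers the related trick of putting a real-looking address inside the display name. The directory entry, names and domains are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed staff directory (constructed): display name -> the person's real address.
DIRECTORY = {"pat kealoha": "pat.kealoha@example.org"}


def normalize(name):
    """Lowercase and collapse whitespace so 'Pat  Kealoha' matches 'pat kealoha'."""
    return " ".join(name.lower().split())


def check_from_header(from_header):
    """Classify a From header as 'ok', 'display-name-mismatch' or 'not-listed'."""
    display, addr = parseaddr(from_header)
    display, addr = normalize(display), addr.lower()

    # The display name is free text, so it can itself look like an address.
    # If it does and differs from the real address, the header is misleading.
    if "@" in display and display != addr:
        return "display-name-mismatch"

    expected = DIRECTORY.get(display)
    if expected is None:
        return "not-listed"  # the name is not one we protect; no verdict
    # A known name must arrive from that person's known address.
    return "ok" if addr == expected else "display-name-mismatch"


# Constructed sample headers: what a phone shows is only the part before '<'.
SAMPLES = [
    "Pat Kealoha <pat.kealoha@example.org>",
    "Pat Kealoha <pat.kealoha.ceo@freemail.example>",
    '"pat.kealoha@example.org" <pk@freemail.example>',
    "Sam Vendor <sam@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):22} {header}")
```

This only catches the name-versus-address mismatch described above; a From address that matches the directory can still be forged, which is what mail authentication checks are for.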
John Agsalud is an information technology expert with more than 25 years of IT experience in Hawaii and around the world. He can be reached at jagsalud@live.com.