Anatomy of a dumb spear-phish: Hitting librarians up for Zelle, CashApp cash, Ars Technica

Don’t mess with librarians –


Librarians smell something phishy in scam that scraped emails from association website.




Here’s a clue for would-be Internet financial scammers: do not target librarians. They will catch on fast, and you will have wasted your time. Yesterday, the outgoing chair of the Young Adult Library Services Association’s (YALSA) Alex Awards Committee (and my wife), Paula Gallagher, got a very odd email that purported to be from a colleague within her library system who is a member of YALSA’s board. The email asked, “Are you available to complete an assignment on behalf of the Board, And get reimbursed? Kindly advise.”

[Image caption: Want a trusted domain name to send your spear-phish emails from for just $ a year? Look no further.]

There were other tells. The email came to the personal mailbox my wife had specifically set up for her committee work (an address published on YALSA’s website), not her internal library email address. And the grammar and capitalization, along with the tone of the email, did not match her colleague’s. Plus, she’s married to me, so she can smell a phish from a mile away. She ignored the message until another member of the committee reached out to her after responding to an identical message.

The “assignment” turned out to be a textbook payment scam, and it came from a new email address, “presidentnewboxmailme [at]”:

“Would you help in paying a Merchant and get reimbursed by [name of the board’s financial chair]? [He] not available today due to health reasons, but promised a swift reimbursement before Friday. It’s imperative and it’s $ 6, . I was able to sent out $ 1582137266 from my daily savings limit. Get back to me if you can send the remaining $ 2, via Zelle & CashApp. It concerns our YALSA’s 2724 Young Adult Services Symposium.”

Knowing that Paula worked with the purported sender of the message, the recipient forwarded it to her and asked, “Seems sketchy … has he been hacked?” Soon, others chimed in on a group chat that they had received similar suspicious messages. No one fell for the phish.

Take the money and run

Zelle, CashApp, and other peer-to-peer payment applications have become a new favorite platform for financial scams. Unlike credit card payments, there’s little in the way of fraud prevention on these platforms; they’re like cash. Once a payment has been completed, there’s no real way to unwind it. This attack, targeting members of a non-profit association, is just the latest wrinkle in that trend, borrowing the tactics, if not the precision, of big-dollar targeted attacks against corporations.
“Whaling” attacks and similar “spear-phishing” operations target high-level executives or managers, using urgent messages to fool people with access to company funds into making wire transfers to a “vendor” because of some urgent matter, or into exposing information (such as employee W-2s). Corporations have largely caught on to these scams through a combination of training, better mail filtering, and controls over financial systems. But associations and other non-profit organizations, which may have both somewhat less money and somewhat less in the way of centralized IT, are now apparently being targeted because of their nature. They have very public websites as part of their mission outreach, filled with the names and email addresses of people willing to do many things for the organization’s mission, including reaching for their own wallets.
Given how much data is available about people and their contacts thanks to organizational websites, LinkedIn, Facebook, and other public Internet sources, these sorts of scams are likely to gain more popularity as others (such as the romance scams that cost victims over $ million in , according to the Federal Trade Commission) lose their effectiveness. Until Zelle, CashApp, and other peer-to-peer payment providers offer a way to help spot fraudulent accounts, they’ll continue to be a popular target. If you need more tips on spotting these kinds of scams … just ask a librarian.
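As an added example (not part of the Ars article, and not anything YALSA or the library system runs), here is a small triage script that scores an incoming message against the tells described above: a familiar display name on an address that person has never used, delivery to the committee address published on the association’s website rather than the internal mailbox, a Reply-To steering replies somewhere else, and a body that asks the recipient to pay out of pocket via Zelle or CashApp under time pressure. The domains, addresses and the “known colleague” table are assumptions for the example, and the sample messages are constructed: the two scam bodies paraphrase the messages quoted above, and the third is a benign request for comparison.

```python
from dataclasses import dataclass, field

# --- Assumed organisational context (hypothetical; not from the article) ---
ORG_DOMAIN = "example-library.org"             # the library system's real mail domain
KNOWN_COLLEAGUES = {                           # display name -> the address that person really uses
    "Board Member": "board.member@example-library.org",
}
PUBLISHED_ADDRESSES = {                        # committee addresses listed on the association's public site
    "alexawards.chair@example.com",
}

# Small, lowercase phrase lists; matching is plain substring matching on the lowercased body.
P2P_APPS = ("zelle", "cashapp", "cash app", "venmo")
PAYMENT_ASKS = ("get reimbursed", "reimburse", "pay a merchant", "paying a merchant",
                "send the remaining", "gift card", "wire transfer")
URGENCY = ("imperative", "urgent", "today", "before friday", "not available", "swift")
GENERIC_OPENERS = ("are you available", "kindly advise", "complete an assignment")


@dataclass
class Message:
    display_name: str   # From: header display name
    from_addr: str      # From: header address
    to_addr: str        # mailbox the message landed in
    reply_to: str       # Reply-To: address, "" if absent
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(f"+{points} {why}")


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg: Message) -> Verdict:
    """Score one message against the tells the article describes; higher is more suspicious."""
    v = Verdict()
    text = msg.body.lower()

    # 1. A colleague's display name on an address that colleague has never used.
    real = KNOWN_COLLEAGUES.get(msg.display_name)
    if real and msg.from_addr.lower() != real.lower():
        v.hit(3, f"'{msg.display_name}' normally writes from {real}, not {msg.from_addr}")

    # 2. Sender is outside the organisation's own domain.
    if domain(msg.from_addr) != ORG_DOMAIN:
        v.hit(1, f"sender domain {domain(msg.from_addr)} is external")

    # 3. Replies are steered to a mailbox other than the one that sent the mail.
    if msg.reply_to and domain(msg.reply_to) != domain(msg.from_addr):
        v.hit(2, f"Reply-To {msg.reply_to} does not match the From domain")

    # 4. Delivered to the address scraped from the public website, not the internal mailbox.
    if msg.to_addr.lower() in PUBLISHED_ADDRESSES:
        v.hit(2, "sent to the publicly listed committee address rather than the internal one")

    # 5. The ask itself: peer-to-peer payment, reimbursement promise, urgency, generic opener.
    apps = [a for a in P2P_APPS if a in text]
    if apps:
        v.hit(3, f"asks for payment via {', '.join(apps)}")
    if any(p in text for p in PAYMENT_ASKS):
        v.hit(2, "asks the recipient to pay out of pocket and be reimbursed later")
    if any(u in text for u in URGENCY):
        v.hit(1, "urgency or unavailability pressure")
    if any(g in text for g in GENERIC_OPENERS):
        v.hit(1, "generic 'are you available / kindly advise' opener")
    return v


def is_suspicious(msg: Message, threshold: int = 5) -> bool:
    return score_message(msg).score >= threshold


# Constructed sample messages with hypothetical addresses (the scam bodies paraphrase the article).
SCAM_OPENER = Message(
    display_name="Board Member", from_addr="president.newbox@free-mail.example",
    to_addr="alexawards.chair@example.com", reply_to="",
    body="Are you available to complete an assignment on behalf of the Board, "
         "And get reimbursed? Kindly advise.")
SCAM_FOLLOWUP = Message(
    display_name="Board Member", from_addr="president.newbox@free-mail.example",
    to_addr="alexawards.chair@example.com", reply_to="president.newbox@other-free-mail.example",
    body="Would you help in paying a merchant and get reimbursed by the finance chair? "
         "He is not available today due to health reasons, but promised a swift reimbursement "
         "before Friday. It's imperative. Get back to me if you can send the remaining amount "
         "via Zelle & CashApp.")
LEGIT = Message(
    display_name="Board Member", from_addr="board.member@example-library.org",
    to_addr="paula@example-library.org", reply_to="",
    body="Could you send me the committee's reading list before Thursday's meeting? Thanks.")

if __name__ == "__main__":
    for label, m in (("scam opener", SCAM_OPENER), ("scam follow-up", SCAM_FOLLOWUP), ("legit", LEGIT)):
        verdict = score_message(m)
        print(f"{label}: score={verdict.score} suspicious={is_suspicious(m)}")
        for reason in verdict.reasons:
            print("   ", reason)
```

The weights are a judgment call, not a standard: the display-name/address mismatch and the peer-to-peer payment ask carry the most, because together they are the whole scam, while the external domain alone is only a weak signal for an association whose volunteers write from personal mailboxes anyway. The substring matching is deliberately crude; the point is that every tell the committee members noticed by eye is also something a mail filter or a shared checklist can test for before anyone reaches for Zelle.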