After a lovely Labor Day weekend spent grilling, eating and celebrating with friends, I received an email early Tuesday morning from a worried client who was sent a very upsetting email over the weekend. It greeted them by name and opened with a single sentence, “I know that visiting [client’s address] would be a more convenient way to reach if you don’t cooperate,” and followed with another partial sentence, “Beautiful neighborhood btw,” and included a picture of my client’s home and then a PDF attachment that supposedly included further instructions. Despite missing a word, this email was threatening and clearly menacing. It was also fake.
What this means for you
At first glance, my gut reaction was to tell my client to report this email to the local authorities and maybe look into getting out of town for a few days. As written this was a very thinly veiled threat – if someone were to receive this email in a movie or TV show, it would most certainly be a prelude to some good ole-fashioned Hollywood violence and terror. On a hunch, I opened up Google Maps Street View and punched in my client’s address. A quick flick of my wrist on the camera angle revealed the exact picture used in the email, cropped to remove the various overlays that would have otherwise significantly detracted from the implied threat. Clearly the sender (most likely just another bot powered script) was trying to pull a fast one by getting the recipient to open the PDF, which would most likely lead to a phishing prompt. “It’s fake,” I typed in a quick email to the client, and then went about my day, where, within the hour, I encountered the same type of email received by another colleague over the same weekend. The scammers have a new toy, and I’m betting it’s a money-maker for them.
Here’s my thinking on this: regardless of the contents of the email, or who it’s from, you should NEVER open an unexpected attachment (or link) unless you can confirm the contents in some other way than opening the actual attachment. It is beyond common for email accounts to get compromised and the first thing hackers do when they bag an email account is to immediately spread to that account’s contacts within minutes of gaining access. Their success counts on rapid, undetected spread and rely on the built-in trust that emails sent by a known contact inherit. Even the best email filters available are always playing catchup to the latest scam techniques like the fake extortion email from above, so there will always be ill-intentioned emails that will get through despite your mailbox being protected by “enterprise-grade” security. As always, anything built and maintained by humans will be fallible, and as the threats on the internet get increasingly dangerous, even fake extortion phishing emails can end up doing real damage. Stay vigilant and always ask for a second opinion on things like this. While it can be exhausting sometimes to be on the receiving end of the countless questions people have, every time I keep someone safe for even one more day makes it all worth it.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net