Thursday, November 4, 2021

I lost on Jeopardy! A cybersecurity lesson on phishing scams

It started innocently enough, with a tweet: "Please share your best strategies for finding a PS5 before Christmas that do not involve me sleeping outside of a store or paying through the nose on eBay. Thanks."

Almost too coincidentally, a few minutes later I saw this tweet from Sarah Whitcomb Foss, a member of the Jeopardy! Clue Crew and one of the show's assistant directors: "Hello Twitter family! I am proud to announce that I have partnered with #Sony to supply you guys with some brand new #PS5 consoles for retail pricing! Just RT and like this and send me a DM if you need help!"

With my curiosity piqued (and her Twitter account blue-checkmark verified and looking legitimate), I followed her instructions by retweeting and liking her tweet, and sending her this DM: "Looking to purchase a PS5. Is this legit?"

Here's our conversation.

Sarah: "Yes it is, I'm partnered with Sony."

Me: "So how do we make this happen? We've been trying for months to get one for my son."

Sarah: "Ok cool i'd be glad to help you out! we have the disc version in stock for $500, with shipping and handling it will come out to $550 if you are interested"

Me: "Very interested. Is there a URL I need to go to?"

Sarah: "No website. We can take payment through payment apps like Zelle, Apple Pay, Cashapp, etc. You will supply your shipping information and afterwards you will get a confirmation of order email from Sony and then a tracking number."

Me: "Who do I Apple Pay (and you understand this sounds 🐟y)"

Sarah: "What is your number we can text you, and yes I can understand your concern but this is how Sony wants the process to be done with their affiliate and partners."

Still curious, but definitely suspicious, I DMed her my mobile number. This is the message I received in response.

At this point, my Spidey sense was on fire.

Me: "Is there someone at Sony or Jeopardy who can verify? I can't just Apple Pay $550 to a complete stranger without some independent verification that you are who you say you are."

Sarah: "No sir, I am verifying this purchase though it runs through me and I will forward this to my Sony affiliates. The blue checkmark is verification from Twitter itself. It's not false claiming because I am backed by Twitter."

Me: "If this is legit, you have to have something you can show me other than a blue checkmark. A letter from Sony. Mayim Bialik vouching for you. Something…"

Sarah: "All of that stuff is NDA. I can't show you any personal things that weren't meant to be seen public. I'm sure you can understand but you can simply google my name and see who I am."

Me: "Put yourself in my shoes. Would you send me a PS5 based on my word that I'd Apple Pay the money upon receipt (which I would absolutely do, btw). Would you at least give me the name of your contact at Sony?"

In response, she sent a screenshot of the email that she said she received from Sony. It didn't assuage my concerns.

Sarah then added: "I only have access to 20 consoles." She tweeted a few minutes later, "ONLY A FEW LEFT !!!! Dms Are Open"

Unwilling to send a stranger $550, our conversation ended without a PS5 transacted.

Is Sarah Whitcomb Foss who she says she is? Probably. Twitter verifies her. Her account dates back to 2014 with lots of tweets related to her work on Jeopardy!. She likely is who she says she is. And because Sony Pictures Entertainment produces Jeopardy!, she probably has PS5s to sell to people. But something about the whole transaction just felt off, and that was enough for me to walk away.

Here's the employment law lesson. Your employees receive phishing emails every day. It is the top form of attack cybercriminals use to target your systems. It's not even close, and it has soared during the pandemic.

Phishing is the crafting of a message (typically via email, but also via text message or other communication) designed to get the recipient to "take the bait" with a simple mouse click: sometimes on a malicious attachment, but often on a link to a webpage that will request logins and passwords or install malware or ransomware.

According to Phishing.org, there are five key attributes of most phishing attempts:

  1. Too Good To Be True — Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people's attention immediately. For instance, it may claim that you have won an iPhone, a lottery, a PS5, or some other lavish prize. Just don't click on any suspicious emails. Remember that if it seems too good to be true, it probably is!

  2. Sense of Urgency — A favorite tactic among cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it's best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.

  3. Hyperlinks — A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance, www.bankofarnerica.com — the 'm' is actually an 'r' and an 'n', so look carefully.

  4. Attachments — If you see an attachment in an email you weren't expecting or that doesn't make sense, don't open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.

  5. Unusual Sender — Whether it looks like it's from someone you don't know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general don't click on it!
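The hyperlink point above (the hover check, and the "rn" that reads as "m") can be turned into a simple automated test. This is an added example, not part of the original post or of Phishing.org's material; the trusted-domain allowlist and the confusable pairs are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of known-good domains for this example.
TRUSTED_DOMAINS = {"bankofamerica.com", "sony.com", "jeopardy.com"}

# Character runs that read alike in many fonts; "rn" for "m" is the case the
# post cites. Each lookalike is folded to its canonical form before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def registrable_domain(url: str) -> str:
    """Return the host of a URL, lower-cased, without a leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")

def fold_confusables(domain: str) -> str:
    """Rewrite lookalike runs so 'bankofarnerica.com' becomes 'bankofamerica.com'."""
    folded = domain
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded

def classify_link(display_text: str, href: str) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means no finding."""
    findings = []
    # Only treat the visible text as a URL when it looks like one (no spaces, has a dot).
    shown = registrable_domain(display_text) if re.fullmatch(r"\S+\.\S+", display_text) else ""
    actual = registrable_domain(href)
    # Hover check: the domain shown in the text differs from where the click goes.
    if shown and shown != actual:
        findings.append(f"display domain {shown!r} differs from target {actual!r}")
    # Lookalike check: the target is not trusted, but folds to a trusted name.
    if actual not in TRUSTED_DOMAINS and fold_confusables(actual) in TRUSTED_DOMAINS:
        findings.append(f"{actual!r} is a lookalike of {fold_confusables(actual)!r}")
    return findings

if __name__ == "__main__":
    for text, href in [
        ("www.bankofamerica.com", "http://www.bankofarnerica.com/login"),
        ("Reset your password", "https://www.bankofamerica.com/reset"),
        ("Claim your PS5", "https://s0ny.com/ps5"),
    ]:
        print(text, "->", href, classify_link(text, href) or "no finding")
```

This folds only a few ASCII pairs; a production filter would also normalize Unicode homographs (Unicode Technical Standard #39 confusables) and check the registrable domain rather than the raw hostname.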

The internet is full of people looking to do you and your business harm. My advice? Trust your gut. If something seems off, it likely is. But even if it's not, what's the harm in hitting the pause button to confirm one way or the other? If your employees, who are the targets of these phishing attacks, don't understand how to spot a potential attack and how to respond (or, more accurately, how not to respond), they need training so that they understand before it's too late. Their lack of knowledge is leaving your systems dangerously vulnerable.

Finally, if you know how I can legitimately score a PS5 for my son before Christmas without having to sleep outside of Gamestop, pay an online scalper 2x or 3x its value, or buy it out of the back of someone's car, I'd really, really appreciate it.