Imprudence: lack of wisdom or care in the management of practical affairs; lack of discretion.
It’s business as usual for ransomware and email scammers. And some of them get better by the day. I had a very narrow escape this week, that could have cost me a lot of money.
Not ninja enough
Almost two years ago I wrote about being a smart phish. I regard myself as knowledgeable enough to usually spot the scams. OpenDNS has a phishing quiz, and my results say that I’m a phish-spotting ninja!
So what happened that caused my ninja skills to fail?
The embarrassingly true story
Some background, because I have to justify my stupidity.
There are international couriers, like DHL and UPS, that ship from door to door. But other couriers in the US, UK or China arrange with local couriers for the SA part of the delivery. In my experience, the tracking number will change when the parcel moves from one courier to the next.
I’ve had a Kindle for more than a decade, and it is one of my favourite devices. But mine has reached the end of its lifespan. So I ordered a new Kindle from Amazon. I’m so excited about this that I check the shipping status daily.
As I didn’t opt for expensive extra-fast shipping, the order shipped with Aramex in the US. That meant it would be handed over to some other courier in SA.
I was thrilled when the Aramex update showed the parcel was awaiting customs clearance in SA. A day later I received an email with both Fastway and Aramex logos on it. This required confirmation of the delivery address, and a small import fee of R34.99.
On any other day, I would have dismissed the email as a scam without a thought. But I’m waiting for the Aramex parcel. And import fees are real, although Amazon includes an estimate of them in its initial cost. And years ago, the last time I imported electronics, there was often a fee payable.
So it was plausible. I clicked on the link, and my phishing radar went on alert. The URL was strange, but almost too strange to be fake. After a few false starts, I decided to take the plunge and enter my credit card details for R34.99. (I can hear you sucking in your breath and saying “No, Jacqui! Don’t do it!”)
The site redirected, as normal, to a well-known credit card payment gateway that sends an OTP to my phone. Because my fraud radar was still pinging, I checked the SMS that contained the OTP. It was an OTP to authorise a transaction of 1,614.99 Euro! That’s almost 800 times more than the displayed charge!
I did not enter the OTP. I phoned Fastway – which I should have done first – and discovered that the “new” tracking number was the wrong format.
I haven’t lost any money, but I’ve stopped my card because it is compromised. Imprudence has a price, and I’m lucky it’s only the inconvenience of waiting for a new card.
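The one control that worked in this story was reading the OTP message and comparing the amount and currency it authorises against the charge the page displayed. The following is an added example, not code from the original post: a small parser that pulls the currency and amount out of a payment OTP SMS and flags a mismatch with the expected charge. The SMS texts are constructed samples, not real messages from any bank or gateway, and the wording and currency formats a real gateway uses will differ.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed sample messages (not real SMS text from any bank or gateway).
SCAM_SMS = ("Your OTP is 482913 to authorise a payment of EUR 1,614.99 "
            "at FASTWAY-ARAMEX-PAY. Do not share this code.")
LEGIT_SMS = ("Your OTP 733120 authorises a payment of R34.99 to "
             "EXAMPLE-STORE. Do not share it.")

# Currency symbols commonly seen in South African payment messages (assumed set).
SYMBOLS = {"R": "ZAR", "€": "EUR", "$": "USD", "£": "GBP"}

# Matches an ISO code (EUR) or a symbol (R, €, $, £), optional space, then an
# amount with optional thousands separators and two decimals. The lookbehind
# stops "R" inside words such as "Your" from matching; the lookahead stops a
# six-digit OTP from being read as a partial amount.
AMOUNT_RE = re.compile(
    r"(?<![A-Za-z])(?P<ccy>[A-Z]{3}|[R€$£])\s?"
    r"(?P<amt>\d{1,3}(?:,\d{3})*(?:\.\d{2})?)(?!\d)"
)


def parse_otp_amount(sms):
    """Return (currency_code, amount_as_str) found in the OTP SMS, or None."""
    m = AMOUNT_RE.search(sms)
    if not m:
        return None
    ccy = SYMBOLS.get(m.group("ccy"), m.group("ccy"))
    try:
        amt = Decimal(m.group("amt").replace(",", ""))
    except InvalidOperation:
        return None
    return ccy, str(amt)


def check_otp_against_charge(sms, expected_ccy, expected_amt):
    """Compare what the OTP authorises with what the payment page displayed.

    Returns (verdict, reason). Anything other than "OK" means: do not enter
    the OTP. An unparseable message is treated as unknown, not as safe.
    """
    parsed = parse_otp_amount(sms)
    if parsed is None:
        return ("UNKNOWN", "no amount found in OTP message; do not approve blindly")
    ccy, amt = parsed
    if ccy != expected_ccy:
        return ("MISMATCH",
                f"currency differs: page showed {expected_ccy} {expected_amt}, "
                f"OTP authorises {ccy} {amt}")
    if Decimal(amt) != Decimal(expected_amt):
        return ("MISMATCH",
                f"amount differs: page showed {expected_ccy} {expected_amt}, "
                f"OTP authorises {ccy} {amt}")
    return ("OK", f"OTP authorises exactly {ccy} {amt} as displayed")


if __name__ == "__main__":
    # The page displayed R34.99; the scam OTP authorises EUR 1,614.99.
    print(check_otp_against_charge(SCAM_SMS, "ZAR", "34.99"))
    print(check_otp_against_charge(LEGIT_SMS, "ZAR", "34.99"))
```

The important design choice is that a message the parser cannot read returns UNKNOWN rather than OK: a gateway that sends an OTP without the amount gives the user nothing to verify against, which is itself a reason to stop and phone the merchant, as the post concludes.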
The real question
Was it coincidence that the email arrived when I was expecting a parcel from this courier?
It’s possible, but the timing is just too good. My experience is that most email scams repeat. I’ve received a fake bank email about a SARS invoice at least 10 times in the last week. (If I block it, I won’t get my real bank statements.) And there is another scammer who tells me regularly that he is recording all my activities. He reminds me of the scam in “I liked the old email scam better” – threats, with a reminder to look after my passwords.
Could there be a data leak at Aramex or Amazon? It’s always possible. Could it be an insider? It’s possible an employee is involved. Or a third party contracted to carry the parcels at any of a dozen locations.
I logged a support query at Aramex, and I’ll do the same at Amazon.
The weakest link
The weakest spot in information security will always be people: the inside scammer, the user, my over-eagerness for my new device.
We make the mistake of thinking scammers only go after big companies. Or we think that there really isn’t that much of our data out there.
But for scammers, it’s about volume. The volume of records, because it only takes a tiny rate of success to produce money. And the volume of data sources, so that they can combine your information from many places to build a comprehensive profile.
Happy birthday to POPI
POPI’s commencement date is now just over a year old. But that doesn’t seem to have reduced the number of data breaches in South Africa. POPI is a huge burden for a small company. But we try hard, so it really annoys me when big companies get the basics wrong. Recently I dealt with the following:
- An international brand has still not removed me from their SMS marketing list. I’ve sent them opt-out messages for more than a year, messaged them on Facebook, and emailed their head office. I posted on their Facebook page as well, but they deleted that.
- Employees at a very large company sent out emails to their suppliers and CC’ed everyone on the email. And one of those people replied, and CC’ed all. Aaagh!
Recently the Information Regulator stated that it will start taking action. Now we wait with bated breath to see how POPI will really work. But be prepared to hold your breath for a long time …
I’m still red-faced, but your comments will cheer me up.