Security experts often warn us about the threat of phishing, but how are we supposed to know what a scam looks like in practice? Our ‘catches of the month’ series provides real-life examples to help you understand how to spot malicious emails.
So, what do you need to look out for this month?
1. British Gas customers told they’re eligible for a refund
If it sounds too good to be true, it probably is. That’s the lesson for British Gas customers who recently received an email claiming they were eligible for a refund after being overcharged.
The email was in fact a scam designed to get people to hand over their personal and financial details, but you wouldn’t be able to tell at first glance. The scammers paid close attention to detail, phrasing the correspondence convincingly and even using the same font, logo and imagery as genuine British Gas communications.
As @cakestoriesbyL mentioned, email@example.com is not working. I have forwarded, opened a new email and attached the offending email, but it's bouncing back.
The phishing email I received is worrying as it looks authentic and many would have fallen for it. pic.twitter.com/wLMVK8Lv1z
— Wunmi Oyelami (@Afrochap) September 20, 2019
Nonetheless, there are clear clues that it’s a fake. For one, energy suppliers almost certainly wouldn’t email customers to let them know they have been overcharged. This information would be made available on the next bill, where the customer’s account would be shown to be in credit. They would then have the option to apply for a refund.
Another clue is that the email doesn’t refer to the customer by name; it only uses their email address. This suggests that the scammers bought or stole a list of email addresses and used a simple script to insert the address into the message.
Genuine correspondence uses a similar script, but companies have more complete records and can therefore link the email address to the customer’s name.
For this to work, the rest of the message has to include generic information, because the same template is sent to everyone. However, in this case, the refund amount is listed in the email, meaning everyone who received the message is apparently eligible for the exact same refund.
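The two clues above (a salutation built from the recipient's address rather than a name, and one hard-coded refund amount sent to every recipient) can be checked mechanically. The following is an added example, not code from the original article or from British Gas: it parses a handful of constructed sample messages with Python's standard `email` module, flags the individual clues discussed in this section, plus the "hand over card details to receive money" request described later on the page, and then does a campaign-level check for an identical amount appearing across distinct recipients. The sample messages, sender domains and keyword lists are all made up for the illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample mail (not real supplier or HMRC correspondence).
# The phishing template is mail-merged with nothing but the recipient address,
# so the salutation is the address and the "refund" is the same for everyone.
PHISH_TEMPLATE = """From: Customer Services <billing@example-energy.test>
To: {rcpt}
Subject: You have been overcharged - refund due

Dear {rcpt},

Our records show you were overcharged on your recent bill. You are
entitled to a refund of £84.20. To receive your refund, confirm your
card details and sort code on our secure portal.
"""

# A plausible genuine billing note: named customer, credit shown on the
# account, no request for payment details.
LEGIT = """From: Billing <noreply@example-energy.test>
To: a.customer@example.test
Subject: Your statement is ready

Dear Ms Customer,

Your latest statement is now available in your online account. Your
account is currently in credit; you can request a refund from the
account page if you wish.
"""

# Assumed keyword lists; tune for your own mail stream.
AMOUNT_RE = re.compile(r"[£$€]\s?\d+(?:[.,]\d{2})?")
LURE_RE = re.compile(r"\b(refund|rebate|overcharged|entitled to)\b", re.I)
PAY_DETAILS_RE = re.compile(
    r"\b(card details|bank details|sort code|account number|cvv)\b", re.I)


def greeting_uses_address(msg: Message) -> bool:
    """True when the first body line contains the To: address instead of a name."""
    rcpt = (msg.get("To") or "").strip().lower()
    body = msg.get_payload()  # samples are single-part plain text
    lines = body.strip().splitlines()
    first_line = lines[0].lower() if lines else ""
    return bool(rcpt) and rcpt in first_line


def score_message(raw: str) -> dict:
    """Return the clues found in one message; two or more clues = suspicious."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    if greeting_uses_address(msg):
        flags.append("greeting uses email address, not name")
    if LURE_RE.search(body):
        flags.append("refund/rebate lure")
    if PAY_DETAILS_RE.search(body):
        flags.append("asks for payment details in order to receive money")
    return {
        "to": msg.get("To"),
        "amounts": AMOUNT_RE.findall(body),
        "flags": flags,
        "suspicious": len(flags) >= 2,
    }


def campaign_check(raws):
    """Score a batch and report amounts that recur across different recipients."""
    results = [score_message(r) for r in raws]
    recipients_by_amount = {}
    for r in results:
        for amount in r["amounts"]:
            key = amount.replace(" ", "")
            recipients_by_amount.setdefault(key, set()).add(r["to"])
    identical = sorted(a for a, rcpts in recipients_by_amount.items()
                       if len(rcpts) > 1)
    return results, identical


if __name__ == "__main__":
    batch = [PHISH_TEMPLATE.format(rcpt=f"student{i}@example.test")
             for i in range(3)] + [LEGIT]
    results, identical = campaign_check(batch)
    for r in results:
        print(r["to"], "suspicious" if r["suspicious"] else "ok", r["flags"])
    print("same amount sent to multiple recipients:", identical)
```

The genuine statement trips the refund keyword on its own, which is why the verdict needs at least two clues rather than one; the campaign check only becomes useful once you see several recipients' copies, which is exactly the vantage point a mail gateway or helpdesk inbox has and an individual customer does not.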
It’s not clear how the scammers got hold of these email addresses. Perhaps they breached British Gas’s systems, or perhaps they simply sprayed the email at as many addresses as possible, hoping that some of the recipients had accounts with the provider.
If this was the case, it was a calculated move. British Gas has 12 million customers, which is just under half of all UK households.
Customers were quick to contact British Gas to alert it to the scam, and the organisation’s response has been sound. It has issued several warnings and has directed potentially affected customers to its phishing email information page.
2. Dog-sitting scam at Marquette University
Students at Marquette University in Milwaukee, Wisconsin, received an unusual phishing email last month that shows that not all scams imitate organisations. Some imitate their aunts.
The attack began when someone hacked into the account of a university librarian. Using her email address, the scammer sent emails to dozens of students, posing as an HR employee who was passing on important information via a link.
The link led to malware (presumably a keylogger) that gave the criminal access to the accounts of people who fell victim.
So far, so normal – at least as far as cyber crime goes. The crook leveraged one compromised account to gain wider access to the university’s systems.
What did they do with this access? They sent dozens of emails from various hacked accounts to other students, issuing the following message:
The scammer was offering students $350 (about £284) to dog-sit her aunt’s dog for three hours a day. On a seven-day week that works out at about £13.50 an hour, a very enticing offer for students looking to make a little extra cash.
The message contained an email address for students to contact, although it’s not clear whether anyone pursued the offer.
It’s also not clear exactly what the purpose of this scam was. One possible explanation is that once someone contacted the ‘aunt’, they’d be asked to provide their payment information in order to be reimbursed.
But that’s an awfully convoluted moneymaking scheme, particularly when you’re relying on victims not knowing the difference between the details needed to receive payments and those needed to make them.
Likewise, it seems ill-planned to target students, who are rarely cash-rich, as your profits will be minimal.
The other explanation is that it was a recreational attack, with the criminal hacker trying out techniques. That fits the motive of a student, possibly studying IT, with free time on their hands looking to entertain themselves and cause mischief among fellow classmates.
That doesn’t make the incident any less concerning, though. The university’s email system was still compromised and students’ data breached. The university agreed that it was a serious incident, and disabled all affected accounts, requiring victims to call the IT helpdesk or contact IT Services to reset their passwords.
3. Tax scams expected to hit UK universities
HMRC is asking universities across the UK to remind students about the threat of phishing emails imitating tax payment demands and rebate notices. These are possibly the most common type of phishing scam, with criminals returning to them with great success each tax season.
That’s not to say students are the only – or even the prime – target. Everybody is a target for emails that look like this:
However, HMRC has reportedly seen a spike in attacks targeting students, so it’s encouraging universities to spread awareness.
Part of the problem is that many students will be dealing with their council tax or income tax obligations for the first time. Perhaps unbeknown to them, full-time students are exempt from council tax, and most will be earning below the income tax personal allowance (£11,850 a year in 2018/19), which is the equivalent of about 37 hours a week on the minimum wage.
Those who are unaware of this might ask their parents or guardians for advice if they are sent a bogus message requesting money, in which case they’ll discover the request is fraudulent.
But they’re less likely to speak to someone if they’re told they’re entitled to a refund. “What’s the scam if they’re giving you money?” they might ask. And if they keep quiet, there will be fewer questions to answer about running out of money and having to ask their parents for a handout.
Naturally, this strategy will backfire, as the student isn’t getting a refund but is actually handing their financial information over to crooks, at which point they really will need to ask for a bailout from their family.
Spot a scam before it’s too late
As we’ve shown here, phishing scams can be tough to spot if you’re not up to speed on the tactics cyber criminals use. This can be particularly dangerous in the workplace, because it’s not just your security that’s at stake but the entire organisation.
You can make sure your staff are equipped to defend against scam emails with our Phishing Staff Awareness E-Learning Course.
This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.