Yonks ago, one of the people I used to work with would order goods by phone instead of the Internet. He figured that the Internet was not safe when it came to ordering, and would rather read out his long card number, expiry date and the three-digit number on the back over the phone instead. Over the phone, with the rest of us listening…
Falling for a phishing scam always seems to be something that happens to other people but it’s easy to do if you’re not paying attention. And why should you be, if the request comes from a trusted source?
Back in November 2016 I was CIPR Y&L’s Treasurer as well as that year’s PRide Awards Coordinator (yeah… sorry). On the morning of the Awards Dinner I got an email from Chairman Paul asking me to make a payment. It read like a Paul email and the sender name was Paul’s so I asked him for more details. After the third or fourth email, me wondering why we had to pay someone listed as a sponsor, I realised we were going round in circles.
There’s a perfectly legitimate thing in email called Reply-To. I can send you an email in my name but the replies go somewhere else. When you get that invitation to a garden party from HM The Queen, your response is going to someone else to handle. In this case, every time I replied to Paul my email was going somewhere else.
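The Reply-To trick above is easy to spot once you look at the raw headers rather than the client’s rendering of them. The following is an added example (it is not code from the original post) that parses a message with Python’s standard `email` module and reports whether a reply would be diverted away from the visible sender, and whether it would leave the sender’s domain. The three sample messages are constructed for illustration; the names, addresses and domains in them are made up.

```python
"""Flag messages whose Reply-To would send a reply somewhere other than From.

Added example; the sample messages below are constructed and the addresses
(paul@example.org, example-mail.net, etc.) are hypothetical.
"""
import email
from email import policy
from email.utils import parseaddr


def check_reply_path(raw_message: bytes) -> dict:
    """Parse an RFC 5322 message and compare the From and Reply-To mailboxes.

    Returns a dict with the two addresses plus two verdicts:
      diverted      - a reply would go to a mailbox other than From
      cross_domain  - that mailbox is in a different domain from From
    A same-domain diversion (noreply@ -> support@) is common and benign;
    a cross-domain one is the pattern used in the scam described above.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()

    result = {
        "from": from_addr,
        "reply_to": reply_addr or None,
        "diverted": False,
        "cross_domain": False,
    }
    # No Reply-To, or one equal to From: replies go back to the sender.
    if not reply_addr or reply_addr == from_addr:
        return result

    result["diverted"] = True
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    result["cross_domain"] = from_domain != reply_domain
    return result


def describe(raw_message: bytes) -> str:
    """One-line human-readable verdict, suitable for a mail filter log."""
    r = check_reply_path(raw_message)
    if not r["diverted"]:
        return f"OK: replies to {r['from']} go back to {r['from']}"
    level = "WARNING" if r["cross_domain"] else "NOTE"
    return (f"{level}: From is {r['from']} but replies would go to "
            f"{r['reply_to']}")


# Constructed sample messages (hypothetical addresses).
SAMPLE_PHISH = (
    b"From: Paul Chairman <paul@example.org>\r\n"
    b"Reply-To: Paul Chairman <paul.chairman@example-mail.net>\r\n"
    b"To: treasurer@example.org\r\n"
    b"Subject: Urgent payment today\r\n"
    b"\r\n"
    b"Can you make a payment to the supplier this morning?\r\n"
)

SAMPLE_PLAIN = (
    b"From: Paul Chairman <paul@example.org>\r\n"
    b"To: treasurer@example.org\r\n"
    b"Subject: Awards dinner\r\n"
    b"\r\n"
    b"See you tonight.\r\n"
)

SAMPLE_SAME_DOMAIN = (
    b"From: No Reply <noreply@example.org>\r\n"
    b"Reply-To: Support <support@example.org>\r\n"
    b"To: treasurer@example.org\r\n"
    b"Subject: Your ticket\r\n"
    b"\r\n"
    b"Reply to this message to reopen your ticket.\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_PLAIN, SAMPLE_SAME_DOMAIN):
        print(describe(sample))
```

The check is deliberately conservative: it does not try to decide whether the From address itself is genuine (that is what SPF, DKIM and DMARC are for), only whether the reply path silently diverges from it, which is the thing the client was hiding in the story above.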
Technology fail #1
Modern email clients, of course, don’t allow you to see Reply-To fields; they ‘protect’ you from seeing the underlying workings of the Internet. It wasn’t until I switched on my laptop and looked at the message in Thunderbird that I realised what was going on. Potential crisis averted. Plus, as everyone knows, I’m a very tight-fisted Treasurer.
If I had made a payment I shouldn’t have it would be difficult-to-impossible to get that money back as I had clearly authorised the payment. Blaming Apple, Microsoft or anyone else for their poor-quality email clients would be neither here nor there.
And yet, it almost happened again, yesterday.
I called Virgin Media to see what rates they’d offer me as I wanted to downgrade my TV package. I don’t watch that much these days (despite my call handler suggesting that, actually, I did), and I can still watch Bundesliga and MotoGP on BT Sport through my EE account. Not being happy with what they offered I had a whinge on Twitter and thought nothing more of it.
Not unreasonably, they called me out on this. I was about to respond when I noticed that they’d also sent me a Direct Message.
Technology fail #2
Except, they hadn’t. It was a phishing account, set up to look like Virgin Media’s but with a slightly different handle.
Unfortunately for me I was responding via the Twitter app on my iPad Mini, which means you don’t get to see the full username and handle, just the first dozen or so characters. And the blue tick is to the right of that, so you don’t see that either. Look at the messages on the website though and you can clearly see the handle is wrong. We got as far as giving them my name and address and my account number. They only got the account number because they asked for the credit card used on the account (there isn’t one), the expiry date and the ‘CSC’ – which is when the alarm bells started ringing.
And this, for me, is the really annoying thing (apart from them having my name and address, of course). Twitter is a sensible way for companies and customers to connect. There’s just no reliable method of authentication. If the phisher hadn’t slipped up (both in their language and the information they asked for) who knows how this would have ended?
What we really need is some sort of customer service app that companies can sign up to and through which you can contact them, safe in the knowledge that only the real ones can join. Never going to happen.
One good thing to possibly come out of this is that I – and we, if you saw my Twitter conversation with them – now know that Virgin Media don’t do DMs, to ensure account security. They might yet add that to their Twitter description; it’s a help.
One thing I’d like to see is Twitter changing the layout of the app so that it’s obvious to see who you’re DMing with. This being Twitter, they won’t make such a helpful change, but if any of my readers have any influence…