[conspire] Fraudulent e-mail addresses (was: ...Straffic data breach)

Rick Moen rick at linuxmafia.com
Thu Feb 27 17:41:55 PST 2020


Quoting Paul Zander (paulz at ieee.org):

> Better was a story on this morning's television.  One of the rich
> people on Shark Tank got taken for $400,000.  Apparently somebody
> spoofed an email address that looked like a legitimate business
> connection and asked for payment.  The clerk thought it was legit,
> exchanged a couple of emails about the reason for the payment, etc,
> then sent it.  
> 
> Only later did someone catch the breach.  The bogus email address had
> substituted a "0" for an "O".

http://linuxmafia.com/~rick/lexicon.html#frogery

  Frogery

  Yet another new and fabulous Internet invention, a "frogery"
  (alternatively, "froggery") is a forged Usenet posting (or, by
  extension, e-mail or Web site) whose address was crafted to be visually
  as indistinguishable as possible from that of its intended victim —
  substituting, e.g., "1" for "l" or "0" for "O" — to either slur the
  victim by association or troll him/her into complaining to the froger's
  Internet provider or a public forum, and thereby look stupid.

  The term originated on the Usenet newsgroup news.admin.net-abuse.usenet
  in the late 1990s. The best known frogery episode was occasioned by an
  obscene January 13, 1997 soc.culture.thai post from "Lawrence Godfrey",
  leading the better-known Dr. Laurence Godfrey (whose e-mail address was
  used in the frogery) to file a defamation action against Demon Internet
  Ltd. for failing to remove it from the company's news spool when so
  requested.

In the case you cited, the victim is getting excused rather too easily
for extremely carelessness.  Consider:

1.  When is the last time you received a business invoice for $400,000 
with _no paper record_ of the debt or, for that matter, even of a
business relationship?

2.  Before paying a $400,000 alleged debt, wouldn't you at least vet
that the invoice cites a verifiable purchase number or project number? 


When my now-late mother was ailing and suffering short-term memory
deficiency, she was still wise in the way of such things and asked my
advice about how to deal with people contacting her out of the blue, via
either voice telephone or e-mail, claiming she owed them money.  I said:
'Simple:  If they're telephoning you, tell them to put it in USPS and 
you will not take seriously requests just over e-mail.  If you're
getting inquiries in e-mail, just assume they're fradulent and ignore
them.'

Con-artists tend to be extremely reluctant to use USPS mail for their
frauds because the postal inspectors and the mail fraud statutes are
serious matters with real teeth.  Moreover, any serious business is
going to primarily use the postal mail for communications about debts
owed, anyway.

(Companies that play brinksmanship with the mail fraud statutes, such as
certain domain registrars who attempt you to fool you to switching to
them, nonetheless are very careful to include disclaimer paragraphs
that, e.g., 'This is not a renewal invoice....'  They're hoping
recipients aren't paying attention and pay without reading.)

tl;dr:  There is absolutely _no_ reason to trust an e-mail address.
(What an idiot.)


FYI:  Until this moment, I had absolutely no idea what a 'Shark Tank'
is, and it appears I haven't missed a thing.
https://people.com/tv/barbara-corcoran-loses-almost-400000-in-phishing-scam/



More information about the conspire mailing list