Thursday, January 31, 2019

Phish Before Turkey

The Chronicle of Higher Education recently published a story Phishing Scheme Targets Professors’ Desire to Please Their Deans — All for $500 in Gift Cards. The same thing happened to me last fall.

Twas the day before Thanksgiving and an email went out to most of the faculty in my department.
From: Lance Fortnow <lancefortnow@yahoo.com>
Sent: Wednesday, November 21, 2018 1:45 PM
To: [name deleted]
Subject: 
Hello,are you available?
At the time I was in New Jersey visiting family. lancefortnow@yahoo.com is not my email. I do own fortnow@yahoo.com but don't email there, I rarely check it.

Some faculty checked with me to see if this is real. One faculty called me to see what I wanted. Once I found out what was happening I sent a message to my entire faculty to ignore those emails.

Some faculty did reply to see what I want. The response:
i need you to help me get an Amazon gifts card from the store,i will reimburse you back when i get to the office.
One of our security faculty decided to follow up and replied "Sure! Let me get them for you. Could you provide more more information? e.g., amount and #cards. I can bring them on Monday." The reply:
The amount i want is $100 each in two (2) piece so that will make it a total of $200 l'll be reimbursing back to you.i need physical cards which you are going to get from the store. When you get them,just scratch it and take a picture of them and attach it to the email then send it to me here ok
He went a few more rounds before the phisher just stopped responding.

A week later, a different faculty member came to my office and said I wanted to see him but he's been out of town. I said it was nice to see him but I didn't ask to talk to him and we figured out the confusion was the phishing email.

Someone went through the trouble of creating a fake email address in my name, looking up the email addresses of the faculty in the department and individually emailing each of them, without realizing computer science professors won't fall for a gift card phishing attack. Or at least none of them admitted falling for it.

No comments:

Post a Comment