Email fraudsters foiled by a smiley

Annie Giles is a grapegrower in Marlborough, New Zealand, located at the top of the South Island, famous for winemaking and home of world-renowned Sauvignon Blanc. No matter what time of year, as the New Zealand marketers enthuse, there’s always something going on in Marlborough: wine tastings, tours, cycling, loads of wine cellars to explore.

No wonder grapegrower Annie Giles’ emails are always peppered with smiley faces!

…except, that is, when they’re not.

That situation came to pass when hackers took over her email account and, pretending to be Giles, wrote to the vintner that she sells her grapes to, Marlborough Vintners. They were looking for a payment due to Annie for about $90,000. “Annie” said that her bank account had been “put under review.” Hence, the payment needed to be deposited into a different account, the fraudsters explained.

Uh-huh. OK. The thing was, that email from “Annie” sure didn’t look like it was from Annie, mused Kathryn Walker, the general manager at Marlborough Vintners.

There were a number of things wrong with it, as Walker told Stuff New Zealand.

First, the language was formal. It wasn’t typical of Giles’ typical bubbly correspondence. Walker was familiar with the grapegrower’s communiques, so she could tell. Besides that, Annie Giles’ partner, her husband Graeme, hadn’t been cc’ed. Hmmm. Odd.

But the anomaly that really snatched that potential $90,000 payout out of the crooks grubby cyber paws: no smiley face at the end of the email.

No smiley face?!?! Red flag!!!

According to Stuff, it was about a month ago that Annie and Graeme Giles found themselves victimized by international email hackers.

The publication quoted Graeme:

Over the space of five days there were four or five emails… It wasn’t my wife at all.

The Giles lucked out: before she went to work for the vintner, Kathryn Walker says she’d had a 12-year career in commercial banking. Besides being good at spotting emails that give off subtle clues that they’re from imposters who’ve hijacked an account, she’s also aware that whatever type of “review” the account was purportedly under “is not something that would happen.”

She smelled a rat, so Walker contacted the couple before paying the money into the fraudsters’ account. Her guess is that the crooks had intercepted talk of a large sum that the Giles had emailed each other about in the prior month.

Bank staff told Graeme Giles that the account number controlled by the crooks had been subjected to “genuine infiltration” by offshore hackers. As of Tuesday, police were reportedly still investigating the attempted theft.

Graeme Giles called this a “cautionary tale” and suggests business owners routinely update passwords.

Should you regularly update a good, gnarly, tough to guess, unique password? One that’s only used for one account, not copy-pasted all over multiple accounts? Well, if somebody’s managed to get their hands on the password, the answer is obviously yes. It doesn’t matter if it’s a 8-character head-desk-thumper or a 50-character beast stuffed with special characters and correcthorsebatterstaple pass phrasery: breached is breached.

Unfortunately, people often reuse their passwords on multiple sites, and hackers are well aware of it. If the password gets stolen from one site, they’ll try it on other sites to see if they can break into wherever else it’s used.

For me, the lesson learned from this stopped-by-the-smiley story isn’t so much that we should regularly change our passwords. After all, people are already suffering from security fatigue as it is. They’re bombarded by warnings of new threats to the point that they basically give up, and that’s when they start acting recklessly.

Exhausted from all the finger-wagging about not reusing passwords or changing passwords frequently, they go right ahead and reuse passwords or come up with sequential passwords that aren’t really new at all, from a cracking perspective: Here’sMyPassword1, Here’sMyPassword2, and on and on.

So, Naked Security respectfully disagrees with Giles on this, as do US standards body NIST and the UK’s National Cyber Security Centre, amongst others.

Perhaps a better lesson to learn is to use two-factor authentication (2FA) whenever it’s available. Granted, it’s not foolproof: there are good reasons why the US National Institute for Standards and Technology (NIST) recently published new guideliness forbidding SMS-based authentication. It can be hacked.

But codes generated by an authenticator app are a pretty decent defense against people taking over your accounts. Using them means that the crooks have to steal your phone and figure out your lock code in order to access the app that generates your unique sequence of logon codes.

But even those aren’t a cure-all. As Naked Security’s Paul Ducklin says:

Malware on your phone may be able to coerce the authenticator app into generating the next token without you realising it – and canny scammers may even phone you up and try to trick you into reading out your next logon code, often pretending they’re doing some sort of “fraud check”.

If in doubt, don’t give it out!

Don’t give it out, don’t pass up 2FA (it’s not invincible, but it’s good!), and pray for a savvy ex-banking pro like Kathryn Walker to be your guardian angel.

Speaking of which, while we’re at it, brush up on the type of insight that Ms. Walker has in spades. A lack of errors doesn’t mean an email is genuine but the presence of errors might, so familiarize yourself with what to watch out for to spot fraudulent emails, be it spelling errors, tone, or the gaping hole where a smiley face usually sits.