Here’s our latest Naked Security Live talk, about how to avoid email scams that arrive under the guise of a well-known brand – in this case, global sandwich seller Subway.
Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.
Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.
We’re normally on air between 18:00 and 19:00 UK time (late morning/early afternoon in North America).
Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
Bill Helm
I actually prefer type above talk. Could you also post transcriptions of the podcasts?
Paul Ducklin
Hi, Bill.
For the videos, you can get subtitles from YouTube by clicking on the cog. (You can also speed up the videos to 1.5x or 2x without pitch shifting.)
As for transcribing the podcasts, well, that’s a long-running story that comes up frequently, so here goes:
* We did an experiment where we published transcripts for a while a few years back, because a few people said they would be “better” than the spoken word. At best, these would pick up about 20 page views each, including from search engines. So they don’t seem to have been “better” after all.
* The work fell to me, heigh ho, and because I am not a stenographer the transcriptions took me absolutely ages – literally hours and hours – and nearly caused the defenestration of several laptops.
* We (almost always) discuss podcast topics we have already written about, and we provide links to the written versions for those who prefer to read rather than listen.
* We make the podcasts and videos as an adjunct to our written articles at the request of many readers who like to consume content in other ways. So we quite purposefully make our podcasts to be listened to, not to be read.
* Written English and spoken English, especially when technical discussions are concerned, are essentially different languages, and transcribed podcasts just don’t make readable articles.
Which means, in the short term at least, that I am sorry to say that the answer is no. (We revisit this issue every couple of months, so you can never say “never”, but it’s a good first approximation, I’m afraid.)
HtH.
Bruce Grayson
Paul, great review on the latest scam. You say to just delete, but I try to forward these to uk-phishing, Sophos, Microsoft (my email provider), and the company itself (e.g. PayPal or Amazon).
Am I being a good digital citizen, or is that a waste of time and effort?
Keep up the great work!
Paul Ducklin
If you are willing to forward the full emails (is-phish@sophos.com is a convenient “silent” email address to use if you just want to send it to us and get nothing in return but a sense of having tried), then please don’t let me discourage you!
I have to admit that the individual value of any one submission, at least for law enforcement, is often pretty small, which is why I no longer suggest that submitting phishing samples is “something people really *ought* to do every time”.
But whenever you have a phishing sample that you feel like submitting because you think you will maybe, just maybe, help the next person, then I would suggest that you are being an excellent digital citizen.
Indeed, if I could remember the Unicode value for a clapping emoji off the top of my head, I would enter it right now.
Ah, found it: Miscellaneous Symbols and Pictographs, CLAPPING HANDS SIGN (U+1F44F) 👏
Linda Brown
Would it also be appropriate for me to send txt messages that I get in abundance that are clearly trying to scam me every day to (is-phish@sophos.com)?
I’m in Australia and daily I receive txt messages by the score saying things like…
“Linda you made it to the final selection, the job is yours…etc…$5,000 a week etc….”
Clearly a scam as I never even had a job interview!
Also the classic,
“Jessica has uploaded another album to Facebook check it out!”
No thank YOU!
I get THAT one every week & usually tell them what they can do with Jessica’s album but maybe that’s not a good thing either?
Then there’s the PRIZES!!!!!!
From JB-HI-Fi, a well known company in Aust., or Harvey Norman as in this case,
telling me:
Our results are published.
You came in 3rd place:
1. Ella (HAR943)
2. Adam (HAR948)
3. You (HAR935)
Your Harvey-Norman prise:
[LINK REDACTED]
Hmmmnn, just noticed the dodgy spelling!
And this one that was sent on the 4/12/20
Your Name from last month was ACCEPTED Linda! Go to: [LINK REDACTED]
You have 24 hours!
Accepted for WHAT? OK, that I’m not so curious to find out.
BUT if there was ANY WAY to stop these predators I’d be very very grateful. How do they get my number? Is it something I’m doing whilst on the net that’s wrong? I’m totally stumped by it all and very sick to death of it.
Sincerely
Linda
Paul Ducklin
Yes, by all means send through any scammy emails you receive – just be sure to include the entire original email as an attachment (in Outlook, for example, hit [New message] and then drag and drop the scam from your inbox into the new email – it should appear as a .EML attachment).
This means our team get to see the headers, the raw message content (including any HTML trickery that is invisible in a screenshot), any image links in there and all the dodgy links to scam sites.
I still get loads of Woolworths, Coles, Bunnings, Harvey Norman and other Aussie-specific scams even though I left the Sophos Sydney office more than seven years ago – seems I am on the scamming lists from way back and I am never going to get off them…
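To show what a forwarded-as-attachment .EML preserves that a screenshot does not, here is an added example (not code from the post or from Sophos) that parses a constructed sample message and pulls out the sender, the real link targets behind brand-looking link text, and any image links; all domains in the sample are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample .EML (not a real scam): the visible link text looks like a
# brand address, but the href points elsewhere, and a 1x1 tracking image is embedded.
SAMPLE_EML = """\
From: "Harvey Norman Prizes" <prizes@example.net>
To: linda@example.com
Subject: Your prize
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Collect at <a href="http://claim.example.net/x">https://www.harveynorman.example/prizes</a></p>
<img src="http://track.example.net/p.gif" width="1" height="1">
</body></html>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for <a> tags and src values for <img> tags."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse_eml(raw: str) -> dict:
    """Parse a raw RFC 822 message and report headers, links, deceptive links and images."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    deceptive = []
    for href, text in parser.links:
        # Flag a link whose visible text is itself a URL on a different host than the real target
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown != urlparse(href).hostname:
            deceptive.append({"shown": text, "actual": href})
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "links": parser.links, "deceptive_links": deceptive, "image_links": parser.images}
```

Reading the same message from disk is a matter of passing the file contents to analyse_eml; the headers and raw HTML it reports are exactly what is lost when only a screenshot is sent.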