On Thursday, I received two email messages from American Express that arrived within seconds of one another; as one might expect, the two appeared sequentially in my Inbox’s list of unread messages, one listed immediately above the other.
But the two messages, quite similar in appearance, were not cut from the same cloth. The first of the pair to arrive was a legitimate email sent by American Express informing me of some new terms and conditions applicable to one of my accounts with the company, and the second was a bogus message sent by a crook seeking to scam me; the latter correspondence apparently made it through the multiple email filtering technologies that I use to protect my email account.
While it is unlikely that any party sending phishing emails can consistently time his or her messages to be delivered immediately after legitimate counterparts, it is certainly possible that a crook can piggyback on the trust created by legitimate messages, by sending out phishing emails immediately after seeing that the impersonated party just sent out a real message. Such timing – intended to achieve scenarios such as the one that occurred on my machine – likely both increase the odds that some email filters will not interfere with the delivery of the bogus messages, as well as grow the chances that recipients will trust and open the illegitimate messages. (In the case of American Express, keep in mind that many people have more than one American Express account, and may be accustomed to regularly receiving two or more similar legitimate email messages from American Express.)
While I did not fall for the scam, the incident did highlight for me the need to remind folks that scammers often exploit timing; besides crafting scam emails based on current events in general, criminals can also time communications with would-be victims to occur in close proximity to the real transmissions of the legitimate parties being impersonated – and, at some point, you are likely to find yourself in a situation similar to the one that I experienced a few days ago. In fact, some evildoers may even open accounts and watch when the associated firms send out customer emails – and time the transmissions of bogus messages to their targets accordingly. And, in the case of targeted spear phishing, criminals are likely to exploit knowledge from multiple pieces of reconnaissance when timing their attacks.
Of course, Thursday’s experience should also serve as a reminder that even the best email filtering products on the market are imperfect; no matter what security countermeasures are in place, some phishing emails are likely to eventually reach users. As such, people need to be aware of the threat, and of how to stay safe.
• Always treat each individual message as a potential bearer of danger – even if you have three accounts with a firm and receive three emails from that firm, for example, be sure to properly consider each message on its own. The fact that you determined that one or more of the messages is legitimate does not mean that the others are as well.
• Use email filtering technology – but, never rely on it.
• If you receive an email that asks you to login to a system, or to take any other action that you would not do if you knew that the message was actually sent to you by a criminal, do not follow the instructions in the email. Instead directly contact the party that allegedly sent the message – via a previously known legitimate website, phone number, email address, or social media account.