Two weeks ago was Cybersecurity Awareness Month’s “Fight the Phish” week, a theme that the #Cybermonth organisers chose because this age-old cybercrime is still a huge problem.
Even though lots of us receive many phishing scams that are obvious when we look at them ourselves…
…it’s easy to forget that the “obviousness” of many scam emails comes from the fact that the crooks never intended those scams for us in the first place.
The crooks simply sent them to everyone as a crude way of sending them to someone.
So most scams might be obvious to most people, but some scams are believable to some people, and, once in a while, “some people” might just include you!
When 0.1% is more than enough
For example, we received a phish this morning that specifically targeted one of the main South African banks.
(We won’t say which bank by name, as a way of reminding you that it could have been any brand that was targeted, but you will recognise the bank’s own website background image if you are a customer yourself.)
There’s no possible reason for any crook to associate Sophos Naked Security with that bank, let alone with an account in South Africa.
So, this was obviously a widely-spammed out global phishing campaign, with the cybercriminals using quantity instead of quality to “target” their victims.
Let’s do some power-of-ten approximations to show what we mean.
Assume the population of South Africa is 100 million – it’s short of that, but we are just doing order-of-magnitude estimations here.
Assume there are 10 billion people in the world, so that South Africans make up about 1% of the people on the planet.
And assume that 10% of South Africans bank with this particular bank and use its website for their online transactions.
At a quick guess, we can therefore say that this phish was believable to at most 1-in-1000 (10% of 1%) of everyone on earth.
It’s tempting, from there, to extrapolate that 99.9% of all phishing emails will give themselves away immediately.
Then, you might wonder to yourself, perhaps with just a touch of smugness, “If 99.9% of them are utterly trivial to detect, how hard can the other 0.1% be?”
On the other hand, the crooks knew all along that 999 people in every 1000 who received this email would know at once that it was bogus and delete it without a second thought…
To read the original article:
https://nakedsecurity.sophos.com/2021/10/26/banking-scam-uses-docusign-phish-to-thieve-2fa-codes/