In Thanks FedEx, This is Why We Keep Getting Phished (discussion on Hacker News) the author is playing the game we are probably all used to playing these days upon receiving a text or e-mail asking us to urgently do something or pay: scam or real. I highly recommend reading the article in full, as it has numerous screenshots of actual scams, and tells a hilarious (if your humor is dark enough) story of FedEx’s own texts looking more dodgy than actual scams.
Scams are a massive problem today, and people commonly fall for them:
[…] Aussies alone are losing north of AU$3B annually to scams, and that’s obviously only a drop in the ocean compared to the global scale of this problem. Our Australian Communications and Media Authority body (ACMA) recently reported 336M blocked scam SMSs and technical controls like these are obviously great, but absent from their reporting was the number of scam messages they didn’t block. There’s an easy explanation for this omission: they simply don’t know how many are sent. But if I were to take a guess, they’ve merely blocked the tip of the iceberg. This is why in addition to technical controls, we rely on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that’s a bit off, odd looking URLs.
Worse still, some scam and phishing attempts are actually rather sophisticated, and it may be difficult even for a security expert to identify them. Now that AI and deepfakes are a thing, this is just going to get worse… ah, who am I kidding, it already is: Finance worker pays out $25M after video call with deepfake CFO (discussion on Hacker News).
With scams being such a problem, you’d hope that companies are doing their best to make their official communications easily identifiable and distinguishable from scams. Unfortunately, reality is proving that hope a naive one, as the linked article shows:
What makes this situation so ridiculous is that while we’re all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like “here, hold my beer” as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.
The sad and unfortunate reality is that these companies are usually not the ones who end up paying the cost of scams: it is the customers and clients. Regular people. So companies just shrug, and they keep using terrible security practices like storing passwords (!!), using SMS as 2-Factor Authentication, having ridiculous and unsafe rules for passwords (e.g. max length 8, cannot contain special characters or spaces), and people keep getting scammed.
Banks are some of the worst offenders, as a commenter on the Hacker News discussion relates:
A while ago my wife applied for a home equity loan. At some point I got a call from someone claiming to be from the bank she had applied through (I forget which one), calling to make sure I approved the loan since the home is in both our names. He asked for my name, which I gave him, and then the last four digits of my social security number, which I also gave him. He then proceeded to ask for my full social security number, at which point alarms started going off in my head and I started sweating about even giving the last four digits to a stranger who had called me out of the blue. I told him I wouldn’t do that, and was there a number on the bank’s website I could call in order to get back to him, in order to verify that he actually worked for the bank. The guy started acting really annoyed, and said he didn’t think there was any number on the bank’s website that could reach him, and that if I didn’t give him my full social security number he would be forced to reject the loan application. I told him I didn’t feel comfortable giving that information to someone who had phoned me, and if there was no way for me to call him back through an official bank phone number then the call was over. He hung up angrily.
Turns out he actually was from the bank and he did cancel the loan application.
The situation is not going to get better until regulators start to punish companies for this kind of shit. Unfortunately, that’s also not likely to happen, as the regulators themselves have no idea what good security practices even are…