You wouldn’t fall for that, would you?

Wheel Barometer, also known as Banjo Barometer, Barnasconi, Leeds, c. 1810 – Museum of Science and Industry (Chicago), via Wikimedia Commons under a CC0 licence.

There’s an old science joke about a physics professor who gives, as weekend homework, the task of using a barometer* to measure the height of the physics building. Back in class on Monday the professor invites the students to share their working. The class discuss how they measured the pressure at the base of the building, climbed to the top and measured it again, then used a mathematical formula to work out the height. One of the students admits that he’d saved a bit of time, measurements and calculations by simply knocking on the door of the janitor’s office and saying “If you will tell me the height of this building, I will give you this beautiful barometer.”

Social engineering

One of the simplest and often quickest ways to ‘hack’ into someone’s account doesn’t involve any hacking (or cracking) at all. People lose lots of money, time and anxious sleep to mistakes made because they were distracted and fell for something which was cleverly designed to fool them. Most cyberattacks happen not because someone guessed a password but because someone willingly handed it over.

Phishing attempts can involve little more than making a fake website look like a real one and hoping people don’t notice that the address doesn’t look right. Someone clicks on the link, perhaps in an email or a text message telling them that there’s something wrong with their account that they need to deal with urgently, and enters their email address and password – handing their account details to the scammer. Worse, when people re-use an email address with the same password on multiple sites the scammers suddenly have access to a great deal more of their private information and perhaps even access to their money (e.g. if they have stored payment details with their account).

Back in the 1980s ‘Claire’ managed to hack into a computer network with incredible ease, as her son explained in a series of posts. Claire, known as someone who was ‘good with computers’, was invited to a meeting by the CEO of a company that made security systems. She visited his office, taking the lift all the way up to the penthouse office, where he offered her “an eye-watering sum” if she was able to break into his system within a week.

Offer accepted, she took the lift all the way down to the building’s basement, where the computer lab was. She found a stack of papers and stood outside the lab door looking busy and needing to get on with her work but struggling to get in with all the papers. One of the lab technicians helped her into the room (how kind! she’s ever so grateful!) where she made her way to an unused computer, sat down and called out “What’s today’s password?”. And someone told her. It took her less than 20 minutes!

It is easy to be tricked

I (PC) was at a workshop about security. As part of it we were shown a website that could tell you how safe your password was. It gave an estimate of how long any password could be cracked in. If you typed in 1234 then it would tell you that was cracked in fractions of seconds. A word in any dictionary (even a Tolkien one) likewise. Longer passwords would take longer than shorter ones. Mix in capitals and it would take longer still, and so on. Everyone was told to type in their passwords to find out how good they were at thinking up a password. Virtually everyone did so and many found out that their passwords were not very good… others celebrated the fact that they were good at choosing a password. However, perhaps it didn’t matter either way! Everyone who typed in an actual password had just given away their password to a website that may or may not have been secure…

Never give up your password to anyone and certainly not to a computer program. Don’t even tell others the rules you use to create one!

How easy are you to scam?

Try Google’s phishing quiz and see how you do.

How do you decide a website is safe? You do not judge it by looking at the website itself. You look elsewhere, to a trusted source, and find information that way! Either way, never enter personal data or passwords into a site unless you are absolutely sure it is genuine.

You can also try Take Five’s quiz to see how ‘Scamsceptible’ (susceptible to scams) you are based on how well you slept last night and if you have lots of things on your mind distracting you. Take Five is a campaign to encourage people to pause (and take five minutes) when they get a message they’re not sure about and double-check that it’s genuine.

– Jo Brodie and Paul Curzon, Queen Mary University of London


Part of a series of ‘whimsical fun in computing’ to celebrate April Fool’s (all month long!).



This blog is funded by EPSRC on research agreement EP/W033615/1.


CS4FN Advent 2023 – Day 19: jingle bells or warning bells? Avoiding computer scams

It’s Day 19 of the CS4FN Christmas Computing Advent Calendar. Every day throughout Advent we’ll be doing our best to publish a computing-themed post that relates to the picture on the advent calendar’s door. If you’d like to judge how well we’ve done please scroll to the end of this post where we have a full list of our attempts on Days 1 to 18 in the panel with the Christmas tree.

Jingle bells, warning you of festive scams. Image drawn and digitised by Jo Brodie.

Gone Phishing

Sending fake emails or text messages asking for bank details, including passwords, is known in the trade as ‘phishing’ – it’s an example of social engineering, in which someone tries to manipulate someone else into giving away information. As in fishing, the criminals scatter lots of bait and once in a while someone bites on the hook and replies. Criminals have even created fake Internet banking sites, direct copies of the real sites, in an attempt to scam customers’ details. This type of crime would never have been possible before computers. Few criminals would have the ability or funds to build a fake copy of your bank in the high street, but they can write programs to simulate them online.

1. A gift for scammers

Scammers love Christmas. It’s the perfect time of year to try and extract money or information (or both) from frazzled, busy and distracted Christmas shoppers.

“We’re sorry we missed you”

This popular phishing scam will come via text, saying that there’s a problem with delivering your item and you need to pay some small amount of money to rearrange delivery.

In the run-up to Christmas so many people are expecting deliveries that this scam is successful: even if only a small percentage of people fall for it, that’s still a lot of people. The text message will contain a link that looks like it’s for the genuine web address of a delivery company where you might already have an account. But… the link’s taken you to the scammer’s replica website in the hope that you hand over your login information and possibly your bank card details to pay. The scam is quite subtle as once you fill in your details and press send you are then redirected to the genuine company’s website, so it’s easy to miss what’s happened at first.

How to stay safe: were you expecting this text message? If not, be alert. Look at the link carefully – does it seem correct? If it seems fake you can forward the message from any mobile phone to 7226 (which spells SPAM on your keypad). Learn about scams (see Further reading) and tell people about them so they know what to watch out for.
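What “look at the link carefully” means in practice, as an added example (not code from the CS4FN authors): the part of a web address that matters is the host name, read from its right-hand end, and anything before an ‘@’ is not the site at all. The site names and links below are made up, and `check_link` is a hypothetical helper.

```python
from urllib.parse import urlsplit

# Constructed names: stand-ins for sites you really have accounts with.
TRUSTED = ("parcels.example", "bank.example")

def check_link(url, trusted=TRUSTED):
    """Return (verdict, reason) for a link found in a message."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return "suspicious", "not a normal https web address"
    if parts.username is not None:
        # Everything before '@' is a login name, not the site being visited.
        return "suspicious", f"'@' trick: the real host is {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Heuristic: 'xn--' marks encoded non-ASCII (possible look-alike) letters.
        return "suspicious", "host uses encoded look-alike characters"
    for site in trusted:
        # Genuine only if the host IS the site or ends with '.' + site.
        if host == site or host.endswith("." + site):
            return "ok", f"host belongs to {site}"
    for site in trusted:
        brand = site.split(".")[0]
        if brand in host:
            # The brand name appears, but somewhere other than the end.
            return "suspicious", f"mentions '{brand}' but the host is {host}"
    return "unknown", f"{host} is not on your trusted list"

# Constructed sample links, not taken from any real message.
SAMPLES = [
    "https://www.parcels.example/track?id=1",
    "https://parcels.example.redelivery-fee.test/pay",
    "https://parcels.example@pay-fee.test/login",
    "https://xn--parcels-9za.example/",
    "https://weather.test/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_link(link), link)
```

An “ok” here only says the address belongs to a site you listed; typing the address yourself or using the company’s app is still the safer route.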

See how well you do on Google’s Phishing Quiz (you can make up a fake email address to use) – some are genuine, some are trying to steal information. Can you spot which is which?

Screenshot from Google’s Phishing Quiz (c) Google.

Further reading

Phishing: Spot and report scam emails, texts, websites and calls, from the National Cyber Security Centre

2. Logging on, to your computer

Some phishing attempts are a bit more involved. You might get a phone call from someone claiming that ‘bad people’ have ‘got into your internet’ and you need to take immediate action to prevent being cut off. Sometimes the scammers pretend to be from a well-known computer company (such as Microsoft) or from the company that provides you with your broadband internet.

Fraud image by mohamed Hassan from Pixabay

Sometimes they’ll try and engage you in conversation – this is ‘social engineering’. It is an attempt to gain your trust while keeping you anxious that something has gone wrong, which they are going to help you with. They may even use some tricks to convince you they’re legitimate. If you use a Windows computer they might ask you to open up the Event Viewer and count the errors, suggesting that there’s a problem (in reality it’s all pretty normal and harmless).

The next thing they might want you to do is to download some ‘desktop sharing’ software onto your computer. The software is real enough (and can be used genuinely to help people) but in this case they want to be able to access your computer and cause havoc. What they probably want to do is see if you have online banking (so they can steal your money) or they might delete some important files and say they’ll give them back only if you pay them. Don’t let them in!

How to stay safe: you can just hang up! Definitely don’t download any software, don’t visit any links they suggest you go to and don’t give them any information.

Further reading

Remote access scams: the call that could wipe out your life savings (Nov 2020) Which?
Who scams the scammers? Meet the scambaiters (October 2021) The Observer

3. And you are…?

This ‘friend in need’ scam will likely come via WhatsApp. Someone pretending to be a family member or friend gets in touch claiming they’re contacting you from a new phone after their old one was lost or stolen. They then claim they need money for some urgent reason and ask you to send them some via online banking.

This scam relies on people’s kindness and goodwill, and not wanting to be seen to be stingy or unhelpful, but sadly it causes thousands of pounds to be stolen and it’s often very difficult to recover that money.

How to stay safe: be suspicious. Try and contact your friend / family member in another way to check it’s really them. Or do a bit of social engineering yourself – make up something and ask them about it. Rather than admit they don’t know about it they’ll probably answer ‘yes’ and give themselves away!

Further reading

We lost festive savings in family WhatsApp scam (11 November 2021) BBC News
‘Friend in need’ message scam costs victims almost £50,000 in three months (24 November 2021) Action Fraud



EPSRC supports this blog through research grant EP/W033615/1.