Post · bonfire.cafe

I saw something disturbing this morning.
One of my clients showed me an email. They use Gmail for their emails (on their own domain) and download them locally.
The email officially came from their company president, giving the purchasing department orders to immediately pay an invoice of around €20,000 to a new supplier in the UK. It included all the details and had the invoice attached as a PDF.

The worrying part is that the style and tone of the writing were exactly like their president's. However, the sender's address, while using the correct name, was a generic Gmail account. This immediately raised a red flag for the purchasing department, and they didn't fall for it. It was also easy for them to check because the president was in their office at that very moment.

Looking at the sender's address, it would have been simple for anyone to figure out what was happening, but many people don't.
The accuracy with which they (likely using an LLM) recreated the president's writing style is truly concerning.

#Scam #Spam #FakeSender

Gabe Saltar

@gabe_saltar@mastodon.bsd.cafe replied · 3 days ago

@stefano As embarrassing as it may be, I once was scammed by someone pretending to be the owner of the company where I worked. I lost approximately $1,000

However, I did learn my lesson and checking the email address of any suspicious email is the first thing I do now

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 3 days ago

@gabe_saltar don't be embarrassed. In 2004 or 2005, I was scammed on ebay, too. I lost 1700 euros

Gabe Saltar

@gabe_saltar@mastodon.bsd.cafe replied · 3 days ago

@stefano Damn! That sucks!

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 3 days ago

@gabe_saltar it does. I felt stupid. Then I was angry, because it wasn't easy to spot. They stole the login credentials of a legit shop and changed the IBAN. PayPal or other similar tools weren't available. It came out that more than 15 people were scammed, all around Europe. We got in touch with one another and we all went to the police but they couldn't find the money. There's been some money transfer from the original country (Germany) to another, non European country and then...everything lost.

Gabe Saltar

@gabe_saltar@mastodon.bsd.cafe replied · 3 days ago

@stefano WOW! In my case the person pretended to be my boss, and asked me to send him money in for apple gift cards... It sounded suspicious as hell, but I felt for it because I was new in the company. It was second week at the job and I didn't know anyone in the company well enough to make the correct judgement call.

I found the whole thing to be embarrassing because my major is in Cyber Security. To say I felt stupid, would be understatement of the year

😬

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 3 days ago

@gabe_saltar bad things can happen to all of us. But life goes on, and we lean the lesson 😉

1 more replies (not shown)

Anonomouse13

@Anonomouse1981@mstdn.social replied · 3 days ago

@stefano

@eff

Joel Carnat ♑ 🤪

@joel@gts.tumfatig.net replied · 4 days ago

@stefano I’ve heard that they also do this through phone call, using AI mimicking voices.

Tim Chase

@gumnos@mastodon.bsd.cafe replied · 4 days ago

@joel

I'd considered making a mini CLI-oriented podcast but this concern was part of why I have very little audio of my voice online.

@stefano

xenotar

@xenotar@mastodon.bsd.cafe replied · 4 days ago

@stefano PGP signing is 34 y.o. with several open source implementations that make it easy to sign and to verify email messages. I will never understand why business avoid it

Anita Lewis

@ajlewis2@social.vivaldi.net replied · 4 days ago

@stefano

LLM adds a whole new dimension to this sort of thing. I'll watch out for this in my own little world.

xinqu

@xinqu@mastodon.bsd.cafe replied · 4 days ago

@stefano I'm frustrated because a solution to this problem exists for decades - its name is #PGP. Also it has it's disadvantages, problems and is of course not bullet proof, I wonder why nobody was able to design a GUI that is usable for most users with a few hours of training. You only need to understand 5 % of PGP to be able to use it.

I think convenience and lack of interest (until it's too late) are the main obstacles.

Nick

@nick@shore.me.uk replied · 4 days ago

@stefano@mastodon.bsd.cafe I hope that they have learnt that a single email should not be enough to authorise a payment

Nick 'The Viking' O'Pelican

@nlarson830@techhub.social replied · 4 days ago

@stefano

I wonder how the scammers get samples of the president's emails to use?

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 4 days ago

@nlarson830 The president is active as he's talking at conferences, etc. I've tested and the LLMs are aware of this person and his style.

Ricardo Martín

@ricardo@mastodon.bsd.cafe replied · 4 days ago

@stefano That's only dangerous if a potential victim has 20k spare change laying around 😆

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 4 days ago

@ricardo unfortunately, amounts like those are in their budgets, so they could pay them

Ricardo Martín

@ricardo@mastodon.bsd.cafe replied · 4 days ago

@stefano All jokes aside, wouldn’t a proper accounting department question an unscheduled or unbudgeted expense just because the invoice says "pay now", specially without any warning? 🤔

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 4 days ago

@ricardo this one doesn't - but another I know did it. And lost 18000 euros.
And they refused a new server because "hey, 1800 euros are too much for a refurbished Dell server"

Ricardo Martín

@ricardo@mastodon.bsd.cafe replied · 4 days ago

@stefano

a close up of a man 's face with his eyes closed

Stefano Marinelli

@stefano@mastodon.bsd.cafe replied · 4 days ago

@ricardo yes. life can be hard, at times

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0-rc.2.11 no JS en

Automatic federation enabled