Stefano Marinelli
@stefano@mastodon.bsd.cafe · 3 months ago

I saw something disturbing this morning.
One of my clients showed me an email. They use Gmail for their emails (on their own domain) and download them locally.
The email officially came from their company president, giving the purchasing department orders to immediately pay an invoice of around €20,000 to a new supplier in the UK. It included all the details and had the invoice attached as a PDF.

The worrying part is that the style and tone of the writing were exactly like their president's. However, the sender's address, while using the correct name, was a generic Gmail account. This immediately raised a red flag for the purchasing department, and they didn't fall for it. It was also easy for them to check because the president was in their office at that very moment.

Looking at the sender's address, it would have been simple for anyone to figure out what was happening, but many people don't.
The accuracy with which they (likely using an LLM) recreated the president's writing style is truly concerning.

#Scam #Spam #FakeSender

Gabe Saltar
@gabe_saltar@mastodon.bsd.cafe replied · 3 months ago
@stefano As embarrassing as it may be, I once was scammed by someone pretending to be the owner of the company where I worked. I lost approximately $1,000.

However, I did learn my lesson, and checking the email address of any suspicious email is the first thing I do now.

Anonomouse13
@Anonomouse1981@mstdn.social replied · 3 months ago
@stefano

@eff

Joel Carnat ♑ 🤪
@joel@gts.tumfatig.net replied · 3 months ago
@stefano I've heard that they also do this through phone calls, using AI to mimic voices.
Tim Chase
@gumnos@mastodon.bsd.cafe replied · 3 months ago
@joel

I'd considered making a mini CLI-oriented podcast but this concern was part of why I have very little audio of my voice online.

@stefano

xenotar
@xenotar@mastodon.bsd.cafe replied · 3 months ago

@stefano PGP signing is 34 years old, with several open source implementations that make it easy to sign and to verify email messages. I will never understand why businesses avoid it.

Anita Lewis
@ajlewis2@social.vivaldi.net replied · 3 months ago
@stefano

LLM adds a whole new dimension to this sort of thing. I'll watch out for this in my own little world.

xinqu
@xinqu@mastodon.bsd.cafe replied · 3 months ago

@stefano I'm frustrated because a solution to this problem has existed for decades; its name is #PGP. It has its disadvantages and problems, and is of course not bulletproof, but I wonder why nobody was able to design a GUI that is usable for most users with a few hours of training. You only need to understand 5% of PGP to be able to use it.

I think convenience and lack of interest (until it's too late) are the main obstacles.

Nick
@nick@shore.me.uk replied · 3 months ago

@stefano@mastodon.bsd.cafe I hope that they have learnt that a single email should not be enough to authorise a payment.

Nick 'The Viking' O'Pelican
@nlarson830@techhub.social replied · 3 months ago
@stefano

I wonder how the scammers get samples of the president's emails to use?

Ricardo Martín :bsdhead:
@ricardo@mastodon.bsd.cafe replied · 3 months ago
@stefano That's only dangerous if a potential victim has 20k spare change laying around 😆
Stefano Marinelli
@stefano@mastodon.bsd.cafe replied · 3 months ago
@ricardo Unfortunately, amounts like those are in their budgets, so they could pay them.
Ricardo Martín :bsdhead:
@ricardo@mastodon.bsd.cafe replied · 3 months ago
@stefano All jokes aside, wouldn't a proper accounting department question an unscheduled or unbudgeted expense just because the invoice says "pay now", especially without any warning? 🤔
Gabe Saltar
@gabe_saltar@mastodon.bsd.cafe replied · 3 months ago

@stefano WOW! In my case the person pretended to be my boss, and asked me to send him money for Apple gift cards... It sounded suspicious as hell, but I fell for it because I was new in the company. It was my second week at the job and I didn't know anyone in the company well enough to make the correct judgement call.

I found the whole thing to be embarrassing because my major is in Cyber Security. To say I felt stupid would be the understatement of the year.

😬

Gabe Saltar
@gabe_saltar@mastodon.bsd.cafe replied · 3 months ago
@stefano Damn! That sucks!
Stefano Marinelli
@stefano@mastodon.bsd.cafe replied · 3 months ago
@ricardo Yes. Life can be hard, at times.
Ricardo Martín :bsdhead:
@ricardo@mastodon.bsd.cafe replied · 3 months ago
@stefano
[video: a close-up of a man's face with his eyes closed]