Monday, December 17, 2012

How to Scam Tufts (for Dummies)

It's Sunday, 3:52pm EST. It's nighttime in Edinburgh, and I'm typing away at my computer, studying for upcoming exams. Suddenly, an email notification. The subject reads: "(Suspension Of Your Email Account)*". The message claims to come from "noreply@tufts.edu". That seems pretty legitimate. There's a link... it wants me to submit my Tufts username and password. "Failure to comply will lead to the termination of your email email account in the next 48 hours." Scammer, let's get a couple things straight, here. This was pretty good. You probably picked up a few email account passwords. But you weren't exactly the brightest hacker of the bunch. I've got a few pointers for you.


This Isn't "24"
The fact that you gave your victims 48 hours to submit their personal information is a little excessive. If Jack Bauer can defuse nuclear warheads in 24 hours, how long do you think it honestly takes for us to figure out your scam? Tufts University Information Services took nearly 10 hours to send out a warning to the Tufts community, which is admittedly embarrassing (considering students like me reported this to them within 6 minutes of the attack), but why cast your deadline so far out? Next time, demand the information within no more than a day.

Yes, President Monaco is on Facebook

Mr. President, We Have a Situation
It was impressive that you managed to hit so many tufts.edu account holders. Maybe even all of them (check your spam folders, people). But you didn't really think this through, did you? When your email went out to everyone, that included President Monaco. By the time I chatted with him on Facebook, he had already received the email. That's like sending a fake "Wells Fargo Bank" email to the Wells Fargo CEO. Next time, be more selective. Recent graduates, students abroad, and freshmen are perhaps most likely to believe that there is an issue with their email accounts. The people in the IT department? Not so much.

Wait a Week
Your timing was almost perfect. You chose a weekend, when you expected the university to be closed; very good. This limits the ability of the university professionals to warn students that your email is a scam. But guess what? Someone at UIT was around at 5:30pm on a Sunday to answer my emails. Guess techies work weekends. Next time, wait for winter break. Sure, fewer students may check their emails, but at least most of the first-responders will be out of the office.

A screenshot from the linked Google Form

Google is Not Your Friend
A Google Form for phishing passwords, honestly? Any eight-year-old with a laptop could've pulled that off. If you're going to trick people into doing something, at least put in an appropriate amount of effort. Next time, make the form look nice, make the URL seem authoritative, and don't use a service that lets users "Report Abuse" via a link along the bottom. If Google hasn't taken down your form already, it should soon. And you better have your fingers crossed that the university isn't working with Google to track you down. You're currently eligible for criminal charges, and if you have any relationship to the university, you're also in violation of their UIT Email Policy.

What are You Gonna Do, BCC on Me?
Collecting email addresses and passwords isn't exactly the most daring heist. If you're going to risk serious consequences, at least collect something profitable, like credit cards, social security numbers, or Amazon logins. What were you going to do with my Tufts email address, rate my professor? Next time, go big or go home.

The scam email

Messin' with My Generation
But whether or not you executed your scam well, and whether or not it was worth the pay-off, one mistake rises above the rest. You tried scamming tech-addicted, socially-networked, hyper-communicating college students, many of whom have friends earning university degrees in computer science. Of all the possible populations in the world, you targeted one of the most tech-savvy, not to mention best able to cross-check the validity of your message with internet sources, friends, or technology gurus. I'm dying to know your success rate, but I know: it's probably too embarrassing to publicize. Next time, don't come after us with a technology scam. Try our grandparents. (Grandmom, don't click on strange links).

* * *

Jumbos: Listen Up
For any non-scammers reading my post, I'll throw in some advice for you, too.

1) Email addresses can be faked. My time solving computer problems through Andrew & Brian's Computer Innovations has certainly taught me that. Just because the email says it's from "tufts.edu" doesn't mean it is. This one wasn't.

2) Never give out passwords or other secrets online. It's that simple. If you have to type sensitive information online (for example, to log into something), make sure you sought out the website yourself. If you clicked a link in an email to get there, it's likely a scam. And some of them look way more convincing than a Google Doc.

3) Check with a savvy friend (like me!) before doing something that doesn't feel right. (I'm talking about technology, people. Don't reinterpret this.) At least one of my friends forwarded me the email when she got it, asking if it was legitimate. Other people read Facebook posts warning against the scam. Do that. While our technology is a potential vulnerability, it's also our best tool to combat misinformation.

Oh, and this part is key. If the email you received asks you to "fill the required information's", don't do it. Anyone with that kind of grammar doesn't work for Tufts University.
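As an added example (not code from the original post), here is a small Python check a defender or a curious student could run over a raw message to flag the tells the post describes: a From address whose domain doesn't match the bounce address, a link that leaves the university's domain and points at a public form builder, a deadline, and a request for credentials. The sample message, the trusted-domain list and the indicator names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message the post describes: spoofed
# tufts.edu sender, Google Form link, 48-hour deadline. Not the real email.
SAMPLE = """\
From: IT Helpdesk <noreply@tufts.edu>
Return-Path: <bounce@bulkmailer.example>
Subject: (Suspension Of Your Email Account)*
Content-Type: text/plain; charset=us-ascii

Your mailbox is over quota. Click the link below and fill the
required information's to keep your account active:
https://docs.google.com/forms/d/e/EXAMPLE-FORM-ID/viewform
Failure to comply will lead to the termination of your email
account in the next 48 hours.
"""

TRUSTED_DOMAINS = ("tufts.edu",)                 # where real IT mail and links should point
FORM_HOSTS = {"docs.google.com", "forms.gle"}    # free form builders, not a login page
URL_RE = re.compile(r"https?://[^\s<>\"']+")
DEADLINE_RE = re.compile(r"\b\d+\s*hours?\b|\bsuspen|\bterminat", re.I)
CREDENTIAL_RE = re.compile(r"password|username|required information", re.I)

def domain_of(header_value):
    """Lowercase domain of the address in a From/Return-Path header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_indicators(raw):
    """Return the sorted list of indicator names found in a raw single-part text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()            # assumes a single-part text body, as in SAMPLE
    found = set()
    if domain_of(msg["From"]) != domain_of(msg["Return-Path"]):
        found.add("sender-domain-mismatch")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted(host):
            found.add("link-outside-trusted-domain")
        if host in FORM_HOSTS:
            found.add("credential-form-on-public-form-host")
    if DEADLINE_RE.search(msg["Subject"] or "") or DEADLINE_RE.search(body):
        found.add("deadline-pressure")
    if CREDENTIAL_RE.search(body):
        found.add("asks-for-credentials")
    return sorted(found)

if __name__ == "__main__":
    for name in phishing_indicators(SAMPLE):
        print("flag:", name)
```

Any one flag alone is weak evidence; the sample trips all five, which is the point the post makes about this particular email.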
