Phishing Email That Knows Your Address (bbc.com)
An anonymous reader writes: BBC is reporting about a new type of phishing email that includes the recipient's home address. The publication, citing sources, claims that thousands of people have already received such malicious emails. Clicking on the email apparently installs malware such as CryptoLocker ransomware on the recipient's computing device. From the report, "Members of the BBC Radio 4's You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms. The firms involved have been inundated with phone calls from worried members of the public. 'The email has good spelling and grammar and my exact home address...when I say exact I mean, not the way my address is written by those autofill sections on web pages, but the way I write my address.'"
I remember a while back I read about an interesting way to identify where this info is coming from. If you have your own domain, there are people out there who will append the site name to their email address when they sign up... e.g. kenneth.facebook@yourdomain.com - then as you receive spam you can see where it originated from... due to them sharing your email (or if it was stolen). Would be interesting to know if anyone has done this and identified the original source of the data.
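The tagged-address trick in the comment above only pays off if you actually tally which tag the junk arrives at. The script below is an added example, not code from the thread or from anyone quoted in it: it extracts the site tag from each recipient address (both the dotted style `kenneth.facebook@yourdomain.com` the comment mentions and plain `+` sub-addressing), counts suspicious messages per tag, and reports which sign-up the address most likely leaked from. The domain `yourdomain.com` and the sample messages are constructed for the example.

```python
from collections import Counter
from email.utils import getaddresses, parseaddr

# Assumption: you own this domain and every tagged address lives under it.
OWN_DOMAIN = "yourdomain.com"


def extract_tag(address):
    """Return the site tag of a tagged address at OWN_DOMAIN, or None.

    Two conventions are recognised:
      dotted suffix:   kenneth.facebook@yourdomain.com -> "facebook"
      plus addressing: kenneth+facebook@yourdomain.com -> "facebook"
    A bare mailbox (kenneth@yourdomain.com) or a foreign domain yields None,
    so untagged mail is never mis-attributed to a service.
    """
    _, addr = parseaddr(address)  # strips "Display Name <...>" wrapping
    addr = addr.strip().lower()
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    if domain != OWN_DOMAIN:
        return None
    if "+" in local:
        return local.split("+", 1)[1] or None
    if "." in local:
        # rsplit keeps "first.last" intact and takes only the trailing tag
        return local.rsplit(".", 1)[1] or None
    return None


def attribute_leaks(messages):
    """messages: iterable of (from_header, to_header, subject) tuples for
    mail you have already judged to be spam or phishing.
    Returns a Counter mapping site tag -> number of such messages."""
    counts = Counter()
    for _, to_hdr, _ in messages:
        # A To: header may carry several recipients; check each one.
        for _, rcpt in getaddresses([to_hdr]):
            tag = extract_tag(rcpt)
            if tag:
                counts[tag] += 1
    return counts


def likely_source(messages):
    """Tag that received the most junk, or None if nothing was tagged."""
    counts = attribute_leaks(messages)
    return counts.most_common(1)[0][0] if counts else None


# Constructed sample: headers of four messages the owner flagged as junk.
SAMPLE_MESSAGES = [
    ("billing@invoices.example.net", "kenneth.shopsite@yourdomain.com", "Outstanding invoice"),
    ("noreply@collections.example.net",
     "Kenneth <kenneth.shopsite@yourdomain.com>, someone@example.org", "Final notice"),
    ("promo@lists.example.net", "kenneth+newsletter@yourdomain.com", "Your account"),
    ("friend@example.org", "kenneth@yourdomain.com", "hello"),
]

if __name__ == "__main__":
    for tag, n in attribute_leaks(SAMPLE_MESSAGES).most_common():
        print(f"{tag}: {n} message(s)")
    print("most likely leak source:", likely_source(SAMPLE_MESSAGES))
```

Run over a mailbox export rather than the inline sample, this gives a per-service count; a single tag dominating the list is the sign-up whose data was shared or stolen, while a spread across many tags points at a leak on your own side (an address book, a compromised client) rather than at any one service.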
Any truly important, official communication from a government agency, or from any company demanding payment of any sort, is going to send it in a printed letter, not an email.
The average user does not know that. Perhaps they just don't care, or they're too ignorant to know better. Unfortunately, that "fact of life" is exactly why phishing emails work.
My wife is a perfect example. She is intelligent, but not technically savvy. She once asked me if she should click/touch something on her Android phone. It was an advertisement, disguised to look like a "you've got mail" alert. I told her to ignore it, since it's just an ad. "But it says I have mail, shouldn't I click on it?" No, honey, anything that appears in that area of the screen (in that particular app) is just an advertisement. Ignore it. "But it looks so real!"
We even had a successful phishing attack at work recently. The email said it came from the IT department, and that you needed to click on the link to validate your domain credentials. It didn't look like any of our official communications, and the "click here" link was a shortened URL. It was pretty obvious to me that it was a phishing attempt, but several users clicked on the link anyway, and keyed in their domain credentials into the web form. Thankfully, it didn't install a cryptovirus, or spread to the network.