An email pops up in your inbox, saying you have a date in court. And it uses your first name. Pretty alarming, no? Not to worry — courts don’t communicate that way. It’s a scam — a variant of one that apparently has spread from Australia and the UK. But the purpose isn’t to bilk you out of money — it’s to steal your identity and get you to click on malicious links.
Welcome to the new spam, a phenomenon that threatens consumers and companies alike. Such schemes have long existed, but they are now more insidious, thanks to improved technology and the boundless creativity of the perpetrators.
For example, the Internal Revenue Service warned this week that thousands of taxpayers’ W-2 records have been compromised.
“This particular scam, sometimes referred to as business email spoofing (BES), reportedly first appeared last year, said the IRS,” PYMNTS.com reports. “Cybercriminals send emails to employees in payroll and human resources (HR) using slightly modified email addresses to make it appear as if the emails are coming from an organization executive, said the IRS. The email requests a list of all employees and their W-2 forms.”
PYMNTS.com continues that the scam has “evolved beyond affecting just the corporate world and has spread to other sectors, including school districts, the health care sector, temp agencies and nonprofits, among others.”
It used to be that fraud artists rented an email sucker’s list: Many still do. But it’s expensive, and not as reliable as it once was. Anyway, why risk the liability to both sender and vendor? There are better ways.
Take the “snowshoe spamming” allegedly conducted by Michael A. Persaud. Persaud was indicted on federal charges this week, according to Krebs on Security.
“The Justice Department says Persaud sent well over a million spam emails to recipients in the United States and abroad,” Krebs on Security writes. “Prosecutors charge that Persaud often used false names to register the domains, and he created fraudulent “From:” address fields to conceal that he was the true sender of the emails. The government also accuses Persaud of “illegally transferring and selling millions of email addresses for the purpose of transmitting spam.”
It gets worse.ZDNet reported yesterday that spammers can spoof Gmail accounts, and that Gmail can’t stop them. Renato Marinho, a researcher from Brazilian security firm Morphus Labs, claims that Gmail “doesn't filter or indeed even warn users about dodgy messages from a spoofed @gmail.com address,” according to ZDNet. “That is, the email appears to have come from a Gmail account, but actually came from a non-Gmail server. It's not hard to imagine the fun that hackers and spammers could have with this behavior.”
The solution? Stronger cybersecurity at companies and institutions of all kinds — to protect customers, employees, and everyone.