In one of the most predictable phishing campaigns of the year, criminals last week started sending out emails purporting to be from BT warning of “cyber breaches on an international scale”.
In the pastiche English that is still the giveaway in most phishing emails, the message implores recipients to “confirm a security upgrade” because “deficiency to do so will result in limited access to your profile”.
We don’t know how many were sent but enough for the campaign to be noticed by Action Fraud, which thinks the attack was most likely hitching a ride on real emails sent out by service providers warning of the WannaCry worm-ransomware that started affecting Windows PCs on May 12.
If and when a full account of the WannaCry attack is ever written, it’s unlikely its author will devote much space to what is, after all, a routine JAPE (Just Another Phishing Email), one among numerous similar campaigns that wash into inboxes all the time.
And yet, in its small way, the sequence of events perfectly sums up how cybercrime events are often experienced from the public side.
Something alarming happens – the attacks on TalkTalk, the WannaCry worm, or any one of a scramble of other data breaches – and service providers feel obliged to send their customers warning emails because that’s what big companies do to look as if they’re in control of the situation.
Coincidentally, or perhaps by design, criminals jump on the back of this panic alert channel in the hope that email users will be more receptive to their phishing ruses than they might normally be.
Nobody really knows whether this sneaky tactic works, but the end result is that a second round of warnings is sent out warning about the fake warnings, and so the cycle of fake and counter communications barrels onwards in an online world where people are paying less and less attention.
The notion that large companies should send people emails unbidden is the last vestige of the days when people saw the medium as novel. That world is long gone. Email these days is more often the digital equivalent of flyers pushed through the letterbox that nobody wants to read.
It’s ironic that WannaCry should set off this ripple of emails at all given that the malware itself is not now thought to have been seeded through phishing.
The advice we’d give is simply never to click on links in emails that ask you to log in to anything. When logging into a service of any kind, visit the address directly. Using embedded links these days is simply too risky. This includes things like LinkedIn, which by default pesters people to accept invitations sent via email when we know that some of them are fraudulent.
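As an added illustration of the point above (example code written for this page, not part of the original post or any vendor tool): the script parses a constructed message modelled on the wording the article quotes and flags login-style links whose host is not the purported sender’s domain. The sender address, link hosts and recipient are placeholders on the reserved .example domain.

```python
# Added example: flag "log in here" links in an email whose host does not
# belong to the domain the email claims to come from. The message below is
# constructed; its text mirrors the phishing wording the article quotes and
# every domain is a placeholder (.example), not a real address.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LOGIN_WORDS = ("login", "log-in", "signin", "sign-in", "confirm", "verify", "account")

class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

def registered_domain(host):
    """Crude 'example.com' from 'mail.example.com' (assumes single-label TLDs)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(raw_message):
    """Return (sender_domain, links) where a link is off the sender's domain
    and its URL looks like a login or confirmation page (relative links count
    as off-domain because their host is unknown)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = registered_domain(msg["From"].addresses[0].domain if msg["From"] else "")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    flagged = []
    for link in collector.links:
        host = urlparse(link).hostname or ""
        off_domain = registered_domain(host) != sender_domain
        looks_like_login = any(w in link.lower() for w in LOGIN_WORDS)
        if off_domain and looks_like_login:
            flagged.append(link)
    return sender_domain, flagged

SAMPLE = """From: BT Security <alerts@bt.example>
To: customer@mail.example
Subject: Cyber breaches on an international scale
Content-Type: text/html; charset=utf-8

<html><body><p>Please <a href="https://bt-security-upgrade.example/confirm">confirm a
security upgrade</a>. Deficiency to do so will result in limited access to your profile.</p>
<p><a href="https://www.bt.example/help">Help pages</a></p></body></html>
"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))  # ('bt.example', ['https://bt-security-upgrade.example/confirm'])
```

The help link survives because it sits on the sender’s own domain; the “confirm” link is flagged, which is exactly the link a reader should type the address for rather than click.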
Somewhere out there must be a population of compulsive clickers, or nobody would ever get caught out and the phishing tricksters wouldn’t bother trying to reach them. The rest of us can choose to opt out of this pastime.