Peter Pelland

Editor’s Note: Peter Pelland is the CEO of Pelland Advertising, a company that he founded in 1980 that has been serving the family camping industry for nearly 40 years. His company specializes in building fully responsive websites, along with producing a full range of four-color process print advertising, for clients from coast to coast. Learn more about Pelland Advertising at www.pelland.com.

A combination of recent events suggested that it is time to revisit the issues of Internet security and phishing scams. If you are somehow unfamiliar with the term, a phishing scam usually involves a spam email message that is cleverly designed to trick recipients into responding in one manner or another. That response might involve clicking on a link, replying to the email, or calling a phone number. Most email service providers will adequately filter out the lion’s share of these messages and relegate them to spam folders, but a few will inevitably reach their intended targets.

Looking in my spam folder a moment ago, I see a message that was sent to me twice within the last two hours. The subject line of the message reads “Hurry Up!! Sam’s Club Surprises Inside” and the message reads “Congratulations! You now have the option of our new Sam’s Club! Participate now and maybe you and many others will get a selection of our latest patterns.” followed by a highly encrypted 95-character URL. Clicking on that link will undoubtedly get you “and many others” something, and it is probably not “our latest patterns”, whatever those might be. The links will almost certainly either install malware on your computer, provide a bogus payment link for the alleged membership upgrade, or both. Not being a member of Sam’s Club or any other wholesale buying club, I immediately recognize these messages as phishing scams. What the senders are hoping is that their messages will randomly reach some of the more gullible people from among the hundreds of thousands of Sam’s Club members throughout the United States. When you send out hundreds of thousands of spam emails, a response rate of as little as 1/10 of 1% can generate a fortune in untraceable income.

In the case of these two emails, telltale signs are everywhere. First of all, the links do not point to Sam’s Club, the sending addresses (which are easily spoofed) are totally random (one being 1972987juan@gmail.com), and the messages just do not look quite right. Most such phishing attempts are somewhat obvious, with spelling, grammatical and punctuation errors that are comparable to what would result if you or I attempted to compose a convincing email message in Ukrainian. Checking the actual sending addresses and hovering over (never clicking!) any link URLs will immediately uncover most of the disguises. One thing that every such scam has in common is that the senders want your money or your credit card number. Usually these are one-step processes where the goal is to trick you into making an immediate payment (usually employing a sense of urgency) before you realize you have been taken. In other instances, a two-step process is employed, where the sender attempts to gain your confidence before providing you the same sort of payment link.
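The two checks just described (the actual sending address and the real target behind each link) can also be run by a mail filter. The following Python sketch is an added example, not part of the original article; the brand-to-domain map, the display name and the link host in the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a hand-maintained map of brand names to domains they really use.
BRAND_DOMAINS = {"sam's club": {"samsclub.com"}}

# Constructed sample modelled on the message above (display name, link host invented).
SAMPLE = """From: "Sam's Club" <1972987juan@gmail.com>
Subject: Hurry Up!! Sam's Club Surprises Inside
Content-Type: text/html

<p>Congratulations! You now have the option of our new Sam's Club!</p>
<a href="http://redirect.example.net/x9Qz">Participate now</a>
"""

class LinkCollector(HTMLParser):
    """Collects the real host behind every <a href>: what hovering reveals."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        host = urlparse(href).hostname if tag == "a" and href else None
        if host:
            self.hosts.append(host.lower())

def on_domain(host, domains):
    # Exact match or a true subdomain; "samsclub.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_signs(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    addr = parseaddr(msg.get("From", ""))[1]
    sender_host = addr.rpartition("@")[2].lower()
    links = LinkCollector()
    links.feed(body)
    findings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # message does not claim to come from this brand
        if not on_domain(sender_host, domains):
            findings.append(f"sender {addr} is not on a {brand} domain")
        findings += [f"link goes to {h}, not {brand}"
                     for h in links.hosts if not on_domain(h, domains)]
    return findings
```

Calling `phishing_signs(SAMPLE)` returns one finding for the Gmail sender and one for the link host. Because sending addresses are easily spoofed, an empty result does not prove a message is genuine; a non-empty one is a reason to treat it as suspect.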

Turning money over to an anonymous criminal is bad enough, but the worst phishing scams involve ransomware payloads that can take down an entire computer network thanks to one employee clicking on a link. In recent weeks, at the height of the COVID-19 pandemic, ransomware attacks have taken down hospital systems and entire school systems that are relying upon remote learning (one of the most recent targets being Baltimore County in Maryland). These criminals will typically demand hundreds of thousands of dollars to unlock a compromised network.

People like to believe that they can trust their fellow human beings, making us highly vulnerable to this type of activity. At a time when these scams are getting more and more sophisticated and legitimate in appearance, many of these scams specifically prey upon our basic desire to try to do good and help those in need. One of my clients is the state branch of a national fraternal organization with a strong emphasis on community service and charitable outreach. The president of the organization recently forwarded me an email message that had been widely circulating among its membership, with the appearance of having been generated from within the organization itself.

This message picked up the organization’s logo (readily available online), spoofed a non-existent email address based upon the actual domain name, then spoofed a bogus GoFundMe campaign, and emailed leading members of the organization (easily harvested online). The campaign showed a photo of a young boy on hospital life support and made up a bogus story about how the 4-year-old boy had been diagnosed with a rare and serious disease, and how he had been transferred to a children’s hospital in Oregon, where he urgently needed to undergo a bone marrow transplant that would save his life. It went on to say how the alleged parents had little to no health insurance, that the procedure was going to cost $52,000 and that they have so far raised $21,000. It concluded with the appeal, “We are knocking on your generous heart to support us financially in this journey, no amount is too small, and any amount given will truly make a huge impact.” This was followed by a “Make a Donation” link that did not go to GoFundMe but to a PayPal account.

I performed a Google Image Search for the photo of the boy on life support and learned that he was an actual boy who had been injured in a fall on a school playground in Butte, Mont., back in January. The photo had been picked up from a news story published by the Sinclair Broadcasting outlet in Missoula. The stolen photo, the fictitious story, and the sense of urgency were all carefully designed to tug at the heartstrings. When I clicked on the PayPal link, I noticed that it was not converting U.S. dollars into a foreign currency, suggesting that the perpetrators of this criminal activity might very well be based in the United States. I recommended that my client contact the nearest FBI field office, hoping that the criminals could be brought to justice thanks to their careless use of a traceable PayPal account rather than the more usual use of cryptocurrency. By implying that $21,000 had already been donated, they tried to appear legitimate, and they knew that well-intentioned people would be less likely to be made suspicious by a PayPal link as opposed to a request for Bitcoin or similar payment.

Kind-hearted people could unwittingly turn thousands of dollars over to thieves like this. There is no question that there is probably a greater number of legitimate needs today than there has been in decades; however, be sure to exercise an extra degree of caution before generously opening your wallet and having it burst into flames.