How I Almost Fell for a Phishing Scam
- Apr 6, 2022
A couple of months ago, I almost fell for a smart phishing scam. I am sharing this experience to warn you about the increasingly sophisticated phishing attacks and give some tips on how to identify and handle them.

A "government grant"
It began with a Facebook message from my realtor, Joanne (I am using a fictitious name to ensure her anonymity). Joanne had recently helped me and my wife buy a house. We became good friends and stayed in touch on Facebook.
That evening, Joanne sent me a casual "Hi, how are you doing?" message and, after a brief chit-chat, she told me I was eligible to apply for a $20,000 "government grant for first-time homeowners".

Who would say no to free money, right?
"It made no sense"
All I had to do was fill out a short form.
The link Joanne sent was a shortened URL. That's where suspicion hit me. Why would a link to a form on a Canadian government website be shortened? Also, why would Joanne send me a link to an important form via Facebook? It made no sense.

Knowing that shortened URL links were often used for malicious purposes, I decided to check later whether it was safe to click.
In the meantime, I asked Joanne to tell me more about the grant. She responded by saying that the first-time homeowner support program was a "joint initiative" involving the government of Canada, UNICEF and the International Monetary Fund (IMF).
That's when I knew that this was a scam. I had worked for UNICEF in the past, and I had a very good idea of what the IMF was about. I knew that neither of these organizations had any business supporting homeowners in Canada.

Imposter account
But why were these messages coming from Joanne? Was her Facebook account hacked?
I looked closer at Joanne's messages. After some digging, I realized that they had been sent from a recently created Instagram account that featured Joanne's name and the profile photo that she used on Facebook. The account had no posts and no followers. But because Facebook had merged Messenger and Instagram chats into a single messaging platform, messages from this Instagram account looked no different from messages that the real Joanne sent via Facebook.
Whoever was behind the scam knew very well what they were doing. They created an Instagram account, using Joanne's name and real photo. Then, they began contacting all of Joanne's Facebook contacts, assuming correctly that many of them had recently purchased houses.

I got in touch with Joanne, who then emailed all her contacts and posted a message on Facebook, warning her followers about the scam. She also reported the imposter account, and Instagram eventually removed it. Unfortunately, at least a dozen people had filled in the phishing form by then. Among the details they provided were their real names, addresses, phone numbers and email addresses, as well as social insurance numbers.
Don't fall for phishing
Phishing is here to stay, and people behind phishing attacks will continue designing increasingly sophisticated tools to steal money and personal data. You can increase your chances of not falling for one of these scams if you follow these three tips.
Slow down to think. Phishing scams are often designed to create a false sense of urgency. They tell you it is your "last chance" to act before you miss out on a great opportunity, lose your job, or face "legal consequences". Every "urgent" message you receive should raise alarm bells and make you think twice before acting on it.

Remain skeptical. It is simple, really: when something is too good to be true, it probably is. Phishing scams commonly manipulate our emotions, particularly greed. Remember that it is highly unlikely that you would ever get a free iPhone, win an online lottery, or get a large government grant (particularly if you didn't apply for it).
Beware of attachments and shortened links. Many phishing attacks involve attachments that look like legitimate documents. When opened, these attachments infect the devices you are using with malware designed to steal your personal information, including banking details. Shortened URLs often lead to infected web pages that install malware on your devices. Don't ever open attachments or click on links received from people or organizations that you do not fully trust.
These are only the most important tips. For more information on how to protect yourself from phishing, check out this resource.


