Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

I like to show my work, and went pretty far down the rabbit hole with this one:

https://krebsonsecurity.com/2023/10/phishers-spoof-usps-12-other-natl-postal-services/

@briankrebs

I see probably five or six of these a week

Which is why I do *not* do email on my phone

Thunderbird, desktop only

That way I can inspect every URL with a mouse hover and not have to touch anything

Not to mention being able to look at Full Headers, which I hardly ever bother with, because this cr*p is so ludicrously obvious

@FinchHaven @briankrebs Those that miss ludicrously obvious are the targets. You and I are not their targets. It's the elders or the weak minded they want to exploit.

@opalmirror @FinchHaven @briankrebs I think that's unfair to many victims. There are a lot of folks out there who would spot these things under normal circumstances, but put them on a phone and add in some distraction / being in a rush and you'll get many more hits.

@dave_andersen

[me ignoring that comment about "elders" by not pointing out that I'm 76 years old]

oops...

cc @opalmirror @briankrebs

@FinchHaven @dave_andersen @briankrebs You both seem to miss my point, which is scams are usually made to be obviously flawed so that savvy folks will see it as flawed and won't waste the scammer's time. I do not mean to make anything less fair for victims, they need all the help we can offer. I will work harder to change the class terms I use... senile would be more accurate than elder, my apologies. Scams are despicable and criminal, preying on the more easily manipulated.

@opalmirror @FinchHaven @dave_andersen I realize there is research to support your point (and have read it), but IMHO acceptance of that as a proper and good explanation seems like even more throwing up your hands and blaming the user.

The truth is a lot of companies are training users to respond to these types of messages. And basic knowledge about how to navigate the interwebs on a phone is hardly a given, and yet we so often assume it is and then blame the user.

@briankrebs @FinchHaven @dave_andersen I concur with you that the exploited are not to blame here and we need to give users ever better and easy to use tools to try and impair the scammer's success rate. My text message app recently started categorizing some texts as suspected spam and added a spam reporting and blocking action along with hinting on how to use that. I'm certainly grateful for it. We definitely need more of this.

@opalmirror @briankrebs @FinchHaven There are scams and there are scams.

Someone calling you about your car warranty _is_ always looking for easy prey. It's a comparatively high cost approach.

Someone blasting out 10M phishing emails to catch your credit card _isn't_ trying to filter out the clueful. They're trying to make the phishing content as realistic as possible to maximize the number of people who'll enter a credit card, however briefly.

@dave_andersen @briankrebs I'm more of a user advocate on this issue... I'd like both the annoyance and the criminals to both be plonked in a 'better ignored' bin and not greatly interested in accurately determining which is a spam and which is a phish. It's all abuse.

@briankrebs @FinchHaven @dave_andersen I want my big brother (much less tech savvy than me) to have as much support to resist scams as he can get, to make the scams transparent and tag likely spam. Longer URL viewing windows might help. Autoclassification as spam definitely helps. It's not his fault he is not a techie. He deserves the same access to Internet as anyone else. The same is true of my sharp (1970s techie) nonagenarian step mom and my brother-in-law in cognitive decline.

@opalmirror

Tapping out of this convo right here

Y'all go on and quibble about whether spam is a scam or is spam and who is a techie or not on someone else's time

Bye...

cc @dave_andersen

Sorry for our misunderstanding - which I tried to clear up, and apologize for my poor initial choice of words. I respect you and listened, and tried my best to set things right. Peace. Out.