A true story about impersonation and smishing threats

Post hero image

Table of contents

Here is an example of how a small coincidence can lead to a big mistake. The following names have been changed for privacy reasons. John Doe is our attacker, and Victor Victim is playing – you guessed it – the victim.

The email ended up in spam and created a sense of urgency

John Doe (customer success manager) and Victor Victim (senior accountant) both work for the same company.The attack begins with an email that John sent from ‘John’s iPhone.’ This is an important detail because it can make the recipient ignore that the email was sent from a personal Gmail account instead of the company’s own email environment, also excusing minor spelling and formatting errors.

impersonation and smishing example 1

The attacker even included the real John Doe’s signature (not shown in the picture) with details like a link to his LinkedIn. However, despite all of these elements, the email has landed in Victor’s spam folder.Three weeks later, Victor noticed the email in his spam folder. Noticing the email late, Victor hastily replied to John without thinking it through rationally. The coincidence of the email landing in the spam folder had actually worked out great for John since it naturally created a great sense of urgency, a feeling that suppresses rational thinking and, therefore, a feeling attackers commonly try to exploit.

impersonation and smishing example 2

Later that day, John replied.

impersonation and smishing example 3

The attack continued as smishing

Victor sent John his cellphone number, and they continued the conversation by text messages. John began the conversation by confirming that the number is indeed Victor’s. Victor confirmed that it is him and apologized again for missing the email for so long.John then explained the task to Victor. He claimed that he is going to a conference and he will do some guerilla promotion. He needed Victor to go to the closest store and buy $1000 worth of Steam gift cards, but iTunes and eBay gift cards would also be acceptable. He told Victor to keep the receipt for reimbursement. John gave Victor instructions to peel off the silver linings that hide the gift card codes and then send pictures of them to John.This was the point where Victor finally noticed that everything didn’t add up and dropped the conversation. A close call!

Giftcards are a typical currency in scams

Gift cards are often used as currency in scams. They are easy to get and share and leave little to no traces. Once the attacker gets the codes, he would have immediately redeemed them and converted them into something else that’s valuable. In our case, Victor would have been left only with a hefty receipt reminding him of his mistake. Luckily, he realized in time that something wasn’t right!

Hoxhunt empowers your employees to shield your organization from threats. Our phishing training is trusted by the world’s leading cybersecurity professionals - maximizing training outcomes by serving every user a personalized learning path that measurably changes behavior.

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this