publishing date icon
February 12, 2021
read time icon
5 min. read

A true story about impersonation and smishing threats

Author image
Jon Gellin
Junior Threat Analyst
Post hero image

Table of contents

share this post

Here is an example of how a small coincidence can lead to a big mistake. The following names have been changed for privacy reasons. John Doe is our attacker, and Victor Victim is playing – you guessed it – the victim.

The email ended up in spam and created a sense of urgency

John Doe (customer success manager) and Victor Victim (senior accountant) both work for the same company.The attack begins with an email that John sent from ‘John’s iPhone.’ This is an important detail because it can make the recipient ignore that the email was sent from a personal Gmail account instead of the company’s own email environment, also excusing minor spelling and formatting errors.

impersonation and smishing example 1

The attacker even included the real John Doe’s signature (not shown in the picture) with details like a link to his LinkedIn. However, despite all of these elements, the email has landed in Victor’s spam folder.Three weeks later, Victor noticed the email in his spam folder. Noticing the email late, Victor hastily replied to John without thinking it through rationally. The coincidence of the email landing in the spam folder had actually worked out great for John since it naturally created a great sense of urgency, a feeling that suppresses rational thinking and, therefore, a feeling attackers commonly try to exploit.

impersonation and smishing example 2

Later that day, John replied.

impersonation and smishing example 3

The attack continued as smishing

Victor sent John his cellphone number, and they continued the conversation by text messages. John began the conversation by confirming that the number is indeed Victor’s. Victor confirmed that it is him and apologized again for missing the email for so long.John then explained the task to Victor. He claimed that he is going to a conference and he will do some guerilla promotion. He needed Victor to go to the closest store and buy $1000 worth of Steam gift cards, but iTunes and eBay gift cards would also be acceptable. He told Victor to keep the receipt for reimbursement. John gave Victor instructions to peel off the silver linings that hide the gift card codes and then send pictures of them to John.This was the point where Victor finally noticed that everything didn’t add up and dropped the conversation. A close call!

Giftcards are a typical currency in scams

Gift cards are often used as currency in scams. They are easy to get and share and leave little to no traces. Once the attacker gets the codes, he would have immediately redeemed them and converted them into something else that’s valuable. In our case, Victor would have been left only with a hefty receipt reminding him of his mistake. Luckily, he realized in time that something wasn’t right!

Subscribe to Threat Feed

Subscribe to Hoxhunt's Threat Feed to get the latest phishing threats delivered to your inbox, every Friday.

Form CTA

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.