A phishing email made it through Gmail's spam filter, and it's the first I can remember receiving that felt targeted to my generation's anxieties, so I thought I'd take a minute to point out details that started throwing red flags before I even got to the second-half giveaway.
🧵
I'm starting here because it's perhaps the least obvious and the least talked about: urgency. Whether it's a looming threat or a closing window of opportunity, scammers nearly always infuse their messages with urgency.
(Hoo boy this character limit sucks.)
They want you to panic, because panic reduces your capacity for rational thought and critical analysis.
This particular email is compelling because communication about loan forgiveness has been so poor.
I see headlines from time to time, but I'm never really sure if I qualify for it, if it got shot down by Congress, or how I'm going to be informed about it if I AM eligible. An area with little understanding is ripe for injecting panic. Like targeting boomers with crypto scams.
If ever an email is urging you to ACT NOW!!!, that should be your signal to look for other signs of illegitimacy. (This particular example is *rife* with evidence, but that's not a guarantee for every phishing attempt.)
Wrong last name. (You're going to have to just trust me on this one.) No one who has anything to do with my student loans would have the wrong last name.
Also: name as subject line. Official correspondence would have a descriptive title, not just my name.
A bank, loan servicer, government office, or other legitimate institution would not identify itself simply as "the Student-Loan Debt Department."
No line break in the intro, leading to incorrect capitalization. Any official communication would not have this error.
The second half, about opting in to some ad service, is a dead giveaway for me. But it's not THAT much of a stretch for someone to think "The student loan department must be using a marketing firm to distribute notices. That makes enough sense." So it's not a TOTAL dealbreaker.
Also, that unsubscribe link might be a Plan B, hoping to snare people by offering a means to avoid further scam attempts, but which actually points them to a site that will inject malware of some sort. I don't have the skills to sandbox it and investigate that idea, though.
They also omit the slash between the domain and the rest of the URL and make it all plaintext rather than a hyperlink.
Phishing emails targeting corporations often include a link that will take you somewhere that tries to gain access to your network. By omitting the slash and formatting the address as plain text, the email is more likely to slip past spam filters trained to look for such things.
And finally, the most obvious one and the one that everyone knows to look for once the alarm bells are ringing: official correspondence regarding your student debt would NEVER come from a Hotmail account.
As an added bonus, I decided to google that PO Box and the results were full of people reporting this same email as a scam. Here's Brown University's notice on it: it.brown.edu/phish-bowl-ale…
Given this breakdown, it might seem like there were so many signs that how could anyone ever fall for this? But I, even as someone who puts a lot of attention into malicious exploitation of cognitive biases, didn't think too hard about it until the urgent "only one more day" bit.
Was I gonna fall for it? No. I always check the sender of anything money related before I take any action based on the content. But it got further than most phishing attempts, so I thought it was worth talking about.
If you noticed something I missed, please feel invited to point it out.
Be safe out there.
Fascinating thing discovered while copy-pasting for alt-text:
See all the spellcheck marks on parts of words? Surrounding those marks are places where I can press the left and right arrow keys and get no movement from the cursor.
Which means that text is RIDDLED with characters of no width. It's invisible to the human eye, but a computer sees a bunch of separated chunks of letters rather than words it can recognize. It's absolutely a trick to get through spam filters, and one that I had no idea about.
Let's see how this thing does with what is essentially an image gallery...
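The zero-width character trick described above can be checked for mechanically. The following Python sketch is an added example, not part of the original thread: it counts invisible code points in a message body and shows how a keyword match that fails on the raw text succeeds once they are stripped. The function names, the sample text, the keyword list and the 1% threshold are all assumptions made for illustration.

```python
import unicodedata

# Unicode category "Cf" (format) covers zero-width space/joiners, word joiner,
# BOM and soft hyphen. U+034F (combining grapheme joiner) is category Mn,
# so it is listed explicitly.
EXTRA_INVISIBLE = {"\u034f"}

def is_invisible(ch):
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE

def strip_invisible(text):
    """Remove invisible code points so matching sees whole words again."""
    return "".join(ch for ch in text if not is_invisible(ch))

def invisible_report(text):
    """Return (count, ratio, sorted names) of invisible characters in text."""
    hits = [ch for ch in text if is_invisible(ch)]
    names = sorted({unicodedata.name(ch, f"U+{ord(ch):04X}") for ch in hits})
    ratio = len(hits) / len(text) if text else 0.0
    return len(hits), ratio, names

def keyword_hits(text, keywords):
    lowered = text.lower()
    return [k for k in keywords if k in lowered]

def analyze(text, keywords, max_ratio=0.01):
    # Some "Cf" characters are legitimate (emoji joiners, bidi marks), so the
    # signal is density rather than mere presence; max_ratio is an assumed cutoff.
    count, ratio, names = invisible_report(text)
    return {
        "invisible_count": count,
        "invisible_names": names,
        "suspicious": ratio > max_ratio,
        "raw_hits": keyword_hits(text, keywords),
        "clean_hits": keyword_hits(strip_invisible(text), keywords),
    }

# Constructed sample: an ordinary sentence with invisible characters inside words.
SAMPLE = ("Your stu\u200bdent lo\u200can for\u200dgive\u2060ness "
          "window clo\ufeffses in one day.")
KEYWORDS = ["student loan", "forgiveness"]  # assumed filter terms

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, KEYWORDS).items():
        print(f"{key}: {value}")
```

A large gap between `raw_hits` and `clean_hits`, together with a high invisible-character density, is the pattern to flag.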