How to go phishing
Friday, October 27, 2006
Phishers aren’t stupid; they’ve got a pretty good thing going for them: free money. I think we’re all familiar with how phishing works. Someone sends out hundreds of thousands, if not millions, of emails to people, posing as a bank, eBay, PayPal, the King of Zimbabwe, etc.
Even if .0001% of the people who get these emails fall for them, that’s a pretty huge return. It doesn’t cost much to send an email, right? But, as I mentioned, the emails are pretty much a shot in the dark: a random email to a random person from a seemingly trustworthy but often unfamiliar source. Most of us know we don’t have an account with Bank of America, right? I obviously won’t even open those emails. So, how do you increase the odds of people opening their emails?
Phish a friend
What if we made a script that scrapes people’s social networking sites and learns about them? Kevin over at WIRED made a script that finds sexual predators on MySpace. Couldn’t we make one that gathered everyone’s top friends and then sent an email posing as them? I’d certainly open an email addressed from someone in my ‘top 8’. Wouldn’t you? Think about something as simple as the following:
hey man sorry i havent emailed u in a while. anyway i want to buy this stuff on amazon but it sux because it doesnt take my cc. could you send me your number and ill hit you back later?? you no im good for it. anyway holla at ya later.
Obviously a lot of damage could be done if someone grabbed their card and hit reply. I’d certainly think about helping a friend like that. Maybe not via email, but some people (obviously) don’t know better.
What if someone is listed with a college education and a high income? You could use a different approach, like:
Hey Jon, I was looking to get a present for my Mom but since I’m switching banks my card doesn’t work. Would you mind lending me your information? It’s only $24.99 + shipping and I can just write you a check. Would you mind? I’d really appreciate it, man. Take it easy, Mark.
Those are some emails that I imagine people would stop and think about. “Hey, it’s from Mark, of course I trust him.” Trust is powerful. Make a program that can manipulate it, and I think your odds of successfully scamming people will greatly increase.
Besides, think of how popular you’d become. CNN would label you something clever like the ‘MySpace Scammer’. You’d be uber popular!
Anyway, whoever decides to do this, let me know and we can split the earnings up accordingly.
Update: Seth Godin writes about people who attempt this kind of manipulation and the power of trust, as well.