Scamicry: Are you deliberately putting your customers at risk?

As Troy Hunt writes this week in Thanks FedEx, This is Why we Keep Getting Phished maybe the company you are dealing with is grossly incompetent at security?

Imagine that you receive a notification that:

• comes from an unknown, withheld number
• comes from a no-reply email address from some weird origin that does not match the company domain
• is written in poor English with grammar and spelling mistakes
• contains dodgy looking links and incoherent urges to click them
• has out of date branding or poor quality images
• contains nonsensical reference numbers

But here's the twist… It's actually from them!!

Adam Shostak has a name for this. He calls it "scamicry": legit communications that mimic scams. Like if a company calls you and asks for your security details, but offers you no way to verify who they are first. Here, you can read Adam's notes from BlackHat 2018.

If you follow NCSC best practice to avoid phishing you'll immediately attempt to establish a communication with the company via a known legitimate link, initiated by yourself. You could visit their website or call them. Well good luck with that!!

As you know, it's impossible to speak to a human. You'll encounter layer upon layer of automated deflection, so-called customer service using AI voices and chat bots. You'll encounter "contact us" forms with broken HTML, dangerous JavaScript, more tracking code and cookie popups than you can shake a stick at.

You'll have to navigate endless greedy and unnecessary data gathering, jump over CAPTCHA puzzles and "security questions" and still the form will fail to send your message. If you're lucky that any human ever reads it, you may get a "timely response" in a few weeks or months.

Their dreadfully designed website will send you around in circles for hours, eventually asking you "Why not use our app?"…

Hmm, maybe because I'm not stupid enough to install another backdoor infested data harvesting tool on my already compromised smartphone from a company that appears to be ignorant about security?

If you were only in a state of high-anxiety about being scammed then certainly, after hours of dealing with inhuman gate-keeping and infuriating hold music, your mental health will now be in shreds. Better just to click the scam link under intolerable pressure.

So why is the standard anti-phishing advice that you'll read on the NCSC website or get from standard corporate training seminars about as much use as a chocolate teapot in the Sahara desert?

Here's why, and you won't find many people telling you this fact of modern life:

Because profit and security are in tension.

• It costs money to provide security for customers. Lots of money.
• Your security is an externality.
• It's cheaper for companies to pay fines and compensate customers than to fix things.

Sorry for the spoiler, but as you probably guessed, the punchline of Troy Hunt's article is that the insanely dodgy communication he reported as a phishing scam was actually genuine!! It had come from FedEx.

The pattern for these scamimic security blunders is typical.

Your bank or some other service sends a suspicious messages through a wild and weird channel, usually a third party outsourced service, insisting that something is;

"Urgent. Immediately answer this form with your personal details or we will lock/close your account".

To any normal person who has the least security awareness this seems scammy, and is rightly ignored. But then a few weeks later a physical letter arrives explaining how "Your account has been closed". If you're lucky you'll be inconvenienced by hours of phone calls or travel. If you're unlucky you'll lose thousands of pounds.

Something similar recently happened to me. While attempting to set up an account I was thrown by a random email from a so-called "identity confirmation service" with a name that oozes all the legitimacy of a Chinese chicken delivery service. Its obdurate tone was dressed in fluffy, almost infantile corporate down-talk, vague insinuations and insistence that I immediately start uploading my personal documents to their "secure" website (I'll be the judge of that, thank you), and a presumptuous air that I should know who they were.

Everything about it yelled phishing scam! After deleting three such messages, I contacted the alleged company, and surprisingly verified that they really did want a verification. So I arranged an in-person meeting. Apparently it's all about KYC (Know Your Client). KFC more like. Kentucky-Fried Cybersecurity.

And it happened to our own Helen Plews. As you can hear in this Cybershow segment (time:42:20), she received a very dodgy SMS from a private number with all the hallmarks of a phishing scam. Following best practice, she called a listed organisational number, and was soundly punished for attempting to report a security problem.

Like the NHS, healthcare companies in the US send scammy looking links for payment processing, things like my-healthcare-billing.net.

Punishing the customer for being vigilant about security seems ever more common. One correspondent explained how their bank website had a section about security. They helpfully showed the fingerprint of the TLS key (website security key that should give you a "green padlock"). Their own instructions clearly said: "If this key doesn't match, then please do call the bank." The keys didn't match. The customer dutifully called the bank… and promptly got their bank account locked. Resolution arrived after an expensive and time consuming visit to the branch. The fault was with the bank whose online website was outdated.

Another commenter got an email from the IT centre of her workplace, coming from a domain completely unlike the official company domain. Subject: "URGENT: your account is expiring", and containing multiple weird looking links in the email body, each an illegible multiple line scrawl of hexadecimal numbers. Exactly the kind of thing that immediately gets all the hairs on your neck jumping, and spreading down your spine like an Internet dance craze. I've had dozens of these and they all go straight to /dev/null (in the wastebasket). Turns out it was "real".

These come from the same 100k+ employee companies that send out punitive "phish-test" emails where anyone who clicks on the URL is destined for the "remedial training" naughty step.

You're screwed if you click, and you're screwed if you don't.

In another case a customer got sent "a badly-scanned letterhead" that was "very, very fishy." Could this be legit? Apparently so. The query was escalated up the security chain. Nobody in the company could "understand why it was bad."

Truth is, the security staff of most companies, right up to CISO level, are confused and conflicted. Their thinking is that - it's okay if we say it is, since we set the security policy. In a way that's true. Looming regulation aside, they're free to set their standards as low as they like.

More importantly the reciprocal is true. As a customer the one and only inviolable standard of whether your security is good enough is whether I feel it is. You have to convince me. Because it's not your security. It's mine.

Back to practicalities, why do companies not just use their main domain for URLs? Aside from the fact that some browser makers unilaterally decided it would be more secure to hide URLs from 'stupid' users (ignorance is strength), if customers can see a recognisable domain that clears up most of the confusion.

Part of the problem is that companies like Google and Microsoft, with whom millions of people sadly still have email accounts, punish companies for sending "bulk mail". If companies use their main domain, their normal corporate email may get blocked by anti-spam filters. Instead they use a different, unrelated domain for bulk mails. Some of the better known companies like Mailchimp specialise in sending bulk mail and have "arrangements" with BigTech providers who now act as the gatekeepers of email. But even giant banks, in a bid to save a few pennies, will shop around and use some insanely dodgy third party providers.

The sad thing, as it relates to global economics, is that the profile of cheap outsourced messaging companies is similar to those who actually run scams. Indeed they may be the same companies. The work is done by low paid, factory-hen "IT" workers in developing countries. They hate their jobs and do the least work possible. But how else can we have sky-high salaries and massive bonuses for bank executives?

All of this is unnecessary because in fact most of these security messages are not "bulk email" at all. They are legitimate personal messages specific to a situation and sent to a single recipient. The charitable interpretation is that because they are templated, BigTech spam filters pick them up. Obviously trillion dollar US companies don't have the resources to tell the difference. A less charitable take is that giant tech monopolies are just squeezing everyone for cash. Remember, your security and their profit are always in conflict.

Regardless, scammers can spoof addresses and send messages through the company, making them look legitimate. AI tools can now clone websites of any company, perfectly and in moments.

Why can't a recipient have certainty about the identity of who sent a message? Can't all this be fixed with technology? Surely there's some kind of cryptographic authentication system for text messages and emails and proper use of caller-ID for phone calls?

Indeed, we solved all of this in the 1980s. The truth is that most companies lack the expertise to use cryptographic signatures, or become enmeshed in proprietary "partnerships", for example with companies like Adobe whose solutions cannot be universalised. Additionally, most customers are not clear about what is really secure. They rely on the security advice of companies that are dishonest because they have their own profit motives.

For example, almost everyone wants you to install their "app" these days. Don't do that. The world wide web (WWW) was developed as a universal standard for the connected world. It has everything needed for secure commerce. Apps are closed programs that install themselves into your smartphone operating system. They are notorious for data harvesting and for backdoors and other security risks that do not come from a normal web browser. And now you need to manage a separate application for every company you do business with? No thanks! Besides, "apps" assume you have a smartphone, something that security conscious people and those mindful of their mental health are increasingly moving away from.

Even with infrastructure for public key cryptography (PKI) and transport layer security (TLS) in 2024 nobody can be sure if a message from their bank, doctor or kids school is real. This is a disgrace.

The principal problem comes from the profit motives of companies who;

• use the cheapest solution in all cases
• eschew tried and trusted open source inter-operable systems
• deliberately isolate themselves from customers
• place the security onus on the customer
• do not allow customers to insist on their own minimum security standards and methods

But Troy Hunt puts it far better than I can:

What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers!