I feel like spammers and cyber criminals are getting better. Stuff is starting to get through Google's spam filter by mashing up with elements that seem very real and urgent. Like yesterday I got this spam in my Gmail primary inbox with a subject line like "RE: Department of Education Case #295720186".
It made me wonder if you could autogenerate filter-evading spam using GANs? Train a GAN to generate email that fools a spam filter, feed it your spam prompt, and the neural network camouflages your prompt in filter-evading cruft and misdirection.
Gmail's spam protection has been broken for ages. I keep getting obvious spam (pills, eggplant emojis, money-from-a-prince kind of stuff) directly in my inbox. At the same time, legitimate email is going to the spam folder.
I seem to have the opposite experience. I've been using the same email address, never hiding it at all even on Usenet, for 25 years. I get >600 spams/day and ~20 non-spam, and at most 1 or 2 spams get through Gmail's filter.
I want to move to Fastmail, but every time I try it out, their spam filter lets through 50-75/day, which is unworkable.
A simple Bayesian model seems to be the only thing which works for keeping out obvious fraud, and for more sophisticated fraud it's tough to do it automatically.
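The "simple Bayesian model" mentioned above, written out as an added example (not the commenter's code or Gmail's): a multinomial naive Bayes classifier with Laplace smoothing, trained on a small constructed corpus so it runs offline. The training messages, the 0.9 decision threshold and the tokenizer are all assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed training corpus for the example; these are not real messages.
TRAINING = [
    ("spam", "cheap pills online, order now and save"),
    ("spam", "you have inherited money from a prince, send your bank details"),
    ("spam", "win a free prize, click now to claim your reward"),
    ("spam", "order pills now, discount prize offer"),
    ("ham", "the meeting is moved to tuesday, see attached agenda"),
    ("ham", "can you review the pull request before the release"),
    ("ham", "lunch on friday? let me know what works"),
    ("ham", "agenda for tuesday release review attached"),
]

TOKEN = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case and split into word tokens; real filters also use headers."""
    return TOKEN.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with additive (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = Counter()
        self.vocab = set()

    def train(self, samples):
        for label, text in samples:
            self.doc_counts[label] += 1
            for tok in tokenize(text):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)

    def _log_likelihood(self, label, tokens):
        # log P(label) + sum of log P(token | label); smoothing guarantees an
        # unseen token never zeroes out a class.
        total = sum(self.word_counts[label].values())
        denom = total + self.alpha * len(self.vocab)
        logp = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            logp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        tokens = tokenize(text)
        ls = self._log_likelihood("spam", tokens)
        lh = self._log_likelihood("ham", tokens)
        # P(spam) = e^ls / (e^ls + e^lh), computed from the log-odds so that
        # long messages do not underflow to zero.
        return 1.0 / (1.0 + math.exp(lh - ls))

    def classify(self, text, threshold=0.9):
        # A high threshold prefers letting some spam through over sending
        # legitimate mail to the spam folder (the failure the thread complains about).
        return "spam" if self.spam_probability(text) >= threshold else "ham"

    def most_spammy_tokens(self, n=5):
        """Tokens with the highest smoothed spam/ham likelihood ratio, for inspection."""
        spam_denom = sum(self.word_counts["spam"].values()) + self.alpha * len(self.vocab)
        ham_denom = sum(self.word_counts["ham"].values()) + self.alpha * len(self.vocab)

        def ratio(tok):
            p_spam = (self.word_counts["spam"][tok] + self.alpha) / spam_denom
            p_ham = (self.word_counts["ham"][tok] + self.alpha) / ham_denom
            return p_spam / p_ham

        return sorted(self.vocab, key=ratio, reverse=True)[:n]


def trained_model():
    model = NaiveBayes()
    model.train(TRAINING)
    return model


if __name__ == "__main__":
    m = trained_model()
    for text in ("order cheap pills now", "agenda for the tuesday meeting"):
        print(f"{text!r}: {m.classify(text)} (p={m.spam_probability(text):.3f})")
```

With so little training data the probabilities are extreme, which is exactly why a production filter also needs the feedback loop ("report spam" / "not spam") the later comments describe.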
On the other hand, I’m seeing more and more legitimate stuff land in Gmail’s spam filter.
Like virtually all of the San Francisco Marathon's newsletters. Sure, they're pushy and really, really want you to sign up for more races and I definitely need to unsubscribe … but I did subscribe and that means it isn't spam.
One of the things that I assume happens is that, even when people have explicitly signed up for something or at least not opted out of receiving updates etc., they'll just "report spam" rather than unsubscribe and when enough people do this it gets put in everyone's spam folder unless enough people reclassify it.
There's not much stuff that ends up in my spam folder that I really care about and a fair bit I don't know how I got on some list. But relatively little of it is spam in the usual meaning of the term.
> they'll just "report spam" rather than unsubscribe
I'm guessing this is a major part of it. But then again, if a legitimate service is so spammy that people will just "report as spam" rather than unsubscribing, maybe they should change their behavior.
There's definitely a continuum from I signed up for your newsletter, to I attended your event/downloaded your document and opted in, to I didn't opt out, to random mails typically semi-relevant at best from someone who got my email from some list somewhere, to outright scams/offers to sell mailing lists/etc.
Of course it depends somewhat on frequency etc. as well. I'll still mostly just unsubscribe if there's a link and usually reserve report spam for random crap that doesn't have an automated unsubscribe option.
Pre-Covid, I attended a lot of events and that has probably led to me getting on a lot of lists. Like it or not, no small part of the event industry is for companies to get leads.
In e-commerce I've noticed that customers who request to be removed from the mailing list and/or to have their info/account deleted often forget about ever using the site. Then a few months later they order something and sign up for the newsletter again. When they receive their "first" newsletter they recognize the style and remember that they requested it to be cancelled, which leads to many angry emails and spam reports.
An order form with no pre-selected "join newsletter" option doesn't seem to mitigate this problem. The obvious solution is to save the customer's email in the mailing list as unsubscribed, but afaik that's not legal if they request an account deletion.
I'm sure it depends on jurisdiction but that would presumably be saving PII after a removal request.
I find the tabs on my personal Gmail help a lot. Most of the form stuff lands in Promotions or Updates which I glance at now and then. Occasionally there's something I'm actually interested in. I used to keep a separate email for orders and the like but over time I found that just became a black hole that I never looked at.
My favorite problem is people who go “Never email me again about anything” then a few months later complain “Why didn’t you tell me about the new version?”
> I’m seeing more and more legitimate stuff land in […] spam filter.
I use iCloud Mail with a custom domain, after having self-hosted my mail for many years.
I had some job interviews recently and in a couple of cases iCloud Mail was spam filtering the meeting invitations. Whoopsie!
Fortunately in both cases we had communicated about when the meetings would take place outside of the invitations. So even though I didn’t see the invitation mails, I knew when the meetings would take place, and in the case of lacking a link to join one of the meetings I got them to send me another link for the meeting.
And on the whole I will say that iCloud Mail is much more comfortable and convenient for me to use than continuing to self-host my mail. Both in terms of keeping spam out of my inbox, and in terms of mail that I send getting to other people's inboxes rather than ending up in their spam.
It's just different people disrupting the spam space.
Someone looked at the operational assumptions of “let's target gullible people by using stupid, obviously fraudulent scenarios so that we can weed out everyone who won't play along” and noticed it is missing a very large target market unnecessarily.
Like it or not, this is the price of "privacy". Being able to easily pretend to be anyone, in the absence of an overarching identity framework -- and leaving identity recognition to the end user -- makes cybercrime a lot easier than it has to be.
Privacy does not mean anonymous interaction with known parties. It means the CIA can’t see me make an account transfer over the wire. In other words, without a warrant. Authentication and privacy are compatible. Privacy and anonymity are orthogonal.
The CIA can and will monitor your offline and online behavior if your profile is interesting to them. No amount of "muh privacy" appeals will stop them.
Privacy and anonymity are absolutely not orthogonal. How do you KYC? By "violating" their privacy (storing and querying personal records) to identify (deanonymize) someone.
> The CIA can and will monitor your offline and online behavior if your profile is interesting to them.
That’s because we don’t have adequate privacy safeguards in modern western society.
> Privacy and anonymity are absolutely not orthogonal.
Privacy and anonymity are not synonymous. I can have a private conversation with a friend. That does not require anonymity. In fact it precludes anonymity because my friend and I know who each other are. Privacy says nobody else knows what we discussed or even that we had a conversation.
> KYC?
Know Your Client? This is a new term to me but sounds like an authentication concept. Which is compatible with privacy but precludes anonymity, by definition.
I can privately communicate with my bank. But I cannot do so anonymously. LEO can’t see what I am doing on the wire. But with due process they can compel my bank to reveal what I have been doing with my money.
In theory the CIA cannot legally monitor anything about you if you're a US person, even with a warrant. That's the FBI's job. If you're not a US person the CIA can monitor you all day long without a warrant.
"Better safeguards around privacy"? How is Google or Cloudflare or NSA or whoever peeking at your incoming emails to determine what gets through good for "privacy"? That is upside down and backwards.
E2e encryption to prevent that peeking didn't really debut until the 2000s, as that's right when the crypto wars ended. Spam was actively fought in the 1990s, and then improved measurably into 2000. See projects like Hashcash in 1997, an anti-spam tool.
So your premise doesn't make sense with that timeline. Right when consumer privacy measurably improved via encryption availability and the end of related legal challenges is right around the time spam improved as well.
Which is to say, there is no correlation that's logical b/t the two in my mind, but if anything the timeline invalidates privacy improvements -> worsening spam without more evidence.
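Since Hashcash comes up above as the 1997 anti-spam tool, here is an added example (not the commenter's code and not the reference Hashcash implementation) of the idea in working Python: the sender burns CPU to find a stamp whose SHA-1 hash starts with a number of zero bits, and the recipient checks the stamp cheaply, including the freshness and double-spend checks that make the scheme hold up. The stamp layout follows the Hashcash v1 `ver:bits:date:resource:ext:rand:counter` format; the 28-day expiry, the two-day clock tolerance and the 20-bit default are assumptions of this example.

```python
import base64
import hashlib
import os
from datetime import date, datetime

VERSION = "1"


def leading_zero_bits(digest):
    """Count the leading zero bits of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def parse_day(yymmdd):
    """Parse the stamp's YYMMDD date field."""
    return datetime.strptime(yymmdd, "%y%m%d").date()


def mint(resource, bits=20, stamp_date=None):
    """Sender side: search for a counter such that SHA-1(stamp) has at least
    `bits` leading zero bits. Cost grows as 2**bits; verification stays O(1).
    `resource` is normally the recipient address and must not contain ':'."""
    stamp_date = stamp_date or date.today().strftime("%y%m%d")
    rand = base64.b64encode(os.urandom(9)).decode()  # 12 chars, base64 has no ':'
    counter = 0
    while True:
        stamp = f"{VERSION}:{bits}:{stamp_date}:{resource}::{rand}:{counter}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, min_bits=20, max_age_days=28, seen=None, today=None):
    """Recipient side: return (accepted, reason). `seen` is the recipient's
    double-spend store; a stamp that is accepted is recorded there so the same
    stamp cannot be reused for a second message."""
    today = today or date.today()
    parts = stamp.split(":")
    if len(parts) != 7 or parts[0] != VERSION:
        return False, "malformed stamp"
    try:
        claimed = int(parts[1])
        stamp_day = parse_day(parts[2])
    except ValueError:
        return False, "bad bits or date field"
    if parts[3] != resource:
        return False, "stamp minted for a different resource"
    if claimed < min_bits:
        return False, f"only {claimed} bits claimed, {min_bits} required"
    actual = leading_zero_bits(hashlib.sha1(stamp.encode()).digest())
    if actual < claimed:
        return False, "hash does not have the claimed zero bits"
    age_days = (today - stamp_day).days
    if age_days > max_age_days or age_days < -2:
        return False, "stamp expired or dated in the future"
    if seen is not None:
        if stamp in seen:
            return False, "stamp already spent"
        seen.add(stamp)
    return True, "ok"


if __name__ == "__main__":
    s = mint("alice@example.com", bits=16)
    print(s)
    print(verify(s, "alice@example.com", min_bits=16, seen=set()))
```

The asymmetry is the whole point: at 20 bits a sender needs about a million hashes per recipient, which is negligible for personal mail and ruinous for a bulk sender, while the recipient does one hash plus a set lookup. The stamp is bound to the recipient address and a date, so one expensive stamp cannot be reused across recipients or days.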
HTML-enabled email can easily contain tracking. Even without JavaScript, you could insert an img tag pointing at a uniquely generated address and log the query...
It becomes a question of who you trust more: the service you've chosen for handling your email (and spam protection), or the people sending spam emails. If you don't trust your provider, you should find another provider.
And Google auto-downloads embedded images when they receive the email; they show you the cached version and there is no information provided to the sender.
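To make the tracking-pixel mechanism from the two comments above concrete, here is an added example (not from any commenter, and not Gmail's image proxy) that parses an HTML mail, lists every image, and flags the ones that look like per-recipient beacons: remote images with a 0/1-pixel size, a query string, or a long high-entropy path segment. The sample message, the entropy threshold and the size heuristic are constructed for this example.

```python
import email
import math
from collections import Counter
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real mail): one ordinary remote image,
# one 1x1 pixel whose path carries a per-recipient token, and one inline image.
SAMPLE_EMAIL = """\
From: News <news@example.com>
To: reader@example.org
Subject: Weekly update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello reader,</p>
<img src="https://cdn.example.com/static/newsletter-header.png" width="600" height="120">
<p>Here is this week's update.</p>
<img src="https://track.example.net/o/4f9c2e7b1d8a6c3e5f0b9a2d.gif" width="1" height="1" alt="">
<img src="cid:signature-logo">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def shannon_entropy(s):
    """Bits of entropy per character; random ids score high, words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_image(attrs):
    """Return (kind, reasons) for one <img>:
    'inline'   - data: or cid: source, no network fetch, nothing to track
    'remote'   - fetched from the network, but looks like ordinary content
    'tracking' - fetched, and carries signs of a per-recipient beacon
    The thresholds below are heuristics chosen for this example."""
    src = attrs.get("src", "")
    url = urlparse(src)
    if url.scheme not in ("http", "https"):
        return "inline", []
    reasons = []
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        reasons.append("hidden 0/1 pixel size")
    if url.query:
        reasons.append("query string carries parameters")
    segment = max(url.path.split("/"), key=len, default="")
    segment = segment.rsplit(".", 1)[0]  # drop the file extension
    if len(segment) >= 16 and shannon_entropy(segment) > 3.5:
        reasons.append("high-entropy path token (likely per-recipient id)")
    return ("tracking" if reasons else "remote"), reasons


def scan_message(raw):
    """Parse an RFC 822 message and report (src, kind, reasons) per image."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = ImgCollector()
    collector.feed(body.get_content())
    return [(img.get("src", ""), *classify_image(img)) for img in collector.images]


if __name__ == "__main__":
    for src, kind, reasons in scan_message(SAMPLE_EMAIL):
        print(f"{kind:9} {src}  {'; '.join(reasons)}")
```

Note that "remote" is not "safe": any network fetch reveals the reader's IP address and the time of opening, which is why a proxy that fetches images once on the server side, as the comment describes for Gmail, removes the sender's signal regardless of how the image is classified. The classification is useful for a client that must decide which images to fetch at all.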
The bank account and the bank that the funds were misdirected to both have government-issued identities attached, so exactly what "privacy" are you talking about?
Oof, if a $900,000 invoice doesn't trigger review from their accounting dept, it's kind of their fault for not having a process or the common sense to question that bill.
I hate to say it but a lot of "accounting depts" these days are someone with no formal training who just took on the role as another hat on top of other hats as the more experienced folks retired or moved on to greener pastures. There's a shortage of accounting folks in general as well.
There are many job postings for folks with 3+ years of experience. Very little is being offered for people who don't want to work in Big 4 or haven't completed a few internships. Most traditional entry level work is being or has been automated. Accounts receivable and payable are being rolled up along with payroll into the job duties of outsourced accounting and the like.
Oh they have more technology than thinking people in many non-technical departments. Automate the decision process and forget the edge cases seems to be the modus operandi.
“We can’t provide all of the specifics at this time,” Higdon said, “but it appears the criminals succeeded in impersonating one of our vendors online and directed payments from the college into a fraudulent account.”
- so they sent a fake invoice and the college paid it?
I read that more as someone called the school and said something like: “hi, I’m calling from vendor X you usually pay into our bank account ABC, but due to some reason, we’ve needed to close that account. Can you please update that account to DEF and make all future payments there?”
There are more and more reports of serious phishing attempts that do not rely on mere fake emails, but involve criminals breaking into a business' infrastructure, observing mail (and sometimes even call) flow for a while (this can take months!) and waiting for an opportune moment to strike. They'll use the real company's infrastructure to send an invoice or email in the middle of an existing project that goes unnoticed for long enough to hit several clients. By the time the client and the hacked company start arguing about who paid what bill when into what account, the criminals are already out and moving on to their next target.
Not many people are prepared for these attacks. All the standard checks for phishing scams (sender, subject, language used, information repeated, technical measures like SPF and DKIM) pass with flying colours. You need to be wary of every single email from legitimate contacts to protect yourself from such a threat.
Such hacks target businesses (because huge b2b transactions are common enough) but also wealthy individuals contracting companies. Anyone capable of wiring out a sum of money large enough to make months of work for the (probably third world) salaries of the people involved in the operation worth it can be a target.
There are plenty of people who will fall for your old "we're the IRS, pay us Google Play gift cards" scam and even a fake invoice from an unknown company sometimes gets paid by a billing department that doesn't care about their jobs, but not every scam victim fell for some comically obvious scam. In the real world, real companies don't stick to best practices ("hi we're your bank. No you can't call us back to verify") and as long as legitimate companies send weird bills or make weird payment requests, scammers will find ways to mislead people.
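The comments above converge on one point: when the "update our bank account" request arrives from a vendor's real, compromised mailbox, SPF and DKIM pass and the only control left is a payment process that compares the invoice against what accounts payable already knows and forces an out-of-band callback. Here is that control as an added example (not the college's process, not any commenter's code): the vendor master record, the invoice as received, and a decision that deliberately ignores mail authenticity. The vendor data, the $25,000 dual-approval threshold and the field names are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorOfRecord:
    """What accounts payable captured at vendor onboarding."""
    vendor_id: str
    name: str
    account: str          # bank account of record
    contact_domain: str   # domain of the vendor's known mail contacts
    callback_number: str  # phone number from the signed contract, never from an email


@dataclass
class Invoice:
    vendor_id: str
    amount: float
    account: str          # account the invoice asks to be paid into
    sender_email: str
    claims_account_change: bool = False  # the message says "we changed banks"


@dataclass
class Decision:
    action: str                      # "pay" or "hold"
    reasons: list = field(default_factory=list)
    callback_number: str = ""        # where to confirm, when a callback is required


# Constructed vendor master for the example.
VENDOR_MASTER = {
    "V-100": VendorOfRecord("V-100", "Acme Facilities", "DE00-ACME-0001",
                            "acme-facilities.example", "+1-555-0100"),
}


def assess_invoice(inv, master=VENDOR_MASTER, dual_approval_above=25_000.0):
    """Decide whether an invoice can be paid as received or must be held for
    out-of-band verification. Whether the email 'looked genuine' is not an
    input: a message from a compromised vendor mailbox passes every mail check,
    so the decision rests only on data the payer already holds."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return Decision("hold", ["vendor id not in master data"])
    reasons = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if inv.account != vendor.account:
        reasons.append("payee account differs from the account of record")
    if inv.claims_account_change:
        reasons.append("the message itself asserts an account change")
    if sender_domain != vendor.contact_domain:
        reasons.append(f"sender domain {sender_domain} is not the vendor's")
    if inv.amount >= dual_approval_above:
        reasons.append("amount requires a second approver")
    if not reasons:
        return Decision("pay")
    # Only account questions are settled by phone; call the number on file,
    # never a number supplied in the invoice or the email.
    needs_callback = inv.account != vendor.account or inv.claims_account_change
    return Decision("hold", reasons, vendor.callback_number if needs_callback else "")


if __name__ == "__main__":
    suspicious = Invoice("V-100", 900_000.0, "GB00-NEWB-9999",
                         "billing@acme-facilities.example", claims_account_change=True)
    print(assess_invoice(suspicious))
```

The key design choice is that a correct sender domain does not relax the account check: in the scenario the thread describes the domain is the real one, so the mismatch between the invoice's payee account and the account of record is the only signal that survives, and it is resolved by a phone call to a number that predates the email.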
> The loss of the funds will not affect students, classes or operations, states the release.
Are organizations liable when they make statements like this? Suppose operations actually are affected and the college intentionally misrepresented the consequences of the fraud—are there grounds for legal recourse by students and future students?
It might just be a phrase to reassure stakeholders not to panic and rethink potential or existing relationships with the college out of fears of incompetence.
We just got a spear phishing email to one of our finance department people. It appeared "From" the CEO. Must have pulled the names from LinkedIn.
Had some legitimate company in the email. Turns out that company even has a fraud page on their website since so many people seem to get these emails. It must work enough that the scammers keep trying.
The scammers typically recruit fall guys to open accounts to receive the funds by offering them some small portion of the take. Along with a story about it being a favor, like "I'm from outside the country and don't have a bank account to receive my recent inheritance, etc".
With perhaps some intermediate transfers to other fall guys if it's a large amount.
The funds are withdrawn in sub-$10k chunks by the fall guys in cash as they arrive and the larger portion handed over to the scammer.
These people are usually called mules or money mules, inheriting the name from drugs smuggled on an individual courier.
Usually they are tricked into immediately depositing the cash into an array of destination accounts; this part is called smurfing. Sometimes they are told to buy physical goods and have them shipped, usually to a third country.
Cuckoo smurfing is a clever variant where the mules think they are receiving a legitimate payment, e.g. an inheritance, and they have to pay some beneficiaries, or they think they are shipping agents, doing drop shipping, and they have to pay their suppliers. People are gullible.
EFTs are reversible but have much lower limits. To move this much money they probably used a bank wire. This can be reversible if you catch it in time. But wires happen so fast the thieves will surely transfer the money elsewhere before the originator even finds out.
If it's a transfer using your authentication details they might put the transaction on hold or call you, but, no, they generally aren't liable with the processes they have in place unless there's significant negligence. The college might have been the one authorizing the transfer here to the wrong party. Banks can't or don't typically verify all of your vendors and clients and transactions. They provide the money pipes.
I still don't quite get this. I always imagined a bank wire as a data transfer, and that an actual settlement of hard currency happens sometime thereafter. How is it irreversible, in this regard?
This is probably the first time I am seeing this. The ads served on the website are local to MO, probably where the college is based, rather than being customized to my browsing/locality.
I can confirm that, based upon google research, the "Ozark Technical Community College" is in the Ozark Mountains of Missouri and Arkansas. More or less.
They have been getting more sophisticated over time as well. GPT and GAN generated or hand tailored phishing will do in even trained professionals at times.
> We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time. For any issues, contact internet@bransontrilakesnews.com or call 417-334-3161.
The site is not available for European visitors due to legal reasons:
> We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time.
For websites with specifically-American audiences, it can often be easier to only allow people from their intended readership access than to correctly understand and implement compliance to a foreign law. In this case, it's a local news website.