'Hammering' (as a Prelude to Spear Phishing) - Wham! Bam! - That's a SCAM # 14
Вставка
- Опубліковано 26 січ 2024
- Here's a twist on a common scam called Spear Phishing - in this case, creating false legitimacy and false urgency by first 'Hammering' your account with password reset or failed login attempts.
Some links and information:
What is Spear Phishing: www.cloudflare.com/en-gb/lear...
How to prepare against Spear Phishing: www.egress.com/blog/phishing/...
Identifying fake calls: www.ukfinance.org.uk/press/pr...
Identifying scams in: www.citizensadvice.org.uk/con...
Join the Atomic Shrimp official Discord server - / discord
Atomic Shrimp subreddit: / atomicshrimp - Навчання та стиль
*Does this ever happen with just the messages and no followup attack* - yes, in fact that's quite common; it might just be someone with the same name as you trying to log into the wrong account; it could be a bot(automated attack) somewhere that isn't configured properly; it might be scammers playing some longer game, where the messages are sent over a longer period, to induce complacency before they try the actual attack, so try not to let your guard down.
*What about legitimate companies who routinely call you and ask you to confirm security details?* - This is just my opinion, but if you can, refuse to deal with such companies (unless there's some way to initiate the call to them). Caller does not get to ask call recipient for important information unless caller has proven their own identity - and caller ID doesn't help as it's too easily spoofed.
This happened only one time with my Google account. Only three attempts were made, though. Hasn't happened since.
Yeahhhhh my bank has some really bad security practices... there was fraud on my account last year, and their call to me about it sounded *so* sketchy, and I told them as much. It sounded like a scam. But it was indeed legit, because I called them, and they confirmed the fraudulent activity and sent me a new card. Otherwise, my experience banking with them has been very good, and I've heard horror stories about other banks in my area, so... idk what to do there.
@@Zichqecmy bank is so paranoid, they frequently block ME when I go to a new store, like a different McDonald's. 🫨 I have to call them and verify it's me and it's a whole damn process. So too paranoid is equally not good.
@@Zichqec this literally just happened to me! The automated call regarding suspicious activity sounded so much like a scam that I ignored it, then had my card declined buying groceries! Turns out it was legit, but I let them know they should really change that call! Lol
The most frustrating part about all of this is that actual businesses make dumb unverifiable phone calls all the time asking for things they shouldn't over an unauthenticated line. I had one (that was in the process of being castigated in the media for losing tons of personal information) call me from a random number demanding that I provide a one time code over the phone, which is almost perfectly wrong, almost beautiful in a way. If anyone is wondering why these even slightly more sophisticated scams keep working, it's in no small part because of the ridiculous, poorly thought out processes actual businesses insist on using.
VirginMedia by any chance?
@@EggBastion No, Optus (which relatively recently exposed more than half of all Australians to identity theft courtesy of what I would consider multiple layers of outright negligence)
Wait, so maybe i'm reading this wrong, but are you saying a REAL business, not a scammer, called you, demanding for the OTP, that you're not supposed to give out?! WHAAAAAAAAT?!
@@nostalgicumbry3279 Kind of, they were going to make up a one time password and text it to me (which is exactly the same type of excuse scammers use to get you to reveal actual OTPs in the all too common world of SMS based 2 factor). This is a company that effectively just left a private API open to the world revealing a ton of highly sensitive data that they retained under the guise of being legally required to, even when being specifically told they weren't required to retain a lot of that data though.
my bank called me from [number A] saying to call "[bank name] Money Bank partner" (realized later it was "credit card department") at [number B], neither of which was [number C] on the back of my card. it was a legitimate call from the bank and I had fraudulent transactions on my card.
I tried to demand compensation for that (plus the 9 hour wait time to talk to them - no, I am NOT exaggerating or joking... 9 hours in total over 2 days...)
This kind of video is excellent for me to share with users at work. They LOVE clicking on things in emails and I only have about 2 minutes of their attention to warn them of the dangers. This video works a treat!
Thanks. Yeah, that's pretty much the target audience - people who can't or just won't expend attention on security
I absolutely adore this series. It's hard to fool someone, but exponentially harder to convince them they've been fooled- quick and informative explanations like this have helped me save a couple family members from scam attempts!
that's a very smart quote. I'm going to start using that
@@themelnova Credit where credit is due, I was paraphrasing Mark Twain.
As in brexit…
It's not that hard to fool people, just ask the clueless people I'm currently scambaiting.
I like this short, sharp and to the point format. Also thanks for the heads up about this sort of thing.
How do I get in contact with John Warosa?
You don’t contact John Warosa, he contacts you 😀
@@thekingofming Well John Barosa’s email would also be fine since I understand that they work in same office/department
@@thekingofming But do not immediately trust, when "John Warosa" contacts you.
There are literally thousands of scammers out there, pretending to be John Warosa without actually being John Warosa. 😉
@@thekingofmingnot sure if John Warosa and Barosa ever contacted someone else after what Shrimp put them through :)
you must get in contact with the John Barosa Legacy Fund first
I get these emails at least two to three times a month and it's always annoying. For the accounts I do have, I always ignore them or check on things via *NOT* clicking the link but the best ones are the 'requested login' from accounts on services I don't even have. Or when I check the email and it's not just that it's not even the actual emails of the services, they're the fake emails that are like 100 letters long (exaggerating) and twirls that red flag around.
The worst ones I have had are email from banks I don’t even bank with
It's Saturday morning - I've got my coffee and am sitting down to enjoy a nice long Atomic Shrimp video. 😅
I haven't watched all of yesterday's yet :)
I saved yesterday's for this morning. This was a nice little teaser before caffeinating with the other!
😂
Thank you! I didn't know about this one, and I reset my passwords often enough that I might genuinely be in danger of falling for it.
What's annoying is some legitimate companies will call you and then ask for personal details or security phrases to confirm it's you before they proceed with whatever it is they called for...
I think I would have to refuse to deal with such companies, unless they have a way to convince me of *their* identity when they call (caller identity wouldn't cut it, as that is easily spoofed)
This has happened to me. I said "I do not know that you are really who you say you are." They have then said, "Call me back at our main number and my extension is XYZ."
As someone who works in IT, don't he afraid to question the caller - most will hang up once pressured but if they are legit IT, they will have no problems telling you ways to verify (ie calling them back at the phone number in your company directory, etc). If you are at home, remember there is no one out there monitoring your internet connection to make sure you don't get a virus, etc. If it sounds questionable in any way, it probably is. But if you want to have fun, play along and give them false passwords, then act shocked when it doesn't work, then say you forgot you just changed it and give them another false password, keep that up as long as you can - eventually they will catch on and be mad, problem swear at you and in the end all they did was lock your account.
To paraphrase most those emails with the code: "If you did not initiate this request, you do not need to do anything"
Aaaah! That explains why I received all these recovery emails recently! Thanks for the explanation.
It isn't necessarily this exact thing, it is possible it's "just" someone trying to log in on the off chance you don't have 2FA or some other system in place and they are trying to hack into an account. We secured my daughters' online gaming accounts in this way and I do get random login attempt emails from very weird places from time to time, which I just ignore because I know when my daughters are needing to log in. It's not possible to login with just a password, you need a code which gets sent to my email and then my daughters ask me for it.
@@andymerrett Yup, definitely someone who just happens to have the same unique name as me trying to log in every single day for months, definitely not a scam-bot.
This series would make for great UA-cam shorts.
YT shorts need to go extinct.
@@apokalypthoapokalypsys9573 Fair.
Never click on any links in emails.
If you press and hold down on a link (works on most email programs) it will show you a preview of the web page and you can see the links URL (web page address) and if it’s not the normal one you use then don’t open it
Press and hold is too easy to accidentally just be a click. Just don't click.
@@AtomicShrimpwell it works ok for most people I speak too
I'm not saying it doesn't work - it just courts the risk of accidental left click (also if there's a tracking parameter in the URL, loading that preview tells the scammer you clicked, and that may be valuable information for targeting)
Great info as always, thanks. End cards missing from the end (not sure if those get added later or not, ignore me if thats not a prob!)
This is such an interesting channel, especially the scambaiting area. I love seeing this style of quick bites, really easy to share and great to follow up for less "scam-literate" people.
Keep up the great work! (also your foraging videos are so calm, they are definitely another gem here)
We need a „wham! Bam! That’s a scam“ jingle from our (spanish?) friend!
I can't think of anything that rhymes with Barosa -- oh wait... Warosa!
@@tobyfitzpatrick3914 Don't get sad, don't get moroser ;)
I work for a bank and this what you’re doing is amazing. More people with an audience should be warning people of scams in general but this type of scam more so. It works every time with vulnerable people and it’s disgusting what these people are doing. Really wish more people had the awareness. So appreciate this type of video !!
I have actually been under this attack by this vector earlier this month. Random numbers kept calling, but were blocked by spam filtering so my phone never even rang, but they would leave a voicemail. They didn't wait for the tone of my inbox so I would only get the tail end of my email address and something about account access, unrecognized activity, or password reset. I checked my email for emails about any of those but found nothing. This went on for 2-3 weeks to the point I turned off my call filtering just to figure out what website/platform/service they are targeting but they haven't called back again.
Scam calls often start a recorded message in the middle. I've picked up the phone without saying anything and still didn't get a complete message. It probably raises a victim's curiosity by making them think they missed something important, like who is even calling. We all know how that worked out for the proverbial cat! 🙀
In the UK calling 159 will safely connect you with most UK banks, this should receive more publicity.
Perhaps you could promote it Mr Shrimp? 🥰
Unfortunately not all banks use this service, it is also best to ring from a different phone or at least wait a minute or two in case the scammer has kept your line open.
I didn't know about this. It looks like most of the popular banks are on board. Seems like a good idea.
I'm not sure whether the thing about scammers keeping the line open is possible any more, on modern digital phone networks. I suppose there might be some parts of the network that have not yet been updated.
@@AtomicShrimp/videos - If I've learned anything from my friends in I.T about how much security is or isn't in the phone network it's _do not get them started about how much security is or isn't in the phone network_
I understand that BT in the Uk are in the process of changing all home phone lined to become VOIP (internet calls) so I don’t think scammers will be able to keep the lines open any more
159 works in the same way as 101 for the police or 111 for the NHS. It’s the number you can trust to get you through to your bank safely and securely, every time.
So if you think someone is trying to trick you into handing over money or personal details - stop, hang up and call 159 to speak directly to your bank
@@AtomicShrimp
I'm so glad I follow you, because I might've fallen for this. I get to watch you forage AND give me peace of mind. What a win!
I've been getting 'Password reset request' notifications and wondered who could be trying to do it, this explains it, thanks !
I don't have a phone number associated with that account so they'll find it extremely difficult to phone me and I'm highly suspicious of any emails that I receive so that's not going to get them anywhere either !
Thanks for sharing this information, at least I know now !
As an extra line of defense, it can't hurt to change your password. Even if the scammer was telling the truth about how someone was trying to log into your account, it would mean that your password is compromised and you'd want to change it regardless.
Sometimes they are trying to reset the password, hoping you’ll respond to the 2FA prompts to let them in.
I had a person call me saying they were from PayPal. Then they ask who I am. But they can never confirm who they are. So I hung up and went to their help assistant chat thing on the app. It's much better than being on a phone call anyway.
The more questions you ask the better, the genuine company will totally understand your concern and be happy to respond, scammers hang up immediately !
I answered the phone for my elderly mother a few days ago and the caller was claiming to be from the gas company and enquiring about servicing my mum's boiler. This would not seem suspicious to my mum at all and she would slip straight into a detailed conversation with the caller and disclose all kinds of personal information with them without questioning it !
I asked if they knew the first name of the person they were calling but of course they didn't know and quickly hung up !
Oh, glorious Atomic Shrimp, thank you !
Huh that's a new one on me! Thanks for the heads up! 👍🏼
I'd love to see a video where you converse with one of these scammers at some point. 🙂
This happened to me, but because i dont like to talk on the phone i went to the bank and ask what was happening lol
Omg this explains the legit Facebook password reset attempt emails
I didn't trust it anyway and manually typed Facebook's URL into the address-bar to do the "I didn't request this" thing instead of taking a chance that the link in the email had Unicode lookalike characters. I don't bother with that anymore since it seems it's just a placebo and Facebook doesn't actually do anything if you tell them it wasn't you that requested it. 😒
Clever. Psychological means are always more important than technical ones in forcing these scams on people.
If only banks weren't so poor in their use of texts and emails, we might be a bit less vulnerable to this.
Thank you Shrimp, keep up the good work.
I've actually been receiving warnings of someone trying to change my password coming from the official FB email, so now I know what to expect, very useful info as always, thank you Atomic Shrimp
i’ve been teaching my parents about IT, your explanations are always so helpful
40 minutes after upload and 2 scammers have already disliked this video 🤣🤣
the good thing about that is, even the negative responses effect his algorithm positively. so people trying to be nasty are actually helping this video get suggested to more people 😄
very helpful. thank you for the information!
Another excellent, concise video
thx for keeping me safe. i didnt fall for a scam that was pretty well made cause of your videos!
Thanks for this quick flyover. Although I prefer hearing you destroy scammers. The need for awareness is more valuable.
Thanks for this video, I appreciate all of your good advice.
WOW, that is one of the best - and definitively the most impressing - videos I have ever seen on cyber security.
Got a new one yesterday. Phone rings and automated voice asks me If I am Michael Williams, IF I am press 1, if I know a Michael Williams Press 2, if I don’t Know a Michael Williams press 3. This must be very easy to con the more gullible and Older people!
That sounds like debt collectors
I've been having this happening to me but I have 2FA on EVERYTHING so I just delete the reset requests and then I never answer the phone unless I recognize the number so - lol, good luck to them
Thanks for this, both my partner and I have been sent multiple emails regarding attempts to get into some old accounts; we've changed passwords and have 2FA set up for them so wasn't too worried someone might actually get in but if someone had tried calling my number claiming to represent the site our accounts are with I might just have believed them
I've been repeatedly getting this with my internet/mobile phone provider. The e-mails I get are legitimate (as far a I can tell); I knew there had to be some kind of scam behind it but I never got anything else so I didn't know what could it be, so this video has been enlightening for me: I have calls from unknown numbers blocked on my phone, so I'm probably missing the second part of the phishing attack. Thanks!!
Also use 2FA
Definitely use 2FA, but be aware that this scam is one that is specifically trying to work around 2FA
Thanks for Saving me time but your one of the UA-camrs that I totally enjoy wasting time with keep up the good work/fight
I've received a few of these Facebook emails recently. Thanks for the heads-up.
I have a question for you, Mike.
Where did the name "Atomic Shrimp" come from?? Why did you go with it?
I'm really, genuinely curious about how and why that is what you decided to go with for your channel name.
Also, wanted to say... I LOVE your content. You're something of a personal hero of mine.
I believe he has an earlier video explaining the name, if you search for it
Thank you for the reminder.
I feel safer when using face recognition or biometrics, I would like to see much more those security features used.
i don't feel very safe about either, tbh, in order to recognize it as _you_ it has to make a record & store it somewhere
I really hate scammers & I’ve been scammed, which makes me feel really stupid ☹️Thsnks Atomic shrimp 🦐🤗
Don't feel stupid just because you've been scammed, scams are set up to deliberately target the vulnerable, and by vulnerable that includes anyone who had a very stressful day to people who desperately wish scams to be true due to their circumstances (e.g. a scam promising a source of income). It can happen to anyone regardless of age/intelligence etc, which is why they are so successful.
I didn't know that is what they were doing. Few mates reported it recently.
Thanks Michael
Very good video Mike, i think i've been accidentally hit by a few of these but never got the followup
hahah and i just read the pinned comment, give eva a treat for me
Excellent
When I worked, I was the go to guy for "should I click on this email link?" My answer was always the same; 'probably not". Then people would argue with me and often click. People can be stupid.
I had something similar last September. Someone added me on Facebook pretending to be someone I know asking for a code. I sent it thinking I was helping them. Then I got locked out my account. Luckily I was able to get back in quickly.
Thanks!
Is it possible to get this without the follow up phonecall? Recently I've have log in attempt emails on various sites in waves but I've never had anyone call or contact me after.
Yeah, that also happens, but be on your guard for anything that seems like a related message/call/communication, but just isn't.
Basically: do not take anything on the internet/over the phone at face value…or, really, do not take anything at face value.
I have an HMO health plan (American). They constantly call from random numbers asking for me and then asking me to verify my identity....you know personal information...before they'll tell me why they're calling. I've told them several times this is not how they should call as I have no idea they are who they say they are...only their word for it and I'm not that trusting. I'll call the call the contact number I have, and they'll verify 'Susie' was calling about something or other. Infuriating.
One piece of advice I have always relayed on is "If it sounds to good to be true it is usually a trap, kind of like cheese on a mouse trap".
brings to mind a saying that's unrelated to the subject being discussed here - "it's the early bird that gets the worm, but it's the second mouse that gets the cheese"
And I learned years ago, have DIFFERENT passwords for each site you use. If a site gets hacked, that password would only be good on that one site.
You know, to be fair, any time spent hearing your voice make funnies is time well spent.
I got a bunch of texts with OTPs for my amazon account a long time ago, like 3 every day, i just ended up changing my password and it stopped, if i had gotten those facebook emails like you shown i'd probably would have just done the same thing.
I thought the hammering scam was when someone offers to repair something and then does more damage and demands money to fix the damage they did.
Have you thought about turning this series into shorts? I think they would really benifit there
Not completely sure, but I think shorts have to be 1 minute or less. Without the intro/outrao it's just slightly over the 1 minute mark.
So _THAT'S_ why I've been getting annoying Facebook-reset emails every day for the past few months? 🤨 When am I going to get the calls? I haven't had anyone to torment in a while. 😕 (Also, hth are they going to call me? They have no idea what my phone-number is. 🤔) - Also also, wth is the point to the "tell us if you didn't request this reset" link in Facebook if they don't actually do anything. 😒
Yeah I got one and it looked official. I think I did click a "I did not request this" button or something, I'm an idiot, I don't know what I was thinking. I've been watching scambaiting videos for years and know about phishing, etc, I should know better. My FB account has been deactivated for a LONG time and I don't have any interest in re-opening it. I don't know if I should go through the trouble just to change password and add multifactor authentication. I will have to be much more wary in the future. Wish my email sent that one to spam.
i love htese videos
this reminds me of MFA fatigue, or how Uber got hacked by a social engineering attack like this
Even with 2FA, the account holder is still the weakest link.
True. I suppose it's always been like that. All the locks in the world won't make your front door secure if you're just going to open it anytime anyone knocks.
Yes but...can I get it in Beige?
Ahhhh, the benefits of being a hermit/recluse...the only emails and phone numbers in my phone book are my kids, a Doctor, and my aged care helper. If the call doesn't have a name attached- it's blocked or marked as spam. 🙃
I wish these were longer than 60 seconds. 30 minutes would be nice.
There is one scam that you could do a video about. It is the apps that in the video claim that you could get huge amounts of money by playing their game. When you click on the link in the videos it takes ypu to an app that is early access. Any money you can get out of those apps will be after the heat death of the universe. Sorry, comment is off topic to the video
Thanks so much, this has only just started happening to me. Luckily I smelled a dirty rat and never responded and never respond from within emails anyway, but glad to learn I’m not under attack from someone trying to gain access to my social media account. Not that way anyway😡😡
Hi 👋
Good to be back eh?
Why do you keep saying that?
Watch " The Beekeeper "
quick and ez. plz be careful everyone
Swap red en orange bar?
Someone tried to hack into my Facebook account by asking me for the security code. I wouldn't have known about the scam if it wasn't for you. 💜Thank you❤
Ok
Who ARE these Generals and why do they have so much gold and cash for me?
nothing worse than getting security alet after security alet, this is why I don't use Elon Face Bank >:(
This needs to be a scambait.
Pee pee poo poo 🎉🎉🎉🎉
Longer please
They're short for a reason