When phishing gets personal

26 November 2018

There I was scrolling through my email, past the never-ending promotions from every online retailer I have ever shopped with, when one more personal message stopped me in my tracks.

It was from the architect we have been using for work we're having done on our home and the subject line declared it was his bill. Nothing so onerous in that, you might think, except in this case the drawings had been completed, planning had been permitted, building regulations obtained and – most significantly – what I thought had been the final bill, paid.

So unsurprisingly I went into panic mode: did we still owe him any money? Were there any hidden costs we hadn’t accounted for? Our original budget for the work had already been blown out of the water and I couldn’t stomach another bill.

So I opened the message and zoomed straight down to the attachment, clicked on it and thankfully it didn’t open. As foolish as I feel for admitting it, it was only then the alarm bells sounded and I actually took the time to read the contents of the message.

Lots of details were correct, including his name and email address, but while the code for his landline was correct, the number wasn’t. It was also apparent that the email had been written to someone unknown to the real sender – it opened with ‘Good Afternoon’ for example, rather than addressing us personally as our architect always did.

Writing this now, I cringe. I’m so used to writing about scams and I’ve had numerous phishing attempts from big businesses that I just delete without hesitation. But I think it was the personal nature of this attack that sent me into a tailspin. It was a request for money from an individual that I had a business relationship with and there was nothing in the subject line or sender’s details to make me question it, until I actually opened it.

Thankfully I was not a victim of the scam and the experience has taught me a vital lesson: scammers don’t just pretend to be big businesses like banks and building societies. They will also hack into the email accounts of individuals and small businesses and attempt to dupe their clients or customers too.

It also means when our building work starts and I start dealing with a whole host of tradespeople and suppliers I will make doubly sure I am paying them and not a fraudster.