
Tuesday, December 9, 2025

How a Harmless Christmas Greeting Turned Out to Be a Phishing Attempt

Being a seasoned web and software developer, I got fooled


A Real Example That Slipped Past My First Instinct

Today I ran into a phishing scam that was dressed up as a friendly Christmas greeting. It came from someone I know well, which is why it slipped past my first instinct. Scammers are becoming more sophisticated, and even people with a technical background can be momentarily caught off guard. That alone should tell us how many people are being exploited who do not have the same level of awareness.

The message arrived through Facebook Messenger and simply said that a friend had sent me a “surprise message”. At this time of year, we expect cards, greetings and animations, so there was nothing unusual about the context.

The First Screen: Cute, Harmless, and Designed to Lower Defenses

The first page showed a cartoon Santa sitting between two wooden doors with a bright arrow that said “Touch this”. It looked like a children’s game or an animated holiday card. There were no warnings, no login boxes, no pop-ups, nothing aggressive.

This is deliberate. Scam designers use soft onboarding: they begin with something innocuous to lower your vigilance and get you to follow the steps without overthinking. The theme also exploits seasonal priming. December conditions us to lower our guard because we expect cheerful, informal messages.

The Second Screen: Personalisation, Trust, and Emotional Engineering

The next screen displayed the sender’s name in colourful letters, along with a festive banner and a countdown timer. It looked like a custom greeting.

Personalisation is one of the most powerful psychological triggers in social engineering. When a site uses a name you recognise, your brain shifts into a trust mode. The scammer knows this. They rely on you thinking, “Of course this is from my friend, their name is right there.”

At this stage, the scam still appears completely harmless. You are gently shepherded deeper into the trap.

The Trap: When I Clicked the Name Field, My Browser Tried to Autofill My Credit Card

This is where everything changed. When I clicked the “Enter your name” field, my browser automatically offered my stored credit card information and Google Pay.

That was the moment the red flag appeared. My immediate thought was: Why would I have to pay to read a message from a friend?

This is a deliberate trick. The browser decides what to offer from the field’s markup (its name, type and autocomplete hint) and from the fields around it, so a box labelled “Enter your name” can be marked up as a card-number field and trigger the payment autofill menu. Most people don’t realise that the site does not know their card number at that point: the browser is trying to be helpful, and the value is not entered into the page until you pick the suggestion and submit the form. The psychological effect is still powerful. Seeing your card appear creates a false sense of legitimacy.

Fortunately, once I saw the payment suggestion, I closed the page immediately.

Why This Scam Works So Well

What makes this phishing attempt successful is the combination of emotional familiarity and technical deception. Here are the key elements:

  • It uses a trusted friend’s compromised account. You’re more likely to click without hesitation.
  • It uses seasonal imagery. December greetings lower defensive awareness.
  • It uses personalisation. Seeing your friend’s name tricks your brain into trusting the page.
  • It delays the danger. The scam doesn’t show anything suspicious until you’re already engaged.
  • It manipulates browser behaviour. Autofill is weaponised to create the illusion of legitimacy.

All of these work together to increase the probability that someone will complete the payment step. This is classic social engineering.

Connected Mind Analysis: How This Fits the Unified Theory of Probabilistic Connections

Viewed through the lens of the Unified Theory of Probabilistic Connections, this scam is a perfect example of how behavioural vertices connect and shape outcomes.

  • Trust vertex: The message originates from someone familiar.
  • Contextual priming: Holiday themes create emotional openness.
  • Familiarity vertex: The sender’s name reinforces perceived legitimacy.
  • System feedback loop: Browser autofill creates a misleading validation signal.
  • Pathway collapse: The moment critical thinking returns, the harmful pathway ends.

This event demonstrates how human cognition, environmental cues, and system behaviours interact probabilistically to shape a user’s decision process — and how scams exploit these natural pathways.

What Everyone Should Know

  • You should never pay to view a message from a friend.
  • Autofill appearing on a screen does not mean the site knows your card.
  • If something suddenly asks for payment, close it immediately.
  • If a message looks slightly “too fun”, “too cute”, or out of character, verify with the sender first, through a different channel (a call or text, not a reply in the same chat).
  • If a friend’s account sends unusual links, tell them to change their password, turn on two-factor authentication and log out any sessions they do not recognise.

Final Thoughts

Scammers rely on predictable human behaviour. They exploit trust, timing, design, and system features. If this one almost passed my radar, it will absolutely fool someone who isn’t used to online threats. Sharing information is one of the most effective ways to reduce the success of these scams.



Saturday, November 8, 2025

Beware: Scammers and Fraudsters Are Adapting to Get Your Money

Image: split scene, elderly woman worried on the left; hooded scammer smiling while using a laptop on the right. Represents how scammers harm vulnerable victims.
Online scammers and fraudsters don’t care about their victims’ hardships.

By J. André Faust (November 8, 2025)

The Numbers Game of Digital Scams: A Case Study, Psychology Breakdown, and How to Verify Emails

This post examines a live Facebook scam I received, compares it with a legitimate fundraising email about a real multimillion-dollar lawsuit, and unpacks how a separate DHL phishing email tries to trick recipients. Along the way, I explain the persuasion mechanics and show exactly how to verify email authenticity using message headers.


Part I — The Facebook “Government Grant” Scam: A Case Study

Transcript highlights (abridged):

  • Scammer: “Have you heard about the DC program… an International Development program by the government due to the pandemic to give financial assistance to everyone… Even I got $150,000… I’ll send you the agent.”
  • Me: “Which government, which country? I base decisions on verifiable data.”
  • Scammer (later): “Federal government… Canada… It’s 100 percent real.”

Why this is a scam

  • Vagueness: no program name, no department, no official link.
  • Over-promising: “everyone” gets $150,000 with no repayment.
  • Scripted escalation: they try to hand you to a fake “agent.”
  • Outdated frame: they invoke “pandemic aid,” which signals a recycled 2020–2022 script.
  • Decorative obfuscation: odd characters like “ۦۦ ۦۦ …” are Arabic combining marks used as visual filler to dodge filters and to look exotic. They add no meaning.

What I did: demanded specifics — country, department, official link. When they finally said “Canada,” I asked for the minister and noted I could verify with federal contacts. The conversation stalled. That is a win.
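The decorative filler described in the list above is easy to check for mechanically. The following is an added example, not code from the original post: it flags combining marks that have no letter to attach to, plus zero-width characters, while leaving genuine diacritics on real words alone. The sample strings are constructed; the filler uses U+064E ARABIC FATHA and U+0651 ARABIC SHADDA, which are combining marks, and the threshold is an arbitrary choice.

```python
# Added example (not from the original post): detect "decorative" filler,
# i.e. combining marks floating between words and zero-width code points.
import unicodedata

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed sample: marks floating between words, like the scam script.
OBFUSCATED = "\u064e\u064e \u064e\u064e Have you heard about the DC program? \u0651\u0651"
# Constructed sample: a real Arabic word (marhaban) with diacritics on its letters.
LEGIT_ARABIC = "\u0645\u064e\u0631\u0652\u062d\u064e\u0628\u064b\u0627"


def decorative_marks(text):
    """Return (index, char) for every combining mark (Unicode category M*)
    that does not follow a letter, and for every zero-width character.
    Diacritics attached to real letters are ignored, so ordinary Arabic,
    Hebrew or Vietnamese text is not flagged."""
    flagged = []
    base = None  # most recent non-mark character seen
    for i, ch in enumerate(text):
        if ch in ZERO_WIDTH:
            flagged.append((i, ch))
        elif unicodedata.category(ch).startswith("M"):
            if base is None or not base.isalpha():
                flagged.append((i, ch))
        else:
            base = ch
    return flagged


def looks_obfuscated(text, threshold=0.05):
    """True when at least `threshold` of the characters are floating marks
    or zero-width filler. The threshold is an assumption, not a standard."""
    return len(decorative_marks(text)) / max(len(text), 1) >= threshold


if __name__ == "__main__":
    for label, sample in (("scam", OBFUSCATED), ("arabic", LEGIT_ARABIC)):
        print(label, looks_obfuscated(sample), decorative_marks(sample))
```

Treat the score as a signal rather than a verdict: the zero-width joiner is legitimate inside emoji sequences and some Indic text, so a message full of emoji can score higher than it deserves.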

Psychology of why these scripts work

  • System 1 vs System 2 (Kahneman): scams push fast, emotional System 1 before careful System 2 can engage.
  • ELM (Elaboration Likelihood Model): they target the peripheral route with cues like “government,” big payoff, and friendly tone, avoiding the central route where claims are scrutinised.
  • Cialdini’s principles: authority (“government”), social proof (“my friend got it”), reciprocity (“I’m helping you”), scarcity (“apply soon”), commitment/consistency (get you to reply once), liking (chummy small talk), and unity (“people like us”).
  • Heuristics under stress: financial strain, time pressure, and fatigue increase reliance on shortcuts.

Glossary

  • FOMO: Fear Of Missing Out. A pressure tactic that nudges people to act quickly to avoid “losing” a benefit.
  • Peripheral route: quick persuasion via cues rather than evidence.
  • Central route: persuasion through careful reasoning and proof.

Part II — Legitimate Fundraising vs Scam: How I Evaluated the Broadbent/PressProgress Email

Within the same window of time I received a fundraising email from the Broadbent Institute referencing a lengthy, expensive media-law trial connected to a 2019 Alberta election story. The email routes through ActionNetwork’s infrastructure, shows consistent sender identity, and references an ongoing, public legal matter involving multiple media outlets. This stands in contrast to the Facebook scam’s evasiveness.

Legitimate signals

  • Clear organisational identity (Broadbent Institute, PressProgress), stable web domains, and a consistent sender address.
  • Context that matches public reporting about a multi-month trial and a multimillion dollar claim.
  • Routine fundraising framing: transparency about costs, a donation ask, and unsubscribe links.

Why scams harm legitimate fundraising

  • They saturate people with fake appeals, creating “compassion fatigue.”
  • They erode trust in all asks, so real causes must overcome higher skepticism.
  • They mimic legitimate language, forcing genuine organisations to prove more and more.

Part III — DHL Phishing Example

I also received a “DHL EXPRESS” email, in mixed Japanese and English, urging me to click a link to correct my address and phone number. This is classic delivery-problem phishing.

Plain-English translation of the Japanese body (abridged):

“Were you not at home at the time of delivery?
Dear Customer, an international item from the United States is scheduled for delivery, but we could not deliver due to errors in the address and phone number. Please complete the delivery information using the link below and we will arrange redelivery within 1–2 business days. You can choose no-signature contactless delivery or pickup at a nearby service point. Click here.”

It then shows a fake tracking number and a button to “complete delivery info.”

Red flags

  • Sender domain is not owned by DHL (look at the actual address, not the “DHL EXPRESS” display name).
  • Urgent correction request plus a link to a data-harvesting site.
  • Language switching and generic “Dear Customer.”

Part IV — How to Verify Email Authenticity with Headers

Email display names and apparent “From” addresses can be spoofed. What matters is the header trail and authentication results.

What to look for in headers

  • Return-Path / Envelope-From: the address bounces go to, and the domain SPF is evaluated against. It is allowed to differ from the visible “From”, which is exactly what both bulk senders and phishers rely on.
  • Received lines: each server that handles the message prepends one, so the top line comes from your own provider and the bottom line is the earliest hop. Only the lines added by servers you trust (your provider’s) are reliable; a sender can fabricate any line below them.
  • SPF: whether the connecting IP was authorised, by the Return-Path domain’s DNS record, to send on that domain’s behalf.
  • DKIM: a cryptographic signature by the domain named in the signature’s d= tag, verified by your provider. It proves the signed headers and body were not altered in transit, not that the signer is the brand in the display name.
  • DMARC: the visible “From” domain’s policy. It passes only when SPF or DKIM passes and the domain that passed aligns with the “From” domain. Your provider records all three verdicts in an Authentication-Results header, which is where to look.

Note: Good providers filter many spoofed messages using SPF/DKIM/DMARC, but filtering cannot be perfect. You should still verify suspicious messages manually.

How to open headers in Outlook desktop (two ways)

  1. Classic method: double-click the email to open in its own window → File → Properties → copy from the Internet headers box.
  2. Message Options shortcut: double-click the email → in the ribbon’s Tags group, click the tiny launcher arrow at the corner → headers appear in Properties.

Once opened, read the Received chain from the bottom up: the bottom line is the earliest hop, each server above it added its own line, and the top line belongs to your own provider. Trust the lines your provider added and treat everything below them as claims. For a legitimate campaign, you will usually see a known bulk sender or the organisation’s own infrastructure handing the message to your provider. For phishing, you often see mismatched domains, odd servers, or no valid authentication.

Quick test you can do

  • Hover but do not click links. Does the actual URL match the brand’s domain? Check the registered domain itself, not whether the brand name appears somewhere in the address.
  • Check the Authentication-Results header: did SPF and DKIM pass, and does the domain they passed for match the visible “From” domain? A pass for an unrelated domain is what phishing mail looks like, not what a legitimate sender looks like.
  • If in doubt, go directly to the organisation’s website and navigate to their donate or account page yourself. Never use the email link.
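The header checks in Part IV can be run mechanically once you have the raw headers. The following is an added example, not code from the original post, using only the Python standard library: it lists the Received chain in origin-first order, pulls the SPF and DKIM verdicts from the Authentication-Results header your provider added, and tests whether the domain that passed aligns with the visible From domain, which is what a DMARC pass requires. Both messages are constructed samples; every hostname, IP address and domain in them is invented, and the organisational-domain helper is a deliberate simplification rather than the real Public Suffix List lookup.

```python
# Added example (not from the original post): a stand-alone header check.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed phishing sample: DHL display name, but SPF/DKIM pass only for an
# unrelated lookalike domain (all names hypothetical).
RAW_PHISH = """\
Return-Path: <bounce@parcel-update-alert.example>
Received: from mx.yourprovider.example (mx.yourprovider.example [203.0.113.10])
\tby inbox.yourprovider.example with ESMTPS; Sat, 8 Nov 2025 10:02:11 +0000
Received: from mail.parcel-update-alert.example (unknown [198.51.100.23])
\tby mx.yourprovider.example with ESMTP; Sat, 8 Nov 2025 10:02:10 +0000
Authentication-Results: mx.yourprovider.example;
\tspf=pass smtp.mailfrom=parcel-update-alert.example;
\tdkim=pass header.d=parcel-update-alert.example
From: "DHL EXPRESS" <noreply@dhl.com>
To: you@yourprovider.example
Subject: Delivery information required

Were you not at home at the time of delivery?
"""

# Constructed legitimate sample: sent through bulk-mail infrastructure, but the
# DKIM signing domain matches the visible From domain (all names hypothetical).
RAW_LEGIT = """\
Return-Path: <bounces@mail.example-institute.org>
Received: from mx.yourprovider.example (mx.yourprovider.example [203.0.113.10])
\tby inbox.yourprovider.example with ESMTPS; Sat, 8 Nov 2025 09:15:02 +0000
Received: from out.bulkmailer.example (out.bulkmailer.example [192.0.2.44])
\tby mx.yourprovider.example with ESMTPS; Sat, 8 Nov 2025 09:15:01 +0000
Authentication-Results: mx.yourprovider.example;
\tspf=pass smtp.mailfrom=mail.example-institute.org;
\tdkim=pass header.d=example-institute.org
From: "Example Institute" <info@example-institute.org>
To: you@yourprovider.example
Subject: Help us cover the legal costs

Thank you for standing with us.
"""

# spf=<verdict> smtp.mailfrom=<domain>; dkim=<verdict> header.d=<domain>
AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)(?:[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.@-]+))?"
)


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Each hop prepends its own Received line, so header order is newest
    first; reverse it to read from the origin towards your provider."""
    hops = msg.get_all("Received") or []
    return [re.sub(r"\s+", " ", str(h)).strip() for h in reversed(hops)]


def auth_results(msg):
    """Map 'spf'/'dkim' to (verdict, domain) as reported by your provider."""
    out = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for mech, verdict, dom in AUTH_RE.findall(str(hdr)):
            dom = dom.rsplit("@", 1)[-1].lower() if dom else None
            out[mech] = (verdict.lower(), dom)
    return out


def org_domain(domain):
    """Assumed approximation of the DMARC organisational domain: the last two
    labels. Real DMARC uses the Public Suffix List, so this is wrong for
    suffixes such as co.uk; it keeps the example offline."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment: same organisational domain."""
    return auth_domain is not None and org_domain(auth_domain) == org_domain(from_domain)


def assess(raw):
    """Summarise what a manual header check should conclude."""
    msg = parse(raw)
    from_dom = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    ret_dom = parseaddr(str(msg.get("Return-Path", "")))[1].rsplit("@", 1)[-1].lower()
    auth = auth_results(msg)
    spf_res = auth.get("spf", ("none", None))
    dkim_res = auth.get("dkim", ("none", None))
    spf_ok = spf_res[0] == "pass" and aligned(spf_res[1], from_dom)
    dkim_ok = dkim_res[0] == "pass" and aligned(dkim_res[1], from_dom)
    chain = received_chain(msg)
    return {
        "from_domain": from_dom,
        "return_path_domain": ret_dom,
        "spf": spf_res,
        "dkim": dkim_res,
        "dmarc_aligned": spf_ok or dkim_ok,  # what a DMARC pass requires
        "origin_hop": chain[0] if chain else None,
    }


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, assess(raw))
```

The point the two samples make is that “spf=pass” and “dkim=pass” on their own prove nothing: the phishing message passes both, but for a domain nobody claimed to be. Alignment with the visible From domain is the check that separates the two, and it is the same check your provider performs when it evaluates DMARC.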

Part V — Practical Checklist: Spotting Manipulation

  • Specifics or nothing: program name, department, official URL.
  • No fees for money: never pay “delivery,” “clearance,” or “verification” fees to receive funds.
  • Timeline sense: does the story fit the current moment, or does it smell like a pandemic-era template?
  • Route yourself: for legit appeals, type the known site in your browser. Do not click the email button.
  • Slow the pace: taking time forces your System 2 to engage.

Conclusion

Scammers run a numbers game that counts on speed, stress, and vague authority. Legitimate organisations expect scrutiny and can point you to verifiable sources. The simplest defence is a habit: ask for specifics, read the headers, and never let urgency make your decision.


About the author

J. André Faust explores the structural entanglements of politics, economics, and society. His work follows a layered-systems approach that traces feedback loops and updates beliefs in light of new evidence. He writes and produces under the banner The Connected Mind.