**WARNING: This article contains explicit and disturbing subject matter and images. Before opening the article be aware, and do not do so if you may be sensitive to images of extreme violence.
**DISCLOSURE: While I am contracted to Microsoft Corporation, I am not an employee. The articles that I write are not meant to represent the company, nor are they meant to represent me as an employee or spokesman for the company. As has always been the case, all articles on this website represent me and nobody else.
Smishing (NOUN)
The fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.
Spear Phishing (NOUN)
The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
Neither of these terms was new to me when I woke up Saturday morning. I have taught enough IT Security courses, consulted with enough clients, been involved in enough cases… not to mention been targeted on enough occasions, that even if I did not know the actual terms (I had to search my memory banks for the smishing term before my first cup of coffee) I would have recognized the text for what it was.
Over the course of the last few days I have received three smishing attempts. One from my bank and one from a bank that I do not deal with. They both included a link to click and recover my account. I ignored both of them. I did not click the link, I did nothing. And then there was the other one.
Saturday morning at 7:52am (EDT) I received the following text message on my phone:
Los Angeles, CA
Full Name: Mitchell D Garvis
Current Home Address:
117 XX Street
Los Angeles, CA 9***2
Listen well to what I am going to tell you, my name is XXXX XXXXXXXX , the boss of the girl who wasted his time, who has to answer for that money that my girl stopped earning $ 1800 because of you ‘if he does not pay me for the good It will be for the bad because I have your address and all of your family, look what will will happen to him if he does not pay me okey
So you have until today For you to pay $ 1800 motherfucker I hope it is clear to you or your family will also suffer the consequences I am not a man of games I am a man of my word and I promise that if you do not pay the consequences they will be fine great with you and your family Okay.
(Writer’s Note: on advice of a colleague I have removed the three extremely graphic images that accompanied the message, one of which included a decapitated head. These images were not for the faint of heart, and really do not belong on this site.)
Please note that I copied the text word for word, spelling and punctuation mistakes included. I have XXed out his name and my address (a previous address, but a real one) for obvious reasons. I call this out because I am not entirely clear as to what is alleged to have happened, to who or to what by who. The only thing that is clear is that anyone reading this would easily come to the obvious conclusion that this is a death threat.
The originating phone number was 224-236-xxxx which places it somewhere in or around Bartlett, Illinois, north of Chicago. That of course means very little, as cellphones travel easily. To wit, I received the message to my Los Angeles cellphone while sitting at the breakfast table in Hamilton, Ontario (Canada).
Most people would be frightened by this message and respond somehow. That, in my opinion, would have been a big mistake. The minute you open a dialog with someone like this you have lost.
I have always told the targets of phishing and smishing attempts – even spear phishing and spear smishing (targeted attacks directed at an individual, rather than a generic ‘Your bank account has been frozen. Click here to recover it’ attack which may have your name at the top (Dear Mitch, or often Dear Mitch@emailaddress.com)) – to simply ignore them. There is nothing to them – hackers buy long lists of email addresses and phone numbers, and then they send out somewhere between hundreds and hundreds of thousands of lines, hoping to catch something. I have no statistics on it, but I suspect they make a lot of money from these scams. Not from me they don’t.
Most smishing attacks do not include death threats.
Over breakfast I analyzed the message.
- They have an address that I lived at for five months when I first got to California, which means it has been more than two years since I moved out.
- They have my name and age correct, although those are not difficult to find off the Internet. In my full name D is not my middle name but my middle initial.
- The name given in the threat is about as generic a Hispanic name as one could think of. On the one hand, this could be an alias, but on the other it could be a real gangster/pimp name. Either way, this was not Inigo Montoya telling me to prepare to die. I have never met an Inigo Montoya, but I have probably met five people with this name, between my time in California and my visits to South America and the Caribbean.
- The grammar and punctuation are terrible. The only thing that tells me is that I am not dealing with a Bond villain. I do not expect most gangster pimps to use Oxford commas… or any commas for that matter.
- There is no woman (prostitute or otherwise) whose time I can remember wasting recently, and certainly not one where $1800 was involved. Unless the woman in question was calling me to talk to me about my car’s extended warranty (I like to mess with them) then I cannot think of any woman who this could apply to.
In short, this is obviously a scam.
Unfortunately, scam or not, this is a death threat. I have to take action, I have to report this to the police. But which police? The originating phone number is from Illinois, my cellphone is from California, and I am sitting in Canada. That makes it not only an interstate crime, but an international crime as well. If I was at home, I would have reported it to the LA County Sheriff, who likely would have gotten the FBI involved. From Canada I thought about looking up the phone numbers, but decided instead to visit the local constabulary… I looked up the closest Hamilton Police station.
The constable on duty was a very nice young man and he took all of the information down and filed a report, giving me the case number. He also looked on the online police resources to see if there was anything else reported that was similar. We had a good chat. He recommended that I block the originating phone number, and I explained to him why I felt that was a bad idea. He agreed that if this was real, keeping the lines open was a way to gather evidence. On the condition that I not return communications, he agreed that I do not need to block the number.
I did try to get him to go one step further. I wanted him to confirm for me that he agreed that this was a viable death threat. When he asked why, I told him that if someone comes up to me and says ‘I’m the guy’ (stating his name) and threatens me, I could consider myself in immediate danger of life and limb, which would mean that I could respond with deadly force. He would not agree to that. Like every cautious police officer should, he told me that if that happens then I should call 9-1-1. Thanks. If this were to happen (news flash: it won’t) then I doubt I would have time to call anyone.
As you read, I had to determine who to report this crime to. Someone suggested I report the incident to the cybercrimes division. While they will eventually be brought in, they may be difficult to find… especially over the weekend. Also, reporting a crime to the Feds (either FBI in the US or RCMP in Canada) is likely not as simple as that sounds. As it happens, there is an RCMP detachment in (or around) Hamilton, Ontario… but wherever you are there will be a local police department, and they will know how to kick this sort of case up to the appropriate authorities. Yes, in many cases there might be jurisdictional disputes; for a case such as this I am reasonably sure that all but the top local police departments (LAPD, NYPD, etc…) will have cybercrimes divisions able to investigate this sort of crime… which they would view as a hoax anyways.
The conversation you are going to have with the police officer will be difficult to start. “Hello, I would like to report a murder” gets their attention more easily than “Hello, someone in a different country who may or may not really exist sent me a text with no follow-up other than he wants me to return his text and give him money, otherwise he might or might not kill me…” See what I am saying? It took me a minute to get his attention. However, starting the conversation with “I would like to report a crime” is usually a good place to start.
If you are worried that the local cops will blow you off, I assure you that will almost absolutely not happen. While this is almost certainly a scam and I am almost certainly in no danger, no cop in the world wants to have ‘This guy reported a threat to me, I blew him off, and now he is dead’ on his record or on his conscience.
Remember, you have nothing to be embarrassed about. You are not making a mountain out of a molehill, you are dutifully reporting a death threat. They know that is what you are supposed to do.
There are myriad cyber threats in the world today. Some are harmless if ignored, but others need to be reported to the authorities. If you get a call from the Social Security Department telling you that your Social Security Number has been suspended, just hang up. When the case involves graphic threats of deadly violence, you should err on the side of caution. Report the incident to the police immediately, because while the text might have come from a call centre in central Asia, it might legitimately be a murderous gangster pimp who is prepared to kill you for $1800.