It was in 2010. My kid had made a fuss about going to day-care so my wife and I were late walking to work. The cafe we always stopped at for a coffee had longer lines at that hour, so I stood in line while she sat down and read a paper.
I had reinstalled my phone's OS the day before - the same day I'd had three different articles come out. I was hearing from a lot of people about those articles, *and* I was having to re-key my password in a lot of websites because I'd blown out my browser preferences with the reinstall.
Standing in line, I got a DM from an old friend: "Is this you?" followed by a URL. I clicked it, and my browser opened, then redirected to Twitter.
I sighed, thinking that I needed to find the system setting to tell my phone to open tweets in the Twitter app. I typed my Twitter password into my browser, and ordered coffees.
As I was handing my wife her coffee, my phone buzzed three more times. It was three more DMs, from three more old friends: "Is this you?" and the same URL.
My guts twisted. I'd just been phished.
The Twitter worm that got me was simple: they took your Twitter password, logged in as you, and DMed all your friends with "Is this you?" and a phishing URL that looked like Twitter's login screen. The URL started with https://twitter.com, but continued with .scammysite.com (my mobile browser only showed me the first part).
I got fooled because of a perfect alignment of vulnerabilities - late, long line, new OS, new publications, bad browser design, inattentiveness.
If the first phishing DM had come in 5 minutes later, in the flurry with the three others, I'd never have been caught. If we'd been on time and I'd received the DM while at my desk on my laptop, I wouldn't have been caught.
It's easy to sneer at people who get fooled by phishers, but imagine this: you are buying a house. You've just gone into escrow. You get an email or a phone call or a text from your bank about your mortgage, telling you that you have to complete another form.
It's probably not even the first time that's happened - buying a house often requires going back several times to complete new forms! It's high-stakes, high-tension, and the market is so hot that if you miss a form, the house might go to someone else. Maybe you've already given your landlord notice or sold your own house.
Do you triple-check the URL your bank gives you? Does it even matter? Your bank is probably using half a dozen fintech services to close your mortgage and escrow.
You're already routinely transmitting sensitive data to companies you've never heard of.
I get dozens of phishing emails like this every day, but I'm not actually buying a house, so I ignore them. But if I got one of these on the morning that I was closing on the deed? While juggling movers and finance and maybe a new job and a new school for the kid in another city? I'm not so sure. If you're honest, you won't be so sure, either.
That's the thing we miss about scams - they're scattered like dandelion seeds. The cost of adding another email address to an untargeted scam is close to zero, and the scammer doesn't care whether that email is deleted unread anymore than a dandelion cares whether one of its seeds falls on concrete.
The dandelion's reproductive strategy isn't to ensure that every seed takes root - it's to ensure that every crack in every sidewalk has a dandelion growing out of it.
11 years ago, I got phished. I immediately realized my mistake and changed my Twitter password, but, like many people then (and now!), I'd reused that password elsewhere.
I'd created my Twitter account while standing in line for a Game Developer's Conference press pass, after Ev Williams sent me an invite to the beta.
I didn't think I needed a good password for it, because it was a toy that sent you updates about other people's lunches over SMS. Half a decade later, I had tens of thousands of followers and the account was key to my professional life.
The person who phished me hadn't targeted me. I was fooled by an embarrassingly blunt and transparent ploy. Is there any way I could have avoided this?
Perhaps. But not by maintaining perfect vigilance, or by never being harried or hasty. The blame-the-victim school of unattainable security locates the infosec pandemic's problem in human frailty, rather than bad systems.
Good security advice transcends this, and Ars Technica has just published an outstanding guide to securing your online life, in two parts, written by Sean Gallagher.
Part One ("The Basics") lays out both a way of thinking about security (particularly dispelling the notion that criminals won't target you because you're no one special), and a set of (mostly) simple steps you can take to defend yourself against opportunistic, untargeted attacks:
Part Two ("The Special Circumstances") offers advice for people who might be specifically targeted by attackers. That's not just one percenters and politicians - it can include people whose ex-spouses harass them with stalkerware, middle-schoolers targeted by bullies, and more.
Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.