He is a master of the simplest “hack” of all — impersonation. In recent months, he has pretended to be White House officials like Jared Kushner and Reince Preibus or even Eric Trump. And it worked. He fooled plenty of people who should have known better, including Anthony Scaramucci, former Utah governor and presidential candidate Jon Hunstman, Homeland Security Adviser Tom Bossert — and Trump’s son, too. In the past, he’s tricked high-profile British banking officials. More recently, he was able to get a response from Harvey Weinstein and long-time advisor Lisa Bloom.
Now, the notorious email prankster — his real name is James Linton — is talking to me about trying to help people avoid these kinds of attacks. In an exclusive interview with me, Linton explains how he does what he does, and how you and your company can adopt an approach that protects against such attacks.
To refresh your memory, Linton’s technique is trivial, but effective. The prankster simply registers email accounts like Reince.Preibus@mail.com and starts sending messages. He often does this at times of intense news interest, when targets should really be on high alert — but instead, are often highly impetuous. In the case of Scaramucci, he fell for the hoax hook, line and sinker.
In one part of a typical dialog, the fake Preibus said, in part, “The way in which that transition has come about has been diabolical. And hurtful. I don’t expect a reply.”
Scaramucci, believing the message was authentic, responded: “You know what you did. We all do. Even today. But rest assured we were prepared. A Man would apologize.”
The hoax exploits an age-old problem with the way the Internet was built: It’s pretty easy for people (and computers) to lie about who they are and where they are.
The attacks are mostly a stunt, but they are a form of something that’s rampaging through the business world right now – executive ID theft. Workers around the globe are falling for fake emails like this and taking real steps that cost millions. The FBI has called the crime – which goes by the pedantic name “business email compromise” – one of the fastest-growing digital cons. One technology company reported in an SEC filing in 2015 that it had been hit by a con that led to “transfers of funds aggregating $46.7 million.” In one version of the crime, the fake executive sends an urgent message asking that money be wired to close an international business deal. Given the power relationships involved, assistants often comply.
So it’s worth listening to Linton as he describes why people fall for this simplest of social engineering tricks, and what you might do about it.
Bob: Many people think they could never fall for this kind of thing. The vast majority are sadly wrong, I think.
Linton: I agree with you entirely, anyone – no matter what their technical background – could fall for the tricks I do. Obviously for the most part I’m after a humorous exchange, so my tone of voice rapidly moves towards the more bizarre end of believability. I also know very little about the dynamics and internal setup within the company the ‘mark’ works at. Are they all based at the same site? Same timezone? Office-based? Mobile? Etc… So with a little help from an internal observer, a lot assumptions I make an educated guess at …. could be confirmed and the ‘attack’ could be infinitely more targeted and dangerous.
Bob: What should someone do to protect themselves from….well, you? And folks like you?
All that being said, I believe protection from this type of attack needs to come from the mail app you’re using. I’ve lots of ideas about how this could be done, both at company and individual level. I’m hoping to find someone to partner up with going forward, it would be great to use my experience to make everyone a little safer.