Brexit of Champions: Britain's About to Get Eaten Alive by Phishing Scammers

By dan on June 28, 2016

"In confusion there is profit."

A spectre is haunting Europe - the spectre of the Brexit. The left fears isolationism and xenophobia; the right anticipates getting blamed for years of bureaucratic disentangling from the EU. And everyone is on the lookout for a global recession, or worse.

So who will benefit from the Brexit? Those who profit from confusion. The Brexit is a once-in-a-generation opportunity for phishing scammers, who now have greater access than ever before to England [1], a wealthy country of 53 million. I'll explain how by focusing on the three parts of every effective phishing attack: a sense of urgency, false claims to authority, and a request for sensitive information.

Part 1: Generating Urgency

What is urgency? The fear of failing to act quickly enough. Scammers have many ways to make you afraid. Extreme ones include threats of imprisonment and even assassination - which, granted, are closer to extortion than typical phishing on the spectrum of email fraud.

A more common fear that scammers exploit is the fear of missing an opportunity to quickly and easily make a bunch of cash. The bigger the opportunity, the rarer it is, the greater the urgency. The greater the urgency, the more likely the victim will lower their guard, and the more money and sensitive information they will likely surrender. Scammers exploit this fear with phrases like "This is your last chance to..."

The Brexit promises endless waves of "last chances": your last chance to buy high-end products before new tariffs kick in, your last chance to invest abroad (or start a foreign bank account) without the government knowing, etc. The truth of these claims doesn't matter; they just have to sound plausible by being in the news, as phishing scammers regularly exploit topics in the headlines.

Part 2: Claiming Authority

Of course, these opportunities must come from a credible authority. As an American, I know to be wary of anyone claiming to represent the IRS during tax season. But will every Briton know to be on guard against every possible representative of British and EU bureaucracy? After 40+ years of political and economic integration, every aspect of British life could at least conceivably be touched by European Union law.

Imagine a Mancunian waking up to an email claiming to be from Her Majesty's Passport Office, threatening a huge passport re-issuing fee if they don't pay £50 right now. Or a Briton working in Berlin who's instructed to confirm their personal identification info immediately to qualify for a work visa. This is a threat for every Briton who works in Europe, travels in Europe, or does business with Europe - in other words, almost everyone in this small island country.

There are over 400 government agencies in the UK. It's hard enough for Americans to remember to watch out for IRS scams between January and April. What will it be like for citizens of England and Wales, who, for at least the two full years it will take Article 50 to resolve, will have to beware scams from everyone from the Department for Work and Pensions to the Land Registration Rule Committee?

Part 3: Requesting Sensitive Information

Most hackers target two things: money and data. The Brexit is a rich opportunity for both. Bank account information? Health conditions? Every aspect of a Briton's life is fair game for one government agency or another, either in the United Kingdom, the European Union, or both.

Starting now, a hacker can create an effective phishing email from an official-looking address, with an urgent call to action, requesting virtually anything they could hope to find out.

(I hope this doesn't come across as a libertarian screed. My American life is subject to any number of private sector bureaucracies. Between navigating health insurance paperwork and being subject to credit card companies' terms and conditions, my existence is likely as regulated as that of a Briton - quite possibly with less to show for it.)

What's Next?

Hacking is a two-way relationship. Hackers constantly refine their existing tools and develop new ones; hacking targets get savvy and use more secure services.

I don't foresee a datapocalypse for Britons. Instead, I anticipate that resisting phishing attacks will become something of a national pastime. People will follow the latest scams just as they follow the weather, football, and, yes, the grinding details of the Brexit that started it all.

Notes

  1. As a citizen of the United States, I'll definitely mix up England, Britain, and the UK. My apologies. 

Updates

My man Cory Doctorow at BoingBoing has already spotted a phishing email, aimed at BitCoiners, sparked by post-Brexit anxiety:

It's the first phishing email aimed at Bitcoiners that I've seen. My guess is that its timing has something to do with the current, post-Brexit currency market instability, which has seen a spike in btc value, and this has doubtless led a lot of newbies into Bitcoinland, where crypto is magic and anything is possible. 

