“Perhaps the most visible change is the push for phishing-resistant authentication—methods like passkeys, hardware-backed authenticators, and device binding…. This shift signals that yesterday’s non-phishing-resistant MFA (SMS codes, security questions, and email OTPs) is no longer enough because they are easily compromised through man-in-the-middle or social engineering attacks like SIM swapping.”
I still receive “snail mail” at home. And every time I look at it I get enraged.
In fact, I’m this close to opening most of the pieces of mail, removing the postage-free reply envelope, and returning it to the originator with the following message:
Thank you for contributing to rampant identity theft.
How do companies, possibly including YOUR company, contribute to identity theft? Read on.
Snail mail, a treasure trove of PII
Let me provide an example, heavily redacted, of something that I received in the (snail) mail this week. I won’t reveal the name of the company that sent this to me, other than to say that it is an automobile association that does business in America.
John Bredehoft
[HOME ADDRESS REDACTED]
John Bredehoft…
You and your spouse/partner are each eligible to apply for up to $300,000.00 of Term Life Insurance reserved for members – and with Lower Group Rates ROLLED BACK to 2018!
… SCAN THIS [QR CODE REDACTED] Takes you right to your personalized application
OR GO TO [URL REDACTED] and use this Invitation Code: [CODE REDACTED]
So that’s the first page. The second page includes a Group Term Life Insurance Application with much of the same information.
And there’s the aforementioned return envelope…with my name and address helpfully preprinted on the envelope.
What could go wrong?
[Image: generated with Google Gemini]
Dumpster divers
Now obviously the sender hopes that I fill out the form and return it. But there is a very good chance that I will NOT respond to this request, in which case I have to do something with all these papers with personally identifiable information (PII).
Obviously I should shred it.
But what if I don’t?
And some dumpster diver rifles through my trash?
Perhaps the dumpster diver will just capture my name, address, and other PII and be done with it.
Or perhaps the dumpster diver will apply for term life insurance in my name and do who knows what.
Thanks, sender, you just exposed me to identity theft.
But there’s another possible point at which my identity can be stolen.
Mailbox diverters
What if this piece of snail mail never makes it to me?
Maybe someone breaks into my mailbox, steals the mail, and then steals my identity.
Or maybe someone breaks into a mail truck, or anywhere on the path from the sender to the recipient.
Again, I’ve been exposed to identity theft.
All because several pieces of paper are floating around with my PII on them.
Multiply that by every piece of mail sent to every person, and the PII exposure problem is enormous.
Email marketers, you’re not off the hook
Now I’m sure some of you are in a self-congratulatory mood right now.
John, don’t tarnish us with the same brush as junk mailers. We are ecologically responsible and don’t send snail mails any more. We use email, eliminating the chance of pieces of PII-laden paper floating around.
Perhaps I should break the news to you.
Emails are often laden with the same PII that you find in traditional snail mail, via printed text or “easy to use” web links.
Emails can be stolen also.
[Image: generated with Google Gemini]
So you’re just as bad as the snail mailers.
What to do?
If you’re a marketer sending PII to your prospects and customers…
Stop it.
Don’t distribute PII all over the place.
Assume that any PII you distribute WILL be stolen.
Because it probably will.
And if you didn’t know this, it won’t make your prospects and customers happy.
On LinkedIn, the hashtag “#opentowork” isn’t the only magic phrase that attracts all sorts of people. I found this out Sunday morning when I reshared my September 26 “Graber Olives is in Foreclosure…But There’s a GoFundMe” post on Bredemarket’s Inland Empire LinkedIn page.
I should note this is Kelsey Graber’s GoFundMe. This is not my GoFundMe.
Anyway, I reshared the post on LinkedIn…and got all sorts of reposts…with additional commentary. The commentary was not addressed to the GoFundMe fundraiser…but to me. (The resharers probably never read my original post; they just saw the word “GoFundMe” and jumped.) I’ve redacted the redirects to WhatsApp…a common fraud scam tactic.
The scammers’ what
Foone Berkeley:
“Hi, I came across your campaign, really impressive work. It reminded me of an independent group I’ve seen quietly helping project owners connect with private contributors who genuinely want to make a difference.
I’m not part of their team, but I’ve seen them support a few people in my circle. If you’re open to exploring new sources of backing, you can reach them directly here:
📞 WhatsApp: [REDACTED]
They usually prefer to speak one-on-one with campaign owners to understand their goals and see if there’s a good fit.
Wishing you continued success, your work truly deserves attention.”
Alex Mary:
“Hello 🌸 I just read your campaign, and it truly touched me. I know how tough fundraising can be, but there are genuine people out there who want to help. A trusted charity once helped me raise over $38,000 after I’d almost given up. If you’d like, you can message them on WhatsApp 👉 [REDACTED] they might be able to guide you too. 💙”
Olivia Williams:
“If you’re looking to grow your campaign donations fast, I truly recommend reaching out to Crowd. She’s an expert in GoFundMe promotions and helped me raise over $180,000 a few months ago! he knows exactly how to attract real donors and get results. You can contact her directly here [REDACTED]”
The scammers’ how
Let’s look at the red flags common to all three:
The person is touched by the fundraising effort, but doesn’t say anything specific about them. (And doesn’t acknowledge that this is someone else’s fundraiser, not mine.)
The person resharing is not the person who can provide help. It’s always someone else: an independent group, a trusted charity, or a woman (or man?) named Crowd.
The person wants to get you off LinkedIn as soon as possible. Private email, SMS, or an encrypted service like WhatsApp or Telegram.
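As an added example that is not part of the original post, here are the three red flags above turned into a small triage scorer for replies to a fundraiser post. The patterns, weights and threshold are my own assumptions; the sample replies are abridged from the three quoted above, plus one constructed benign reply for contrast.

```python
import re

# Heuristics for the three red flags the post identifies. Patterns and
# weights are assumptions of this example; treat the score as a triage
# aid for holding a comment for review, not as a verdict.

# 1. Moves the conversation off the platform (WhatsApp, Telegram, SMS, DM).
OFF_PLATFORM = re.compile(
    r"\b(whatsapp|telegram|signal|text me|sms|dm me|email me)\b", re.I)
CONTACT_EMOJI = (chr(0x1F4DE), chr(0x260E), chr(0x1F449))  # phone, telephone, pointing hand

# 2. The commenter is never the helper; it is always a vague third party.
THIRD_PARTY = re.compile(
    r"(not part of their team|independent group|trusted charity|an expert in"
    r"|reach them directly|contact (her|him|them) directly|helped me raise)", re.I)

# 3. Generic praise with nothing specific about the actual fundraiser,
#    often paired with a large, unverifiable dollar figure.
VAGUE_PRAISE = re.compile(
    r"(your campaign|impressive work|truly touched me|deserves attention"
    r"|genuine people out there)", re.I)
BIG_NUMBER = re.compile(r"\$\s?\d{1,3}(,\d{3})+")

# Sample replies: three abridged from the post, one constructed benign reply.
SAMPLES = {
    "foone": ("Hi, I came across your campaign, really impressive work. I'm not "
              "part of their team, but if you're open to exploring new sources "
              "of backing, you can reach them directly here: WhatsApp: [REDACTED]"),
    "alex": ("Hello, I just read your campaign, and it truly touched me. A trusted "
             "charity once helped me raise over $38,000 after I'd almost given up. "
             "You can message them on WhatsApp [REDACTED]"),
    "olivia": ("If you're looking to grow your campaign donations fast, I truly "
               "recommend reaching out to Crowd. She's an expert in GoFundMe "
               "promotions and helped me raise over $180,000 a few months ago! "
               "You can contact her directly here [REDACTED]"),
    "benign": ("Thanks for sharing this. I grew up near Graber Olives and just "
               "donated through the link in your original post. Good luck to the "
               "Graber family."),
}

def scam_indicators(comment: str) -> dict:
    """Return which red flags fire for one comment plus a total score."""
    flags = {
        "off_platform": bool(OFF_PLATFORM.search(comment))
                        or any(e in comment for e in CONTACT_EMOJI),
        "third_party_helper": bool(THIRD_PARTY.search(comment)),
        "vague_praise": bool(VAGUE_PRAISE.search(comment)),
        "big_dollar_claim": bool(BIG_NUMBER.search(comment)),
    }
    flags["score"] = sum(flags.values())
    return flags

def is_likely_scam(comment: str, threshold: int = 2) -> bool:
    """Two or more independent red flags is enough to hold for review."""
    return scam_indicators(comment)["score"] >= threshold
```

Note that the third reply only reaches the threshold through the helper and dollar-claim flags, since its off-platform contact detail was redacted; a scorer that keyed on WhatsApp alone would miss it.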
The scammers’ goals
So why are these people so willing to recommend helpers who can assist desperate GoFundMe fundraisers? GoFundMe itself has addressed this:
“If someone you don’t know is reaching out to offer something that sounds too good to be true, we always recommend validating the individual before sharing any personal information. Donors and donor networks shouldn’t expect anything from you in return for their generosity.”
Two common tactics include:
Guarantee reaching your fundraising goal in exchange for a service fee or percentage of funds raised
Make a donation if you provide personal information such as email address, phone number, or banking information
There are other tactics, but the goal is the same. Instead of helping you raise money, the “helper” wants to get money from you.
Now there are legitimate companies that assist charities in their fundraising efforts…but they can be contacted via methods other than WhatsApp.
Today’s honeypot
And now that I’ve written this warning, I’m going to conduct a little experiment.
I’m going to reshare THIS post on LinkedIn.
With quotes from the first and fourth paragraphs that include several mentions of the word “GoFundMe”…plus the additional honeypot word #opentowork. (I haven’t planted an opentowork honeypot in a while. Oh, and not that they’ll notice, but the words “fraud” and “scam” also appear.)
[Video: generated with Grok]
Let’s see what moths are attracted to the new flame.
And consider what YOU are doing to fight fraud.
Bredemarket specializes in helping anti-fraud firms market their products.
(Image sources: Gemini (still), GoFundMe, Grok (video). Only the GoFundMe is real.)