Are phishers really trying to steal physical debit cards?

Phishing has become an everyday part of internet life, something most users of email and social media have come to expect — and ignore — almost without thought.

The concept is an old one, with many of the techniques used dating back to well before the invention of the computer, let alone the world wide web. The infamous 419 scam or “letter from Nigeria,” for example, is a minor evolution of the classic “Spanish Prisoner” technique, already considered old hat in 1898.

With the mass adoption of email in the 1990s, the cost of sending out scam messages on a large scale suddenly dropped to almost zero. Almost inevitably, this led to a massive increase in scamming attempts and the emergence of the term “phishing” to describe the new menace, probably sometime around 1995.

So surely in our modern era of instant global communications, no scammer is still using physical snail mail to send out their lures?

According to a rather humorous blog post from security firm MalwareBytes, a letter was sent to U.K. bank customers warning them that their Barclays Bank debit cards have a fault which could cause them to explode. The letter then urges recipients to mail their cards, along with their PIN codes, to an address in Bangalore, India as part of a mass recall.

CHRIS RATCLIFFE/BLOOMBERG NEWS

Although the story has been referenced elsewhere, there is little sign of further supporting evidence that such a scam is really taking place. As the writer of the MalwareBytes post admits, it seems more likely that someone, somewhere is having a little fun mocking the tropes of the phishing scam world.

There are signs that the letter is a spoof, including the very heavy use of typos and misspellings — “costumer” for “customer,” “Molton Keynes” instead of “Milton Keynes,” “precushion” rather than “precaution.”

There is a theory, expounded upon by the writers of the classic “Freakonomics,” that phishers’ renowned bad spelling is actually a deliberate method of weeding out readers sharp enough to spot such errors and ensuring that only the most gullible respond. But in this case it feels like the typos are too frequent, and too perfectly apposite, to be anything but intentionally amusing.

There’s also the problem of cost. Despite the emergence of low-cost remote printing and postage services, it’s still not entirely free to produce and distribute physical letters. The success rate of phishing scams is difficult to measure; one study by Google researchers saw anywhere from 3% to 45% of visitors to a scam form filling in some details (the higher figures probably indicating a more targeted scam), but this does not necessarily mean that usable personal information was revealed. Those percentages also only reflect the actions of those who actually clicked a link in their email to get to the form in the first place, already dismissing anyone who identified and ignored the scam straight off, or whose mail filters blocked it from reaching their inbox at all.

Most phishing campaigns target potential victims in the hundreds of thousands if not millions, in the hopes of defrauding just a small number of marks, and the cost of sending out that many printed letters would be prohibitive. There’s also a big difference between typing a few numbers into a website, and packaging up your debit card and sending it by post all the way to India; the extra effort involved would weed out another tranche of potential victims, as would the extra thinking time.

So, this has every sign of being a satire on the whole phishing phenomenon, another facet of our urge to mock those who threaten us, along similar lines to the popular pursuit of “scambaiting.”

That doesn’t mean, however, that phishing by physical mail is entirely a thing of the past.

Just a few weeks ago, there were reports of malware-infected CDs being mailed to U.S. government agencies from China, in hopes of an unwary recipient popping the CD into their computer and passing the infection on to valuable systems.

As we are ever more inured to email phishing and grow better at spotting it, more targeted scams may have a better chance of success if carried out by post rather than email. A classic example is the “please change my account details” scam, usually a variant of Business Email Compromise.

There’s at least one instance of this succeeding in the real world, where the Guernsey government was tricked into sending a payment of £2.6 million to scammers posing as a contracting firm engaged on a major airport project. In that instance, the request to update account information was sent as a physical letter.

There are also, of course, all manner of other scams still being carried out by snail mail, mainly fake competitions and pyramid schemes.

It seems we still need to exercise similar care when reading and actioning mailed letters as we do with our email inboxes, especially when payments are involved. But for the most part, phishing is still confined to the digital world.