What does business email compromise (BEC) have to do with the vanity anthology scam?
“To be part of this exciting project, all you have to do is pay $700 by Jan 1!”
I’m a writer. I’m also a woman in tech. When I saw the call for writers in a Reddit channel, looking for women in tech to write an essay about their career for an upcoming book, I was interested. Very interested. I filled out the Google form.
On December 22, I got a group email announcing a project meeting at 6pm that day. A little short notice, and the message didn’t indicate the time zone, but OK. Replying to the group, I clarified the time zone and decided I could attend.
We met on Google Teams. The woman running the meeting seemed uncertain how to run a virtual meeting, which was strange because she billed herself as the chief information officer (CIO) of a large organization and, well, it’s 2022. “We’re always learning!” she announced to the 20 or so women as she struggled to get the video and screen share to work.
She devoted the first 15 minutes of the presentation to her professional background, which demonstrated that she was a “Visionary.” She even referred to herself that way on the typo-ridden slides. Visionary, upper case. She covered the many benefits of the book project for this select group. Visibility in our profession, authority, marketing, inspiration, you can’t be what you can’t see. Our stories would inspire generations. Generations.
By the time she got to the part where we needed to give her a nonrefundable $700 by Jan 1st to be included in this inspiring project (or $100 now and three easy payments!), I knew we were in the middle of a scam. Specifically, the vanity anthology scam. Most professional writer organization websites cover it in detail.
Different con, same rules
So why should this story interest cybersecurity people?
I’m fortunate to work for a security company. When this scam presented itself, I’d just completed our annual internal security training, and was hyper-vigilant about everything, so I saw this swindle for what it was. Because we’re assaulted by an array of ad, marketing, economic, and partisan pitches every day, we’ve evolved pretty good BS detectors. But scammers are evolving too.
In this case, the Visionary employed tactics very similar to what we commonly see in BEC scams.
- Sense of urgency: the first meeting happened just as most people were starting their holiday break, with all the bustle that goes with it. We were given about six hours’ notice of the meeting. Payment was due in a week. This was all very fast at a time of year when people are already overloaded with commitments and tasks.
- Typos and other language issues: writers are especially sensitive to typos and dropped words because, well, words are our air. The slides had typos and missing words. Not what I expect of a CIO.
- Uncertainty in using basic tech: the Visionary didn’t know how to share her screen initially. In 2022. After two years of remote pandemic work. Additionally, she was a CIO. A basic familiarity with simple conferencing and presentation tools is expected. And this was a project for women in tech, so technological fluency should have been a given.
- Person of authority: She used her résumé to assert credibility and emphasized how important the Visionary is in the world of tech.
- Too good to be true: being included in this project would enhance our careers and inspire generations. She said the volume would be an Amazon Best Seller. That’s a lot for any book, much less one that’s essentially self-published.
In the end, the message is that people are people and bad guys are bad guys. The lessons we learn from “real life” apply to the cyber world, and vice versa. My awareness of BEC tactics helped me sniff out the Visionary’s grift. Take your sensitivity to the iffy product and service claims you encounter in everyday life with you when you log in.
And maybe that’s how we inspire generations.