I’m sure most here wouldn’t be foolish enough to fall for some targeted spear-phishing scam. However, many regular people out in the public do fall for these sorts of things all the time. I see this regularly at my job.
We’ve recently been the recipient of targeted scams that try to trick our users into buying gift cards. The scammer creates an email address on another email provider like Gmail with a similar-looking email address to a department head’s and will also create a legitimate-looking signature at the end of the email. They start off by emailing all of the addresses for that department or area that they were able to pull from the web, sending an email similar to “are you around?”. The name on the email is the same as their department head’s, so anyone not being cautious enough to realize the address is from outside our email domain may start replying to the scammer. After a few back-and-forth emails the scammer will reply with something like “I’m in an important meeting right now but need some gift cards right away to send to person X, could you please go to the store and buy $100 in gift cards and email me photos of the cards”. They also specifically instruct the victim to scratch off the back of the gift card for the security code and to send photos of the front and back of the cards. Some of you reading this are probably thinking to yourselves that no one is dumb enough to fall for this. PLENTY OF PEOPLE ARE FOOLISH AND GULLIBLE ENOUGH TO FALL FOR THESE TYPES OF SCAMS!
We’ve had dozens (yes, dozens) of users at my job who have fallen victim to these targeted gift card scams. Some end up being taken for several hundred dollars. My point here is that if the reward is significant enough, a malicious person will figure out some social engineering method to get what they want. While I hope that Tesla never experiences any data breaches, it’s not guaranteed that they never will. All it would take is a partial breach of a customer email database. A malicious party gets hold of a list of Tesla customer email addresses, creates an authentic-looking fake site mirroring the layout of tesla.com, and then sends an email blast out. They can cross-reference the breached email database against other known data breaches of other companies to get names and potentially addresses of their victims. Once they’ve tricked a few people into revealing their passwords, they could use or sell this info.
Tesla needs to offer 2FA for their accounts. I’d even go as far as to say that they should make 2FA required for all logins to the Tesla mobile app from any mobile device that has not previously logged into the Tesla account.
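An added example (my own code, not the poster's) of the mail-filter check that the scam pattern above suggests: flag a message whose display name matches an internal department head while the actual sender address sits outside the organization's domain, and note the gift-card lure phrasing the post describes. The internal domain, the roster of department heads and the sample messages are all constructed.

```python
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.edu"                  # assumption: the organization's own mail domain
DEPARTMENT_HEADS = {"jane doe", "robert smith"}  # assumption: constructed roster of internal names
HONORIFICS = {"dr", "mr", "mrs", "ms", "prof"}
# Phrases taken from the scam flow described in the post (opener, urgency, gift-card ask)
LURE_PHRASES = ("are you around", "gift card", "in a meeting", "scratch off", "photos of the card")


def normalize_name(name):
    """Lower-case, strip punctuation/honorifics so 'Dr. Jane Doe' and 'jane doe' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in HONORIFICS)


def is_internal(addr):
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def is_display_name_spoof(from_header):
    """True when the display name is a known department head but the address is external."""
    display, addr = parseaddr(from_header)
    if not addr or is_internal(addr):
        return False  # no address, or a genuinely internal sender
    return normalize_name(display) in DEPARTMENT_HEADS


def lure_phrases_in(text):
    lowered = text.lower()
    return [p for p in LURE_PHRASES if p in lowered]


def assess(msg):
    """Return the list of reasons a message looks like the gift-card impersonation scam."""
    reasons = []
    if is_display_name_spoof(msg["from"]):
        reasons.append("display name matches an internal department head but sender is external")
    hits = lure_phrases_in(msg.get("subject", "") + " " + msg.get("body", ""))
    if hits:
        reasons.append("gift-card lure phrasing: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one legitimate, one opener, one gift-card ask, one unrelated external mail
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.edu>", "subject": "Budget", "body": "See attached."},
    {"from": '"Jane Doe" <janedoe.example@gmail.com>', "subject": "Quick question", "body": "Are you around?"},
    {"from": "Dr. Robert Smith <rsmith.office@outlook.com>", "subject": "Urgent",
     "body": "I'm in a meeting, please buy $100 in gift cards and scratch off the back."},
    {"from": "Newsletter <news@vendor.com>", "subject": "Gift card promo", "body": "Save 10% today."},
]
```

Any message with two reasons is the full pattern; a single lure-phrase hit from a known vendor (the last sample) is just noise and should not page anyone.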