Yes, that would be a hoax

These messages used to regularly do the rounds on email systems, in recent years social media has replaced e-mail as the medium of choice to share information with friends and family and a ‘share’ is sometimes easier than a resend.

As a general rule, we are not running the same level of spam filtering on our social media as we run on our email systems and the messages do not get automatically highlighted as suspicious.

Why is this an issue? From an IT Security perspective there is a greater chance of active click through on social engineering attack vectors when the general public has a general acceptance of hoax messages. The reactive response is a risk factor.

An example that was doing the rounds on Facebook this week.

Paper-on-Rear-Window Carjacking Scheme


Recently we parked in a public car park. As we drove away I noticed a sticker on the rear window of the car. When I took it off after I got home, it was a receipt for petrol. Luckily my friend told me not to stop as it could be someone waiting for me to get out of the car. Then we received this email yesterday.



Heads up everyone! Please, keep this circulating… You walk across the car park, unlock your car and get inside. You start the engine put it into reverse.

When you look into the rearview mirror to back out of your space, you notice a piece of paper stuck to the middle of the rear window. So, you stop and jump out of your car to remove that paper (or whatever it is) that is obstructing your view.

When you reach the back of your car, that is when the car-jackers appear out of nowhere, jump into your car and take off.

They practically run you over as they speed off in your car.

And guess what, ladies? I bet your purse is still in the car.

Yes, that warning is a hoax
This warning has been described as a hoax since 2004;
* Paper-on-Rear-Window Carjacking Scheme [urbanlegends]
* Car-Jacking Scheme Warning – Paper on Rear Window [hoax-slayer]
* The Paper Chase [snopes]
* Carjacker Warnings [urbanlegends online]

How do we identify a hoax?
The best advice I can give for this process is to trust but verify.

1.) Review
Read the message carefully, is it overly dramatic or written in a professional manner? Does it promote alarm, fear and panic (pushing emotional buttons)- or does it read as a press release (informing the reader)?

… the only thing we have to fear is fear itself …
— Franklin D. Roosevelt
FDR’s First Inaugural Address

Generally a hoax or phishing message uses emotive language to get you to act without verifying the message. Seeing lots of UPPERCASE LETTERS and exclamation points!!!!!! is not a good sign. A request to forward the message to everyone on your contacts list is another bad sign.

In the carjacking example above:
* Which Police (jurisdiction, location, etc)?
Jurisdiction is important in this case; awarning for Johannesburg regarding carjacking is more credible than one for Melbourne where there is much less of a carjack culture, in fact it is a relatively rare event.
* Is it official? A passing mention of an authority figure doesn’t impart authority to the message.
* Where, and when was the warning given?
* Is there a link to the official warning?

The warning is missing all the real elements of a police alert … and is pure FUD. In the case of a phishing exercise you may see a software vendor mentioned but no official bulletin or knowledge base article mentioned in the article.

Many current phishing scams, especially well targeted ones, are doing this part very well. A quick check over the initial message doesn’t ring any bells – further checking starts to reveal issues.

2.) Find the source
Don’t be a passive consumer, dig deeper.
* Check for references to other sources of information, does the message cite verifiable evidence?
* Use a search engine to locate the original warning, bulletin, news item or press release.
* Check to see if the message has already been debunked by Websites that debunk scams, spam and hoaxes.

3.) Verify the authority
What is the trust level of the original message? Different sites and authors have different levels of trust eg. an academic journal may have more trust than a MySpace post – do you trust the source?

There’s a guy works down the chip shop swears he’s Elvis
But he’s a liar and I’m not sure about you

— Kirsty MacColl
Theres A Guy Works Down The Chip Shop Swears Hes Elvis

This entry was posted in hoax, security, spam. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.