Hacker News Got Us Spear Phished

by Joe Marshall on June 16th, 2020

When we wrote about our experience with Stripe we got a great response, especially from HN. People reached out to ask for more details, tell us about their own travails, and give their own recommendations. It's been hands-down the most popular article in our still-fledgling blog.

Imagine my surprise then when we got a notice from Stripe in our contact inbox.

[Image: spear phishing email one]

Wait a second - the "e" on that "Stripe" in the "From" field is weird, so is the circumflex over the "o" in the subject...

[Image: spear phishing email two]

The language also sounds a little... desperate? Stripe really wants me to fill in my bank info - it doth protest a little too much. And come to think of it, this isn't the email I've registered with Stripe...

The scary thing about the phishing attempt though is how much it gets right - the Stripe formatting, button design, even the language (mostly) - along with how personalized it felt - the phisher knew we were an early-stage Stripe SaaS dealing with hundreds rather than thousands in payouts. It was enough that, barely thinking, I almost clicked. In the multi-tasking haze of buttons, icons, menus, and other UIs we run into every day, all it takes is an ill-spent second to blindly stumble forward, right onto an outstretched hook.

It has us regarding even our usual Stripe correspondence with a wary eye.
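The three tells described above (a look-alike letter in the "From" display name, an accented letter in the subject, and delivery to an address that is not the one registered with Stripe) can be checked mechanically. The following Python is an added example, not part of the original post; the brand table, addresses, domains and both sample messages are constructed assumptions, and the look-alike map is a small illustrative subset rather than the full Unicode confusables data.

```python
import unicodedata
from email import message_from_string, policy

# Assumptions: the brand's sending domain and the address we registered with it.
BRANDS = {"stripe": {"domains": {"stripe.com"}, "registered_to": "billing@example.com"}}
# Small illustrative subset of Cyrillic look-alikes (not the full UTS #39 table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0455": "s"})

# Constructed sample messages: Cyrillic "е" in the display name, "ô" in the subject.
PHISH = ("From: Strip\u0435 <support@stripe-payouts.example>\n"
         "To: contact@example.com\n"
         "Subject: Acti\u00f4n required: update your bank details\n\nbody\n")
LEGIT = ("From: Stripe <notifications@stripe.com>\n"
         "To: billing@example.com\n"
         "Subject: Your payout is on the way\n\nbody\n")

def skeleton(text):
    """Fold text to a lowercase skeleton: map look-alikes, then drop diacritics."""
    folded = unicodedata.normalize("NFKD", text.lower().translate(CONFUSABLES))
    return "".join(ch for ch in folded if not unicodedata.combining(ch))

def disguised_words(text):
    """Words that contain non-ASCII characters but fold to a plain ASCII word."""
    return [w for w in text.split() if not w.isascii() and skeleton(w).isascii()]

def check_message(raw):
    """Return findings for one raw message (From, To and Subject assumed present)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    rcpt = msg["To"].addresses[0].addr_spec.lower()
    findings = []
    for brand, info in BRANDS.items():
        if brand not in skeleton(sender.display_name):
            continue  # message does not claim to come from this brand
        if not sender.display_name.isascii():
            findings.append("homoglyph_display_name")
        if sender.domain.lower() not in info["domains"]:  # exact match only
            findings.append("sender_domain_mismatch")
        if rcpt != info["registered_to"]:
            findings.append("unregistered_recipient")
    if disguised_words(str(msg["Subject"])):
        findings.append("disguised_subject")
    return findings

if __name__ == "__main__":
    print(check_message(PHISH))
    print(check_message(LEGIT))
```

The subject check also fires on legitimate accented words, so treat it as a signal to combine with the sender checks rather than as a verdict by itself.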

