by Joe Marshall on June 16th, 2020
When we wrote about our experience with Stripe we got a great response, especially from HN. People reached out to ask for more details, tell us about their own travails, and give their own recommendations. It's been hands-down the most popular article in our still-fledgling blog.
Imagine my surprise, then, when we got a notice from Stripe in our contact inbox.
Wait a second - the "e" on that "Stripe" in the "From" field is weird, so is the circumflex over the "o" in the subject...
The language also sounds a little... desperate? Stripe really wants me to fill in my bank info - it doth protest a little too much. And come to think of it, this isn't the email I've registered with Stripe...
The scary thing about the phishing attempt, though, is how much it gets right: the Stripe formatting, the button design, even the language (mostly). It also felt personalized - the phisher knew we were an early-stage Stripe SaaS dealing with hundreds rather than thousands in payouts. It was enough that, barely thinking, I almost clicked. In the multi-tasking haze of buttons, icons, menus, and other UIs we run into every day, all it takes is an ill-spent second to blindly stumble forward, right onto an outstretched hook.
It has us regarding even our usual Stripe correspondence with a wary eye.
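The three tells described above (a look-alike letter in the "From" name, an accented letter in the subject, and delivery to an address that isn't the one registered with Stripe) can be checked mechanically. The following is an added example, not code from the original post; the sample message, the addresses, and the small look-alike table are constructed for illustration and are not the actual phishing email.

```python
import unicodedata
from email import message_from_string, policy

# Brand names expected to appear only in plain ASCII (assumption for this example).
BRANDS = ("stripe",)
# Tiny hand-picked subset of Cyrillic look-alikes, not the full Unicode confusables table.
CONFUSABLES = {"\u0435": "e", "\u043e": "o", "\u0430": "a", "\u0440": "p", "\u0441": "c"}

def skeleton(text):
    """Strip diacritics and map known look-alike letters to their ASCII twins."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):  # drop accents such as the circumflex
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def lookalike_words(text):
    """Words that are not ASCII themselves but fold to a pure-ASCII word."""
    return [w for w in text.split() if not w.isascii() and skeleton(w).isascii()]

def check_message(raw, registered_address):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    for word in lookalike_words(sender.display_name):
        if skeleton(word).lower() in BRANDS:
            findings.append(f"from-lookalike:{skeleton(word)}")
    if lookalike_words(str(msg["Subject"])):
        findings.append("subject-lookalike")
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses}
    if registered_address.lower() not in recipients:
        findings.append("unregistered-recipient")
    return findings

# Constructed sample: Cyrillic "е" (U+0435) in the display name, "ô" in the subject,
# sent to a public contact address instead of the registered billing address.
SAMPLE = (
    "From: =?utf-8?q?Strip=D0=B5?= <notice@mail.example>\n"
    "To: contact@shop.example\n"
    "Subject: =?utf-8?q?Acti=C3=B4n_required?=\n"
    "\n"
    "Please confirm your bank details.\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE, "billing@shop.example"))
```

The subject check flags any accented word, so it suits a mailbox where the real sender writes in unaccented English; for other languages, restrict it to brand names as the "From" check does.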