American View: Looking at phishing attacks through red, white, and blue tinted glasses

Fraud Prevention27 May 2025

It’s nice to see scammers taking time out of their busy schedules to thank us veterans for our service. I’d rather they send me a bottle of Bowmore than send me a phishing attack, but hey … it’s the thought that counts, right?

Yesterday was Memorial Day weekend in the USA … While it’s supposed to be a day of somber remembrance for our nation’s fallen squaddies, it’s more popularly known as the unofficial beginning of summer. That’s almost believable here in Texas where the weekend started off sunny and 38 degrees (in y’all’s reckoning). It’s traditional that everyone cooks outside on the grill over Memorial Day weekend whether they want to or not. What doesn’t generally happen between all the sunbathing and the outdoor cooking is anything that commemorates the fallen. Unless you think getting an extra 5% off on the purchase of a new mattress somehow “honours” soldiers’ and sailors’ memory.

Today, though, I got a lovely surprise in my inbox: a high priority security alert from a credit union that primarily caters to military families. There was a grave problem, it warned, with a recent deposit that I’d made. I needed to log into the bank’s security messaging portal ASAP, it insisted, to get things sorted before I encounter an insufficient funds problem. How mortifying!

Exceeeeeeeeeeept … no. While I appreciated the scammers’ use of a pro-military financial institution to give their malarkey a veil of legitimacy, the baddies botched just about everything else in their phish design. Sure, their use of stolen logos and visual style was top-notch, but the targeting left an awful lot to be desired.

“OMG, you really thought I’d fall for that?!?”

First off, I’m not a customer of this financial institution. Kinda makes it hard to have deposit problems with them when I don’t have an account there and there’s no reason for anyone at that bank to know who I am. Swing and a miss, fellas.

Second, my email account the scammers sent their “alert” to isn’t one that’s ever been associated with anything financial. There’s no way that any bank, credit union, credit card company, loan shark, or money laundering crypto loon could ever associate it with either me or with my finances. To be honest, I’m amazed they even thought to target that account.

Third, I know this institution and how they operate. I was – very briefly – a secondary signature authority on an account for a military unit there between 2002 and 2003. I’ve been to their branch on base, and I’ve dealt with their obnoxious approach to paperwork (hence, why I’m not one of their customers to this day). It’s been a long time, but I know that this institution has a 24/7 customer support line because they print that phone number on everything.

There were other tells as well. The email “alert” didn’t address me by name or reference any account number since it was obviously hurled at a few million random target email addresses. The sender’s email was hosted on a consumer-focused free email service. The hyperlink to the “secure messaging portal” went to a wacky non-commercial domain that reeked of “recently pwnd.” Everything about this phish was easy to detect if you invested two seconds to give the phish some scrutiny.

We’re not talking “C.S.I. Gmail” here. Danger Mouse could solve this mystery.

Overall, this phish is an excellent practical example that I can use to teach friends and family how and where to look to find the clues that prove a suspicious email is a phish. Those are always welcome.

That, however, wasn’t what made me happy to get this silly little phish. I appreciated that the designer of this phish must have studied American life since they made an association between the bank they were spoofing and the time of year when they’d be blasting out their phish. The designer created a little unconscious synergy to improve their chances of hooking a victim. “It’s Memorial Day in America,” the designer must’ve mused, “so my targets are presumably thinking about the military.” A fake “alert” from a military-focused institution should seem 5-ish percent more realistic. Maybe out of a million messages they’ll net themselves a profitable number of victims. It’s putting in some effort, and I appreciate that. Good job, nameless criminal!

This is not to say that I approve of cybercrime. Obviously, scamming current and retired veterans out of their savings by stealing their banking login credentials warrants a Hellfire missile colonoscopy. It’s not like we can’t afford to flatten a few office parks what with an $85 billion defence budget.

No, what I appreciate is the attention the scammers gave to our culture. Sure, they do that all the time when they’re spearphishing; the entire point of a good spearphish is to resonate so strongly with the victim that the lure is irresistible and engagement is all but guaranteed. Spearphishing takes effort, though and this was a generic spray-and-pray attack. They baddies were probably hoping for a 0.001% success rate to make a profit. They likely didn’t have it in the budget to hire a designer or consultant who had personal experience with both American holidays and veterans’ affairs … but they chose to put in the extra work. Nice.

The image of dedicated professionals synergizing their world-class skills to achieve a win-win stretch goal is inspiring. Just like those motivational lithographs in the break room!

Or, and this is just a wild idea, this phish could represent a side effect of the USA’s mortifying obsession with deporting every immigrant, university students, and foreign workers. Sure, it’s economically suicidal policy. This blatant xenophobia does serve a specific purpose: it’s self-destructive theatre intended specifically to appeal to America’s virulent white nationalist population through sensational institutional cruelty. The use of government power to bully vulnerable groups is a heady power fantasy that authoritarians, zealots, bigots, and violent whackadoos crave. It’s also a killer technique for keeping outraged voters focused in the wrong direction while oligarchs rob us all blind.

One (of many) negative side effects of terrorizing and expelling foreign guests is the creation of enemies where none previously needed to exist. What happens when you welcome a guest into your home with the promise of safety, prosperity, and opportunity, then turn into frothing mad demonic host and chase them out again? They get pissed off, that’s what. When – if! – these former guests make it home, they’re bringing a ton of up-close analysis of American life with them. They understand where and when we’re most vulnerable and are motivated to use that experience to hit back.

But that’s just crazy talk. That could never happen, right? We can’t be deliberately creating an entire generation of highly motivated adversaries just so a tiny fraction of Americans can get away stealing a bunch of other Americans’ money. That’s just a crap adaptation of 1988’s Die Hard. It’s the kind of implausible social collapse predictions that cyberpunk fiction require to justify their grimdark settings.

No, that would be too horrible to contemplate. It’s probably the output of some enlightened cybercrime group’s HR initiative to become more culturally sensitive. That fantasy sounds much less apocalyptically dystopian. Pleasant, even. As a bonus, if you buy into this sugar-sweetened lie, you don’t have to think about fallen squaddies at all … and certainly not face the fact that the country those hundreds of thousands of brave squaddies died to preserve is being gutted for the sake of a quick buck and the right to say racial slurs in public again.

Right? Can’t be …

Fraud Prevention