I got an interesting phishing email on Friday alleging to be from the Ohio Business Gateway, the portal that small businesses have to use to file their Ohio Sales Taxes. The phish builds credibility by including good security advice like changing your password regularly and keeping your anti-virus software up to date. But then it goes on to demand that you “Download and install OBG Secure Software” and, of course, claims that failure to comply will result in the shut-down of your account.

There were a lot of signs that it’s a phish – poor grammar, hidden link destinations and generally suspicious content. On the other hand, it’s from the government… I have to admit that even after reporting it as a scam, I kept wondering if the email was a legitimate but incredibly clumsy attempt to roll out new security software. Lord knows, the state could use some investments in this area.

As it turns out, the Department of Taxation confirmed that it’s a scam in an email sent out Monday. They also updated their website with an alert. Unfortunately, the legitimate message warning users about the phish got caught in my spam filter even though the original phish came through unhindered. I’m not sure what that proves except that Murphy is alive and well.

A couple of interesting aspects to this phish.

  1. It was sent out on the Friday before Memorial Day. Either the scammers got lucky or they were deliberately trying to get an extra day or two exposure before the government’s security staff could find and react to the scam. I guess we need to add to our list of suspicious clues “any ‘alert’ email sent right before a major holiday”.
  2. The list appears to have been targetted only to people who have accounts with the OBG portal. (I’m on the list because I submit taxes for the local bee club.) It’s possible that they hacked the site to get the list but my guess is that the spammers just used some public records law to make an open request. Be suspicious even – perhaps, especially – when you actually do have an account with the organization.

Remember, it’s not paranoia when they really are out to get you.

Leave a Reply