How the world's leading breach expert got phished

I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me in PITTSBURGH on May 15 at WHITE WHALE BOOKS, and in PDX on Jun 20 at BARNES AND NOBLE. More tour dates here.

If you can't spot the sucker at the poker table, you're the sucker. Also, if you think you can't get phished, you're the sucker.

I've been successfully scammed six times in my life. Each time, the scam relied on the confluence of several factors that yielded a fleeting moment of vulnerability that some scammer was able to exploit by being in the right place at the right time. I had to be lucky always, they only had to be lucky once.

The first time I got scammed was in 2008, on my first trip to India. As I walked toward the Mumbai airport taxi queue at 2AM, I was approached by two uniformed airport security guards who told me that the taxi rank had been moved in the wake of a recent terrorist bombing in Islamabad, which had resulted in all the regional airports going on high alert. The bombing was real, the airport high alerts were real. The security guards – not real. They were scammers, working with a fake cab that charged me $200 for a $20 taxi ride.

I got scammed again this way in Shanghai, at the Pudong taxi-rank. I was with my wife, daughter and parents and we split into two cabs and the drivers colluded to turn off their meters and charge us extremely high cash fares, dropping us across the street from our hotel so we couldn't enlist the doorman to interpret. Again, it was very late at night, things were confusing, and we'd had to wait for more than an hour for the cab, so we were exhausted and sweaty and divided into two groups so we couldn't coordinate strategy.

Then there was the time I got successfully phished by a Twitter account takeover worm:

https://locusmag.com/2010/05/cory-doctorow-persistence-pays-parasites/

That was also a miracle of timing – for the scammers. I got hit on a day when I was running late, when I'd just reinstalled my phone's OS and was being prompted for my passwords all over again, when I had just done a bunch of major publishing and was getting a lot of messages about my new articles. When a friend got infected by a worm that took over his account and messaged me, "Is this you?" with a link that took me to a webpage that asked me to log back into Twitter, I re-entered my password. If I'd been five minutes later in getting to that DM, I would have seen three more identical messages from other infected friends and twigged to the scam. But I just happened to look at my phone in the two-minute window when the scam wasn't self-evident, and I just happened to be distracted and flustered about running late, and I just happened to have had some life circumstances that made the generic phishing lure seem plausible.

In 2023, I got scammed by a fake restaurant. I was on the couch with a friend from out of town who'd come by to watch a movie. We were chatting and decided to order from our local Thai restaurant. The top result on Google was a paid ad (marked out with the word "ad" in 8-point, grey-on-white type) that had a plausible domain name, which led to a replica of my local place's menu, only with the prices set 15% higher. I didn't even notice – not until the restaurant called me to say that they'd had a flood of orders from these scammers, who charged their customers' credit cards 15% over the odds, then placed an order for delivery using their own credit card numbers. I ended up contesting the charge with Amex, getting the scammers' Wix and credit card accounts canceled, and shaming Google into blocking their ads:

https://nypost.com/2023/02/25/cory-doctorow-duped-by-fake-thai-restaurant-scam/

Then there's the guy who used leaked data from my credit union to impersonate their fraud department, calling me up and social-engineering me out of the last seven digits of my card number (not the last four, as is common – most banks use the same nine-digit prefix, so the final seven digits are all you need to derive the whole card number). The scammer called right after I used two dodgy ATMs in New Orleans, during my last hour in town when I was rushing around to get my most favorite sandwich in the world before leaving. It was the day that a Boeing 737 Max lost its door-plug so the airport was a zoo and we barely made the flight, so I lost the hour I'd planned to use to call the bank's fraud department back. Again: if, if, if. If he'd called an hour earlier – or later. If there hadn't been a giant aviation disaster. If I hadn't been traveling. The scammer had to get lucky once, I had to be lucky every time:

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

I got scammed again last Christmas week. I was in NYC with my wife and daughter and I'd gotten great tickets to see The Outsiders on Broadway. It was my kid's first musical and to her surprise, she loved it. In the cab back to the friend's place we were staying at, we talked about what other musicals she might want to see. She loves South Park, and I'd seen banners advertising The Book of Mormon (which was created by the same people) in LA. So I looked up "book of mormon tickets los angeles" on my phone in the cab and found the production's website and ordered the tickets, working quickly in the cab because it was one of those websites that has a countdown timer so you have to finish your transaction in five minutes.

It wasn't the real Book of Mormon website. It was a scam website, reselling Book of Mormon tickets at a 200%+ markup. That fact was noted in infinitesimal writing on the main screen, which I missed in the crowded taxi backseat while I raced the countdown timer. I figured it out about 20 seconds after the transaction cleared, and immediately emailed the vendor to cancel it. All I got was a series of smug "all transactions final" emails from outsource customer service reps (in the end, I was able to get my credit card issuer to reverse the transaction, but it took months). But yeah, I got scammed by a sleazy company called "Bigstub." Fuck those guys.

Every time I got scammed, the con that got me was nearly identical to a con that I'd avoided on numerous occasions. The fact that I'm actually pretty good at spotting this kind of hustle, 99.9% of the time, didn't mean I was immune it it. It just meant that I was vulnerable under very special circumstances, and those very special circumstances do crop up from time to time.

This is the most important lesson of scams: that no matter how well-attuned you are to cons, you can still be conned. The belief that you are immune to a con actually makes you a mark. It's for that reason that I recount the tales of how I got scammed – to help other people understand that being sophisticated, alert and even paranoid is no guarantee that you will be safe.

I'm not the only person for whom a detailed knowledge of scams created immunity from being scammed. Troy Hunt is the proprietor of HaveIBeenPwned.com, the internet's most comprehensive and reliable breach notification site. Hunt pretty much invented the practice of tracking breaches, and he is steeped – saturated – in up-to-the-minute, nitty-gritty details of how internet scams work.

Guess who got phished?

https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/

Hunt had just gotten off a long-haul flight. He was jetlagged. He got a well-constructed, plausible counterfeit email from Mailchimp telling him that his mailing-list – which he absolutely relies upon – had been frozen after a spam complaint, and advising him to click on a link to contest the suspension. He was taken to a fake login screen that his password manager didn't autopopulate, so he manually pasted the password in (Mailchimp doesn't have 2FA). It was only when the login session hung that he realized he'd been scammed – and by then, it was too late. Within minutes, his mailing list had been exported by the scammers.

In his postmortem of the scam, Hunt identifies the overlapping factors that made him vulnerable. He was jetlagged. The mailing list was important. Bogus spam complaints are common. Big corporate sites like Mailchimp often redirect their logins through different domains, which causes password manager autofill to fail. Hunt had experienced near-identical phishing attempts before and spotted them, but this one just happened to land at the very moment that he was vulnerable. Plus – as with my credit union scam – it seems likely that Mailchimp itself had been breached (or has an insider threat), which allowed the scammers to pad out the scam with plausible details that made it seem legit.

Hunt's forensics on the scam are very interesting. Of especial note is the fact that Mailchimp had retained the email addresses of thousands of former subscribers who had already unsubscribed, meaning that their data was exposed as well. It's not clear why Mailchimp would do this, but I will note that the company is extraordinarily spammer-friendly and goes to great lengths to make it easy for spammers to add you to their lists, and impossible to get off of all those lists;

https://pluralistic.net/2024/07/22/degoogled/#kafka-as-a-service

Getting scammed doesn't mean you were stupid, or careless. Frequently, it just means you were distracted, upset, or distraught. We're living through a moment of total, all-consuming chaos, and the scammers are sharpening their blades – not least because the people running the show are unabashed grifters who openly boast that when they get one over on you, "that makes me smart":

https://pluralistic.net/2024/12/04/its-not-a-lie/#its-a-premature-truth

Buyer beware – it's ugly out there, and it's gonna get a lot worse before it gets better.

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2025/04/05/troy-hunt/#teach-a-man-to-phish

Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0 https://creativecomms.org/licenses/by/3.0/deed.en

Mailchimp is union busting! If you have a second to send them a quick email (this form will write it for you), it would be deeply appreciated!

2011-08-31:

Mailchimp Acquires TinyLetter We’ve acquired TinyLetter. For those of you who don’t know, TinyLetter is a beautifully simple email newsletter app created by Philip Kaplan and launched late last year. We’re pretty excited about this. Sure, we think TinyLetter fills a gap in the MailChimp offering and all that, but more importantly, we think it has the potential to fill a significant gap we’ve seen growing in the social conversation. … We’re trying really hard not to make things disruptive for existing TinyLetter users. 

2017-12-11:

MailChimp to Phase Out Its Popular TinyLetter Email Service But now TinyLetter's days as a standalone entity are numbered, [Mailchimp Co-founder and CEO Ben] Chestnut told me in October. When I met with him in Atlanta and mentioned my newsletter plans, Chestnut advised me to stick to a basic MailChimp template instead of a TinyLetter, to avoid any potential headaches when MailChimp swallows up TinyLetter.

2018-01-05:

MailChimp’s CEO clarifies: TinyLetter won’t shut down this year "We have no plans to make changes to TinyLetter in 2018. And we’ll let you know what to expect before we make any changes in the future. In the long term, we do intend to integrate TinyLetter into MailChimp. Doing this will better enable us to support the product and its users. But we’re taking it slow because we want to get it right."

2023-11-29:

Since then, our business priorities have evolved, and we've been laser focused on building tools to serve marketers and help small businesses grow. The TinyLetter community's needs have changed too, with some customers moving to Mailchimp to scale and monetize their newsletters, and some moving to alternative services that cater specifically to writers. With all of that in mind, we've made the decision to close TinyLetter and focus on our core Mailchimp product. On February 29, 2024, we will officially sunset the product and you'll no longer be able to access your TinyLetter account or letter archive. You'll still be able to log in and access your account until February 29. We know you worked hard to build your audience, so we strongly encourage you to log in before February 29 to export your subscriber list.

My sister, who spent four years at Mailchimp, just got laid off yesterday. She called me sobbing to let me know she got the email. No amount of a fat severance package can fix the damage to her psyche this job did imo. Her birthday is coming up soon. So i made her this cake.

(i only decorate a cake like once every few years lol don't come for me)

She started in customer support, and sure enough was skilled and talented enough in apprenticeships with a higher up team in a different department that she was happily brought onto the team.

She ran events, improved entire workflows that saved the company thousands of dollars, delivered tasks on time and of high quality, and was highly praised by leaders of other teams and from those above her boss. She kicked ass and took names.

On that team, she spent two years experiencing bullying and discrimination for having ADHD. Yes, arguably the most common ND condition out there just about. She had to take 2 months off for mental health leave to get her ADHD diagnosis to defend herself from all the corporate bullying. She documented her boss literally making things up and her coworker refusing to communicate with her and then blaming her for things not being done how she wanted. They actively ignored all the times she went above and beyond expectations and all the times she did receive praise from other teams. I watched two corporate goons crush the confidence my sister had finally closed together for herself.

The CEO of Intuit called her and 1800 other employees that were laid off "low performers" in a public statement. A convenient 10% of Mailchimp was completely laid off. We knew this was coming because over the past year or so, Intuit has been forcing managers to label a specific percentage of people as "Does Not Meet Expectations" on year end reviews to justify letting people go, no matter how much they actually did meet expectations.

I look in the Intuit Mailchimp tags and only see one post about them Union busting. The only posts are just geared towards companies comparing and contrasting products and marketing strategies. Reddit isn't much better because the only sub on there is the official one modded by MC themselves. This isn't the biggest fire rn by any means but it's once again proof that the people behind these corporations are as soulless and evil as the corporations themselves. No matter how much good you do they will never appreciate you.

I hope the company eats shit and dies. Intuit is ruining everything people liked about MC, from the product to the culture. Fuck you.

Please take this the wrong way Mailchimp, but I would rather fucking die

5 Biggest Mistakes Authors Make When Releasing A Book - Desireé Duffy

Watch the video interview on YouTube here.

𝐒𝐮𝐩𝐞𝐫𝐜𝐡𝐚𝐫𝐠𝐞 𝐘𝐨𝐮𝐫 𝐌𝐚𝐫𝐤𝐞𝐭𝐢𝐧𝐠 𝐰𝐢𝐭𝐡 𝐌𝐚𝐢𝐥𝐜𝐡𝐢𝐦𝐩 + 𝐒𝐚𝐥𝐞𝐬𝐟𝐨𝐫𝐜𝐞 𝐈𝐧𝐭𝐞𝐠𝐫𝐚𝐭𝐢𝐨𝐧!

Ready to take your marketing efforts to the next level? 🌟 With Mailchimp Integration with Salesforce, you can seamlessly sync your customer data, create personalized email campaigns, and drive higher engagement! 📈✨

💡 Improve your ROI with real-time data updates, boost customer targeting, and streamline your marketing strategy effortlessly! 🎯

Want to know how? 👉 𝐂𝐥𝐢𝐜𝐤 𝐨𝐧 𝐭𝐡𝐞 𝐜𝐨𝐦𝐦𝐞𝐧𝐭𝐬 𝐛𝐞𝐥𝐨𝐰 𝐟𝐨𝐫 𝐦𝐨𝐫𝐞 𝐢𝐧𝐟𝐨! 👇

Discover the top 5 digital tools every small business should use to boost growth and build lasting customer relationships:

Google Analytics – Track and understand website traffic.

Google Ads – Reach new audiences with targeted ads.

MailChimp – Effortlessly manage email marketing campaigns.

HubSpot – Streamline CRM and improve customer connections.

Canva – Create beautiful graphics with ease.

Empower your business, streamline your operations, and engage your customers effectively!

#SmallBusinessTools #DigitalMarketing #GrowthHacks #GoogleAnalytics #GoogleAds #MailChimp #Hubspot #Canva

"Need a reliable freelancer for VPN app development, HubSpot optimization, or Mailchimp email campaigns? Look no further! I'm Drake Murch, a seasoned professional with expertise in these areas. Let's achieve your goals together! Reach out to me on or visit my website to get started!" 👇👇👇

🎯 Master Digital Marketing with the Right Tools!

Want to grow your business online? 🚀 Here are 5 Popular Digital Marketing Tools every marketer should know about:

✅ Google Analytics – Track and understand your website traffic ✅ Canva – Design stunning visuals in minutes ✅ Mailchimp – Automate your email campaigns ✅ Buffer – Schedule and manage social posts easily ✅ Semrush – Optimize your SEO like a pro

With the right strategy and these powerful tools, you can boost your brand visibility, engage your audience, and drive real results!

💡 Ready to level up your marketing? Connect with Param Web Info and let’s build your digital success story together!

🌐 www.paramwebinfo.in 📞 +91 877-044-7379

The real problem with anonymity

I'm on tour with my new, nationally bestselling novel The Bezzle! Catch me in TUCSON (Mar 9-10), then San Francisco (Mar 13), Anaheim, and more!

According to "the greater internet fuckwad theory," the ills of the internet can be traced to anonymity:

Normal Person + Anonymity + Audience = Total Fuckwad

https://knowyourmeme.com/memes/greater-internet-fuckwad-theory

This isn't merely wrong, it's dangerously wrong. The idea that forcing people to identify themselves online will improve discourse is demonstrably untrue. Facebook famously adopted its "real names" policy because Mark Zuckerberg claimed to believe that "Having two identities for yourself is an example of a lack of integrity":

https://www.zephoria.org/thoughts/archives/2010/05/14/facebook-and-radical-transparency-a-rant.html

In service to this claimed belief, Zuckerberg kicked off the "nym wars," turning himself into the sole arbiter of what each person's true name was, with predictably tragicomic consequences:

https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/

Facebook is, famously, one of the internet's most polluted reservoirs of toxic interpersonal conduct. That's not despite the fact that people have to use their "real" names to participate there, but because of it. After all, the people who are most vulnerable to bullying and harassment are the ones who choose pseudonyms or anonymity so that they can speak freely. Forcing people to use their "real names" means that the most powerful bullies speak with impunity, and their victims are faced with the choice of retreat or being targeted offline.

This can be a matter of life and death. Cambodian dictator Hun Sen uses Facebook's real names policy to force dissidents to unmask themselves, which exposes them to arbitrary detention, torture, and extrajudicial killing. For members of the Cambodian diaspora, the choice is to unmask themselves or expose their family back home to retaliation:

https://www.buzzfeednews.com/article/meghara/facebook-cambodia-democracy

Some of the biggest internet fuckwads I've ever met – and I've met some big ones! – were utterly unashamed about using their real names. Some of the nicest people I know online have never told me their offline names. Greater internet fuckwad theory is just plain wrong.

But that doesn't mean that anonymity is totally harmless. There is a category of person who reliably uses a certain, specific kind of anonymity to do vicious things that inflicts serious harm on whole swathes of people: corporate bullies.

Take Tinyletter. Tinyletter is a beloved newsletter app that was created to help people who just wanted to talk to others, without a thought to going viral or getting rich. It was sold to Mailchimp, which was sold to Intuit, who killed it:

https://www.theverge.com/24085737/tinyletter-mailchimp-shut-down-email-newsletters

Tinyletter was a perfect little gem of a service. It cost almost nothing to run, and made an enormous number of peoples' lives better every day. Shutting it down was an act of corporate depravity by some faceless Intuit manager who woke up one day and said "Fuck all those people. Just fuck them."

No one knows who that person was. That person will never have to look those people in the eyes – those people whose lives were made poorer for that Intuit executive's indifference. That person is the greater fuckwad, and that fuckwaddery depends on their anonymity.

Or take @Pixsy, a corporate shakedown outfit that helps copyleft trolls trick people into making tiny errors in Creative Commons attributions and then intimidates them into handing over thousands of dollars:

https://pluralistic.net/2022/01/24/a-bug-in-early-creative-commons-licenses-has-enabled-a-new-breed-of-superpredator/

Copyleft trolling is an absolutely depraved practice, a petty grift practiced by greedy fuckwads who are completely indifferent to the harm they cause – even if it means bankrupting volunteer-run nonprofits for a buck:

https://pluralistic.net/2023/04/02/commafuckers-versus-the-commons/

Pixsy claims that it is proud of its work "defending artists' rights," but when I named the personnel who signed their names to these profoundly unethical legal threats, Pixsy CEO Kain Jones threatened to sue me:

https://pluralistic.net/2022/02/13/an-open-letter-to-pixsy-ceo-kain-jones-who-keeps-sending-me-legal-threats/

The expectation of corporate anonymity runs deep and the press is surprisingly complicit. I once spent weeks working on an investigative story about a multinational corporation's practices. I spent hours on the phone with the company's VP of communications, over the course of many calls. When we were done, they said, "Now, of course, you can't name me in the article. All of that has to be attributed to 'a spokesperson.'"

I was baffled. Nothing this person said was a secret. They weren't blowing the whistle. They weren't leaking secrets. They were a corporate official, telling me the official corporate line. But they wouldn't sign their name to it.

I wrote an article about for the Guardian. It was the only Guardian column any of my editors there ever rejected, in more than a decade of writing for them:

https://memex.craphound.com/2012/05/14/anodyne-anonymity/

Given the press's deference to this anodyne anonymity, it's no wonder that official spokespeople expect this kind of anonymity. I routinely receive emails from corporate spokespeople disputing my characterization of their employer's conduct, but insisting that I not attribute their dubious – and often blatantly false – statements to them by name.

These are the greater corporate fuckwads, who commit their sins from behind a veil of anonymity. That brand of bloodless viciousness, depravity and fraud absolutely depends on anonymity.

Mark Zuckerberg claimed that "multiple identities" enabled bad behavior – as though it was somehow healthy for people to relate to their bosses, lovers, parents, toddlers and barbers in exactly the same way. Zuckerberg's motivation was utterly transparent: having "multiple identities" doesn't mean you "lack integrity" – it just makes it harder to target you for ads.

But Zuckerberg couldn't enshittify Facebook on his own. For that, he relies on a legion of anonymous Facebook managers. Some of these people undoubtably speak up for Facebook users' interests when their colleagues propose putting them in harm's way for the sake of some arbitrary KPI. But the ones who are making those mean little decisions? They absolutely rely on anonymity to do their dirty work.

Name your price for 18 of my DRM-free ebooks and support the Electronic Frontier Foundation with the Humble Cory Doctorow Bundle.

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/03/04/greater-corporate-fuckward-theory/#counterintuit-ive

Changes... Changes... Newsletter-Changes...

Things are apparently getting tough in the marketing world. The self-acclaimed #1 online marketing tool ‘Mailchimp’, that has literally been able to be connected to nearly every electronic tool and app in existence, to whatever operating system around, and that was generous enough to offer a ‘low key’ free plan for poor little start-up businesses and authors with low-incomes and low-sales, and in…

Bueno Familia les comparto la Felicidad Tan Arrecha que me da el haber logrado mi primer formulario de suscripción al Newsletter más Revolucionario que puede haberse concebido en la tierra firme de Colombia, Contenido Hipermedia de Alto Valor para Mentes Hiperactivas.

Newsletter: --> http://eepurl.com/jfNbTQ

Suscribete!

canva mailchimp integration en email marketing  La alianza entre Canva y Mailchimp te brinda todas las herramientas para crear campañas de email marketing profesionales, efectivas y de alta conversión, sin importar el tamaño de tu negocio o presupuesto.¿Listo para transformar tu email marketing? Comienza hoy mismo y descubre cómo esta poderosa combinación puede llevar tus resultados al siguiente nivel.

Digital marketing is competitive, time-consuming, and ever-changing. Marketers struggle with SEO optimization, social media scheduling, email marketing, and analytics—all of which demand efficiency and accuracy. However, many professionals and businesses find it overwhelming to manage these tasks manually or invest in costly premium tools.