16 Jun Anatomy Of An Email Impersonation Spree: Who Got Pranked And Why
James Linton spent more than 4 months sliding into high profile inboxes
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Jun. 16, 2020
James Linton hates fishing, but he’s an expert at spear phishing. And to think, he mastered the art before he even knew what social engineering was.
In 2017, Linton, a 39-year-old U.K. man, sought revenge over a consumer banking dispute with Barclays, a British multinational investment bank and financial services company, headquartered in London, England.
“We had a bit of a disagreement,” says Linton, feeling the Barclays outcome was an injustice. “It’s very easy for big companies to ghost you,” adds Linton, who guessed at the CEO’s email address figuring it would be one of a few formats (i.e. email@example.com). To his surprise, Linton received a response from Barclay’s CEO who said that he would look into the issue — but nothing ever came of it.
Cybercrime Radio: Interview with James Linton
Inside the mind of an email prankster
A few months later, Linton set up a Gmail account masquerading as Barclay’s chairman, and sent the CEO another email — this one having to do with their annual general meeting. And again, Linton, the fake chairman, got a response.
The satisfaction of pranking Barclay’s CEO was enough for Linton, who let it go at that. There was no attempt at stealing information, or anything that would rival a ransom or resemble a cybercrime-for-profit.
The Barclays incident led Linton down a dark cyber path — attempting to invade the inboxes of an estimated 150 people along the way — including other bank CEOs, politicians, celebrities, and media reporters. No spoofing or account takeovers required, just figuring out someone’s email address, setting up a fake email account in order to impersonate a sender, and writing a clever subject line and message. However, it did require quite a bit of time and ingenuity.
On one phishing trip, in U.S. waters, Linton set up a Gmail account using the name of a board member at the financial services giant Morgan Stanley. Then he sent their CEO an email with a story about catching a salmon, with a photo attached. The CEO took the bait. He liked the story and wrote back to his so-called board member. Game over, Linton threw his catch back in the water and moved on.
Linton tried entering Fort Knox, but he couldn’t get in. So he went after the White House — and set a lure for Tom Bossert, Homeland Security advisor to U.S. President Donald Trump at the time. Linton made believe he was Jared Kushner, and got a nibble. Proof that if a nation-state wants to get in touch with a well placed U.S. official, then they certainly can.
Brian Kilmeade, a popular FOX News TV personality, exchanged email messages with his co-host Ainsley Earhardt, a.k.a. James Linton. Again, there was no attempt to extort or carry off any type of crime. Linton disagreed with Kilmeade’s views, and Tucker Carlson’s as well, and he found satisfaction in duping them into email exchanges.
Another catch was Robert Herjavec, a Shark on the ABC TV show Shark Tank. The prankster went after Herjavec because he’s a cybersecurity expert, and he races Ferrari’s — everything that Linton isn’t. Pretending to be Herjavec’s co-founder, Linton sent an invitation to a Toga party. RSVP: Yes, I’ll be there.
Linton wound up being cc’d, accidentally, on a financial forecast from Herjavec. At that point, Linton confessed and apologized to Herjavec, who then wrote a blog about the episode — “When a Phish Catches a Shark.”
Although he’s not a celebrity seeker, Linton did get a high when the actor Kevin Spacey replied to an email.
Linton’s prank spree lasted 4 to 5 months, and he carried out most of the activity on his iPhone. Wikipedia chronicled his pranks here. Linton says that he was never apprehended, arrested, convicted or sentenced.
Is impersonation a crime? If harm is caused, then it could be. It’s a grey area, especially with email pranking. But is the CEO of a major investment house going to publicly admit that he fell for an e-gag — hook, line and sinker? Linton doesn’t think so. The CEO might suffer embarrassment — and worse, be sentenced to a year’s worth of security awareness training.
Tell us what you think about email impersonation and pranking, the legal consequences, and how to avoid it. It’s as pervasive today as it was 3 years ago.
Linton says that he’s done with email pranking for good. But is he? Until he finds his next gig, the ex-phisherman is currently self-employed at … PRANKSTER, INC. If you dare to learn more, then head over to emailprankster.com.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.