1 john257hopper
I'm not sure if this is the right place to post this, but I have received an email purporting to be from LT support claiming that my account has been suspended due to a new privacy policy, and saying I need to contact them for them to guide me through a verification process. I can access my account as normal. When I clicked on the link it tried to get me to enter card details. Text received is below:
LibraryThingSupport just sent you a message on LibraryThing.
Your conversation with LibraryThingSupport is at https://www.librarything.com/conversation/LibraryThingSupport
All your conversations are at https://www.librarything.com/messages
LibraryThingSupport wrote:
(This message was generated automatically and not sent by the user)
Complete Verification
Your LibraryThing account has been temporarily restricted.
We have updated our Privacy Policy. In accordance with the new Privacy Policy, your account will remain under review until the verification process is completed. This step helps us maintain the security and protect the personal data of all our users.
A LibraryThing support representative will guide you through the necessary steps on the verification page.
To verify your information and regain full access to your account, please use the secure link below:
https://librarything.965834.shop/VKyhFxVe
If you can‘t click on the link, copy and paste it into your browser (Safari/Chrome, etc.).
(This email was sent because you elected to have comments sent to your email. To turn off this feature, choose "edit profile/account settings" and uncheck "email comment.")
2 Familyhistorian
I received the same message. When I clicked on the link the message that popped up was:
❗️Mandatory Verification
Information:
The account is currently suspended. To restore your account, please verify your bank card. Please enter and Confirm your bank card details within 24 hours. Once verification is complete, your account will be activated. We apologize for any inconvenience caused.
3 john257hopper
>2 Familyhistorian: Looks like some kind of phishing attack. You and I are both heavy LT users of long standing.
4 LeslieWx
I got one too, in both email and LT message format; just reported via an email to info at LT.
5 keristars
https://www.librarything.com/profile/LibraryThingSupport
It sounds like they're abusing the messaging system which sends messages to your email.
Also, just fyi, you can see that the link they want you to click doesn't look like a LibraryThing link - see the bunch of numbers (dot) shop right after LibraryThing, instead of (dot) com?
That's a pretty typical trick phishing emails try to do, and it's why when you receive an email or text message with urgent/worrisome stuff like this, you should ignore any links in it and go straight to the website in your browser, or call your bank (if it's pretending to be your bank).
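The hostname check described in post 5, as an added example that is not part of the original thread and not LibraryThing's code: it pulls the links out of a message and flags any whose hostname contains the brand name but does not end in the real domain. The function names are hypothetical, and the sample text is taken from the message quoted in post 1.

```python
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "librarything.com"   # domain of the genuine links in the message
BRAND = "librarything"                # label the sender reused to look official

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

# Sample input: lines from the message quoted in post 1.
SAMPLE = """Your conversation with LibraryThingSupport is at https://www.librarything.com/conversation/LibraryThingSupport
To verify your information and regain full access to your account, please use the secure link below:
https://librarything.965834.shop/VKyhFxVe"""


def classify_link(url):
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for one URL."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # A hostname is read right to left: only the END of the name says who
    # owns it. The leading dot keeps "xlibrarything.com" from matching.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Brand appears in the name, but the name belongs to another domain.
    if BRAND in host:
        return "lookalike"
    return "external"


def scan_message(text):
    """Extract every http(s) link from text and classify it."""
    links = [u.rstrip(".,;:)") for u in URL_RE.findall(text)]
    return [(u, classify_link(u)) for u in links]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:10} {url}")
```
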
6 john257hopper
>5 keristars: Sure, I was never going to do what it said and provide card details. But presumably LT will be looking into how their system has been abused in this way.
7 alcottacre
>1 john257hopper: I received the same message and sent an email to LT to let them know of the issue in case they already did not. I have been on LT for 20 years now and have never seen anything like it before.
8 timspalding
Yeah. They've sent out 21 messages to 21 members. I'm suspending them and sending out messages to all members who got this. Depending on what I can get done in the next hour or two, I may turn off comments for a day.
The cause here is that LibraryThing allows members to send messages to members. We have various ways of catching spam, but we aren't currently screening members' comments. I think we're going to have to wash these through an AI filter to look for spam now.
9 john257hopper
>8 timspalding: Thank you for dealing with this, and providing reassurance via your email, Tim.
10 timspalding
Account killed, messages removed, apology comments sent.
I've made some changes. Your profile flags will pause a user more quickly, and members are restricted to 10 messages per day. I'll be adding more measures in an hour or two.
11 alcottacre
>10 timspalding: Thank you, Tim, for being on top of this!
12 timspalding
I’ve added a ton of words that can’t be in a member name, so no more accounts that sound official. A few legitimate names will be stopped too.
13 Familyhistorian
Thanks Tim for getting on top of this so quickly.
14 timspalding
Zeph suggested that instead of limiting the number of messages you can send to other members per day, we should first limit the number of different members you can talk to. That way, you can chat back and forth with another member, but not send many messages to many members. I'm not sure what the right level for that is. Maybe something like 10 members per day, 30 total messages. I have not implemented this yet.
15 norabelle414
>14 timspalding: I would really support switching from number of messages to number of members. If there's a limit on number of members I'm not sure why there needs to be a limit on number of messages at all?
16 timspalding
>15 norabelle414:
No, it's a good idea. (Yay Zeph.) There has to be SOME upper limit, but, yes, it need not be small.
17 timspalding
We could also exclude members that you are friends with. This too is a good idea—yay me. At present, the system is very simple because it's part of a simple system that limits certain actions across the site. Various things are controlled by member, by hour, by day. It's a very rough way of stopping bad use. For example, even if somebody spread out their comments across many, many members, at some point it would trip up the hourly or daily limits, alerting us to the fact that something has radically changed in the normal pattern of conversations and usage.
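A sketch of the limiter discussed in posts 14 and 17, as an added example that is not LibraryThing's code (post 14 says the idea had not been implemented): it caps the number of distinct non-friend members a sender can message per day, plus a total daily message count, using the tentative figures of 10 members and 30 messages. The class, the in-memory friend set, and the choice to count friend messages toward the total cap are assumptions.

```python
from collections import defaultdict, deque

DAY = 24 * 60 * 60
MAX_MEMBERS_PER_DAY = 10     # tentative figure from post 14
MAX_MESSAGES_PER_DAY = 30    # tentative figure from post 14


class MessageLimiter:
    def __init__(self, friends=None):
        # friends: set of frozenset({a, b}) pairs, a hypothetical stand-in
        # for the site's friend list.
        self.friends = friends or set()
        self.sent = defaultdict(deque)   # sender -> deque of (time, recipient)

    def _is_friend(self, a, b):
        return frozenset((a, b)) in self.friends

    def allow(self, sender, recipient, now):
        """Record and permit the message, or refuse it with a reason."""
        log = self.sent[sender]
        while log and log[0][0] <= now - DAY:    # drop entries older than a day
            log.popleft()
        # Assumption: friend messages still count toward the total cap.
        if len(log) >= MAX_MESSAGES_PER_DAY:
            return False, "daily message cap"
        if not self._is_friend(sender, recipient):
            contacted = {r for _, r in log if not self._is_friend(sender, r)}
            if recipient not in contacted and len(contacted) >= MAX_MEMBERS_PER_DAY:
                return False, "daily distinct-member cap"
        log.append((now, recipient))
        return True, "ok"


def simulate(limiter, sender, recipients, start=0, step=60):
    """Send one message per recipient, `step` seconds apart; count deliveries."""
    return sum(
        limiter.allow(sender, r, start + i * step)[0]
        for i, r in enumerate(recipients)
    )


if __name__ == "__main__":
    # Constructed input shaped like the incident: 21 messages to 21 members.
    blast = [f"member{i}" for i in range(21)]
    print("blast delivered:", simulate(MessageLimiter(), "spammer", blast))
    print("chat delivered:", simulate(MessageLimiter(), "alice", ["bob"] * 25))
```
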
18 norabelle414
>17 timspalding: oh, excluding friends would be a great idea. If a long conversation needs to happen, the two members can just friend each other and then that connection can be ended at any time by either person.
19 lilithcat
>18 norabelle414:
Agreed. I don't generally use the "friends" feature, as it really doesn't do much for me, but this would be a good reason to "friend" someone.
20 waltzmn
I think a limit on the number of members is good. But I think a limit on the number of messages is also good -- although (if possible) it should be a limit on messages per hour rather than per day. I can think of one instance where I think I exchanged ten messages with someone in a day (about that person establishing a rather specialized library), but there is no way we could do ten in an hour. And a spammer isn't going to get anywhere sending to members once every six minutes.
And that flurry of messages came before I knew whether to friend that person. So you might need to put in a thing that lets you friend someone once you reach your limit.
Which implies a limit on how many friends you can add in a day, to deal with people who will take any friend they get. :-)
So something like:
- No more than fifteen members per day
- No more than ten messages per hour
- Friends don't count -- but the rules for friending require that they have messaged you at least twice (three times, four times?). You don't want friending to become a weapon.
21 norabelle414
>20 waltzmn: Friending is a two-way agreement so I don't see any reason to put limits on it. If you don't want to be friends with someone before they've sent you several messages, just don't accept the friend request. If someone I know IRL creates an account here I don't want to have to send them 2 or 3 or 4 messages here before we can be friends.
22 waltzmn
>21 norabelle414: Note what I said: Which implies a limit on how many friends you can add in a day, to deal with people who will take any friend they get. :-)
I know it's a two-way process -- but in this social media age, people may accept a friend without thinking about it. I think we have to account for people who will do that and then get spammed. Maybe the answer isn't to force exchanges before people can become friends, but we do need something to keep people from abusing people who automatically accept friend requests.
23 LeslieWx
>22 waltzmn: Ahhh, that explanation makes your original proposal make a lot more sense. Thank you.
24 norabelle414
>22 waltzmn: Getting messages from a friend who is not really a friend because the recipient accepted a friend request without reading it seems like a personal issue on the part of the recipient, not something that LibraryThing should put significant measures in place to prevent. Luckily if the recipient does not want to receive unlimited messages from that non-friend, all they need to do is click the unfriend button.

