How scammers very nearly stole £20,000 … and the practical steps you can take to avoid being a spear phishing example

Rachael, the bookkeeper for a medium sized company trading physical products across Europe, receives an email from her Managing Director, Bob Smith. The email seems fairly normal:

From: Bob Smith

Hi Rachael,

I have an urgent payment to sort out. Let me know the bank details i need to send to you to make an international wire transfer.

Thanks,

Bob
Sent from my iPhone

Rachael responds quickly – it’s her Managing Director and she assumes there must be a time limit on preferential pricing or similar. It’s something that she’s used to as Bob often works on deals like this.

Rachael requests banking details for the new supplier, exact amount and invoice number.

Bob and Rachael exchange a number of emails back and forth in order to set-up the bank transfer.

Only it’s not Bob who Rachael is communicating with – instead, she’s falling victim to a targeted email scam called a spear phishing attack.

This is a real story (only the names have been changed) and Rachael actually tried to make the international transfer. She wasn’t able due to lack of  permissions in their online banking system. She even asked another Director (Steve) to try to set-up the transfer, but Steve’s permissions limited the creation of new payees as well.

The scam was finally uncovered when Steve replied to Rachael’s email copying in Bob to explain that Bob would have to set-up the new Payee due to the restrictions on Steve and Rachael’s bank logins. Bob received the email – the first he’d heard about it and immediately phoned Rachael, eventually uncovering the elaborate scam.

How could this happen?

The first email, supposedly from Bob to Rachael actually came from the scammers. The From details of the email Rachael received was set to show Bob Smith’s name and email address, but the Reply Address was set to the scammers’ email. So when Rachael pressed reply, her email software used the scammers Reply Address, but still showed ‘Bob Smith’ in the To field.

Could a spear phishing attack happen in your business?

Rachael didn’t realise she wasn’t emailing Bob because everything looked normal. The wording of the mail seemed normal. Bob often sent urgent requests. The company dealt with lots of suppliers and money was regularly transferred internationally. Even though Rachael didn’t usually set-up new suppliers with the bank, she knew Bob was travelling and just assumed he was unable to login to banking himself. After all, her job is to deal with the finances!

Scammers research their intended victims using social media and public domain information to create a plausible scenario, such as the one above, which won’t ring any alarm bells. They may have inside help or may have received some communications from their intended victim before so that they can copy their writing style and signature – in the above example, Bob always uses the ‘Sent from my iPhone’ signature when emailing from his iPhone and often forgets to capitalise the letter I in emails he sends on the go – so both of these things helped trick Rachael into thinking she was emailing with Bob.

The above example highlights a targeted fraud involving multiple interactions. However Spear phishing could also involve just a single email which tricks you into divulging more information than you otherwise would do. This information may then be used in other attacks against you or your business.

Steps to Protect Yourself from Being Reeled In

BE ALERT

  • Stop. Consider the request. If it’s asking for confidential information or money, take additional steps to verify it.
  • Check the email Reply Address matches the From address or is valid (see below for how to do this).
  • Contact the individual using the telephone to see if it is legitimate.

IMPLEMENT PROCEDURES FOR SETTING UP NEW PAYEES IN YOUR BUSINESS

  • Implementing a policy and procedures similar to the below would make it much more difficult for an attack such as the above to be successful.
  • Before paying any new payee for the first time, the payment must be authorised by all Directors by telephone (email authorisations not allowed).
  • All payment requests must be accompanied by a supplier Purchase Invoice number.
  • All supplier purchase invoices must quote a valid Purchase Order number.

EVALUATE YOUR PUBLIC INFORMATION

  • Look over all the information you have stored on the internet (ie. social media pages, shopping accounts, site profiles, forums). How much knowledge about you could a spear phisher retrieve? Remove irrelevant information that makes you a target online.

PROTECT YOURSELF ONLINE
Follow advice on staying safe online:

  • Use different passwords for all your accounts. Learn how to create a strong password here.
  • Understand the threats and what you can do to protect yourself. Read here.
  • Stay up to date. When a product or service offers an update, read about it and take action. Most of the time the update will be accompanied with security patches and important information regarding your privacy.

In general, you should always be cautious sharing any confidential information online. When in doubt, don’t share it and contact the individual or business first.


Suggested Links:

Posted on January 11th, 2016  and last modified on September 21st, 2016.