The bad guys are getting smarter and working harder. You thought you were paranoid already? Here’s a story that will send a chill down your spine.
We’re accustomed to scams that start with email messages sent to thousands of people randomly. In the last few years, the bad guys have improved their English and gotten better at copying the style of real messages. A message might appear to be from a bank or UPS or the IRS. It doesn’t matter what they say. They’re designed to fool you into clicking a link that leads to a poisoned web site. It happens all the time. We expect it now.
The bad guys are elevating their game.
Imagine this scenario.
You’re the bookkeeper or accountant for a small business, or you work in the finance department of a larger business.
An email comes in from the owner or CEO or a senior executive requesting a wire transfer. You reply, the two of you exchange a couple of messages about details, and you authorize the wire transfer.
The next time you talk to the owner, the blood drains from both of your faces when you find out she knows nothing about the wire transfer – didn’t send the emails, didn’t see your replies. Slowly the truth dawns: you sent money to the bad guys.
When you contact the bank, it politely tells you that it's not the bank's problem: you gave the instructions, and the bank carried them out as instructed.
Does that sound unlikely? It happened to two of my clients last week. One of them caught on before sending money, but the other client sent two wire transfers totaling more than $50,000 and probably has no recourse to recover it.
The story gets really scary when you look at the technical details that make the scam work.
This scam is not directed at a thousand people. It is directed at you. You are targeted very precisely.
The scammers have studied your company’s website or LinkedIn page or social media posts. The first message is sent to a specific person who is likely to have authority to issue a wire transfer. It appears to come from a manager or executive who is likely to have authority to request one.
In each case for my clients, the first message did a very plausible job of reproducing the email signature used by the owner, including title and logo. The scammers deliberately use very few words in the request to avoid grammar and spelling errors.
In one case, the incoming message used the normal technique to conceal who the sender was: it showed the name of the company owner, but the reply email address was clearly phony. When the bookkeeper hit Reply, the recipient looked like this in Outlook: Bruce Berls (email@example.com)
Seems obvious? How diligently do you double-check recipient addresses when you hit Reply to see if they match what you expect? Most of us never even look.
But the other client had an even worse experience.
That morning, the bad guys registered a domain name that was almost but not quite identical to the real company domain name, with a typo that was chosen to be overlooked. Imagine that the bookkeeper hits Reply and sees the reply in Outlook going to: Bruce Berls (firstname.lastname@example.org) or Bruce Berls (email@example.com). The bookkeeper doesn’t notice and thinks she’s dealing directly with someone she trusts.
Think about what that implies for scams going forward! The scammers are doing research to make their scams more believable. According to one article: “The people perpetrating these frauds frequently research employees’ responsibilities so they know who to target, and often gather information to try to make the wire transfer request as believable as possible. For example, they may research the executive’s schedule using public information or by making inquiries of the executive’s assistant with the goal of sending the fraudulent emails when the executive is out of town and cannot be easily reached for verification.”
This scam does not involve malware on your computer. It does not require hacking your email. The bad guys don’t crack your password. Instead, they methodically prepare their attack using publicly available information and they use technical tricks to make the email messages more believable.
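Both tricks described above (replies routed to a phony address behind a trusted display name, and a freshly registered near-miss domain) can be checked mechanically before a message reaches the bookkeeper. The following is an added example, not something from the incidents described here; the domain examplecorp.test, the protected-name list, the distance threshold and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "examplecorp.test"      # assumed real company domain
PROTECTED_NAMES = {"bruce berls"}        # assumed: people who may request wires

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw, max_distance=2):
    """Return (finding, domain) tuples for the address a reply would go to."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg["From"] or "")
    reply_addr = parseaddr(msg["Reply-To"] or "")[1] or from_addr
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    if reply_domain == TRUSTED_DOMAIN:
        return findings                  # replies stay inside the company
    # A trusted person's name, but replies leave the company domain.
    if display_name.strip().lower() in PROTECTED_NAMES:
        findings.append(("display-name-impersonation", reply_domain))
    # Domain is a near miss of the real one (typo chosen to be overlooked).
    if edit_distance(reply_domain, TRUSTED_DOMAIN) <= max_distance:
        findings.append(("lookalike-domain", reply_domain))
    return findings

# Constructed sample messages (not real mail).
GENUINE = ('From: "Bruce Berls" <bruce@examplecorp.test>\n'
           'Subject: Wire\n\nPlease call me about the transfer.\n')
PHONY_REPLY = ('From: "Bruce Berls" <bruce@examplecorp.test>\n'
               'Reply-To: <bruce.berls@freemail.invalid>\n'
               'Subject: Wire\n\nAre you at your desk?\n')
LOOKALIKE = ('From: "Bruce Berls" <bruce@exarnplecorp.test>\n'
             'Subject: Wire\n\nAre you at your desk?\n')

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("phony reply", PHONY_REPLY),
                       ("lookalike", LOOKALIKE)]:
        print(label, check_message(raw))
```

A mail gateway rule built on the same logic would tag or quarantine such messages; the check only looks at headers, so it complements rather than replaces a second verification outside email.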
There has been a resurgence of these attacks recently. Ubiquiti Networks (makers of UniFi wireless access points) disclosed in a financial filing that it lost almost fifty million dollars to this scam in June.
There are specific steps that can be taken to prevent this wire transfer fraud – require a second verification by some method other than email before issuing a wire transfer, for example. This article has a detailed list of suggestions for companies that might be vulnerable.
But there’s a bigger security issue. This month it’s wire transfers. What’s next? Imagine that a scammer is trying to fool you and is willing to study you for a while to do it. The bad guy is willing to register a domain name if that helps run the scam. Maybe next it will be a nearly exact duplicate of the remote access portal for your company to capture your password, or a nearly exact duplicate of a website for one of your vendors to redirect your payment. What will be the scam that gets past your defenses?
Be careful out there. Follow the Rules For Computer Safety. You’re already being careful? Step up your game. Your security depends on your paranoia.