This “Spear Phishing” Attack Requests Money
A dangerous email scam, known as a “confidence trick,” is becoming more prevalent. SpamStopsHere President Ted Green, a frequent guest on “Into Tomorrow”, and his team have detected a handful of these emails being sent to their customers. So far, this is not a high-volume attack. It targets specific company employees by name, attempting to trick them into transferring money to someone pretending to be a trusted associate.
Scams like this one employ social engineering techniques to convince the target that someone they trust (like the CEO) is asking for the money. Unfortunately, the success rate is high enough to encourage even more of these scams.
Is This a Phishing Attack?
Some people may refer to this as a “phishing” attack, or (because it is targeted to specific individuals) a “spear phishing” attack. In a phishing attack, the scammer tries to get the victim’s login credentials to steal money or information from their account.
That’s a different type of confidence trick from this one; the scammer here is trying to get the target to transfer money directly.
How This Scam Works
The scam we’ve seen this week is very convincing and thus dangerous. The criminal not only knows the name and email address of the victim (e.g., the CFO or Comptroller) but also knows the name and email address of someone the victim would trust, such as the company president. Information like that can be obtained easily from many places, including social networking sites.
Armed with that information, the criminal registers a domain name that looks like the target company’s; for example:
mywigdets.com (note the reversed ‘g’ and ‘d’)
Then they send an email to the target that looks like it’s coming from someone else in the company, for example:
The email asks for a wire transfer and might even reference some personal information the scammer learned about the target (e.g. from their LinkedIn page or their kid’s Facebook post) to further gain their confidence.
What You Can Do
Train your co-workers (including management) on email threats, and keep them up-to-date on the latest scams and how to respond to them. At the very least, make sure they know to follow these simple rules if they get an email asking for money, passwords or personal information and want to pursue the matter:
- Never click the link in an urgent-sounding email. If you think there may be a problem with your account, type the address that you know and trust manually into your browser.
- Confirm requests for money or information in person or on the phone. Never use the phone number shown in the email; that could be fake as well.
- Don’t be fooled by personal information. A lot of information about us and our families is now all over the Internet, thanks to social networking. It is very easy for someone to gather it up and sound like they know you.
Everyone must be ever more careful with passwords and financial information. It is especially important that management and others with access to company resources are aware of spear-phishing scams and these confidence tricks.
Not Just an Email Scam
This type of scam is not limited to email. These criminals might contact you by phone, by text message, by instant message, by email to your personal accounts, via Facebook or LinkedIn, or through any combination of these. We can only encourage you to become more vigilant every day and let us know your thoughts.