Would you have fallen for this phishing attack?


This post was submitted by Michael Van Pelt, Senior Software Engineer

An interesting spear-phishing attempt was observed last week. The Company Controller received the following email:

From: Ray CEO <ray.ceo@exampledomaiin.com>

Subject: Fwd: Wiring Instructions

To: Bob Controller <bob.controller@exampledomain.com>

Bob,

Process a wire for $221,335.46 to the attached instructions, charge to admin expenses. Send me the wire confirmation once completed.

Ray

———— Forwarded message ————

From: Phil COO <phil.coo@exampledomain.com>

Date: Apr 15, 2014

Subject: Wiring instructions

To: ray.ceo@exampledomain.com

Ray,

Per our conversation, attached is the wiring instructions. Forward wire confirmation when you have it.

Thanks,

Phil

These are the real names and email addresses of the company's CEO and COO. Well… not quite. Among other things, we changed the domain name to protect the identity of the targeted company, but it’s still similar enough for you to see how “Ray” worked his scam. Check out the alleged email address of the company head – note the extra “i” in “exampledomaiin.com”. In some fonts, those characters are very close together, which can make the altered spelling easy to miss.

The PDF file attached to the email contained the name of a Chinese lighting company, a Hong Kong bank, SWIFT code, and account number. The Chinese company name is legit, but the account number … probably not.

Bob replied, with appropriate deference to the CEO of the company, questioning the large out-of-procedures expenditure and how it would affect the company's balance sheet for the quarter. “Ray” sent him a curt response.

From: Ray CEO <ray.ceo@exampledomaiin.com>

Subject: Fwd: Wiring Instructions

To: Bob Controller <bob.controller@exampledomain.com>

Will give you more info on this later. You can have it booked differently for the financial impact to be spread. I will request for the wire confirmation when I need it.

Fortunately, Bob caught on before actually wiring the money. After some back and forth about confirmation of the wire transfer, including an “it's on the way” message, Bob sent “Ray” an email with a large image that he felt appropriately communicated his opinion of the scam.

If the thief hadn't been quite so greedy, though, he might have gotten away with it. A smaller, but still significant amount of money might not have triggered alarms in Bob’s mind.

This is an example of a very targeted email phishing attack. The scammer did his homework; he knew the names and email addresses of the CEO, COO and Controller. He also seems to have known something about general business accounting, asking Bob to book the expenditure under “admin expenses.” Then, to mask his identity, he registered a domain that differed from the target company’s domain by only one character.

Quality email scanning software can prevent millions of phishing attacks from ever reaching your inbox, but none of it is foolproof. Carefully crafted scams like this reinforce the importance of remaining vigilant and informed, and of having procedures in place to ensure that transfers of money and company confidential information are properly authorized. It is a weak practice to authorize a transfer solely on the basis of an email, even one that appears to come from the company’s CEO.
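The two tells in this message, a sender domain one character off from the real one and a display name that matches a real executive, are both mechanically checkable before a human ever reads the mail. The following is an added illustration of that check, written for this post and not code from the author's company or from any scanning product. The trusted domain, the executive directory and the sample headers are constructed from the (already altered) names in the post.

```python
import email.utils

# Constructed sample data: the company's real domain and the executives a
# scammer is most likely to impersonate. In practice this comes from the
# mail system's directory, not a hard-coded dictionary.
TRUSTED_DOMAINS = {"exampledomain.com"}
EXECUTIVES = {
    "ray ceo": "ray.ceo@exampledomain.com",
    "phil coo": "phil.coo@exampledomain.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def analyze_from_header(from_header: str, max_distance: int = 2) -> list:
    """Return a list of findings for one From: header; an empty list means no flag.

    Two checks: (1) the sender domain is not trusted but is within a few edits
    of a trusted domain (e.g. the extra "i" in exampledomaiin.com), and
    (2) the display name matches a known executive whose real address differs.
    """
    findings = []
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]

    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            d = levenshtein(domain, trusted)
            if 0 < d <= max_distance:
                findings.append(
                    f"lookalike domain {domain!r} is {d} edit(s) from {trusted!r}")

    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(
            f"display name {display!r} belongs to {expected}, but sender is {addr}")
    return findings


def scan_headers(headers: list) -> dict:
    """Map each flagged From: header to its findings; clean headers are omitted."""
    return {h: f for h in headers if (f := analyze_from_header(h))}


if __name__ == "__main__":
    # Constructed sample headers modelled on the post.
    SAMPLE_HEADERS = [
        "Ray CEO <ray.ceo@exampledomaiin.com>",   # the scammer's address
        "Phil COO <phil.coo@exampledomain.com>",  # the genuine COO
        "Ray CEO <ray.ceo@webmail.example>",      # name match, unrelated domain
    ]
    for header, findings in scan_headers(SAMPLE_HEADERS).items():
        print(header)
        for f in findings:
            print("  -", f)
```

The domain check only fires for near-misses, so a completely unrelated domain is caught by the display-name check instead; together they cover both the lookalike-domain trick used here and plain name spoofing from a free webmail account. A real deployment would quarantine or tag such mail rather than just print it, and would still back it with the out-of-band authorization procedure the post calls for.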
