The Confidence Trick - Email Scam Alert
There's a new email scam going around. Watch out for an email scam that requests a money wire transfer. The emails are addressed to specific individuals and look like they come from someone else at the same company. They are from a scammer trying to fool the targets into transferring large sums of money.
About The Wire Transfer Scam
This wire transfer scam email will come (or appear to come) from someone in your organization. And the body will usually be short - for example:
Or it may appear like this:
In this attack, the scammer not only knows the target's name and email address, but also the name and email address of someone else in the company whom the target might trust. The scammers have registered email domains that are very similar to the recipients' (for example: xyzwigdets.com instead of xyzwidgets.com) and send the email from the fake domain. Instead of coming from email@example.com, the email comes from firstname.lastname@example.org. The scammers are betting that some people won't notice the slight difference in spelling and thus, won't suspect anything.
Alternatively, the scammer will "spoof" the sender address so the email appears to come from an address inside your organization. Spoofing email is VERY easy to do, and again, most people will not notice, even when they hit reply and the address has "changed" to a reply-to address outside your organization.
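A small mail-gateway style check for the two patterns just described, added here as an illustration and not part of the original alert: it flags a sender domain that is within a couple of edits of the organization's own domain (the xyzwigdets.com vs. xyzwidgets.com case) and a Reply-To domain that differs from the From domain. The sample message, the org domain and the distance threshold are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: lookalike sender domain plus an external Reply-To.
SAMPLE_MSG = """From: "Jane Doe" <jane.doe@xyzwigdets.com>
To: bob@xyzwidgets.com
Reply-To: jane.doe@mail-example.invalid
Subject: Wire transfer

Can you initiate a wire transfer today?
"""

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw, org_domain, max_distance=2):
    """Return a list of findings for lookalike-domain and reply-to mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # Sender domain that is close to, but not equal to, our own domain.
    if from_dom and from_dom != org_domain:
        d = levenshtein(from_dom, org_domain)
        if 0 < d <= max_distance:
            findings.append(f"lookalike sender domain {from_dom} "
                            f"(distance {d} from {org_domain})")
    # Replies would silently go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from "
                        f"sender domain {from_dom}")
    return findings

if __name__ == "__main__":
    for f in check_message(SAMPLE_MSG, "xyzwidgets.com"):
        print("WARNING:", f)
```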
A Slow Con - No Dollar Amount at First
This is an old-school trick that we don't often see in email scams. The scammer cons the victim slowly, first gaining their trust and then moving in for the kill.
In some of the emails, the first message is not only ordinary, it doesn't even request a specific amount of money. It merely asks the victim if she/he could initiate a wire transfer today. The victim, thinking it's coming from a co-worker who might ask for a wire transfer, replies to the scammer, who then engages in a brief email exchange, eventually asking for a specific amount. The scammer even confirms the money went through, probably to prevent the victim from becoming suspicious and reversing the transfer.
How to Protect Yourself and Your Company
Despite the increasing frequency and danger of email scams, there are some things you can do to protect yourself and your company from these criminals.
Train Everyone at Your Company (Even the Boss)
No antispam system can block every single spam message. That is particularly true for sophisticated, low-volume targeted attacks like this one.
So train everyone at your company to recognize spam, especially the variety most likely to get through, and keep them up to date on the latest threats.
Here are some general rules everyone should know to help avoid becoming a victim:
- Use common sense: behave in the cyber world as you would in the real world. Confirm things like requests for money through an independent channel other than email. Call the person using a phone number you trust, or activate your sneakernet and walk over to their desk.
- If it sounds too good to be true, then it probably is. No Nigerian prince or Chinese banker is going to send you an email out of the blue and offer to pay you a small fortune to help them with a financial matter.
- Don't click, browse. One common scam is to ask you to click on a link in an email to log in to your account or download a file (like an invoice). No legitimate business would ask you to do that, except in very limited circumstances, like when you have asked to reset your password. If you are concerned about your bank, credit card or other account, type the web address that you already know and trust into your browser to go to the real login page. Don't click the one in the email. It's probably a scammer's page that will steal your password and your money.
What is a Confidence Trick?
In a confidence trick, a scammer tries to gain your trust to get you to voluntarily give them money. This is an old type of scam that also occurs via phone, text and in person. Sometimes the scammer doesn't make the request right away; first they either befriend you or impersonate someone you already trust. That's what is happening here.
Isn't this a Phishing Attack?
Not exactly. Phishing is a different type of confidence trick, but they are similar. Both involve some sort of false pretense or lie to steal from you.
In a phishing attack, the scammer steals the username and password to one of your accounts, then logs in as you to steal your money or other sensitive information. It does involve some deceit, usually some fake urgency regarding your account and a link to a fake login page.
What About Spear Phishing?
In a spear phishing attack, the sender knows and uses your actual name in the email message, which makes it seem more legitimate. This scam looks like spear phishing because the email addresses the target by name, but it's not trying to get login credentials; the scammer is requesting a wire transfer.