Nigerian Prince Revisited: The Spear Phishing Wire Transfer
The Nigerian Prince email scam is so five years ago. Now when we receive them, we chuckle. Today, a much more tactical scam called "spear phishing" is being perpetrated with success. It works because of familiarity.
According to the FBI:
Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.
Below is a spear phishing attempt recently sent to a staff member of one of our customers. The email looked official, as if it came from her boss; it even used her boss's email account. Fortunately, she thought it unusual and double-checked with "Bill" before sending.
OK, I want you to process a Transfer for $18,870 to the details below
Account Name : Stacey louise Collins
Account Holders Address : 814 Parkview circle Hewitt TX 76643
Bank Name : Chase Bank
Bank Address : 800 Hewitt Drive Waco TX 76712
Bank phone Number (254)666-1336
Account Number : 731923392
Routing Number : 111000614
E-mail me once you get this message and also when you have process the transfer e-mail me the confirmation slip.
Sent from my iPhone
After our client called us and we confirmed that it was a scam, they went on to send a few more messages. The hacker followed up with another email: “It looks like the transfer went through, but I have not received the confirmation number yet. Please get that to me ASAP.” Our client responded with “Of course. Call me and I will give that to you over the phone, rather than by E-mail.” The scammer went on to say “Will do. Am in a meeting right now, but will call afterwards.” As you can see, this is a real person responding in real time. Scary.
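The double-check that stopped this transfer can be prompted by a mail-triage rule. The following is an added example, not part of the original post: it holds any message body that combines a payment request with a checksum-valid ABA routing number so that someone phones the supposed sender first. The phrase list, function names and the benign sample are assumptions made for illustration.

```python
import re

# Phrases typical of a payment request (constructed list; extend for your own mail).
REQUEST_PATTERNS = [
    r"\bprocess\s+a\s+transfer\b", r"\bwire\b", r"\brouting\s+number\b",
    r"\baccount\s+number\b", r"\bconfirmation\s+(slip|number)\b",
]
AMOUNT_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?|\$\s?\d+(?:\.\d{2})?")
NINE_DIGITS_RE = re.compile(r"(?<!\d)\d{9}(?!\d)")


def aba_checksum_ok(number: str) -> bool:
    """True if a 9-digit string passes the ABA routing number checksum."""
    if not re.fullmatch(r"\d{9}", number):
        return False
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def triage(body: str) -> dict:
    """Collect payment-request indicators and decide whether to hold for a call-back."""
    text = body.lower()
    phrases = [p for p in REQUEST_PATTERNS if re.search(p, text)]
    amounts = AMOUNT_RE.findall(body)
    # Only 9-digit strings that pass the checksum count as routing numbers,
    # which filters out account numbers, ticket ids and similar.
    routing = [n for n in NINE_DIGITS_RE.findall(body) if aba_checksum_ok(n)]
    # Hold when the message both asks for money movement and supplies bank details.
    hold = bool(routing) and bool(amounts or phrases)
    return {"phrases": phrases, "amounts": amounts, "routing": routing, "hold": hold}


# Excerpt of the email quoted above.
SCAM = """OK, I want you to process a Transfer for $18,870 to the details below
Account Number : 731923392
Routing Number : 111000614
E-mail me once you get this message"""

# Constructed benign message for contrast.
BENIGN = "Lunch on Friday? Ticket 123456789 is closed, and the $12 refund was posted."

if __name__ == "__main__":
    for name, msg in (("scam", SCAM), ("benign", BENIGN)):
        result = triage(msg)
        print(name, "HOLD for phone verification" if result["hold"] else "pass", result)
```

A hit only means the request should be confirmed by phone with the supposed sender; a message sent from the boss's real account passes sender authentication, so content is the signal used here.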
So how can you fight this kind of scam? Really there is only one effective way: training. If you'd like to learn more about how to get your company's security in order, contact Mike Miller.