Nigerian Prince Revisited: The Spear Phishing Wire Transfer

The Nigerian Prince email scam is so five years ago. Now when we receive one, we chuckle. Today, a much more tactical scam called "spear phishing" is being perpetrated with success. It works because of familiarity.
 
According to the FBI: Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.
 
Below is a spear phishing attempt recently sent to a staff member of one of our customers. The email looked official, as if it came from her boss; it even used her boss's email account. Fortunately, she thought it unusual and double-checked with "Bill" before sending.
 
OK, I want you to process a Transfer for $18,870 to the details below 
 
Account Name : Stacey louise Collins 
Account Holders Address : 814 Parkview circle Hewitt TX 76643
Bank Name : Chase Bank
Bank Address : 800 Hewitt Drive Waco TX 76712
Bank phone Number  (254)666-1336
Account Number : 731923392 
Routing Number : 111000614
 
E-mail me once you get this message and also when you have process the transfer e-mail me the confirmation slip. 
 
Thanks, 
Bill
 
Sent from my iPhone
 
After our client called us and we confirmed that it was a scam, they went on to send a few more messages. The hacker followed up with another email: “It looks like the transfer went through, but I have not received the confirmation number yet. Please get that to me ASAP.” Our client responded with “Of course. Call me and I will give that to you over the phone, rather than by E-mail.” The scammer went on to say “Will do. Am in a meeting right now, but will call afterwards.” As you can see, this is a real person responding in real time. Scary.
 
Sure, in certain companies, it may be common practice to request wire transfers without much thought. Fortunately, this sort of thing was not common practice for our customer, so they saved $18,870 and learned a lesson.
 
So how can you fight this kind of scam? Really, there is only one effective way: training. If you'd like to learn more about how to get your company's security in order, contact Mike Miller.