Originally published in the Honolulu Star-Advertiser, December 31, 2019
It’s usually the custom to think of all the good things on the horizon as we approach the new year. Unfortunately, as 2019 comes to an end, the severity and sophistication of online scams are increasing at an alarming pace. If folks aren’t careful, 2020 is poised to be the year of the scam.
One con that is becoming more prevalent is a very targeted form of phishing, even more so than the so-called spear-phishing swindles of the past. Under this type of scam, bad guys target specific information about an organization, including reporting structures and business processes. What is scarier, and becoming even more prevalent, is the crooks are also discovering and trying to take advantage of business relationships. This trick also sometimes targets high net-worth individuals.
In such scams, the initiator uses a cleverly disguised email address, similar to a real address, but with subtle changes that are easily overlooked. The fake addresses are clever and clearly custom-made for specific domains. In addition to character substitution, such as the number 1 for the letter l, bad guys also drop a vowel that might go unnoticed, most often an i. Other tricks include using all caps and substituting the number 5 for the letter S.
The point is that the crooks are not using random email addresses and simply disguising the display name. Rather, they are going a step further, targeting specific domains and registering slick fakes.
Once the villains have gathered this info and set up their fake emails, they go into action. A common scam involves electronic funds transfer, usually in the form of requesting a bank wire. But rather than email a bank directly, a mark is selected and instructed to wire the money. Since the reporting structure and the business processes are known, the mark is specifically selected as one who often conducts wire transfers.
Another common scam involves instructing a mark to change wiring instructions for a particular recipient, when the scammers think a wire is imminent. Under this scam, the damage isn’t actually done until a real wire is sent out.
Under such scams, the crooks often generate a fake email trail to make it look like someone else already has approved the action. For example, “see below, your boss asked this to be done.”
Victims fall for these scams because they are initiated from an apparently real email address and follow a pattern of business conduct that has been going on for days, weeks, even months. In the online criminal world this is known as a “long game.”
How do the bad guys gather this info? Often, it’s due to emails leaking out. Sometimes it’s by design, where scammers compromise an email system or a network, including public wifi hotspots. Other times, it’s simply a matter of cc’ing too many folks with an entire email trail.
Information is also gathered via public sources such as an organizations website or press releases. Of course, folks like to announce they’ve cut a big deal as a demonstration of success, but many times such releases contain information that can be used in the future. For example, if an evildoer sees that developer X has a relationship with financier Y, that could make them a target for a future scam.
What then, can folks do to make themselves less susceptible to such cons? Back in the day, we just used to tell people that they need to be very diligent with their emails, especially if they are in charge of money.
Nowadays, that’s getting a lot harder. Internal business processes need to be hardened. For example, secondary approvals should be obtained before wiring funds, changing wiring instructions or other actions involving money. Such approval should not be solely via email. Higher-ups in any organization should never reprimand a staffer who seeks confirmation of such actions. And, of course, regular education of such scams is a must.