We regularly encounter sophisticated phishing schemes hackers attempt on our customers. We hope to prevent this from happening to as many people and businesses as possible. That’s why we want to share with you one particular example today.
By highlighting the level of sophistication of the attempt, and its discovery, we hope to raise awareness on phishing scams in general.
The anatomy of a phishing scheme
One of our financial services customers was almost a victim of a particularly damaging phishing scheme. Luckily, our IT security solutions did their job! If they hadn’t, there could have been serious consequences.
As for this particular scenario, there are three actors:
- Financial Services Firm: Receives bank wires on a regular basis for the facilitation of the purchase of products or services.
- End Client: A user that is purchasing the products or services.
- Broker: the person or company that is connecting the Financial Services Firm with the End Client.
Both the broker and the financial services firm deal with each other and other brokers and firms on hundreds of transactions a day. That’s why this fraud attempt likely involves a high level of social engineering.
(While you’re here, click this link to read about a new cybersecurity threat for healthcare services)
This attempt consists of an email that appears to come from the broker to the end client with wiring instructions. The forwarded email includes what looks on the surface to be an email from the financial services firm. To make it look even more authentic, it includes an actual employee’s name and a signature block identical to the one used by the financial services firm’s employee.
Finally, the email references an actual transaction involving all parties.
Content from the actual email is below but excludes actor information:
Broker to End Client:
“Read messages from the (financial services) company below, Looks like we are moving forwards and expected to close early smoothly.
Am currently handling a (service) for a client right now but we really need to move forward, email me back to know if you will be able to wire the balance of down payment to the (financial service) company today and I will forward the wiring instructions to you immediately.
I will be checking my email constantly to be able to respond to your email promptly.”
Forwarded Financial Services Firm to Broker included in the email to the end client: “Congratulations to your buyers for the purchase of the (service or product).
We are currently doing our final (service) process to close this (service or product) smoothly, as you already know we require the balance of down payment as signed on the contract to be wired to us at their earliest convenience (Today if possible).
Please find attached the wiring instructions”
So, the phishing artist here knew all three players in the transaction. The attachment in the email were instructions to wire money to an actual Wells Fargo account.
Three signs of a phishing scheme
Three things gave this away as a fraud attempt.
- A change in the wiring procedures that seemed somewhat out of place.
- For all of the scheme’s sophistication, the grammar was poor and not typical for the actual players involved.
- The signature block of the financial services employee used a .corn (c o r n) instead of .com (c o m) for the email address.
This fraud is still under investigation so the true source of the detail of the transaction is unknown. However, there are several possibilities:
- Public information: Transactions performed by the broker and financial services firm can be publicly known due to necessary filings by state and local governments.
- Social Engineering: Both the financial services firm and the broker are small enough in size that the pool of possible employees involved in a transaction like this are small and finite and could possibly be derived. Simple phone calls to each firm posing as the end client can put all the pieces together.
- Systems Hack: We have already ruled out the financial services firm. Still, there is a possibility the broker’s email system was compromised.
If it wasn’t for all parties being so diligent, this story could have had a much different ending.
After researching this particular fraud attempt we discovered that this is a known scam that started out as targeting executives in large companies. Visit this link to learn more about it.
Want to learn more about how we can prevent these situations from happening to YOUR business? Click here to learn more about our cybersecurity services.
Did you learn a lot from this post about phishing scams? Here are three posts to read next:
This article was first published in 2016 and was updated in 2021 just for you.