Phishing at a new level (another company hit by this)

Update 02/23/2016:

I was speaking with another one of my customers (a similar, small hi-tech firm) and they have also been hit with the same kinds of precisely targeted emails to their Accounts Payable person. In their case, one email said it was from the president and a second attempt said it was from the CFO. They told me the one from the CFO “even sounded like the way she talks.”

Note: When reviewing these emails, you can look at some of the message fields to get more information. Select a message in any view in your mail file and use ALT-ENTER to bring up the Document Properties box. There you can use the second tab to examine field values.

Compare the From field with the SMTPOriginator field (the message will have one if it originated outside of your organization) and the ReplyTo field. Also, look at the $MessageID field to get info about the server it went through.

Or, if you have the email open (it is a judgement call whether or not you want to risk opening it), you can use View >> Show >> Page Source to view the message headers and see this information.

You can report these types of attacks to:

FTC – www.ftccomplaintassistant.gov

FBI Internet Crime – ic3.gov


Phishing at a new level (at a 2nd company)

They are getting sneakier at this…

One of my customers is a small, high-tech firm. Their financial officer got an email from the company’s President, addressed specifically to her, asking her to wire him a large sum of money right away. The body of the email said something like:

Cathy,

I’m traveling and need you to wire me $260,500 immediately to ____. I’ll fill you in on the details later, but I need you to send it right away.

John

 

It was completely personalized, marked urgent, written in grammatically correct English, and the From field had John’s correct email address (the SMTPOriginator and ReplyTo had a different email). Talk about targeting! Fortunately, she would never do that without speaking to him, but I could definitely imagine this working if the small company had an unpredictable boss.

To prevent this in the future, I’ve set their anti-spam service to block any inbound messages that say they are from their own email domain (since those should only be going outbound).

Also, some of the emails used an email address where they added an extra lower-case “l” in the mail domain portion, in this case butted up against an “h”, so it was barely noticeable (e.g. johndoe@abcdefgh.com was used as johndoe@abcdefglh.com). So, I also blocked several with similar domain misspellings.

Thought others might want to be aware of this one, too.
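The header comparison and the two blocking rules described above, written out in Python as an added example (it is not part of the original post or of the anti-spam service's configuration). It assumes the raw message headers are available as text and that `Return-Path` carries the envelope sender that Notes shows as SMTPOriginator; the sample message is constructed from the post's example addresses.

```python
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "abcdefgh.com"  # assumption: the example domain used in the post

# Constructed sample: correct From address, look-alike Reply-To, foreign envelope sender.
SAMPLE = """\
Return-Path: <payments@mailer.example>
From: John Doe <johndoe@abcdefgh.com>
Reply-To: John Doe <johndoe@abcdefglh.com>
Subject: Urgent wire request

(body omitted)
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def within_one_edit(a, b):
    """True if a and b differ by exactly one inserted, deleted or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip the differing character: in b only (insertion) or in both (replacement).
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def check_inbound(raw):
    """Return a list of findings for one inbound message given as raw header text."""
    msg = message_from_string(raw)
    frm, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    sender = domain_of(msg["Return-Path"])  # assumed equivalent of SMTPOriginator
    findings = []
    if frm == OWN_DOMAIN:
        findings.append("From claims our own domain on an inbound message")
    for d in sorted({frm, reply, sender}):
        if within_one_edit(d, OWN_DOMAIN):
            findings.append(f"look-alike domain: {d}")
    if reply and reply != frm:
        findings.append(f"Reply-To domain {reply} differs from From domain {frm}")
    if sender and sender != frm:
        findings.append(f"envelope sender domain {sender} differs from From domain {frm}")
    return findings
```

Calling `check_inbound(SAMPLE)` returns four findings for the constructed message; a message whose From, Reply-To and envelope sender all share one unrelated domain returns an empty list.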
