Phishing at a new level (at a 2nd company)

They are getting sneakier at this…

One of my customers is a small, high-tech firm. Their financial officer got an email from the company’s President, specifically to her, asking her to wire him a large sum of money right away. The body of the email said something like:

Cathy,

I’m traveling and need you to wire me $260,500 immediately to ____  .  I’ll fill you in on the details later, but I need you to send it right away.

John


It was completely personalized, marked urgent, written in grammatically correct English, and the From field had John’s correct email address (the SMTP originator and Reply-To had a different email). Talk about targeting! Fortunately, she would never do that without speaking to him, but I could definitely imagine this working if the small company had an unpredictable boss.

To prevent this in the future, I’ve set their anti-spam service to block any inbound messages that say they are from their own email domain (since those should only be going outbound).

Also, some of the emails used an email address where they added an extra lower-case “l” in the mail domain portion, in this case butted up to an “h” — so it was barely noticeable (e.g. johndoe@abcdefgh.com was used as johndoe@abcdefglh.com). So I also blocked several with similar domain misspellings.
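The two filters described above (reject inbound mail whose From claims our own domain, and catch near-miss domains like the extra “l”) can be expressed as a small header check. The following is an added example, not code from the original post or from any particular anti-spam product; the domain abcdefgh.com is the one used above, and the three sample messages and their addresses are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical "own" domain, matching the example domain in the post above.
OWN_DOMAIN = "abcdefgh.com"


def address_domain(header_value):
    """Return the lower-cased domain of the first address in a header value, or None."""
    if not header_value:
        return None
    _, addr = parseaddr(str(header_value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, own_domain, max_distance=2):
    """True when domain differs from own_domain by at most max_distance edits
    (catches an inserted letter such as abcdefglh.com vs abcdefgh.com)."""
    if domain is None or domain == own_domain:
        return False
    return edit_distance(domain, own_domain) <= max_distance


def assess_inbound(raw_message, own_domain=OWN_DOMAIN):
    """Return a list of reasons an inbound message looks like sender spoofing.
    An empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    own_domain = own_domain.lower()
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    envelope_domain = address_domain(msg.get("Return-Path"))  # envelope sender, as stamped by the receiving MTA

    findings = []
    if from_domain == own_domain:
        findings.append("inbound From claims our own domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} differs from From domain {from_domain}")
    if is_lookalike(from_domain, own_domain):
        findings.append(f"From domain {from_domain} is a lookalike of {own_domain}")
    return findings


# Constructed sample messages (not real mail).
SPOOFED_OWN_DOMAIN = """Return-Path: <bounce@mailer.example.net>
From: John Doe <johndoe@abcdefgh.com>
Reply-To: John Doe <johndoe@mail-example.net>
To: cathy@abcdefgh.com
Subject: Urgent

Cathy, please handle this right away.
"""

LOOKALIKE_DOMAIN = """Return-Path: <johndoe@abcdefglh.com>
From: John Doe <johndoe@abcdefglh.com>
To: cathy@abcdefgh.com
Subject: Urgent

Cathy, please handle this right away.
"""

LEGITIMATE_PARTNER = """Return-Path: <alice@partner.example>
From: Alice <alice@partner.example>
To: cathy@abcdefgh.com
Subject: Invoice question

Hi Cathy, quick question about last month's invoice.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_OWN_DOMAIN), ("lookalike", LOOKALIKE_DOMAIN), ("partner", LEGITIMATE_PARTNER)]:
        print(label, assess_inbound(raw) or ["no findings"])
```

The own-domain rule is the blunt version: some legitimate services send inbound mail on a company’s behalf using its own domain, so in practice the exception list (or an SPF/DKIM/DMARC pass) decides what gets through, and the lookalike check is a screening heuristic to be reviewed rather than an automatic reject.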

Thought others might want to be aware of this one, too.

——————

Update 02/23/2016:

I was speaking with another one of my customers (a similar, small hi-tech firm) and they have also been hit with the same kinds of precisely targeted emails to their Accounts Payable person. In their case, the one email said it was from the president and a second attempt said it was from the CFO. They told me the one from the CFO “even sounded like the way she talks.”
