Gone phishing – it could happen to anyone

Radar spoke to two people at different-sized companies who had fallen prey to successful phishing attacks. Below are the details of how it played out. Scary but true – could it be you next?

Scene 1

Felix is in sales – he had joined a new company three months prior to this incident. It is 10.20pm on a weekday night and he has taken a potential client to dinner. They shared a bottle of wine. Felix is tired and he checks his phone. He has an email from the CEO! It says, “I’m in a meeting and I can’t pick up calls. Let me know when you are done, I need you to do something for me.” It looks like the CEO, it has his name and the sending email is admin@ ceoconnectzone.com. Felix says he will help as soon as the client has left.

The boss sends another email, “I want to give away a couple of gift cards to some clients. Let me know if it’s possible to help arrange them promptly so I can advise on product and denomination needed.” Felix is keen to please. It seems a bit odd, but he is new and does not want to let the boss down.

He receives another email; “I need them tonight, I want you purchase iTunes gift cards from the store – £900 worth. I need gift cards of £100 face value, that’s £100 X 9. Making £900.”

Felix starts to try to find somewhere local that sells the vouchers and sends this email back to the boss, “I have been in the biggest supermarket around Warren Street. They only sell £25 iTunes vouchers and have around £350 in total. PCWorld/Curries might have them, but they are closed (I have checked). I have called Tottenham Court Road and they only do small vouchers, I also called Camden and they do not do £50 or £100 (and close at 11pm). It seems that the only option, if we do not go for the £25 ones, is to wait until tomorrow. Please advise if you want the £25s?”

The CEO responds instructing Felix to buy the vouchers with a value of £25, and purchase the rest on the following day. In the meantime, he asks that Felix sends him the code for each card. But it wasn’t the CEO…

That night, Felix tells his wife – she says it sounds like a scam. The next day, the CEO confirms it was not him. Felix contacts the police; they say this happens all the time. He contacts Apple and complains about their controls and the non-traceable element but they say they need more information to pursue it.

How does Felix feel after the event? He lamented, “this was all heat of the moment, they caught me with a customer and I felt the urgency of, what I thought was, a boss I did not know well. Perhaps it would have been easier to detect if it had been in my inbox on my work PC rather than on my phone. I did feel ashamed and it felt horrible. I guess they worked out I was new in the company from LinkedIn and guessed my email address.”

The reality is that this is just a numbers game for the cyber criminal; the timing was right and Felix took the bait – a simple, successful phishing expedition. The email looked credible but the domain was in fact different by one letter (“u” instead of “o”) which could have been detected by machine-learning algorithm, and pushed as a warning to Felix.

Scene 2

Beth Fraser is a hardworking CEO and founder of a tech company. The accounts administrator, James, who does not report to Beth, gets an email from her with a sending email address – ceo_exe@aol.com. The email reads, “Hi James, Are you in the office? I need you to process a CHAPS payment to a new payee today. Kindly let me know how soon you can get this done, the information needed to process the payment, as well as the available cash balance in the account at this moment? Thanks Beth.”

James responded that in order to process the payment he would need an invoice and the employees bank details. He confirmed the current balance of the company account as £520,098.77. Beth responded, “Hi James. Thank you for your candor. We’re expecting a payment for £71k from a client “Bindon Services Ltd”. Kindly check if it is in yet? You will find both payee details and amount below for same day payment. Both payments should come out of our account. 1 Amount: £28,489.44 Lloyds Bank Pls Ringit Solutions Accntnum: 4567138 Sort Code: 245690. 2) Amount: £48,492.03 Lloyds Bank Pls Dandy Limited Accnt num: 23459051. In addition; I am a bit indisposed at the moment and will only be able to communicate invoices and proper coding by the end of the business day. Kindly process payments and keep me posted. Thanks Beth.”

James processed the transactions and emailed Beth to confirm, attaching evidence of the payment to the email. Once again…the emails James received were not, in fact, from Beth. It was a scam.

We talked to Beth after the scam was uncovered and these were her observations: “I had never asked James to transfer money before as my CFO managed him, but I was the CEO and he was just following orders. I would generally not use certain words “kindly” or “candour”, but he did not know me so could not have known that. He let the scammers know how much we had in the bank account so they knew how much they could be aiming for. The bank (Barclays) reacted very slowly and did not make any attempt to retrieve the money, block the payments or help in any way.” Beth had to inform her shareholders of this incident – the £77k hit to her company was a bitter pill to swallow. She is sure she and her employees have learnt a very expensive lesson and hopes it never happens again. In future, machine based detection would assist someone like James alerting him that language, salutations and phrases used were not typical of the CEO, Beth, and this may be phishing. This is especially useful in situations where there is no direct reporting or close relationship between the communicants.