A spoofed email from the president ordered me to send a direct deposit

A new accounts payable employee receives a spoofed email from the company president.

Send a $20K direct deposit to this bank account… do it right away!

The true crime story is that this is an ongoing fraud effort. Our recent spoofed email cases include:

$18K in Kirkland,
$20K in Woodinville,
$250K in downtown Seattle,
$500K in West Seattle.

Spoofed emails are so realistic and well timed that they really seem genuine. They include real names and an Internet domain that is almost correct. For example, the accounts payable clerk gets an email from George, the company president. George’s real email address is geo@StartupInc.com. The spoofed email comes from geo@Startup1nc.com … Can you spot the alteration?

Public records listing George’s real email address make a look-alike easy to construct. Just add an “s”, switch a “1” or “l” for an “i”, or change the location of a couple of vowels. The fraudster buys the Internet domain startup1nc.com. Mail service for the new domain is set up.

A bit more research gives the email address for the victim, ap@StartupInc.com, and possibly some schedule information about the president being out of town next week. The fraudster opens a new bank account that will hold the direct deposit for a day before shipping the money overseas.

Our investigation of this sort of case often works to determine whether the attacker is an insider or not. It can also identify other victims; this is important for getting the attention of law enforcement.

Our investigation of these fraud attempts can include:

  • Gather basic information about the fraud
  • Advise the client to immediately ask their bank to claw back the stolen money
  • Collect spoofed email headers from the computer that received the email
  • Build a timeline of known events, possibly ask the victim to send a trapped response to the fraudster email asking for a clarification
  • Check the whois database for details of the spoofed domain registrant
  • Use a service like the reverse-whois lookup of DomainTools.com to discover domains with similar registrant info
  • Apply a bit of magic to figure out which real domains are being attacked
  • Call owners of the real domains to see what they have experienced
  • Tell the victim to report the crime to police
  • Use this story as a teaching opportunity for employees

All of these steps can be accomplished quickly and will fuel the analysis necessary to figure out what is happening. Moving fast is critical for money recovery, law enforcement effectiveness and corporate sanity.
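As an added illustration, not part of the original post or of the eSleuths' own toolkit, here is a small Python check for two of the steps above: collecting the email headers and spotting the look-alike domain. It pulls the From, Reply-To and Return-Path domains out of a raw message, normalizes the digit-for-letter swaps described earlier (“1” for “i”, “0” for “o”, and so on), and flags any sender domain within a couple of edits of the company's real domain. The StartupInc/Startup1nc names come from the post; the sample message, the confusable table and the two-edit threshold are my assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Characters and digraphs commonly substituted in look-alike domains.
# Both the suspect domain and the real one are normalized with this
# table, so "startup1nc" and "startupinc" collide on purpose.
# The table itself is an assumption; extend it for your own cases.
CONFUSABLES = {
    "0": "o", "1": "i", "l": "i", "3": "e", "5": "s",
    "vv": "w", "rn": "m",
}


def normalize_label(label):
    """Lower-case a domain and collapse common confusable substitutions."""
    label = label.lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_domain(sender_domain, legit_domain, max_distance=2):
    """'legitimate', 'lookalike' or 'unrelated' relative to legit_domain.

    The comparison is on the whole domain string; a production check
    would first strip the public suffix and compare registrable parts.
    """
    s, l = sender_domain.lower(), legit_domain.lower()
    if s == l:
        return "legitimate"
    ns, nl = normalize_label(s), normalize_label(l)
    if ns == nl or edit_distance(ns, nl) <= max_distance:
        return "lookalike"
    return "unrelated"


def sender_domains(raw_message):
    """Extract the domain from each sender-related header that is present."""
    msg = message_from_string(raw_message)
    found = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            addr = parseaddr(value)[1]
            if "@" in addr:
                found[header] = addr.rsplit("@", 1)[1].lower()
    return found


def triage(raw_message, legit_domain):
    """Classify every sender header of a message against the real domain."""
    return {header: classify_domain(domain, legit_domain)
            for header, domain in sender_domains(raw_message).items()}


# Constructed sample, modelled on the message described in the post.
SAMPLE = """From: George <geo@Startup1nc.com>
Reply-To: geo@Startup1nc.com
Return-Path: <bounce@mail-relay.example.net>
To: ap@StartupInc.com
Subject: Urgent direct deposit

Send a $20K direct deposit to this bank account... do it right away!
"""

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE, "StartupInc.com").items():
        print(f"{header:12s} {verdict}")
```

Run it against the raw message saved from the victim's mail client; on a spoofed message the three headers frequently disagree with one another, and that disagreement is itself a useful fact for the timeline. Any verdict of "lookalike" is the cue to move to the whois and reverse-whois steps for that domain.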

The good news

This sort of crime can be prevented with good financial procedures and employee education.

Our investigations are helpful in the recovery process.

The cost may be covered by insurance.

We enjoy working on cases of this sort… we are the eSleuths.