Spear Phishing

Email deception is almost effortless these days, and has become a run-of-the-mill scenario. An acquaintance of mine, Devorah Hyman,* had been tricked into wiring $20,000 to a cyber thief, and by the time the mistake was noticed, the money was long gone. The loyal and competent controller of a small business, Devorah was left embarrassed and shaken by the episode. She’d gotten an email urgently requesting payment to a new supplier her boss had found at the expo he was attending. Although the email was signed Isaac Cohen instead of “Yitzy,” the name her boss usually went by, she’d figured he was using his secular name at the convention. Isaac had pushed her to rush the wire to make sure it went out before the bank closed, so she’d sent it right away. It turns out the email was from a scammer, and the money had disappeared through a web of international accounts. The mistake had only come to light when Mr. Cohen had returned.

Although Mr. Cohen was understanding and immediately forgave her, Devorah felt terrible. How had this scam happened, and what could prevent a similar scam in the future?

*All identifying details are changed.

Don’t be embarrassed

Devorah shouldn’t be embarrassed that she was tricked by a clever email deception, also known as a spear phish. Due to the abundance of personal information available online, it’s become almost effortless—and common—for criminals to customize their scams in ways that make them much harder to detect. Devorah had trusted the email request because it seemingly came from her boss, and the sender also knew: 1. her email address, 2. that she was the one who sent out wires, 3. that “Isaac” was the one who would ask her to do so, 4. that he was now at an industry convention, and 5. that he was looking for new suppliers. All of this seemingly private information made Isaac’s request to lock in a new supplier contract seem credible. Combined with the urgency requested by her “boss,” it’s not surprising that she was fooled. Detailed personalization and urgency are the key elements that make these spear phishing scams so devastating and, unfortunately, successful.

Be discreet

All of the information needed for this attack was readily available with just a few minutes of online research. Mr. Cohen had posted his intentions to attend the expo on social media, so the criminal knew he’d be there meeting vendors (and out of easy reach). Devorah was identified on the company website as the controller (who would very possibly be responsible for wires), and her contact information was posted there as well. Even if it hadn’t been, a scammer could probably have gotten her email address by calling the receptionist or connecting with her on LinkedIn. Scammers use these seemingly unimportant tidbits of information to attempt heists against easy targets around the globe. Often, the thieves are from developing countries, beyond the reach of law enforcement, where even one or two successes annually leave them rich by local standards.

The missed red flag

The one thing the thief got wrong was what he could not have known from afar: that although Mr. Cohen went by “Isaac” online, in private correspondence, he used “Yitzy.” By explaining this hint away to herself, Devorah missed her chance to dig deeper and uncover the scheme. Had she delved in, she could have noticed that although the sender’s email display name (which anyone can easily change to anything) was “Isaac Cohen,” the actual email address (which only an inside hack can realistically compromise) wasn’t from her company’s email domain. In addition to being more guarded with its online information, the company could have used a required “double-check” system for large wires to help prevent spear phishing. Accordingly, Devorah would have texted her boss to confirm the request for an immediate transfer of funds and thereby uncovered the scam.

Double-check or else

A double-check system recently helped prevent a much larger and more sophisticated spear phish against a Lakewood investor and his attorney. The investor got an email from the lawyer’s assistant saying that he should wire the $400,000 required for an upcoming real estate closing. In this case, the email was indeed coming from the law firm’s domain, and the amounts requested and other details were all credible. Luckily, the client decided to call before wiring the money, and his lawyer said the money wasn’t needed until the closing the following week! The wire instructions were false—had the $400,000 been credited to the enclosed accounts, the funds would have been quickly sent overseas, never to be recovered. It turned out that an intern had downloaded a virus a few days earlier. This breach enabled the hacker to learn of imminent closings and send out emails requesting bank wires directly from an internal email account. Luckily, the client had been extra careful, or this hack would have proven very costly and painful for all involved.
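The two checks described above, as an added example that is not part of the original post: a colleague's display name on an outside address (Devorah's case), and a payment request that still needs a call-back when it comes from an internal account (the law firm's case). The company domain, staff names, pressure phrases and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values: company domain, staff display names, pressure phrases.
COMPANY_DOMAIN = "example-co.test"
STAFF_NAMES = {"isaac cohen", "yitzy cohen", "devorah hyman"}
PRESSURE_WORDS = ("wire", "urgent", "immediately", "before the bank closes")


def check_message(raw: str) -> list:
    """Return the reasons a message needs an out-of-band confirmation."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    reasons = []

    # A colleague's display name on an address outside the company domain.
    if display.strip().lower() in STAFF_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(f"staff name '{display}' on outside domain '{domain}'")

    # Payment pressure is flagged even from an internal address, because a
    # compromised internal account passes the domain check.
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body if isinstance(body, str) else ''}".lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        reasons.append("payment pressure: " + ", ".join(hits))
    return reasons


# Constructed sample messages, not real mail.
SPOOFED = """From: Isaac Cohen <isaac.cohen@freemail.test>
Subject: New supplier payment

Please wire the deposit immediately, before the bank closes.
"""
INTERNAL = """From: Yitzy Cohen <yitzy@example-co.test>
Subject: Closing funds

Please wire the closing funds today.
"""
ROUTINE = """From: Yitzy Cohen <yitzy@example-co.test>
Subject: Expo notes

Back Thursday, notes attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL), ("routine", ROUTINE)):
        print(label, check_message(raw))
```

Any non-empty result means the request is confirmed by phone or text before money moves; an empty result is not proof the message is genuine.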

Email is the criminals’ prize

Think of an email password as a master key to many of your accounts. Many people assume that bank account information is what criminals go for, but Mordy Fried of Keystone Cyber Protection says that safeguarding email passwords is even more important. Passwords for the dozens of sites and technology tools we use for banking, storing customer files, e-commerce websites, phone systems, etc. can be reset via email. Therefore, if a criminal gains control of an email account, they can often hijack everything else and create all kinds of mischief. Email passwords should be unique, at least 12 characters long (a phrase is easier to remember), and not used for other sites. A recipe for corporate disaster is sharing one email password company-wide, because one security fail exposes the entire company! The lawyer mentioned earlier used one default password firm-wide, and when the intern’s account was compromised, the hacker gained access to the entire company server. The bad guys tend to go after the easy targets, so a little prevention goes a long way.

I thank my brother Mordy Fried of Keystone Cyber Protection for his expert input and review of this post.

