24 Apr 2020

Anatomy of Phishing in this Pandemic – Spearphising is Great, Whaling Best

If you have money, savvy phisherman and whalers will find you. With most of the world hunkered down working from home, normal processes are disrupted, so this is a target-rich environment for scammers. They are lurking. Beware!

There are many people all over the world falling for these phishing lures. With the US Government doling out trillions of dollars, these phisherman see dollar signs, thinking about all of the money transfers that they can intercept and interfere with.

Today, it was announced that even some very savvy finance guys (with teams of lawyers) are sending money directly to the wrong people — three British private equity firms were tricked into making wire transfers worth a total £1.1 million (around $1.3 million) following some back-and-forth impostor emails.

These cyber fraudsters are smart; some very smart and willing to invest time and money to learn about you and your circle of business colleagues. One tactic (of many) is to buy a LinkedIn recruiter tool which educates them on the hierarchy within your company — it lets them learn who reports one level up to whom.

Armed with these insights into your inner circle — who controls the money and who can send money — the best of them send very cleverly designed emails asking their victims to do things at their bosses’ behest. People often jump at the idea, with a feeling of importance, that their boss (or even bosses’ boss) is thinking about them enough to ask for an urgent “favor”. They reply to the impostor email and engage in a back-and-forth.

These cyber fraudsters are also patient; some are very patient. This back-and-forth email exchange could last a few days or even weeks. Then BOOM. They ask for a (modified) invoice to be paid or gift cards to be purchased for clients or even something that involves a bigger ticket wire transfer.

Sounds crazy, but we hear the stories. One recent customer support guy was running all over town (yes, with his COVID mask) buying gift cards because he got a series of fake impostor emails from the CEO of his company asking him to buy them for a client. Unfortunately, he bought and sent them. Money lost.

The challenge with these tricky tactics is those who are targeted are often the ones least suspicious and most trusting about email content.

What to do? The E-Sign & E-Security (Free) Work-from-Home Readiness program includes all-important and world class e-signature and email encryption services. And now (recently announced), it also includes email security automation services: RMail Anti-Whaling for Outlook and, for advanced folks, RMail Gateway inbound-and-outbound phishing and threat protection filters.

Most staff have no idea how to spot an impostor email lure. Most don’t even know that they have been targeted and maybe have already sent money to the bad guys. In any case, at least ask your team to install in 2-minutes the RMail for Outlook or Gmail software for an additional layer of protection.