
Published 15 February 2016

Adrian Fowler

Managing Director


Email Scam to make false payments

This actually happened. What is scary is the almost believable nature of what turns out to be a con.

A member of the finance team of a reasonably sized company receives an email from a senior director requesting a couple of payments to be made. The member of the finance team replies by asking for the details of who to pay and how much.

The ‘senior director’ responds with the names, account details and the amounts. All perfectly normal.

Just before the ‘confirm payment’ button is pressed, into the office walks the REAL ‘senior director’, and the finance member calls out “Just about to make those payments you requested.”

“What payments?”

That nearly cost the company £16,150.

Be vigilant

Having analysed the emails, we found that at first glance they look extremely convincing. The initial one requesting payment ended with the ‘Sent from my iPhone’ text, which was believable, as the real senior director does in fact have an iPhone.

Furthermore, the email appeared to come from the correct source and was sent to the correct person. In this case the managing director would normally request and authorise payments, and the recipient was the correct person, who happened to be someone in the finance department.

But a couple of observations should raise suspicion if you know the behaviour of your work colleagues. The senior director historically never signs his email with his first and last name, always his first and often a shortened version. This should have raised suspicion.

Secondly, there were a couple of grammatical errors, not normal for someone of the senior director’s education and intellect. Again, suspicion should have been raised.

The figures given by the ‘senior director’ were stated with a suffix of GBP. This isn’t normal behaviour for a director of a company who deals inside the UK; normally this would just be written with the pound sign prefix. Another suspicion.

The finance person’s reply to the email, which requested the payment details, was never received by the real director.

Have we been hacked or have we been spoofed?

Digging further into the origins of the email requesting payment, it is evident that the email was sent from a person called Alba Rosa, who operates from a business located in the United States called Brillante Home Décor. Digging a bit deeper, we discover the domain is hosted with GoDaddy.

First things first, we reported the offending domain to GoDaddy as they host the domain. Whoever is sending fake emails is responsible for their email systems, and they need to lock down their email so it can’t be compromised in this way.

The email headers had been edited by the offending senders to change the actual reply-to address while leaving the familiar address visible. In other words, although it looks like you are replying to the real senior director, you are actually replying to an address ‘reply-ceo000@host.com’, which is a free mail service any would-be scammer can utilise.

So in conclusion, the email address of the real director was spoofed by some overseas scammer.
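A mail filter or triage script can catch the reply-to trick described above by comparing the domain in the visible From header with the domain a reply would actually go to. The following is an added example, not part of the original post; the message is constructed, and `example.co.uk` and the function names are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not the real email from the incident).
# example.co.uk stands in for the company's own domain (assumption).
SAMPLE = """\
From: "Senior Director" <director@example.co.uk>
To: finance@example.co.uk
Reply-To: "Senior Director" <reply-ceo000@host.com>
Subject: Payments

Please make a couple of payments today.

Sent from my iPhone
"""


def _domains(msg, header):
    """Return the lower-cased domains of every address in a header."""
    values = msg.get_all(header, [])
    return {addr.rsplit("@", 1)[1].lower()
            for _name, addr in getaddresses(values) if "@" in addr}


def reply_to_mismatch(raw, own_domains):
    """Return Reply-To domains that differ from the visible From domain.

    An empty set means replies stay on the From domain, or there is no
    Reply-To header, in which case replies go to From anyway.
    """
    msg = message_from_string(raw)
    from_domains = _domains(msg, "From")
    reply_domains = _domains(msg, "Reply-To")
    # Only check mail that claims to come from one of our own domains.
    if not from_domains & {d.lower() for d in own_domains}:
        return set()
    return reply_domains - from_domains


if __name__ == "__main__":
    odd = reply_to_mismatch(SAMPLE, {"example.co.uk"})
    if odd:
        print("Hold for review: replies would go to", ", ".join(sorted(odd)))
```

A message flagged this way is a candidate for quarantine or a warning banner rather than proof of fraud, since some legitimate services also set a different Reply-To.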

Issue warnings

All staff need to be vigilant. In particular, when an email asks you to pay a new supplier, first ask yourself before paying: do you have an invoice for this request? What is the payment for?

Read this email from the director. Does it look like an email they would send?

Check your email system

It could be that your email system is relaxed to the point of allowing this sort of email in and out. In all cases, email systems should be locked down so that email which fails to meet certain checking standards can be neither sent nor received.

If you are worried about attacks like the one described above, call us on 01858 455426 for advice and help.
