Even though I now work at an IT company that does a lot of great work with cyber security awareness, I have always fancied myself able to tell the difference between a legitimate email and a phishing attempt (a fraudulent attempt to obtain sensitive information or data of monetary value by disguising oneself as a trustworthy entity in an electronic communication).

Being overly cautious when it comes to most things, I have never fallen victim to a phishing, spear phishing, or social engineering scam.  *knock on wood*

However, yesterday I received an email from my "CEO" that almost caught me. I'm used to seeing examples of phishing attempts that include almost comical threats and broken English. The one I got yesterday had only minor grammar errors and at first glance, looked OK. This is the initial email I received:

Looks like a pretty legitimate email, no? Martin (our CEO) is someone that I do report to, and funnily enough, he was in and out of meetings all day yesterday. If you read quickly, Martin's first and last name are correctly spelled, there is no obvious translation from another language, and no mention of bitcoins...

It wasn't until I looked at the email address associated with Martin's name that I realized this was not coming from him. I took a screenshot of it, sent it to Martin, and we decided to email back and see what sort of phishing attempt it was, for educational purposes.

My reply: 

Hey Martin! Sure I can help. What do you need?

I can't imagine how excited the scammer was that they had seemingly reeled me in. Promptly, they replied: 

This is exactly what we thought they would be looking for. A common ask from scammers is for gift cards; their hope is that a company will purchase them, scratch off the code on the back, and send them the codes, effectively transferring the cards and their monetary value to the scammer. Since it is a simple task, a lot of their victims follow through without knowing they were set up. We have personally had the unfortunate experience with a client who had an employee send gift card codes to her "boss". She was not familiar with this sort of scam, which is why she complied. It is also why I wanted to post this blog, as a warning of sorts.

I continued to reply with:

Yes of course. I can head out and pick some up.

Right away I was met with: 

Bingo! Our suspicion confirmed. I wanted to end this charade by asking them: 

Sounds good Martin. Are you able to call me quickly to confirm another work item I want to cover with you? Then I'll head right out.

Like clockwork, they replied: 

This is where I decided to end our correspondence. I wanted to share with our readers in hopes of creating further awareness on phishing attempts like this. As mentioned before, it is not as obvious as most attempts. The following is another email we have received, and it is more obviously a textbook phishing scam:

The one from yesterday is subtle, asking just enough of you not to raise any flags right off the bat. Google Play cards worth no more than $1,500? Doable. However, depending on the size of your organization, this could be a devastating mistake to follow through on. Plus, the scammer sent it as someone that I personally would answer to under normal circumstances.

If you ever receive an email like this, do your due diligence. Check the actual email address associated with the sender. Lorenesimps@gmail.com is very clearly not Martin. It doesn't hurt to also use another method of communication to contact the person you think the email is from. In my case, I messaged Martin on Slack and confirmed that this was not him.
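The check described above (does the display name claim to be a colleague while the real address belongs to a public webmail domain?) is easy to automate. The script below is an added example, not code from the original post or from the author's company: it parses the From and Reply-To headers of a message and flags the mismatch, plus a gift-card keyword as a second signal. The company domain example.com, the name Martin's internal address, and both sample messages are constructed assumptions; Lorenesimps@gmail.com is the address quoted in the post.

```python
"""Flag display-name impersonation of known colleagues (added example).

Assumptions: the company domain is example.com and the only known colleague
is "Martin" with the internal address below. Sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com"  # assumed company domain

# Assumed directory: lowercase first name -> expected internal address.
KNOWN_PEOPLE = {"martin": "martin@example.com"}

# Terms that commonly appear in gift-card requests (Google Play is the one
# named in the post; the others are common additions).
GIFT_CARD_TERMS = ("gift card", "google play", "itunes", "scratch")


def check_sender(raw_message: str) -> List[str]:
    """Return human-readable warnings for one RFC 822 message, empty if clean."""
    msg = message_from_string(raw_message)
    warnings: List[str] = []

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    first_name = display.split()[0].lower() if display.strip() else ""

    if first_name in KNOWN_PEOPLE:
        expected = KNOWN_PEOPLE[first_name]
        if domain != INTERNAL_DOMAIN:
            # The classic case from the post: "Martin <Lorenesimps@gmail.com>"
            warnings.append(
                f"display name '{display}' matches a colleague but the real "
                f"sender is {addr} (outside {INTERNAL_DOMAIN})"
            )
        elif addr.lower() != expected:
            # Right domain, wrong mailbox: still worth a look.
            warnings.append(
                f"display name '{display}' is mapped to {expected} but mail "
                f"came from {addr}"
            )

    # A Reply-To pointing somewhere other than the From address is a second
    # common sign that replies are being redirected to the attacker.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr.lower():
            warnings.append(f"Reply-To {reply_addr} differs from From {addr}")

    # Content signal: gift-card language in subject or body.
    body = msg.get_payload(decode=False) if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [t for t in GIFT_CARD_TERMS if t in text]
    if hits:
        warnings.append(f"gift-card language present: {', '.join(hits)}")

    return warnings


# Constructed sample resembling the exchange in the post.
SPOOFED = """From: Martin <Lorenesimps@gmail.com>
To: samantha@example.com
Subject: Quick task

Are you available to run to the store? I need Google Play cards, no more than
$1,500. I'm in and out of meetings all day, so just email me the codes.
"""

# Constructed sample of a genuine internal message.
LEGIT = """From: Martin <martin@example.com>
To: samantha@example.com
Subject: Agenda for tomorrow

Can you add the Q3 numbers to the deck before the 9am call?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", check_sender(sample) or ["no warnings"])
```

Run it as-is and the spoofed sample produces two warnings (external sender behind a known name, and gift-card language) while the genuine one produces none. In a mail gateway the same logic would sit next to SPF/DKIM/DMARC results rather than replace them: those protocols verify the sending domain, but they say nothing about a free webmail account whose display name happens to read "Martin".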

Take the time to review every email you receive, no matter how hectic your day may be. Taking those extra few seconds to verify may just save you from an even more hectic result.

Stay safe! 

Samantha Parrett | Sales & Marketing Coordinator