Last week I received some news that I never wanted to hear: one of our customers had been targeted by an email scam which cost them big time, and we were being tasked with working out the who/what/where/why.
The scam went something like this - our customer was involved in a legitimate transaction whereby they were going to pay a third party a little over $80k. Everybody involved knew this transaction was about to take place; it was expected, in fact it was routine, so it came as no surprise to our customer when they received an email detailing the specifics, including the bank account details of where the money was to be transferred.
The customer became concerned when they started receiving reports that the money they had paid had not been received. Our client checked and double checked the bank account details and assured the other party that the money had been transferred: the funds had left their account the day before and the account number that was paid into matched what they had been told, so surely the money would turn up soon enough, they thought.
What they didn't know at the time was that someone had intercepted the original email, the one that detailed the bank account details, and had substituted the legitimate account numbers with their own. The trap had been set weeks before the transfer ever took place.
When it came time for the money transfer, our customer quite happily paid it directly into the scammer's bank account without having any awareness at all that they had been scammed.
So how was it possible for the scammer to change the contents of the email? That was the next question we had to find the answer for.
After a bit of digging around it became obvious what had happened: the person at our customer's office who received the initial email (the one with the bank account details) had fallen victim to a phishing scam some time prior, potentially months earlier. We haven't been able to find traces of the initial scam, but it would have looked just like all the others out there. Our customer received an email purporting to be from their 'email administrator' telling them that their account was due to expire, or that they were required to update their details, or some other such thing, and then directed our customer to a fake website where she typed her email address and password.
Now that the bad guys had her email password, all they had to do was watch and wait for an opportunity to arise. They might have been watching for months or only a few days; we will probably never know.
Normally when telling such a story I like to finish by telling you that the good people of the world came together, found the scammer and recovered the money but I can't tell you that because it didn't happen. The money was transferred to a Suncorp bank account in Queensland and promptly disappeared. With a bit of luck, the Police investigation will eventually catch up with the criminals and our client might even get some of their money back, but I wouldn't bet on it.
So, what's the moral of the story?
Cyber security starts with the computer operator; all the security systems, antivirus software and firewalls in the world could not have prevented this attack. There are only two ways I can think of that could have prevented this: more vigilance on the part of the computer operator so as not to be duped by a common phishing scam, and better business procedures to ensure that the bank account details were verified before the transfer.
The customer that was scammed is not a big business, losing over $80,000 is going to have a huge impact on them and is sure to result in many sleepless nights. I hope that the law will eventually catch up with the bad guys and that our customer can somehow recover from this.
Before publishing this we sought our customer's permission to tell their story. They hope, as do I, that by telling you what happened you can prevent it from happening to you too.