Email scam targets firm members with access to bank accounts
A number of firms have reported a new kind of scam targeting firm staff who have access to bank accounts. The scenarios have all been slightly different, but the common element is that the fraudsters put the legitimate email address of a senior firm member in the FROM: line of a forged email to dupe another member of the firm staff (or of another firm) into either divulging account information or actually sending funds.
Here’s how the scam appears to work.
The fraudsters research the names of various lawyers and staff at a firm. A "spoofed" email is then written and sent. The email appears to come from a legitimate address at the firm, but this does not involve actually hacking that email account: the TO: and FROM: lines of an email are ordinary text that the sender fills in, so a fraudster can put anything there, just as anyone can write any return address on an envelope. If the recipient hits Reply, the reply normally goes to the legitimate address in the FROM: line, not to the fraudster, so the fraudsters word the email in a way that doesn't invite a reply. Instead, the emails contain account transfer instructions or tell the recipient to send information to an email address given in the body of the note. One caveat: a fraudster can also add a REPLY-TO: line that points at an address they control, and most email programs will silently send replies there, so a reply that appears to go to the senior firm member is not by itself proof that the email is genuine.
These scams have targeted firm controllers and lawyers. In the cases reported to us, the controllers thought the request was odd or out of line with the firm's protocols, and made further enquiries that exposed the scam.
The danger is that a staff member may not feel comfortable challenging a senior firm member and may simply go along with the email instructions. In some emails, a fake series of previous emails was included to make it appear that the message was the latest in a series of back-and-forth communications.
Other emails have been sent in the name of one firm to another, and again the unusual content of the email quickly exposed it as a fraud attempt.
Here's an example of one of the emails. The name in the sender line of the email was that of a real member of the firm, and "Attorney XXXXXX" was a real lawyer at another firm.
In regards to an Acquisition that we are currently working on, Attorney XXXXXXXX will get in contact with you. If you can please devote your full attention and comply with any requests that he makes. We will need to proceed with several payments in regards to this operation. He will further explain to you how to execute the wire instructions following the regulations in place.
Over the last few months, we have been working, in coordination and under the supervision of the CSA. This is very sensitive, so please only communicate with me through this email, in order for us not to infringe CSA regulations.
You have my full approval to proceed with any payments that he may request on my behalf. You need to keep this matter extremely confidential as you are the only one currently aware of the situation.
You will need to maintain complete silence and work exclusively with XXXXX.
Any questions you may have must be addressed directly to him.
We are going public with the acquisition next week. I will personally meet with you and James a couple of days prior and expect to be fully updated on your progress.
Thank you for treating this with your utmost attention.
Because the FROM: line of an email can be forged by anyone, the name shown as the sender proves nothing on its own, and staff awareness is the main defence. It is not the only one, however. Firms can ask their email provider to publish SPF and DMARC records for the firm's domain, so that incoming mail that claims to come from the firm's own addresses but fails those checks is rejected or quarantined rather than delivered to staff. Firms can also make it policy that any payment or account instruction received by email is confirmed with the apparent sender in person or by phone at a known number, never by replying to the email. It appears the fraudsters are using information publicly available on firm websites to tailor convincing scenarios. It is useful to remind staff to be alert to emails that request information or actions related to bank accounts that seem odd or that don't comply with firm policies for accessing those accounts.
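The following is an added example, not code from LAWPRO or from any firm mentioned in the post. It puts the mechanism described above (a forged FROM: line, optionally with a REPLY-TO: pointing elsewhere, and a body full of payment and secrecy language) next to the checks a firm's mail gateway or an alert accounting clerk can apply to it. It assumes the gateway stamps an Authentication-Results header on inbound mail (most do; the header format is defined in RFC 8601), that the firm's domain is the hypothetical example-firm.test, and that the two messages are constructed samples written for this example, modelled on the scam email quoted in the post.

```python
"""Triage of a suspected spoofed "senior partner" email.

Added example (not LAWPRO's code). Assumptions: the firm's mail gateway
adds an Authentication-Results header to inbound mail; FIRM_DOMAIN and the
two sample messages below are made up for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-firm.test"  # assumption: the firm's own domain

# Authentication verdicts that mean "this mail did not prove it came from
# where its From: line claims". "none" only means no check was possible.
SUSPICIOUS_VERDICTS = {"fail", "softfail", "permerror", "temperror"}

# Phrases drawn from the pattern the post describes: urgency, secrecy,
# wire payments, and "only talk to me through this channel".
RED_FLAG_PHRASES = (
    "wire", "payment", "confidential", "complete silence",
    "only communicate with me through this email", "comply with any requests",
)


def auth_results(msg):
    """Parse the gateway's Authentication-Results header(s) into a dict such
    as {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}; {} if absent."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";")[1:]:  # first field is the authserv-id
            token = part.strip().split()[0] if part.strip() else ""
            if "=" in token:
                method, verdict = token.split("=", 1)
                results[method.lower()] = verdict.lower()
    return results


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message.
    An empty list means nothing looked wrong."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))

    # 1. Mail claiming to be from the firm's own domain but failing SPF/DKIM/DMARC.
    if domain_of(from_addr) == FIRM_DOMAIN:
        auth = auth_results(msg)
        if not auth:
            findings.append("no Authentication-Results header on internal mail")
        for method, verdict in auth.items():
            if verdict in SUSPICIOUS_VERDICTS:
                findings.append(f"{method} {verdict} for internal From: {from_addr}")

    # 2. A Reply-To that quietly redirects replies away from the From address.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 3. Envelope sender (Return-Path) on a different domain than the From line.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != domain_of(from_addr):
        findings.append(f"Return-Path {return_path} not on From domain")

    # 4. Pressure, secrecy and payment language in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in RED_FLAG_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("pressure/secrecy/payment language: " + ", ".join(hits))
    return findings


# Constructed sample: a spoof in the style of the email quoted in the post.
SPOOFED = """\
Return-Path: <bounce@mailer.attacker.test>
Authentication-Results: mx.example-firm.test; spf=fail smtp.mailfrom=mailer.attacker.test; dkim=none; dmarc=fail header.from=example-firm.test
From: Jane Partner <jpartner@example-firm.test>
Reply-To: Jane Partner <jpartner.office@webmail-lookalike.test>
To: controller@example-firm.test
Subject: Acquisition
Content-Type: text/plain; charset="us-ascii"

In regards to an acquisition we are working on, Attorney X will contact you.
Please comply with any requests that he makes. We will need to proceed with
several wire payments. This is very sensitive, so please only communicate
with me through this email and keep this matter extremely confidential.
"""

# Constructed sample: an ordinary internal message that passes authentication.
LEGIT = """\
Return-Path: <jpartner@example-firm.test>
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=example-firm.test; dkim=pass header.d=example-firm.test; dmarc=pass header.from=example-firm.test
From: Jane Partner <jpartner@example-firm.test>
To: controller@example-firm.test
Subject: Closing dinner
Content-Type: text/plain; charset="us-ascii"

Could you book the usual room for Thursday? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, triage(raw) or "no findings")
```

Run against the spoofed sample, triage() reports the SPF and DMARC failures, the mismatched Reply-To, the foreign Return-Path and the payment/secrecy language; the legitimate sample yields no findings. In practice the first check belongs on the gateway (rejecting or quarantining mail that fails DMARC for the firm's own domain), while the last check is the kind of thing a clerk should notice by eye; none of these replace the phone call to the partner before any money moves.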
This kind of fraud attempt is known as a “spear phishing” scam. Traditional phishing scams involve sending mass emails in the hopes that a few targets will be duped, and are described in the article Would You Take the Bait on a Phishing Scam? from the cybercrime issue of LAWPRO Magazine. A “spear phishing” scam is targeted more specifically and uses the names of people or companies the target knows. You can read more about it in this article by Norton: Spear Phishing – A Scam, Not a Sport.
April 13, 2015 at 2:53 pm, Nick said:
You’re not the only one. We received the same email as your example just now. Addressed to our accounting department. So many things wrong too. 1) not worded anywhere near how our CEO talks, and 2) the recipient was in a meeting with the CEO when it popped up. Oops.