Everyone,

A dangerous email scam, known as a “confidence trick,” is becoming more prevalent. This is not a high-volume attack. It is targeted at specific company employees by name, attempting to trick them into transferring money to someone pretending to be a trusted associate.

Scams like this one employ social engineering techniques to convince the target that someone they trust (like a CEO) is asking for the money. Unfortunately, the success rate is high enough to encourage ever more of these.

Learn how this scam works, and how to recognize and avoid becoming a victim of these types of scams.

Is This a Phishing Attack?

Some people may refer to this as a “phishing” attack, or (because it is targeted to specific individuals) a “spear phishing” attack. In a phishing attack, the scammer tries to get the victim’s login credentials to steal money or information from their account.

That’s a different type of scam from this one; the scammer here is trying to get the target to transfer money directly.

How This Scam Works

The scam we’ve seen is very convincing and thus dangerous. The criminal not only knows the name and email address of the victim (e.g., the CFO or Comptroller) but also knows the name and email address of someone the victim would trust, such as the company president. Information like that can be obtained easily from many places, including social networking sites.

Armed with that information, the criminal registers a domain name that looks like the target company’s; for example:

mywigdets.com
instead of
mywidgets.com

Then they send an email to the target that looks like it’s coming from someone else in the company, for example:

[email protected]
instead of
[email protected]

The email asks for a wire transfer and might even reference some personal information the scammer learned about the target (e.g. from their LinkedIn page or their kid’s Facebook post) to further gain their confidence.

What We Are Doing

No antispam system can block every single spam email, especially these carefully crafted small-volume attacks. However, we believe that we are doing far more than most. Our filter blocks the majority of these emails, but variations will likely emerge.

What You Can Do

If you get an email asking for money, passwords or personal information, remember these simple rules:

• Never click links in an urgent-sounding email. If you think there may be a problem with your account, type the address that you know and trust manually into your browser.
• Confirm requests for money or information in person or on the phone. Never use the phone number shown in the email - that could be fake as well.
• Don’t be fooled by personal information. A lot of information about us and our families is now all over the Internet, thanks to social networking. It is very easy for someone to gather it up and sound like they know you.

Everyone must be ever more careful with passwords and financial information. It is especially important that management and others with access to company resources are aware of spear-phishing scams and these confidence tricks.

Not Just an Email Scam

This type of scam is not limited to email. These criminals might contact you by phone, by text message, by instant messaging, by emailing your personal accounts, via Facebook or LinkedIn, or by any combination of these. We can only encourage you to become more vigilant every day, as we are.