Confidence men know that a good con will work over and over, so we keep seeing old cons applied in new ways using technology. Why does this matter? Because it is one more threat to our safety and our identity. The problem is that most people don't think it can happen to them, which is exactly what the conman is counting on.
The latest old con to resurface is the invoice play. Before technology, a conman would present an invoice to a clerk and get them to believe it was either already authorized or so urgent that they would get in trouble for stopping to check. Well, it is back in the latest email phishing scams directed at specific employees of a company. The term for these attacks is "spear phishing", cute huh? The first of these attacks surfaced two years ago, but they were few and far between. With some refining they now seem ready for the mainstream, and so they come in bulk. In these scams the phisher finds the names and email addresses of a company's top executives, usually available on the company's own website. Then a custom email is crafted for those specific people and their function at the company.
Most of the emails take one of two approaches. In the first, the email purports to be from the Better Business Bureau, alerting the recipient to a complaint posted on "their" website. The link actually leads to a fake copy of the Better Business Bureau site. Once there, the executive is lured further into entering identity and financial information that can be used to defraud the company. In the second approach, an email is sent to the executive(s) of a company about a delinquent invoice or bill. In most cases an assistant reads the executive's email, and in most cases these emails are forwarded to the accounting or accounts payable person without the executive's knowledge. Since the email now arrives internally from an executive's mailbox, the recipient may trust the source and either pay the invoice electronically or visit the accompanying link to get more information about it.
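Both approaches leave a trace that a mail filter or an alert accounts-payable clerk can check mechanically: in the first, the display name claims one organization while the sending domain and the link point somewhere else; in the second, the message was forwarded by an insider but the original sender quoted in the body is outside the company. The script below is an added example and not part of the original post. It applies those two checks to three constructed sample messages; every domain in it except bbb.org (the Better Business Bureau's real domain) is made up, and the table of known organizations is an assumption a real deployment would extend.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Legitimate sending/link domains per organization a message may claim to be from.
# bbb.org is the Better Business Bureau's real domain; the table itself is an
# assumption for this example and would be extended in a real deployment.
KNOWN_ORGS = {
    "better business bureau": ("bbb.org",),
}

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)
FWD_SUBJECT_RE = re.compile(r'^\s*(fw|fwd)\s*:', re.I)
FWD_FROM_RE = re.compile(r'^\s*From:\s*(.+)$', re.I | re.M)

# Constructed sample 1: the "complaint filed against you" lure. Display name says
# BBB, but the sender domain and the link do not (all domains here are made up).
SAMPLE_BBB_PHISH = """\
From: "Better Business Bureau" <complaints@bbb-notice.example.net>
To: ceo@acme.example
Subject: Complaint filed against your company
Content-Type: text/html

<html><body>
<p>A complaint has been filed against your business. Respond within 48 hours.</p>
<p><a href="http://www.bbb.org.complaint-review.example.net/case">View the complaint</a></p>
</body></html>
"""

# Constructed sample 2: the forwarded "delinquent invoice" lure. The message now
# comes from an executive's mailbox, but the quoted original sender is external.
SAMPLE_FORWARDED_INVOICE = """\
From: "Jane Doe" <jane.doe@acme.example>
To: ap@acme.example
Subject: FW: Past due invoice - immediate payment required
Content-Type: text/plain

Please handle this today.

---------- Forwarded message ----------
From: Accounts Receivable <billing@vendor-invoices.example.org>
Subject: Past due invoice - immediate payment required

Your account is 60 days past due. Pay now at http://vendor-invoices.example.org/pay
"""

# Constructed sample 3: what a genuine BBB notice would look like; must produce no findings.
SAMPLE_LEGIT = """\
From: "Better Business Bureau" <noreply@bbb.org>
To: ceo@acme.example
Subject: Your accreditation renewal
Content-Type: text/html

<html><body><p><a href="https://www.bbb.org/">Renew here</a></p></body></html>
"""


def belongs_to(host, domain):
    """True if host is domain or a subdomain of it. A lookalike such as
    bbb.org.complaint-review.example.net carries the real name as a *prefix*,
    so it correctly fails this test."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyze(raw, company_domain):
    """Return a list of human-readable findings for one raw RFC 5322 message.
    An empty list means neither red flag was observed."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    legit = KNOWN_ORGS.get(name.strip().lower())  # None if no known org is claimed

    # Red flag 1a: claimed organization vs. actual sending domain.
    if legit and not any(belongs_to(from_domain, d) for d in legit):
        findings.append(f"display name claims '{name}' but sender domain is {from_domain}")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""

    # Red flag 1b: claimed organization vs. where the links actually go.
    for url in HREF_RE.findall(body):
        host = urlparse(url).hostname or ""
        if legit and not any(belongs_to(host, d) for d in legit):
            findings.append(f"link host {host} is not under {', '.join(legit)}")

    # Red flag 2: an internally forwarded message whose quoted original sender
    # is outside the company, i.e. the "trust" came from the forwarder, not the source.
    if FWD_SUBJECT_RE.match(msg.get("Subject", "")):
        for line in FWD_FROM_RE.findall(body):
            _, orig_addr = parseaddr(line)
            orig_domain = orig_addr.rpartition("@")[2].lower()
            if orig_domain and not belongs_to(orig_domain, company_domain):
                findings.append(f"forwarded by {addr} but original sender is external: {orig_domain}")

    return findings


if __name__ == "__main__":
    for label, raw in (("bbb phish", SAMPLE_BBB_PHISH),
                       ("forwarded invoice", SAMPLE_FORWARDED_INVOICE),
                       ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyze(raw, "acme.example") or "no findings")
```

The subdomain test in `belongs_to` is deliberately strict: a host that merely *contains* the expected name (the bbb.org.complaint-review.example.net trick) is not accepted, because the registrable domain is whatever comes last, not what the victim reads first. The forwarded-message check is the mechanical version of the advice in the next paragraph: trust should attach to the original source of the invoice, not to the colleague who passed it along.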
This may not seem like much of a risk to many people, but it nicely illustrates the risk of inferred trust I speak with parents about so often. This is really a play on social engineering: you gain a little information about someone and use it to gain more. Inferred trust means that you give the appearance of knowing X so you can exploit Y, because Y trusts X. So this age-old ploy is now being crafted as an email. Just remember, though, that to succeed it only requires a few people to either not think or to trust the source without checking. We think these things can't succeed, but remember that there are still people falling victim to the Nigerian scams! So be careful out there…