The Simple Email Scam That Can Earn Fraudsters Millions

I wanted to write this blog to warn our readers about a new scam doing the rounds, and suggest a theory on how it managed to happen.

Picture this (purely hypothetical) scenario: –

I own my own mining company, Mining UK. I set myself up a website (mininguk.com) and I’m doing very well. I’ve built up a loyal staff, and have a very trusted employee who handles my accounts and payments – they’ve been with me right from the start and know how I work.

When I go out and win an order, I need to buy in new mining equipment for each job, and so there’s no delay, everything needs doing the same day.

So, as I as I walk out of a successful meeting I jump on my phone, email my employee, and they swing into action – I can usually have stuff onsite next day (that’s the power of email and the internet for buying).

On one occasion, I’m out trying to win a contract and my employee gets the following email:

My employee immediately puts the gears in motion. The money is transferred quickly.

But herein lies the issue. Did you spot the deliberate mistake? Look a bit more closely…

My company has fallen victim to a simple scam (it’s been about for a while as the links below will show, but as ever it’s become much more sophisticated recently).

In the old days, scammers blasted out 1000s of emails in the hope of someone biting. However, a new breed is emerging. They don’t indiscriminately email out; they target very specifically.

In case you didn’t spot it, look at my website and then the email address – there’s a missing ‘m’ on .com, it’s actually .co, which is Columbian (really).

This email didn’t come from me, or even my system. It came from a domain which was only set up hours before using anonymous hosted email sharing systems, and usually registered offshore (Bermuda seems to be a favourite, I assume because of all the money these guys are making).

The scammers looked at my website, got my name as the owner/financial director, went onto LinkedIn and found my connections and found the name of my trusted employee who does my accounts. They found out various facts about me and my business and what we do. They then acted.

The email comes in as if from me, hoping no one would notice this minute detail. You may think, “I’d have noticed that” but my poor employee, who gets dozens of emails from me, customers, other staff, friends, websites they have subscribed to, was so busy reacting to each one, they never noticed this.

And knowing how I am with timescales, they jumped right on it – £20,000 is not an unusual amount of money for me to be asked to be paid out; it’s a regular occurrence.

It wasn’t even questioned, no call to me to make sure (although I have seen instances where the person has emailed a reply and got something right back a few minutes later from the scammers).

By the time I wander back in the office and we talk, and realisation dawns that I didn’t ask for this, the money is out of our bank account and into theirs. The transfer was actually made within minutes.

By the time we notice, the domain is gone, the hosted email is gone (not that that would have been much good anyway) and the scammers have moved on – one hit and they’re away – they don’t make constant attempts to keep trying. It’s a lucrative scam.

Here’s some good articles which describe the different ways this can happen:

http://content.met.police.uk/Article/Mandate-fraud/1400013159214/1400013159214

http://www.channel4.com/news/fraudsters-reap-millions-with-simple-scam

The thing about this scam is its simplicity. It doesn’t require access to my system, so there’s no need to hack past my firewalls or guess my password. It just uses knowledge, freely available online, about me and my company, and the hope that whoever gets the email does no more than a cursory glance at the name, sees my name and just goes straight into autopilot (they know what I’m like if I don’t get what I want!)

So who is at fault here? Is it the employee who saw the email and didn’t check? Is it me for the way I use my email, and the demands I put on my staff?

Or is it technology? We all rely on emails constantly these days, and I’m sure I’m not the only one who receives in excess of 100 emails a day, sometimes from people sitting 4 desks down (of which I am also guilty of doing)?

As well as emails to me, I’m copied into conversations other people are having about something I’m only very vaguely connected to, but I need to read them in case I need to do something. I spend a good portion of my day just keeping my inbox in check – if I have any more than 20-30 unread/answered emails by the end of the day I break out in a cold sweat.

I can go to a meeting for an hour and come back to 60 emails – 15 of these are about one thing, in 3 different threads.

This is a good article about the shift to people starting to push back against the constant deluge of emails we all receive every day – http://www.bbc.co.uk/news/technology-31531877 – and some going even further and talking about banning internal emails completely – http://www.bbc.co.uk/news/technology-32622224 – you do sometimes wonder at what point we stopped talking and started using email as the default mode of communication.

It used to be walking round and having a chat, but now it’s quicker to email (because we’re all too busy catching up on emails to chat).

As we are all more and more connected to the internet, we are less and less connected to each other (am I the only person to sit at the kitchen table and play online pool against my 10 year old son, who usually beats me, rather than go out and play actual pool?).

As much as technology enhances our lives, without control it can go that bit too far and there’s a backlash starting. It’s small, but growing and I for one (as a self-confessed tecchie) am interested in knowing how it’s going to develop…