Here’s a fun example of a phishing attempt that was reported by one of our clients. This one was a bit more nuanced than the standard email phishing attack. It began with the attacker submitting details on our client’s website "Contact Us" form.
The administrative assistant received the inquiry and sent a standard email message back to what could have been a prospective new client. She then received the following email in response. (All individual and company names have been changed.)
From: Guido Sventurato <guidocentralmacastinginc@gmail.com>
Sent: Thursday, September 5, 2024 2:02 PM
To: Jessica Leporidae <jessica@outsidebostoncpa.com>
Subject: Re: Your Inquiry and Our Intake Form Requirement
Hi Jessica,
I appreciate the prompt response. I am a Casting director at a movie production company. We are currently in the process of working on a new movie project.
We are looking for a professional bookkeeper to serve as a consultant and provide guidance and support to the Actor. The bookkeeper will help the Actor understand the fundamentals of bookkeeping, including setting up an online account, creating and sending invoices, and receiving payments via Quickbooks. This will be done through Google Meet or Zoom.
The schedule for the bookkeeping consultation is as follows:
Day 1: Setting up an Account Online, Creating and Sending Invoices, Receiving Payments.
Day 2: How to prepare 1099s and file electronically.
The consultation is rescheduled for the 9/12 and 9/13, running from 5PM to 7PM each day. We have allocated a budget of $2,500 per day, totaling $5,000 for both days, which will be paid in advance. Should there be a need for a slight adjustment in the budget.
Please confirm if you are available and willing to offer these services .
Thank,
Guido Sventurato
Suspicions
Note a few suspicious points about this message:
- The email address is a free Gmail address that includes the company name in the mailbox (not the domain) portion of the address. This isn’t uncommon. Many very small businesses use this approach, but it is somewhat of a red flag.
- The date of the message and the proposed date for the start of the engagement are within a week of each other. This creates a sense of urgency that might override the recipient’s normal logical thinking process.
- The message is tailored to the recipient’s type of business. This is more of what we call a spear-phishing attack, because it’s targeted (as opposed to a more generic phishing attack).
- There are a few typos, which I have highlighted in the message. Typos aren’t generally the best way to positively identify a malicious email because real people do make spelling and grammatical errors, attackers often use AI and other tools to fix their errors, and most recipients just aren’t that good at proofreading. However, mistakes can serve as a red flag in conjunction with other evidence that the message might not be legitimate.
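The first two red flags above can be screened for mechanically before a human ever reads the message. The following is an added example (not code from the original post or the firm involved) that scores a plain-text message dump on the indicators this case showed: a free webmail address carrying the claimed company name in the mailbox portion, an engagement date within a week of the send date, and payment offered in advance. The freemail list and the company keyword (which the reviewer would take from the company's real website, as the assistant did) are assumptions; the sample message is constructed from the quoted email.

```python
import re
from datetime import date, datetime

# Constructed sample, assembled from the headers and key sentences of the
# message quoted above (the post's fictional names and addresses).
SAMPLE = """From: Guido Sventurato <guidocentralmacastinginc@gmail.com>
Sent: Thursday, September 5, 2024 2:02 PM
Subject: Re: Your Inquiry and Our Intake Form Requirement

The consultation is rescheduled for the 9/12 and 9/13, running from 5PM to 7PM.
We have allocated a budget of $2,500 per day, which will be paid in advance.
"""

# Assumed list of free webmail providers; extend as needed.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def parse_headers(msg):
    """Pick out the From/Sent/Subject lines from a plain-text message dump."""
    hdrs = {}
    for line in msg.splitlines():
        m = re.match(r"^(From|Sent|Subject):\s*(.*)$", line)
        if m:
            hdrs[m.group(1)] = m.group(2).strip()
    return hdrs


def sender_address(from_hdr):
    """Return the bare address from 'Name <addr>' or a bare 'addr'."""
    m = re.search(r"<([^>]+)>", from_hdr)
    return (m.group(1) if m else from_hdr).strip().lower()


def red_flags(msg, org_keyword, urgency_days=7):
    """Return [(flag, detail)] for a reviewer; an empty list means nothing fired."""
    hdrs = parse_headers(msg)
    flags = []
    local, _, domain = sender_address(hdrs.get("From", "")).partition("@")
    # Flag 1: free webmail account whose mailbox name carries the claimed company.
    if domain in FREEMAIL and org_keyword.lower() in local:
        flags.append(("freemail_with_org_name", f"{local}@{domain}"))
    # Flag 2: proposed m/d dates in the body fall within urgency_days of sending.
    if "Sent" in hdrs:
        sent = datetime.strptime(hdrs["Sent"], "%A, %B %d, %Y %I:%M %p").date()
        leads = []
        for mo, d in re.findall(r"\b(\d{1,2})/(\d{1,2})\b", msg):
            try:
                leads.append((date(sent.year, int(mo), int(d)) - sent).days)
            except ValueError:  # not a real calendar date, e.g. "50/50"
                continue
        soon = [n for n in leads if 0 <= n <= urgency_days]
        if soon:
            flags.append(("short_lead_time", f"{min(soon)} days"))
    # Flag 3: money offered up front, the setup for the later refund request.
    if re.search(r"paid in advance", msg, re.I):
        flags.append(("advance_payment", "payment offered before any work"))
    return flags
```

A hit on any of these is a prompt for the out-of-band check the assistant performed, not a verdict; a legitimate small business on Gmail will trip the first flag too.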
The Right Response
The administrative assistant, in this case, recognized that something seemed fishy about the message, and checked out the purported sender of the message and his company. She looked up the real email address for the person and sent the following message:
From: Jessica Leporidae <jessica@outsidebostoncpa.com>
Sent: Thursday, September 5, 2024 1:51 PM
To: Guido Sventurato <gsventurato@centralmacasting.com>
Subject: Notice-Your Inquiry
Hello,
I am reaching out as our accounting firm recently received an inquiry from someone claiming to be you, but we noticed the email address didn’t match the one listed on your website. I have provided the email we received below.
We just wanted to reach out to verify and to give you a heads-up that this occurred.
Please contact our office should you have any additional questions or need any further assistance.
Best,
Jessica Leporidae
Administrative Assistant
Outside Boston CPA, LLC
I want to reiterate that she did not reply to the message. She found the real email address and sent a new message to that address. This is important. You can’t confirm the identity of an email sender by replying to the same email address that sent the message. You’d be surprised how often people don’t realize this in the moment.
The Payoff
The administrative assistant’s suspicion was rewarded when she received the following message from the owner of the company:
From: Guido Sventurato <gsventurato@centralmacasting.com>
Sent: Friday, September 6, 2024 5:08 AM
To: Jessica Leporidae <jessica@outsidebostoncpa.com>
Subject: RE: Notice-Your Inquiry
Jessica –
Thank you for the sharp eyes, and I am sorry that you were targeted by these bad actors. Their scheme appears to be to send the $5k payment, and then make a claim that they needed to reduce services by 50%, and seek a refund. Only after you have refunded them do you discover that their initial payment was bogus.
Sadly, you are the 4th or 5th accounting firm that has connected to share this story.
Unfortunately, there is little to nothing that we can do about this – we cannot get Google to kill the bad email account. Apparently impersonating someone is not considered much of a crime.
Again, sorry that you had to waste your time.
Guido Sventurato
President
gsventurato@centralmacasting.com
Conclusion
This type of phishing attack is difficult to defend against with technology alone. There is nothing inherently bad about the email address (just a normal Gmail address) or the message (no attachments or links), so automated email protection systems are not going to stop it. It was really the quick thinking of the administrative assistant that uncovered the ruse before it went too far, costing the company money that they wouldn’t have been able to recoup.
About a year ago, this same client had an employee who fell for a gift-card scam. (An attacker impersonated the company owner and asked this employee to purchase Apple gift cards and send the card info to them.) Since then, we implemented our security awareness and phishing recognition training with this client’s employees, and the owner credits this with helping to thwart this attempt:
“I think our training just paid off. 😊 Feel free to use this as a case study.”
If you’re concerned about your employees’ susceptibility to phishing and other expensive security failures, talk to us about our security awareness training program. This program is available to anyone, not just existing clients, and we’ll give you a free month to try it out. Just fill out our Contact form and we’ll be in touch.