If it’s any consolation to those being done, companies get done too, in a similar fashion. I know of one that was taken for 9 figures…
Yep, they are very sophisticated, our Financial Controller gets emails from what looks like our CEO demanding she urgently pays a supplier who's been harassing him about late payment etc. They've researched the org structure, know who everyone is and their roles etc. Not been successful so far. As a result all incoming emails have "FROM EXTERNAL SOURCE" plastered all over them, to try to stop people using near-identical email addresses etc.
... then a hacker gets a valid set of credentials from another source, shared passwords from a pastebin maybe, telnets onto the email server and sends an internal email bypassing that safety guard at a stroke. And the recipient implicitly trusts it because all external emails are labelled, right?
I'm sure there are other safeguards in place, not least the fact we never have any money and rarely pay our suppliers, so making a payment is a major decision which wouldn't occur by email. The fraudsters obviously don't know we've been running on fumes (or often less) for some time...
Oh, I don't doubt it. Point was, really, that that solution isn't as foolproof as it might first appear and could even lull users into a false sense of security. And granted, my hypothetical scenario is considerably less likely than the risk from random phishing emails.
Thought I'd update. It's pretty much as tallpaul explains, except rather than use the letting agent's email address, for example tails@STWagents.com, they've just made a similar email address, something like tails@fraudster.com. His wife had not seen that the email address had changed, as you often just see the name, and bingo, £1k lost.
He's still trying to secure the rental as he's moving next week with 2 young children, so he doesn't seem hugely upset.
Question for the security geeks: what can I do to protect myself in such scenarios? Always call before making payment? I'll 100% be checking email addresses as mine just shows the name and not the full address.
It must be very very lucrative for those involved if they can handle the guilt.
Did the fraudsters ask for payment to be made to different bank details? They will have had access to the letting agent's emails, so would have been able to get a genuine invoice/request for payment, and then carry on the email chain from the new email, and request payment of the deposit to their own bank with the edited invoice.
Question for the security geeks, what can I do to protect myself in such scenarios.
I guess, first of all be frosty about random changes. "Oh, yeah, we suddenly need to use a different bank account because my mum's dog died last week." Right.
Secondly, you can implement 2FA without clever technology, we do this all the time. Say I need to give a trusted colleague his credentials to a system, I might Skype him the username and ring him up with the password. Or other more secure methods. Point is that this is easy to do and all the info you (or a hacker) needs isn't in the same basket.
Did the fraudsters ask for payment to be made to different bank details?
Oh yeah she full on sent the money to the fraudster. She thought she was paying a deposit to the landlord. I'm not sure on the current setup but I thought you'd pay the agent or the deposit scheme.
Thanks cougar
They’ve just made a similar email address … his wife has not seen the email has changed as you often just see the name
Email clients that don't show the address are a pain, although it can often be changed in the settings. Worse are those (like Outlook) that make it difficult or impossible to see the full headers. You don't have to be that techy to recognise that the email hasn't come from where it should have. It would be useful if somebody wrote an email client that would interpret the headers and just flag up oddities.
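A sketch of the header check this post wishes for, added here as an example rather than anything from the thread or from a real mail client: it compares the address behind a familiar display name with the one that name used before, and flags the swaps described above (same name on a new domain, bob-the-builder@ standing in for bobthebuilder@) plus a Reply-To that differs from the From. The contact list and messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed contact list: the address previously used by each display name
# (the name is all many clients show, which is what the lookalike relies on).
KNOWN_CONTACTS = {
    "STW Agents": "tails@stwagents.com",
    "Bob the Builder": "bobthebuilder@example.com",
}

def squash(local_part):
    """Drop case and the separators people skim over, so bobthebuilder and
    bob-the-builder compare as the same name."""
    return re.sub(r"[.\-_]", "", local_part.lower())

def check_headers(headers):
    """Return a list of oddities in the From/Reply-To headers; [] means the
    sender matches what this display name has used before."""
    name, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return ["unparseable From address"]
    addr = addr.lower()
    findings = []
    expected = KNOWN_CONTACTS.get(name)
    if expected is None:
        findings.append(f"display name {name!r} not seen before")
    elif addr != expected:
        local, _, domain = addr.rpartition("@")
        exp_local, _, exp_domain = expected.rpartition("@")
        if domain != exp_domain:
            findings.append(f"domain changed: {exp_domain} -> {domain}")
        if local != exp_local:
            kind = "lookalike" if squash(local) == squash(exp_local) else "different"
            findings.append(f"{kind} local part: {exp_local} -> {local}")
    # A Reply-To pointing somewhere other than the visible sender is another
    # header oddity worth surfacing to the reader.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")
    return findings

if __name__ == "__main__":
    # Constructed messages: the genuine agent, then the swaps described above.
    for hdrs in (
        {"From": "STW Agents <tails@stwagents.com>"},
        {"From": "STW Agents <tails@fraudster.com>"},
        {"From": "Bob the Builder <bob-the-builder@example.com>"},
    ):
        print(hdrs["From"], "->", check_headers(hdrs) or "ok")
```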
Question for the security geeks, what can I do to protect myself in such scenarios.
send a small payment.
telephone the party receiving it (not using the phone number read from the emailed invoice you're paying), confirm they have the money
send the rest.
I'd always go for 'actually talking to people' over a possibly misplaced confidence that you've got adequate measures in place to prevent fraudulent emails etc finding their way to you. It works for non-technical people too - they don't have to worry about whether they can decide if bobthebuilder@ is the same as bob-the-builder@