In the last six months, there has been a worrying trend towards payment scams that target employees of sporting clubs by attempting to convince them to transfer money to cyber criminals.
Commonly referred to as business email compromise (BEC) scams, they generally involve scammers sending emails that appear to come from senior staff at an organisation (hence sometimes being referred to as “CEO fraud”) and requesting that a sum of money be transferred to a third party’s bank account (controlled by the scammers).
Brian Krebs has written about these attempts in his blog, here and here. According to the Federal Bureau of Investigation (FBI), these scams have generated reported losses of $1.2 billion internationally between October 2013 and August 2015.
Two recent examples reported to us by our clients show the range of organisations that can be targeted by these scams.
The first scam described below targeted a sporting club and demonstrates how a business email scam can be executed in a relatively simple and innocuous fashion. The second is an example of a slightly more complex version targeted at a financial technology company that required more effort to execute, and which ultimately needed execution of the company’s incident response plan to investigate and resolve the incident.
The First Scam – A Sporting Club is Targeted
The first business email scam targeted a small sporting club that had published the contact details and roles for all of its board members on its website. This meant the scammer had to exercise a minimum amount of effort in order to craft the scam – all the contact details and roles for the board members were clearly available. Initial contact was made by the scammer via email (posing as the President) to the Treasurer, John, to start the conversation.
Note the poor grammar (broken English) and the lack of context and detail in the email. It’s an example of a ‘shotgun’ approach to a business email scam, requiring minimal effort from the scammer and taking advantage of the information about the club that was made publicly available.
When the Treasurer responded to the initial email advising that he was available to perform the transfer, the scammer followed up with a request for a specific amount of money to be transferred (as below). This request is typical of payment scams in that a false sense of urgency is created to seek immediate action before they are detected.
In this case, the Treasurer became suspicious and was quick-thinking enough to call the President to seek verbal confirmation of the transfer request. This gave the game away and revealed that the club was being scammed.
Hivint was contacted to provide further analysis and advice on the email scam, as the club staff members who were targeted in the scam were unsure if the scam indicated a system compromise or similar. Once the emails were received, a simple check of the email headers (below) of the original email identified the ruse.
As the email headers reveal, the “Authenticated sender” (the account that actually logged in to send the message, i.e. the scammer’s real address) was different from the address displayed in the From field of the email. A Google search shows email@example.com to have been used before in scams.
In addition, the “Reply-To” address of firstname.lastname@example.org did not actually belong to the club’s President, and directed the target’s response to an email address controlled by the scammer. A check of the return email address when responding would also have given this away.
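The header checks described above (authenticated sender versus displayed From, and Reply-To versus From) can be automated so that a club’s mail admin or treasurer does not have to read raw headers by hand. The following Python script is an added example written for this post; it is not Hivint’s tooling or anything from the incident. Both messages in it are constructed samples with placeholder addresses, and the X-Authenticated-Sender header name is an assumption (some MTA setups record the submitting account under that name; adjust it to whatever your mail server emits). The urgency-keyword check is included only as a weak secondary signal, matching the false urgency noted earlier in the post.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, modelled on the sporting-club scam described in the post.
# Every address and hostname below is a placeholder, not a header from the real incident.
SCAM_SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.sportingclub.example
X-Authenticated-Sender: mail.example.net: scammer.account@example.com
From: "Club President" <president@sportingclub.example>
Reply-To: president.sportingclub@example.org
To: John <treasurer@sportingclub.example>
Subject: Urgent transfer today
Content-Type: text/plain; charset="us-ascii"

John, are you available to do a transfer today? Need it done urgently.
"""

# Constructed benign message: From, Reply-To and the authenticating account all agree.
BENIGN_SAMPLE = """\
X-Authenticated-Sender: mail.sportingclub.example: president@sportingclub.example
From: "Club President" <president@sportingclub.example>
To: John <treasurer@sportingclub.example>
Subject: Minutes from last meeting
Content-Type: text/plain; charset="us-ascii"

Hi John, minutes attached. No action needed.
"""

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URGENCY_WORDS = ("urgent", "urgently", "immediately", "today", "asap")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks like a BEC attempt.

    The checks mirror the header analysis in the post: the account that authenticated
    to send the mail versus the displayed From address, and Reply-To versus From.
    A keyword check for manufactured urgency is a weaker, secondary signal.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))

    # Header name is an assumption: some MTA setups record the submitting account
    # as "X-Authenticated-Sender: <host>: <address>"; pull the address out with a regex.
    auth_header = str(msg.get("X-Authenticated-Sender", ""))
    auth_match = ADDR_RE.search(auth_header)
    auth_sender = auth_match.group(0) if auth_match else ""

    findings = []
    if auth_sender and domain_of(auth_sender) != domain_of(from_addr):
        findings.append(
            f"authenticated sender {auth_sender} does not match From {from_addr}")
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(
            f"Reply-To {reply_to} redirects replies away from From {from_addr}")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    if any(w in text or w in subject for w in URGENCY_WORDS):
        findings.append("urgency language in subject/body (weak signal on its own)")
    return findings


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = bec_indicators(sample)
        print(f"{label}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print("  -", hit)
```

Run against the constructed scam sample it reports all three indicators; against the benign sample it reports none. The header mismatches are the reliable signals; the urgency check alone should never be treated as proof, and in practice any payment request that trips these checks should still be confirmed by phone with the purported sender, exactly as the Treasurer did.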