Social Engineering, Money Mules, and Job Seekers

A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.

The scam began with a gig economy job offer. “A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home,” the CBC explained. “They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.”

All a prospective “cash processor” needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need “proximity to a bitcoin machine.” If the aspiring cash processors did an Internet search for their prospective employer, they would “find a professional website, with information matching what was provided in the employment agreement.” And it came with a Nova Scotia address, just to lend verisimilitude to the scam.

The offer itself was phishing, and eventually someone in WestLake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when they saw withdrawals, each one less than $10 thousand, being made with money sent to unfamiliar destinations.

“It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account. She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with. ‘It was just kind of like a mad scramble to try and figure out what was going on,’ said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.”

The Royal Canadian Mounted Police has the case under investigation, but of course it's better to avoid being victimized in the first place. New-school security awareness training can give any team appropriate skepticism about social engineering, however small-scale or subtle it may appear.

CBC has the story.
