The case of how the FBI turned the tables on cybercriminals, using their own tactics against them, shows how powerfully social engineering and deception can move a target to act.
This story starts with Gorbel, a manufacturer of cranes and ergonomic lifting equipment, which was scammed out of $82,000 by a simple, fileless CEO fraud email. The accounts payable team received an official-looking message from an account purporting to be the CEO. The scam worked, Gorbel was out the $82K, and the FBI was brought in.
But taking Gorbel for tens of thousands of dollars wasn't enough; the cybercriminals came back to drink from the same well a second time, again posing as the CEO.
With the FBI engaged, Gorbel's accounts payable team replied to the new scam email, stating that the new request, for $128,000, had been paid. At the FBI's request, the scammers were given a link on a fake domain, fedextrackingportal.com, that captured the visiting IP address and automatically returned an error if a VPN was detected, the idea being that the scammer would retry without the VPN and expose a real IP address. Six IP addresses were recorded.
In another case, the FBI used Word docs and video files crafted to phone home to the FBI as a way to obtain IP addresses.
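The tracking domain described above is, mechanically, a canary URL: a web endpoint whose only job is to log who opens it and to nudge anyone hiding behind a VPN into retrying without it. The following is an added illustration of that idea, not FBI code or anything from the original article. It assumes a hypothetical in-memory hit log and a constructed, placeholder list of "VPN" CIDRs (documentation ranges, not real providers); a real deployment would load a maintained VPN/proxy egress list and write hits to durable storage.

```python
import datetime
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder "VPN/proxy egress" ranges (RFC 5737 documentation
# networks). A real deployment would load a curated list; these are assumptions.
VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Hypothetical in-memory record of every hit on the tracking URL.
HITS = []


def is_vpn(ip, ranges=VPN_RANGES):
    """True if the connecting address falls inside a known VPN/proxy range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def classify_hit(remote_ip, headers, path, ranges=VPN_RANGES):
    """Record one visit and decide what to serve.

    Returns (http_status, record). A VPN address gets a generic error page
    (503) so the visitor is tempted to retry from a direct connection; any
    other address gets a bland "not found" tracking page (200). Either way
    the IP, User-Agent and X-Forwarded-For header are captured.
    """
    record = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "ip": remote_ip,
        "xff": headers.get("X-Forwarded-For"),
        "ua": headers.get("User-Agent"),
        "path": path,
        "vpn": is_vpn(remote_ip, ranges),
    }
    status = 503 if record["vpn"] else 200
    return status, record


class TrackingHandler(BaseHTTPRequestHandler):
    """Minimal handler for the fake 'tracking portal'."""

    def do_GET(self):
        status, record = classify_hit(self.client_address[0], self.headers, self.path)
        HITS.append(record)
        if status == 503:
            body = b"Service temporarily unavailable. Please retry from another connection."
            ctype = "text/plain"
        else:
            body = b"<html><body><p>Tracking number not found.</p></body></html>"
            ctype = "text/html"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Suppress the default stderr access log; HITS is the record of interest.
        pass


def serve(port=8080):
    """Run the canary endpoint in the foreground (Ctrl-C to stop)."""
    HTTPServer(("0.0.0.0", port), TrackingHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The decision logic lives in `classify_hit` so it can be exercised without a socket; the handler only wraps it. Note that the error page is deliberately generic: a message that named the VPN would tell the visitor exactly what was detected and why.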
In each of these cases, the FBI turned a few standard scam tactics back on the scammers, which demonstrates how effective those same tactics are at fooling your users into participating in an attack:
- Emotional Connection – the FBI took advantage of the scammers' desire to see the scam through
- Context – the FBI used the payment scenario the scammers had created to insert actions the scammers had to take to proceed
- Malicious Links – while the FBI's link didn't perform any malicious tasks or download malware, it did have an ulterior motive: to collect the scammers' IP address
- Malicious Files – again, while only intended to obtain IP addresses, the FBI used Word docs crafted to phone home with details about the scammers
These same tactics are used every day in phishing attacks all over the world. Educating users on the tactics used, the details of common scams, how to spot one, and how to maintain a constant state of security vigilance is necessary to keep your organization from becoming a victim. Security Awareness Training provides organizations with this education; phish testing users adds a feedback loop on the effectiveness of the training and on how well your users apply it in the workplace.
CEO Fraud Prevention Manual Download
CEO fraud has ruined the careers of many executives and loyal employees. Don't be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack, and what to do if you become a victim.