Mike Malone and his wife found the vacation condo of their dreams in Florida. They were in touch with a real estate agent who was handling the deal when suddenly their condo purchase turned into a nightmare.
The Malones received what appeared to be a legitimate email from their real estate broker requesting that they transfer nearly $500,000 to a bank account so that they could close on the purchase. And they transferred the funds.
The Malones called their broker to confirm she received the funds. She hadn't. Unfortunately, upon further review, the email turned out to be a fraud, not to be from their broker at all. The email address was off by just one letter—a letter "y" as it happened. The bank account belonged to a hacking gang based in Nigeria.
Getting convincing-looking email accounts and using them to induce people to wire money to a criminal-controlled account is business email compromise. Investigators credit this type of scam with the theft of billions of dollars over the past few years.
Despite more interaction with the hackers—they diverted some of the Malones' telephone calls, accessed their email and even blocked Internet access—the story has a happy ending. A Secret Service financial fraud team investigating the crime quickly froze the criminals' accounts, recovered the Malones' cash, and made arrests.
So good luck to the Malones, and may they get that dream vacation condo after all. Their story has some important lessons to teach us. First, you don’t have to be careless or foolish to fall victim to this kind of scam.
What reasonable person, for example, expects an international criminal cartel to do such close research into the purchase of a simple vacation home? Yet they do, and they were able to shape their phishing scam to fit the facts of this family's plans.
And who close-reads every email address for small misspellings or substituted characters? Criminals use homographic fraud all the time. And who hasn't got so used to communicating by email that follow-up and confirmation seem unnecessary?
But in the case of wire transfers, never go by email or text alone. Always confirm by phone or in person.
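As an added example, not code from this post or from CBS News: a small check that flags a sender address which is only an edit or two away from a known contact (the one-letter-off broker address above) or which carries non-ASCII lookalike characters. The trusted contacts, the function names and the sample addresses are all constructed for the illustration; the phone call in the previous sentence is still the control that matters.

```python
"""Flag From: addresses that are a near-miss for a trusted correspondent.

Added illustration; TRUSTED and every address below are constructed.
"""
import unicodedata

# Constructed address book of the people actually handling the deal.
TRUSTED = {
    "jane.doe@sunnycoastrealty.com",
    "closing@sunnycoastrealty.com",
}


def normalise(addr: str) -> str:
    """Lower-case, trim, and fold compatibility forms (fullwidth etc.) via NFKC."""
    return unicodedata.normalize("NFKC", addr.strip().lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions, each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(addr: str, trusted=TRUSTED, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address.

    max_dist=2 also catches two-character confusables such as "rn" for "m".
    """
    addr = normalise(addr)
    if addr in trusted:
        return "trusted"
    # Anything still non-ASCII after NFKC (e.g. a Cyrillic letter dropped into
    # a Latin name) is treated as a homograph. Conservative: a genuine IDN
    # address would also be flagged and needs an allow-list entry.
    if not addr.isascii():
        return "lookalike"
    if any(edit_distance(addr, known) <= max_dist for known in trusted):
        return "lookalike"
    return "unknown"
```

A real deployment would run this over the From: and Reply-To: headers of every message that mentions payment details, and route any "lookalike" result to a human before anything is wired.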
Winston Churchill said that in war, truth is so valuable it must often have a bodyguard of lies. With social engineering we see just the opposite: lies receive a bodyguard of truth.
The opposition does its homework, and every organization should train its people to see through that plausible story and into the underlying deception. Interactive, new-school training is an affordable way of developing that kind of insight. And never, ever, let your employees think you'll ask anyone for a wire transfer with a simple email. CBS News has the story; share it with your friends, family and employees: