Computer Security Threats

Posted by: Bob Bayn on Dec 18, 2015

Impersonating Administrators for Fund Transfers

Are you ready to detect and deter this sort of attempt to defraud the University?

The scammer gets an Administrator's name, email address and unit name from some USU webpage.  The scammer then looks for a Finance person in the same unit and gets their email address, too.   Then they forge an email message like this:

From: Fred Administrator [mailto:Fred.Administrator@usu.edu]
Sent: Tuesday, December 8, 2015 7:07 AM
To: Hector Finance <hector.finance@usu.edu>
Subject: Re: Fund Transfer
Reply-to: Fred Administrator <administrator@educeo.nk> [this does not display in your email viewer]

Hector,

I need your help to make a fund transfer for a research project.  Please reply as soon as you can

Regards,
Fred Administrator

"Well, I wonder what Fred has in mind", thinks Hector, so he hits "reply" and does not notice that the reply is going to a forged address for Fred Administrator <administrator@educeo.nk>.

Fred,

I'm here.  Please send me the details and I will get the transfer going.

Hector

And the scammer replies back, still impersonating Fred Administrator:

From: Fred Administrator [mailto:Fred.Administrator@usu.edu]
Sent: Tuesday, December 18, 2015 9:09 AM
To: Hector Finance <hector.finance@usu.edu>
Subject: Re: Fund Transfer

Hector,

Kindly arrange to transfer $9,500 to the account below;

Bank Name : Nationwide Bank
Bank Address : 2239 Tower Bridge Road London NE3 9NB, United Kingdom
Name on Acc : Herkimer Osgoode
Account number :29447125
Sort Code : 085216
Swift code :XMGFRW12
IBAN :GB50NBCB093274462199
Beneficiary Address : 13 East Walk, Leicester, GE2 3NA, United Kingdom

Reason for transfer: Research costs

Dr. Osgoode is a Senior Research Assistant based in the UK. Let me know when it is sent. I will send supporting documents before the week runs out.

Regards,
Fred Administrator

No harm done yet, but the scammer thinks he has set the hook in Hector.  If Hector can complete the task, say bye-bye to $9,500!

But if Hector is an Internet Skeptic, maybe he DID notice that the reply-to address was different, and he was playing the scammer.  Now he has a response with banking details, and that information is useful to law enforcement and to the bank that is hosting that account.  Hector needs to preserve this email evidence and forward the bogus message AS AN ATTACHMENT (ctrl-alt-F in Outlook) to phish@usu.edu.  Then the IT Security Team can pass the info along to our FBI cybercrime contacts, who will alert the bank to freeze transactions on the account and investigate in other ways.

Hector will feel the warm glow that all Internet Skeptics feel when they thwart mischief, and in this case save the University from a financial loss and help law enforcement as well.
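
The Reply-to mismatch that Hector has to spot by eye can also be checked automatically. The following is an added example, not part of the original post or any USU tooling: it parses a message and reports when replies would be redirected away from the sender's domain. The sample message is constructed from the forged email above, and the function names and the choice of usu.edu as the internal domain are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the forged message in the post (RFC 5322 header form).
SAMPLE = """\
From: Fred Administrator <Fred.Administrator@usu.edu>
To: Hector Finance <hector.finance@usu.edu>
Subject: Re: Fund Transfer
Reply-To: Fred Administrator <administrator@educeo.nk>

Hector,
I need your help to make a fund transfer for a research project.
"""

def split_addr(value):
    """Return (display name, domain), both lower-cased, from one address header."""
    name, addr = parseaddr(value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def in_domains(domain, domains):
    """True if domain equals, or is a subdomain of, any listed domain."""
    return any(domain == d or domain.endswith("." + d) for d in domains)

def reply_to_findings(raw, internal=("usu.edu",)):
    """List the reasons a message's Reply-To header deserves a second look."""
    msg = message_from_string(raw)
    reply_hdr = msg.get("Reply-To")
    if not reply_hdr:
        return []  # replies go back to From; nothing is redirected
    from_name, from_dom = split_addr(msg.get("From"))
    reply_name, reply_dom = split_addr(reply_hdr)
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if from_name and from_name == reply_name:
            findings.append("same display name on both headers hides the change of address")
    if in_domains(from_dom, internal) and not in_domains(reply_dom, internal):
        findings.append("internal sender, but replies leave the organization")
    return findings

if __name__ == "__main__":
    for finding in reply_to_findings(SAMPLE):
        print("WARNING:", finding)
```

A differing Reply-to is not proof of fraud by itself, since mailing lists and ticketing systems set one legitimately, so treat the findings as a prompt to verify the request through another channel before acting.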