A few weeks ago I shared an article with my customers and followers on LinkedIn about boss fraud ( https://krebsonsecurity.com/2015/03/spoofing-the-boss-turns-thieves-a-tidy-profit/) as a reminder of the risks that we face today. I was surprised to receive the following detail back from one of my customers. This story validates my vigilance when it comes to educating my clients about the risks to their businesses.
As told to me by my customer, names redacted.
This stuff is dangerous and can be hard to catch. I just caught one here a month ago. We had a purchaser at the University of ABC buy $50k from us. Naturally, $50k of one part gets a look but everything checked out. Was for the University, originated at a University email, all references checked out, etc. Customer service had even talked to purchasing at the University several times. No red flags at all. Just before it processed, I got a little nervous and asked Customer Service if they had talked to the purchasing agent. They said they had and showed me documentation. Turns out they were all inbound calls. So we pulled her record on the University web page and got her phone number at the University. They didn’t match.
Evidently what had happened was pretty elaborate. The University in all of its brilliance had posted all of their standard credit forms online along with super detailed contact information. I’m not sure if they were spoofing the emails or had broken into her email, but they were sending out emails from her address. The phone number was fictitious, but the credit information was all valid. The shipping address landed the product at a freight forwarder. If we had processed, we would have had $50k of inventory gone out of the country and a receivable with the University we could have never collected on. Big bullet dodged.
The article that was mentioned above and this story highlights the ever-changing threat landscape today. If you have questions about your companies IT security, please contact me: [email protected] or 704-200-2025.