fb

I got a call from a client today that really shook me. Apparently, one of their employees sent an email to their bookkeeper, asking if they could change their direct deposit to their new bank.

Bogus Email #1

The bookkeeper replied to the employee, sending a form to be filled out…

Bogsus Email #2

The employee then filled out the form and returned it, so the bookkeeper changed their bank for direct deposit.

Bogsus Email #3

Looks legit, right? Well it’s not.

The Employee Had NOT Requested a Payroll Change!

Using remote access software, I logged into the employees computer, checking their email and sent mail, looking for the communication between him and the bookkeeper. There was nothing there.

No record of the original sent email request, or any of the followup emails or bogus documents. There was nothing relevant in their sent mail, nothing in their in-box, and nothing in the deleted items folder. Everything looked just like it would if it had never happened.

Immediately, I assumed that the bookkeeper MUST have fallen for a phishing scam,  where someone had “spoofed” the employees email address. IUsing remote access software, I was able to log into her computer, so I could see the original email request, and all of the following correspondence from the employee.

As I attempted to show her how she got fooled, viewing the actual mail header that comes with every email, I verified that it looked legitimate. According to the mail header, the email had actually been sent by the employees mailbox, which was hosted by Microsoft Business.

I was able to log into their Microsoft for Business admin center and do a message trace for all communication between the two employeesn and the bogus message exchanges actually did take place!

Microsoft Message trace

So What Really Happened?

In this case, someone got ahold of this users email address and password, then monitored their email for a while, likely using some sort of algorymic software to “read” all of their emails looking for certain phrases, like “direct deposit” or “payroll”.

Once the hacker realized that they were actually in communication with the companies payroll / bookkeeper, they proceeded to go through with the email requests, filling out the form to change the direct deposit, and then immediately deleting all evidence from the in-box, from the sent mail folder, and even from the deleted items folder.

Scary, am I right?

The moral of this story?

1. Use a secure email password. One that is at least 8 characters total, even more is better. Make sure the password contains NO “real” words, which could can be found in a dictionary. Finally, use at least one capital letter, at least one lower case letter, and at least one special character, like a # or $ sign.

2. Use up to date antivirus and malware protection from a reputable company, and dont click on strange links. That’s probably how the user got their password stolen in the first place, by clicking on a link that came by email, ultimately installing malware.

2. For ANY sensitive financial transactions, always verify by picking up the telephone and calling. I hate to say it, but we simply can’t trust email confirmations any more.

Share This