Spear-Phishing E-mail Scam

Stealing from Small- and Medium-Sized Businesses


Taking Back the ID

Kerry Dewey was a finance officer for a small nonprofit in the Pacific Northwest. She was having a bad day, but it got worse when her local bank called her to inquire about the validity of a recent funds transfer for just under $10,000 from the nonprofit’s account to an account at an Alabama bank. Moments before, the Alabama bank had contacted Kerry’s bank because its policy is to investigate any transfer that’s close to, but less than, $10,000 – an amount that fraudsters commonly use to avoid currency transaction reporting.

Kerry’s bank stopped the transfer after she assured them that no one in her organization initiated the funds transfer. The episode prompted Kerry to review the nonprofit’s banking transactions in the past few days. She uncovered five other illegitimate transfers that totaled close to $50,000, and each transfer went to a different payee. Fortunately, her bank was able to contact the banks where the funds were transferred, and those banks were able to stop the transferred monies from being withdrawn by the fraudsters. Kerry had opened a very dangerous e-mail.

This case is fictional, but it’s representative of a relatively new “spear-phishing” e-mail scam that has recently emerged as a significant source of revenue for cyber criminals. In a typical phishing e-mail scheme, a fraudster spreads his net wide by sending a corrupted e-mail message to millions of individuals. However, in a spear-phishing scheme the fraudster narrowly directs an e-mail to an individual or individuals within a company in a particular industry. (Hence, the directness of the “spear.”)

In both schemes, the fraudster’s goal is to develop a genuine-looking e-mail message intended to convince the potential victim to give up crucial personal information. In the spear-phishing scheme, the fraudster wants to convince the recipient that the message is coming from someone who is in a position of authority in the company – for example, a network administrator – who’s asking for confidential information.
