Spearphishing gets personal as woman scammed out of £50k house deposit

library
crime | hacking | security

A London woman has been scammed out of almost £50,000, thinking she was sending it to her solicitor as a down-payment on a house purchase, after crooks apparently gained accessed to her email account and monitored her online conversations.

58-year-old Vivian Gabb, a self-employed single mother, was in the process of buying a house when she received an email purporting to come from her solicitor, asking her to change the account information she used for making payments to the firm and requesting that she send the sum of £46,703.20 (about $73,000), which she was already expecting to have to pay, into the new account.

She made the transfer as asked, but four days later realised that the funds had never reached the intended recipient. By then it was too late for banks to retrieve the money, as the account it had been sent to had already been emptied.

She believes the crooks must have been monitoring her email to know precisely how best to trick her into handing over her savings.

Types of phishing scams

Email phishing scams fall into two broad categories. The “normal” variety is all too familiar – a mass mail is spammed out to large numbers of people, with a message generally along the lines of “please log into your account by following this link”.

The hope is that if enough people are targeted, at least a few of them will turn out to be users of the bank/shopping site/whatever the mailer is posing as, and, of those, some will follow the link and hand over their login details to the scammers.

The popularity of this type of scam is the reason we try to discourage businesses from including direct links to their login pages in emails sent to customers.

Spearphishing

The more targeted variety, usually referred to as “spearphishing”, requires a little more effort. The victim is first carefully researched to find out enough about them, either as an individual or as an employee in a particular role in a given business, and is then sent a carefully-crafted email made to look like something they would expect to receive and take action on.

It might be a request seeming to come from a superior asking for some sensitive or useful piece of information, or perhaps a message posing as an update from IT, carrying a malware-laced attachment.

One particular variant, as seen in this incident, pretends to come from a supplier or third-party contractor, “updating” details of the account they use to receive payments from you. Of course, the details provided are for a bogus account in the control of the phishers.

It’s generally assumed that such spearphishing is only really a danger in businesses and other large organisations, where access into protected networks, privileged information or doctored payments can bag large enough rewards to merit the work that goes into setting up the scam.

However as this case seems to show, the bad guys are willing to spend considerable time prying into the affairs of everyday individuals in the hopes of finding a way to sneak some of their cash.

Protect your email

There are some ways to mitigate this kind of risk, starting with protecting our all-important personal email accounts.

Given the huge amounts of personal and often highly lucrative information that can be gleaned from our email accounts, it’s vital that they are locked down as securely as possible.

One of the most powerful tools to prevent people getting unwanted access to our accounts is of course two-factor authentication (2FA). All the major players in the email space offer some sort of 2FA, and if yours doesn’t, you really should consider moving off that service.

Even when we’re fairly sure our accounts are well secured, there’s always a danger from social engineering tricks.

Whenever we receive important information via email, it’s vital that we double-check the authenticity of the source and the information.

Particularly when dealing with large sums of money, it’s worth the effort to contact the other party directly for confirmation, using a known and trusted address or phone number rather than one provided in the message being questioned.

It’s always easy to be wise after the fact of course, and these words won’t be of much comfort to Ms Gabb.

Fortunately friends and family rallied round to help her complete her house purchase, but with both police and banks suggesting there’s not much they will be able to do to retrieve the lost money, it looks like she’s going to be heavily out of pocket as a result of the scam.