How scammers use your good name to do bad things
As a technology company, we often get approached by businesses and individuals looking to purchase some new computers or other tech products.
Recently I was quite excited to see a request for quote from the Australian Catholic University, which was chasing pricing on a bulk order of new laptops.
ACU is not a customer of ours (however we would love them to be!), but we supply hardware to anyone that needs it and make a buck or two in the process.
The email I received:
Now first of all, the Australian Catholic University are all over it and already have a scam warning for this very email up on their website and second of all, this kind of scam can happen to any business.
There are plenty of ways to tell this email is not legitimate, but most of the time nobody slows down enough to check. And besides, all they wanted was a quote for hardware pricing. We have all our pricing on our website, so it is hardly a state secret.
So I sent them a reply email with our online store information and had an almost instant reply in return:
Now for those wondering what the grift is, the scammer wants me to send him 12 laptops on 30 day payment terms. I actually ran up an official quote and sent it through in the hope that I would get a purchase order in reply. I suspect that the PO would have had a shipping address on it that had nothing to do with ACU, and I also suspect that I never would have been paid had I sent the laptops.
Sadly I never got the PO. I was hoping to get the shipping address so I could have tipped off the police, although chances are the address would have been impossible to link to the scammers one way or another.
The fall guy…
Apparently I had been speaking with Andrew Dowling in procurement. A quick Google search shows me that Andrew is in fact a very real, and very accomplished, individual with his very own profile loud and proud on the ACU page.
The signature on the scam emails I was receiving contained the name, department, address, company, phone number and ABN (although Andrew only grew a second name after a few exchanges), and each of these items is data pulled straight from Andrew’s profile page.
The giveaway is the email address. An official email would have come from firstname.lastname@example.org or something similar, but instead it came from email@example.com. Actually, the initial email came from firstname.lastname@example.org, which I think was used so that the scam domain was blacklisted off the bat for spamming people.
ACU was not hacked. ACU didn’t do anything particularly wrong (except maybe make it a little too easy for their employees’ identities to be stolen). But it is worth remembering that any personal information you put online can be used by someone else for pretty much anything.
How the scam was done…
This is not a sophisticated scam. Anyone can register any available domain name, and plenty of phishing emails have been successful because they appeared to come from a legitimate source just by substituting a few letters in the domain name.
A quick note that I did what I could to try and make sure this exact scam doesn’t happen to someone else. I did a whois lookup (privacy was enabled) and notified the domain registrar that the domain is being used for running scams. Whether anything is done about it, we will see (I doubt it). I also called Andrew Dowling directly and received a call back from his IT team, who asked for a copy of the emails, but I don’t think there is much they can do, as their systems were not compromised in any way.
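The domain swap described above is something a mail filter or an accounts team can check for mechanically: compare the sender's domain against the domains you already trust and flag near-misses. The following is an added example (not code from the original post); the trusted and sender domains in it are constructed placeholders, and the edit-distance threshold of 2 is an assumption you would tune to your own vendor list.

```python
"""Flag From: addresses whose domain is a look-alike of a trusted domain.

Added example, not part of the original post. All domains are constructed
placeholders; TRUSTED_DOMAINS would hold your real vendor/customer domains.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"university.example"}  # constructed placeholder


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means only a few letters were swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: header.

    'lookalike' covers the two tricks a registered-for-purpose domain uses:
    a few substituted letters, or the real name embedded in a longer domain.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if levenshtein(domain, good) <= max_edits:
            return "lookalike"
        good_label = good.split(".")[0]
        # Only use the name-embedding check for labels long enough to be distinctive.
        if len(good_label) >= 4 and good_label in domain:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Andrew Dowling <a.dowling@university.example>",
                "Andrew Dowling <a.dowling@univers1ty.example>",
                "Procurement <orders@university-procurement.example>"):
        print(classify_sender(hdr), "<-", hdr)
```

A display name and signature that match a real staff profile tell you nothing, since they were copied from a public page; only the domain after the @ is worth checking.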
How does this affect my business?
Your business should have policies and procedures in place internally for how payments and stock movements are made with new vendors and customers. If you need help developing these, we have a whole course on cybersecurity for small businesses that mainly focuses on mitigating these threats.
The other problem is: how will your customers react to an email that appears to be from you, but isn’t? If they regularly pay invoices you send them, will they think twice about an email that appears to be from you requesting a change of banking details?
How easy is it for someone to fabricate an invoice or PO that looks like it came from your business?
What details about you, your team and the clients you do business with are available online?
Scammers be scammin, and your business is a target.
We really recommend our cybersecurity for small business training course. It is only an hour long, is delivered in person, and everyone in your team can (and should) attend. Get in touch with us through our website www.riverina.digital, or call (02) 6986 6435.