Costly results from email hacking

Posted: May 23, 2015

John M. Haddad

I’ve written several blog posts about the importance of strong passwords and, in particular, of combining strong passwords with two-factor security. When I speak to many of my clients, family and friends about this, they say that using a strong password (with alpha, numeric, symbols … 8-10 characters or more long) or using two-factor security is an “inconvenience” that may cause them a little more work when logging in.

I wanted to share a true story I encountered from a business associate that I was working with and how one of their customers lost $8,000 as a result of their email being hacked. The business and the names of the individuals are fictitious, but the sequence of events is all true. Let me explain how this consumer got totally fooled by a clever hacker.

Setting the stage

Let me set the stage. The fictitious company is ACME Construction. The owner’s name is Bill Canton. Bill’s email address is bill@acmeconstruction.com.  ACME was hired to do construction of a new sunroom for a homeowner named Mary Evers. Her email address is maryevers@yahoo.com.  During the course of email communications between Bill and Mary, Bill sent this email to Mary:


From: Bill Canton <bill@acmeconstruction.com>
To: Mary <maryevers@yahoo.com>

Hi Mary,
Hope all is well with you. Attached, please find the proposal for the new sunroom addition as we discussed. To move forward, please sign a copy of the proposal and submit with the requested deposit as specified in the proposal. Once we receive the proposal and deposit, we can proceed with ordering all materials and schedule a timeframe to begin construction.

We look forward to working with you.

Thanks … Bill

Bill Canton
Owner
ACME Construction
www.acmeconstruction.com
(781) 478-9999


A very legitimate email between a small business owner and a client. However, within a day of Mary receiving the email, her email account was hacked. Someone was able to “guess” the email password (more than likely because it was not strong) and log into her account without her even knowing it.

The hacker takes over

The hacker first looked for financial opportunity by reading Mary’s emails and, lo and behold, saw the correspondence between Mary and Bill. The hacker saw a way to potentially scam money from Mary. Here is what he did.

  1. First, he created a fake email address in Gmail for himself that made it look like it was Bill’s email address. He created the email address billacmeconstruction@gmail.com.
  2. Then, he started corresponding back and forth with Mary using the bogus gmail account, and of course, added Bill’s signature to the end of each email to make it look like it was still Bill that was corresponding.

Mary didn’t think twice about looking at the “from” email, because she thought it was still Bill continuing with the conversation. So, as stated in the proposal, Mary was ready to send a check for the deposit to ACME Construction. However, the hacker got to Mary quickly and sent the following email to her:


From: Bill Canton <billacmeconstruction@gmail.com>
To: Mary <maryevers@yahoo.com>

Hi Mary,
How was your weekend?i received your mail.But,am sorry for letting you know that right now we cannot receive any payment Via Check due to the Bogus Check lately from our client. My Bank Account is undergoing inspection and this might take days for it be rectified.I will appreciate if you could make the payment through Wire Transfer/Direct Deposit into our Sales Director’s Bank Account so we can immediately order materials from the company.Kindly get back to me so i can forward you Bank Account for you to make the payment to.I am sorry for the inconvenience this might cause you.

Let us know if you have any questions.

Thanks … Bill

Bill Canton
Owner
ACME Construction
www.acmeconstruction.com
(781) 478-9999


 

Right away, red flags should have gone off for Mary. First, looking closely, the email address of the sender is now different. That might not be too obvious, as we don’t always check the from email address. However, look at the way the email is written.

The original email from Bill used proper English, but this last one was written a bit messy. Again, this may not be too obvious if you are assuming that this is still Bill communicating with you.

Mary wrote back to the hacker saying that she was sorry to hear that Bill had been burnt by bogus checks and asked Bill (the hacker) to send her the information for direct depositing the money. Keep in mind that since Mary was now communicating with the hacker, the real Bill at ACME Construction had no idea that any of this was going on.

The hacker is ready for the sting

The hacker now had Mary’s trust and was ready for the scam. The final email from the hacker back to Mary was as follows:


From: Bill Canton <billacmeconstruction@gmail.com>
To: Mary <maryevers@yahoo.com>

Hi Mary,
Thanks for the understanding and am sorry for getting back to you late.Here is the Bank Information:

Bank Name:Bank of America
Beneficiary Name: An K Wu
Routine No: 123098472
Account No: 238947263781

Kindly,get back to me with the receipt of the payment

Thanks … Bill

Bill Canton
Owner
ACME Construction
www.acmeconstruction.com
(781) 478-9999


Again, red flags. Why would you transfer money to the account of Bill’s sales manager? And the term “Beneficiary Name:” seems like an unusual term. Usually you will use “Account Name:”. And finally, the name of the sales manager, An K Wu, seems very suspect.

I think you can figure out the conclusion of this story. Mary did a transfer into that account for a sum of $8,000. When she completed the transaction, instead of just replying to the email from the hacker, she wrote a new email directly to Bill at ACME Construction to let him know that she had transferred the money to his account. Bill subsequently wrote back to Mary to tell her he had no idea what she was talking about. Bill told her that he only accepts checks for payment. That’s when Mary found she had been scammed. It was too late. She tried calling Bank of America to cancel the transaction and report the scam, but they told her that it was too late and there was nothing they could do.

Summary and lessons learned

It is my hope that this story will help you and others to show diligence when doing business via email. More importantly, I hope it highlights the importance of email security. This type of scam goes on every day. The hackers will try this hundreds of times in the course of the day, hoping to land one big payday. They have nothing to lose and all to gain.

Here is what you need to do to help prevent this from happening to you:

  1. Use a strong password. This has been stated repeatedly in all the press; however, people still use passwords like the name of their children or dog. Hackers have software that can generate common words and try logging into your account hundreds of times per hour. See my blog posts on “New Year … New Password … Make it STRONG” and “My journey to stronger online security” for tips on using strong passwords.
  2. Use two-factor authentication. Most email services (like Gmail and Yahoo Mail) give consumers the option to use two-factor authentication. It sounds complicated, but it really isn’t. In addition to entering your password, you will be asked to enter a six-digit code that typically is sent to your mobile phone. This provides a second layer of security. So even if a hacker guesses your weak password of fido, he will not be able to log in because it will ask him for a computer-generated code that can only be obtained by you on your mobile phone. The hacker will get frustrated and move on to another email account to hack. For more info on two-factor authentication, see my blog posts on “Two-factor authentication” and “More on Two-factor authentication”.
  3. Use diligence when reading and replying to emails, especially when finances are involved. Look for red flags that make you suspicious of the email. In the case above, we highlighted several red flags that Mary should have questioned. If something doesn’t seem or feel right, take action. Like most things on the internet, we take what we read as true and trust most interactions. There is nothing as reliable as using the good old telephone to call someone instead of emailing, especially when unusual circumstances arise.
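
The first red flag in the story, a changed sender address behind an unchanged display name, can be checked mechanically by a mail filter or a reviewer. The Python below is an added example, not part of the original post: the function names and the short free-webmail list are assumptions, the From headers are the fictitious ones quoted above, and the first sender seen in the thread is assumed to be the trusted one.

```python
from email.utils import parseaddr

# Constructed sample: the From headers of the thread as quoted in the post.
THREAD = [
    "Bill Canton <bill@acmeconstruction.com>",
    "Bill Canton <billacmeconstruction@gmail.com>",
    "Bill Canton <billacmeconstruction@gmail.com>",
]

# Assumption: a short illustrative list of free webmail domains, not exhaustive.
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def split_from(header):
    """Return (display name, local part, domain), all lower-cased."""
    name, addr = parseaddr(header)
    local, _, domain = addr.lower().rpartition("@")
    return name.strip().lower(), local, domain


def sender_red_flags(known_header, new_header):
    """Compare a new From header with one already trusted for this contact."""
    k_name, k_local, k_domain = split_from(known_header)
    n_name, n_local, n_domain = split_from(new_header)
    flags = []
    if n_name == k_name and (n_local, n_domain) != (k_local, k_domain):
        flags.append("same display name, different address")
    if n_domain != k_domain:
        flags.append("domain changed")
        if n_domain in FREEMAIL and k_domain not in FREEMAIL:
            flags.append("business contact now writing from free webmail")
        # Lookalike: the trusted company name is embedded in the new local part.
        brand = k_domain.split(".")[0]
        if brand and brand in n_local:
            flags.append("trusted domain name embedded in local part")
    return flags


def review_thread(headers):
    """Treat the first sender as trusted and flag every later deviation."""
    known = headers[0]
    return [(h, sender_red_flags(known, h)) for h in headers[1:]]


if __name__ == "__main__":
    for header, flags in review_thread(THREAD):
        print(header, "->", flags or "no change")
```

A check like this only covers the sender address; the request to change the payment method still needs to be confirmed by telephone, as described above.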

Despite my advice to many of my clients, family and friends, some put these security measures on their “to do list” … when they have time. As a small business owner or a consumer, these steps need to be your top priority. If your email is hacked, it will cause a major disruption to your business, as well as damaging the credibility of your company.

Please don’t wait until your email account is hacked.  Take action today to protect your email login by following the lessons learned from this story.

About the author

John M. Haddad
John Haddad is the Principal and Owner of Bisinet Technologies, LLC. He has been in the Information Technology (IT) field for over 40 years. Over his career, he has held positions in all aspects of technology … programming, systems analysis, project management, infrastructure support, systems architecture, IT Management and web development. He continues to work with many small businesses and non-profits in the local area to provide technology consultation, web design and cloud solutions.