(Photo courtesy of rcbatey at Flickr)
Normally, when e-mail scams are brought up, we think of unfortunate individuals falling for something that's too good to be true. A surprising discovery, found in federal court filings, proves that this isn't always the case.
Yesterday, Rebecca Boone of the Associated Press (courtesy of the StarTribune.com) reported:
Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.Apparently, Internet e-mail scam artists accomplished this by sending spoofed e-mails impersonating Frito-Lay and American Greetings:
The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.At first, it appears that no one at SuperValu questioned the account changes and approximately $10 million was wired into them.
According to the article, the scam was discovered quickly and the FBI intervened. SuperValu will not comment on how much money they actually lost.
Either this is a fluke, or it shows a growing trend, where businesses are being specifically targeted in e-mail scams.
This isn't the only type of e-mail scam that has been targeting businesses and organizations.
Stories about what is known as spear phishing have been circulating recently. Spear phishing differs from regular phishing because indivduals are targeted by name, and as reported in some of these stories, sometimes by both name and title.
Previous posts, I've written about spear phishing can be seen, here.
Please note that stealing money isn't the only goal in spear phishing. Sometimes the goal is to steal information (which is worth money), also.
Phishing has become more sophisticated in recent history. Besides using social-engineering (trickery) to obtain information -- malware (sometimes known as crimeware) is downloaded into a system by opening a e-mail attachment -- which steals the information automatically and on an ongoing basis.
Another growing trend is the sale of DIY (do-it-yourself) phishing kits in underground (normally Internet) forums. These kits are enabling less technically inclined criminals to get into the game.
This goes to show that educating employees (especially those with access to financial assets, or valuable information) how to avoid being scammed might be something worth taking a look at.
On a final note, we need to remember that the same type of scam could be accomplished via snail mail with convincing letterhead, or even via a fax. The best way to avoid scams is to be able to recognize the behavior behind them.
AP Story, here.