One of my clients was the victim of a cyber-crime, and I reported it to the FBI’s Internet Crime Complaint Center. Today I will discuss how the process worked.
My client called me to help her after someone posing as her intercepted a payment on an invoice that she sent to one of her customers. The way this worked is that some time in the past, her business email account had been hijacked, and this allowed the attacker to log in and read her incoming and outgoing emails. In several instances, after she sent her invoice by email, the hijacker followed up with an email that told the recipient to send the payment to a different address. My client works in Wisconsin. The email from the hijacker asked that the payment be sent to an address in Florida. Unfortunately, the customer did just that, and my client never received the payment.
She was savvy enough to realize that she needed to change her email account password, and did so. But the thefts continued, so she called me. We checked her email account for a “forwarder” and found that her emails were being forwarded to another email address too. So the attacker was still aware when new invoices were being emailed.
Since they no longer had access to her email account, they created a look-alike email account on a public email service. My client’s email address looked like name@mybusiness.com. The attacker’s new email address was name.mybusiness@mail.com. This was close enough to fool another customer of hers. Fortunately, the customer had saved the email and we were able to get the email address that the attacker was using, as well as the mail address in Florida.
The email hosting company was able to send us the email address that emails were being forwarded to. The name in this email address appeared to be connected to a plastics company located in the Philippines.
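The look-alike pattern described above, where the real domain name moves into the local part of an address on a public email service, can be screened for in inbound mail. The following is an added example, not part of the original post; the provider list and function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Public mailbox providers (illustrative, not exhaustive; an assumption of this example).
PUBLIC_PROVIDERS = {"mail.com", "gmail.com", "outlook.com", "yahoo.com"}

def _split(header_value):
    """Split a From value such as 'Name <a@b.com>' into (local, domain), lowercased."""
    addr = parseaddr(header_value)[1].lower()
    local, _, domain = addr.rpartition("@")
    return local, domain

def lookalike_reasons(trusted, sender):
    """Return the reasons `sender` resembles `trusted`; an empty list means no match."""
    t_local, t_domain = _split(trusted)
    s_local, s_domain = _split(sender)
    # Mail from the real domain, or with no parsable address, is out of scope here.
    if not s_domain or s_domain == t_domain:
        return []
    # Assumes a simple domain such as "mybusiness.com", giving "mybusiness".
    brand = t_domain.split(".")[0]
    tokens = {t for t in re.split(r"[^a-z0-9]+", s_local) if t}
    reasons = []
    if brand in s_local:
        reasons.append("trusted domain name appears in the local part")
    if t_local in tokens:
        reasons.append("same mailbox name on a different domain")
    # A public provider alone is normal for customers; it only adds weight to a match.
    if reasons and s_domain in PUBLIC_PROVIDERS:
        reasons.append("sent from a public email service")
    return reasons

# Constructed sample senders; the first two addresses are the ones quoted in the post.
SAMPLE_SENDERS = [
    "name@mybusiness.com",
    "Name <name.mybusiness@mail.com>",
    "customer@gmail.com",
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(s, "->", lookalike_reasons("name@mybusiness.com", s) or "ok")
```

A check like this belongs on the receiving side, for example in the customer's accounts-payable mailbox, with the vendor's known address as `trusted`.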
None of these thefts, even in total, represented a large sum of money. Reporting the crime to the local police did not really do much for her; since it was a small-dollar, cross-jurisdictional crime, there wasn’t really much they could do.
I suggested that we report this to the Internet Crime Complaint Center (IC3). The reason is this: even though her financial loss was small, a scam like this is usually run against dozens if not hundreds of victims, and all of those small crimes add up to a big felony. If the aggregated amount reported by all these victims gets large enough, the FBI will eventually investigate. Additionally, the FBI has the ability to partner with law enforcement in other jurisdictions, even in foreign countries.
We are still waiting to see how this all works out, and as the situation develops, I will be sure to write a follow-up story.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com