My brother Keven started a new job recently at a transportation and logistics company in Michigan. He’s an eager person in a new sales role that’s been looking for ways to prove himself. So when someone whom he thought was his boss reached out, he was happy to assist. But there was no request for help. The reality is that Keven was yet another victim of a highly targeted phishing campaign – one that countless people fall for every day.
Soon after Keven started his new job, he received an email from who – at a glance – appeared to be his boss. He’d only been on the job for less than two weeks, so he was eager to step up to the plate and lend a hand.
In his rush to assist, he overlooked some critical elements in the initial email, namely, the “From” field, where the sender’s address is presented. While the name was that of his boss, the return email address belonged to a scammer. The email was part of a targeted phishing campaign, and came with a single, simple ask: “I need your help and I need it quick, send me your phone number.”
By sharing his cell phone number, Keven gave the scammer a deeper level of control, as there was now a new level of established trust between Keven and whoever was pretending to be his boss. Moving things over to SMS also meant that Keven associated the number with his boss, and lowered the chance of the imposter being exposed.
As the messages below demonstrate, Keven’s willingness to quickly assist someone who he thought was his boss is the exact type of impulsive behavior and compassion the scammer was looking to exploit.
Now that the scammer had Keven’s cell phone number, he was able to SMS in real-time. The scammer gave Keven the perception that his “boss” was just incredibly busy and needed to get something from the store.
During the conversation, the scammer created a natural sense of urgency, insinuating that the request was a top priority and needed to be done immediately. Like others before him, and others that will follow, Keven took the bait and found himself at Walmart waiting for purchase instructions. A short time later, the instructions arrive. Keven is asked to purchase four $100 Apple gift cards.
The use of gift cards by scammers is a common approach. Their goal is to cash out the value of cards quickly, and either purchase items that can be resold, or purchase items for themselves.
As fate would have it, Keven got lucky. While waiting in line at the checkout, he started feeling uncomfortable about the situation. Yet, he wasn’t sure what to do. He purchased the cards as requested, but immediately after checkout, he got a ping on chat from his boss wondering where he was.
Responding to the message from his boss, Keven replied that he was getting “the four $100 gift cards you asked for.” His boss replies: “What are you talking about?”
Blood cold, at this moment, Keven realizes he’s been the victim of a scam. Security experts know it as a spear phishing campaign, but to the untrained, the exact cause of a scam doesn’t compare to the feeling of being victimized. Fortunately for Keven, he didn’t share the gift card codes with the scammer and he still had his $400, just in a different form.
When his boss found out about the situation that played out, he was empathetic to Keven and offered to buy the cards. This gracefulness is how employees should be treated when they are the victim of a phishing scam. My brother was embarrassed by what happened. However, he knows he’s not alone, and offered this story for me to share. His coworkers also decided to give him a new nickname – “iKeven.”
When it comes to combating phishing scams like the one Keven experienced, the first step is to slow down, and consider what’s happening. A request from out of the blue coming from someone who at first appears to be your boss – that isn’t an unusual or alarming situation. However, when the return email address isn’t your work address, that’s a red flag.
Another aspect of this scam included pressure and the feeling of power dynamics. As far as Keven knew, it was his boss making the request and he was eager to impress. A simple call or quick chat message to Keven’s boss would have confirmed the scam for what it was.
Situations like the one Keven faced are, unfortunately, common. In order to help educate users, it’s critical to have phishing awareness training as part of new employee onboarding, and organizations should stress to employees that they’re empowered to question or verify requests from anyone in management, and should be encouraged to do so. Especially when financial matters are concerned.