Oh phish! Check that business email again | Ahmedabad News


Hitesh Shah, 47, rented two cranes for two days from a Vadodara-based construction equipment rental firm on August 13.
Four days later, he got an email from the firm’s official business email account with an invoice for Rs 7.2 lakh instead of Rs 3.6 lakh.
He called the firm and got another email which mentioned the revised amount. Hitesh deposited the money into the Maharashtra Bank account that was mentioned in the invoice attached with the email. Later, the firm said they did not get the money in their HDFC account.
Hitesh realized he was phished by a fake business email which also had business email IDs of individuals Hitesh knew in the firm, but he failed to see that there was an ‘s’ missing in the company’s website domain name in the IDs.
You might think you’re savvy enough to spot a phishing email, but what if the message comes from someone you know and trust, like a business email from a firm, your boss or your supplier? “The scam is called business email compromise (BEC), and it involves impersonating a trusted entity, such as a colleague, a vendor, or a customer.
The goal is to trick the recipient into transferring money, divulging confidential information or performing some other action that benefits the attacker,” said Dhaval Shukal, sub-inspector, Cyber Cell, Gujarat CID (Crime). He was speaking at ‘Hacked’ cyber awareness session organized by TOI and Cyber Cell, Gujarat CID (Crime), on Sunday at Shilp Shaligram in Gurukul.
“In Shah’s case, it appears that the fraudster may have h a c k e d an employee’s email account in the crane rental fir m and then emailed Shah,” he said. So how do these scammers pull off their con? Shukal explains that they use various methods to spoof the sender’s identity, such as compromised accounts, lookalike domains or brand display name imposters.
They also use generative AI to craft well-written messages and avoid the poor spellings and grammar that one sees in phishing emails. “However, the most devious tactic they use is to exploit weaknesses in the payment process of businesses. Instead of asking for a specific payment, the BEC actors ask the victim to provide “the outstanding balance” or “owed amount.”
This technique attempts to redirect the amount mentioned in an unpaid invoice, which has been fully or partially approved by the appropriate internal stakeholders, to another account,” explained Shuka

Source link

Comments are closed.