Angry Boss Phishing Emails Prompt Fraudulent Wire Transfers

chicksdaddy writes: Lots of studies have shown that assertiveness works in the professional sphere as well as the personal one. It turns out to work pretty well in the cyber criminal sphere, also. Websense Labs has posted a blog warning of a new round of spear phishing attacks that rely on e-mail messages posing as urgent communications from senior officers to lower level employees. The messages demand that the employees wire funds to a destination account provided in the message.

According to Websense, these attacks are low tech. The fraudsters register "typo squatting" domains that look like the target company's domain, but are subtly different. They then set up e-mails at the typo squatted domain designed to mirror legitimate executive email accounts. Like many phishing scams, these attacks rely on the similarities of the domains and often extensive knowledge of key players within the company, creating e-mails that are highly convincing to recipients.

The key element of their attack is – simply – "obeisance," Websense notes. "When the CEO or CFO tells you to do something, you do it." The messages were brief and urgent, included (phony) threads involving other company executives and demanded updates on the progress of the transfer, making the request seem more authentic. Rather than ask the executive for clarification (or scrutinize the FROM line), the employees found it easier to just wire the money to the specified account, Websense reports.

Websense notes the similarities between the technique used in the latest phishing attack and the grain trading firm Scoular in June, 2014. That company was tricked into wiring some $17 million to a bank in China, with employees believing they were acting on the wishes of executives who had communicated through e-mail.

Assuming the consequences of one's decisions

[Thanshin]

You can't raise an army of slaves and then expect them to act as free men.

You have to put autonomous thinkers and obeying sheep on their correct places; and there are plenty of both. If you put a sheep on the wrong post, don't go now crying about a problem that you created yourself*.

*: Or your boss, if you're one of the sheep.

Re:Assuming the consequences of one's decisions

You basically tell them "These are the procedures to authorize any transaction; follow them or be fired.

That directly makes me think about that cities IT head, who did just that and refused to tell the password to the cities computers when asked to do so with a group of unknown/unsecure people present.

I do not know if he's still in jail (yes, he was locked up as a result of that by standing orders refusal), but he's certainly without a job and without any prospects to get another.

In a good environment rules and regulations are there for everyone. In the run of the mill environments rules and regulations are only there to pester underlings with (very handly when fingers need to be pointed), and to be violated with impunity by bosses. 'Cause their work is ofcourse "too important" to be cramped by them.

And there you are : underlings who get wise to how the shit flows (and how they, if they consider to become "whistleblowers" and decide to contact the bosses boss, become outcasts or simply jobless), and as a result do not hold themselves responsible for anything a boss asks.

As someone else here already said, if you're out to breed sheep than do not expect them to try to protect you when you get attacked by a wolf.