In Focus: Quadruple Email Scam

Cybercriminals rely on email scams. But anyone who thinks that criminals only send clumsy phishing attempts with poorly written, error-ridden emails is mistaken. Criminals sometimes put a great deal of effort into planning, designing, and executing email fraud. The experts of the Incident Response Management Team have recorded an increase in these attacks. To show you how sophisticated some of them are, we present the following case. You will see how the attackers send fake emails, misuse the names of well-known companies for their scam, invent products, create fake websites, copy real companies, and more.

Image Credit: Ioannis Karathanasis via Pixabay

What happened?

A company received an email that purported to come from Unilever Netherlands, a large consumer goods group. In reality, however, it was a request from an unknown third party for a large quantity of a very specific type of pump. A tender was attached to the email. Since the company did not have this type of pump in stock itself, it looked for other suppliers and found what it was looking for. The company ordered the pumps from this supplier and at the same time sent a non-binding offer to what it believed to be Unilever Netherlands.

The supplier replied immediately, confirming that he could deliver the desired pumps. However, he demanded payment for the goods in full in advance: a high five-digit sum. Because of the increased risk, the company asked for a 50% reduction in the down payment and at the same time obtained an assessment from its financial partner to verify the supplier's legitimacy. The result was positive. Unfortunately, this analysis was flawed.

After the company had also obtained further information about the supplier, a deposit of approximately €26,000 was transferred. After receiving this sum, the supplier contacted the company again and demanded the full amount regardless of the agreement. The company did not comply with this demand, because by then it had realized that it had fallen for a scam.

How did the attackers proceed?

To lull the victims into a false sense of security, the attackers make contact in the name of a very well-known company, in this case a world-famous consumer goods group. The initial email was an inquiry for a product, a specific pump. A search for this pump on the Internet quickly led to a very authentic-looking company website that carried exactly this product. But the make of the pump, the product number and the company that supposedly stocked these pumps were all fictitious. The websites of the alleged suppliers, including the company name, domain and logo, were likewise created, registered and forged for the purpose of the fraud.

How could the fraud have been recognized?

In these cases, absolute caution is advised, because the fraudsters proceed in a highly professional manner. To solve the case, Perseus' forensic experts analyzed the entire communication between the victim and the attackers and were able to identify indications of fraud. Recognizing these indications yourself requires a trained eye.

Here are our tips:

  1. Examine the sender profile of the emails carefully. The sender name can be manipulated easily. At first glance, it looks as if the email comes from a reputable company, such as Unilever. However, the sender address often does not match the sender name. Even small signs such as a transposed letter or a different domain after the @ can be an indication of fraud.
  2. Be vigilant with generic, non-person-specific salutations. In the present case, for example, the recipients were placed in blind carbon copy (BCC). The victim was therefore not addressed explicitly; the email was probably sent to many unknown recipients at once.
  3. Examine the recipient's address. Well-known and reputable companies mostly use simple email addresses. Unilever's communication, for example, takes place via @unilever.com and not via @unileverbrasil.com or @unilevernetherlands.com. This is another indication that the request is not genuine.
  4. The IP address from which the emails were sent can also provide further indications of fraud, for example by identifying the company or organization to which the IP belongs or the country from which the emails were sent.
  5. Analyze the website carefully. In the present case, the fraudsters created a homepage on which the desired pumps were offered. The criminals used the name of a real company and altered it slightly: the real company name ended in -tech, the attackers used -tec. The logo looked confusingly similar to that of the real company; here too, only the ending had been changed from -tech to -tec.
  6. Contact a company with which you have no existing business relationship in person and always verify its legitimacy. This is especially true for financial transactions.
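
As an added example (not code from Perseus or from the case study), the following Python script applies tips 1, 2, 3 and 5 to a raw email message: it compares the sender's display name with the address domain, flags a brand name embedded in a longer domain, detects near-copies of a known supplier domain such as -tec in place of -tech, and notes a missing visible recipient together with a generic salutation. The brand map, the trusted supplier domain, the salutation list and the sample message are constructed assumptions; only unilever.com and unilevernetherlands.com come from the article.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# unilever.com is from the article; the brand map, the trusted supplier domain
# and the salutation list are assumptions made for this example.
KNOWN_BRANDS = {"unilever": "unilever.com"}
KNOWN_SUPPLIERS = {"acme-tech.example"}
GENERIC_SALUTATIONS = ("dear sir or madam", "dear customer", "to whom it may concern")

def is_lookalike(domain, real_domain, threshold=0.85):
    """True if domain is a near-copy of real_domain (e.g. -tec instead of -tech)."""
    if domain == real_domain:
        return False
    return difflib.SequenceMatcher(None, domain, real_domain).ratio() >= threshold

def check_message(raw):
    """Return the indications of fraud found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real in KNOWN_BRANDS.items():
        # Tip 1: the display name claims a brand the address domain does not match.
        if brand in display.lower() and domain != real:
            findings.append(f"sender name claims {brand} but address is @{domain}")
        # Tip 3: the brand name is buried in a longer domain (unilevernetherlands.com).
        if brand in domain and domain != real:
            findings.append(f"lookalike domain @{domain} is not @{real}")
    # Tip 5: the domain is a slightly altered copy of a supplier we already know.
    for real in KNOWN_SUPPLIERS:
        if is_lookalike(domain, real):
            findings.append(f"@{domain} mimics known supplier @{real}")
    # Tip 2: no visible recipient (delivered via BCC) and a generic salutation.
    if msg["To"] is None and msg["Cc"] is None:
        findings.append("no visible recipient: probably sent via BCC to many")
    first_line = msg.get_content().strip().split("\n", 1)[0].lower()
    if first_line.startswith(GENERIC_SALUTATIONS):
        findings.append(f"generic salutation: {first_line!r}")
    return findings

# Constructed message modelled on the case above, not the real correspondence.
SCAM = """\
From: Unilever Netherlands Procurement <tenders@unilevernetherlands.com>
Subject: Tender for industrial pumps

Dear Sir or Madam,
please find our tender attached.
"""
```

Calling `check_message(SCAM)` returns four findings; a message from jane.doe@unilever.com with a named recipient and a personal salutation returns none.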

This is our advice to companies that have fallen victim to fraud!

  • Report the incident to the responsible Central Contact Point for Cybercrime (ZAC) in your federal state. In this way, foreign investigative authorities can provide support if necessary and the path of the money can be traced.
    File a criminal complaint with the police.
  • Train your employees and make them aware of digital threats from the Internet.
    Tip: Perseus offers you a sustainable prevention package with online training, phishing simulations, threat alerts and other useful tips and tools for everyday work.
  • Check whether the scam has affected, or could affect, other parties. If so, get in touch with those organizations.
  • Evaluate the incident in detail and question existing processes and structures. If you find gaps, close them and optimize your business processes.
    Tip: Rely on external support from experts for implementation. Perseus can advise you here.

Download the case study to learn:

  • How did the attackers proceed in concrete terms?
  • What were the consequences for the parties involved?
  • What tips do our experts give companies that are affected by attacks of this kind?
  • What measures should be taken to prevent these attacks?