Sophisticated Scam

How the Scam Worked

This scam was a textbook example of social engineering. The scammers used publicly available information about ComTech, including details about our CEO, Mike Farlow, to craft a targeted email that appeared legitimate.

The email was sent to our accounting department and included:

• A fake invoice for $55,000 claiming payment for coaching services.
• A W-9 form with matching details, including a fake Social Security number and signature.
• A fabricated email chain between our CEO and the vendor, adding an extra layer of believability.

By appearing professional and legitimate, the scammers aimed to bypass skepticism and create urgency for payment.

Investigating the Scam

When faced with a suspicious email, the first step is to verify its legitimacy without opening attachments. For demonstration purposes, we examined the attachments and found:

• The attached Invoice: Contained a professional layout, an invoice number, and detailed payment instructions. However, the supposed services were entirely fake and never happened.
• The attached W-9 Form: This document was similarly well-crafted, featuring consistent details that aligned with the invoice, including a fake signature and Social Security number.

The scam was convincing, but one critical red flag stood out: our CEO had no prior interaction with this vendor.

The Scammers' Goal

The goal of these scammers was simple: deceive the accounting team into transferring $55,000.

Key tactics they used:

• Urgency: By emphasizing "past due" and "urgent" in the email, they attempted to pressure the recipient into quick action.
• Legitimacy: They relied on the professional appearance of their documents to gain trust.
• Smaller Amounts (Sometimes): Many scams request smaller sums to avoid triggering suspicion, though in this case, the amount was significant.

Lessons Learned and How to Protect Your Business

This incident highlights the importance of awareness and proactive measures to prevent scams. Here are the key takeaways:

1. Coordinate and Verify

Train team members to pause and verify requests before acting. If an email involves an unusual payment or sensitive information, reach out to the person or department referenced in the email through a trusted channel. Avoid replying directly to the suspicious email.

2. Recognize Red Flags

Watch for signs that something might be amiss, including:

• Emails claiming "urgent" or "past due" payments.
• Attachments that were not expected.
• Inconsistent email addresses or sender information.
• Payment requests that deviate from normal procedures.

3. Provide Employee Training

Education is one of the most effective defenses against email scams. At ComTech, we offer our CyberHero Academy that includes a two-hour training session for businesses either in-person or virtual.
This training equips employees to:

• Identify phishing emails and suspicious documents.
• Understand how to respond to potential threats.
• Protect sensitive company information
• and more!