Phishing

Email Fraud Investigation
digitpol Investigation unit

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. Spear phishing is an email spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information.

Phishing attacks, email fraud and online scams most often begin when cyber criminals find a way into the email servers or accounts of small and medium-sized companies, frequently those doing business in Asian countries. Once inside, they search the mailbox for sensitive information such as outstanding or unpaid invoices, or correspondence about financial transactions between suppliers, vendors and clients. When they identify a sale or an invoice that is due, the fraudsters send fictitious emails, either from the compromised account or from an address crafted to resemble the original, in which they pose as the person handling the sale or invoice and ask for the funds to be transferred to a nominated bank account, usually with the excuse that there is a problem at the bank and an alternative account must be used. The nominated account is commonly held in the same name as the company, or in a name with a very slight change such as an extra letter, and is often in the same city as the victim or client.

The Common Trends:

Sale contract scam: fraudsters learn from stolen emails about transactions between company A (the seller) and company B (the buyer). Pretending to be company A, they send fictitious emails to company B claiming that company A's bank account has changed and requesting that funds be transferred to the new account, which is usually in the same region as the client, vendor or supplier.

CEO scam: pretending to be senior managers of the victim company, fraudsters send fictitious emails to staff in the finance department seeking an urgent transfer of funds to overseas business partners or for a business investment. The finance staff are instructed to transfer the funds to a nominated bank account.

The misspelt domain name.

Here the attacker registers and controls a misspelt domain name that closely resembles the victim's or client's domain, usually differing by a single character, for example:

From: "CEO Name" <ceo.email.address@examplle.com>

Because the attacker legitimately owns the lookalike domain, anti-spoofing checks such as SPF, DKIM and DMARC will not flag these messages: the mail is not forged, it simply comes from the wrong domain. Instead, a regular expression can be applied to the From: line to identify the misspelling. Below is one such pattern for a domain called example.com; it is useful not just for these scams but for phishing in general. For efficiency, the pattern assumes the first character is never changed, which is a fairly safe assumption because otherwise the domain would not look similar enough. Copy the pattern, adapt it to your own domain(s), and apply it case-insensitively, since the domain part of an address is not case-sensitive.

Character Substitution Regex

This expression identifies a domain in which exactly one character after the first has been replaced by another. It works by checking each position in turn for a substitution (for instance [^m] means "any single character except m") and joining the positions as alternatives. It catches substitutions only: the example address above, examplle.com, has an extra letter rather than a replaced one and will not match this pattern, so a separate pattern for inserted or omitted characters is needed alongside it.

@e(?:[^x]ample|x[^a]mple|xa[^m]ple|xam[^p]le|xamp[^l]e|xampl[^e])\.com
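The following Python script is an added example, not digitpol's code or part of the original page. It builds the character-substitution pattern above for any domain (for example.com it reproduces the page's pattern exactly) and, as a generalization beyond what the page shows, the analogous patterns for one inserted or one omitted character; it then runs all three case-insensitively over a handful of constructed From: lines. The helper names, the `classify_sender` function and the sample headers are assumptions made for this example; only the first sample line is taken from the page.

```python
import re

# Added example (not digitpol's code): build the page's character-substitution
# pattern for any domain, plus one-character insertion and deletion patterns,
# and run them over constructed From: lines.


def _split_domain(domain: str):
    """Split 'example.com' into ('example', 'com'). As in the page's pattern,
    only the name is varied; the TLD is matched literally."""
    name, _, tld = domain.lower().rpartition(".")
    if len(name) < 2 or not tld:
        raise ValueError("expected a domain such as example.com")
    return name, tld


def _wrap(alternatives, first, tld):
    # Keep the page's shape: literal '@', fixed first character, alternation, literal TLD.
    return "@" + re.escape(first) + "(?:" + "|".join(alternatives) + r")\." + re.escape(tld)


def substitution_regex(domain: str) -> str:
    """One character after the first replaced by any other character.
    For example.com this reproduces the page's pattern exactly."""
    name, tld = _split_domain(domain)
    alts = [re.escape(name[1:i]) + "[^" + re.escape(name[i]) + "]" + re.escape(name[i + 1:])
            for i in range(1, len(name))]
    return _wrap(alts, name[0], tld)


def insertion_regex(domain: str) -> str:
    """One extra character inserted anywhere after the first (catches examplle.com).
    [^.] rather than '.' so the inserted character cannot be a label separator."""
    name, tld = _split_domain(domain)
    alts = [re.escape(name[1:i]) + "[^.]" + re.escape(name[i:])
            for i in range(1, len(name) + 1)]
    return _wrap(alts, name[0], tld)


def deletion_regex(domain: str) -> str:
    """One character after the first dropped (catches exmple.com).
    dict.fromkeys removes duplicate alternatives from repeated letters, keeping order."""
    name, tld = _split_domain(domain)
    alts = list(dict.fromkeys(re.escape(name[1:i] + name[i + 1:]) for i in range(1, len(name))))
    return _wrap(alts, name[0], tld)


# Order matters: the first kind that matches is reported.
LOOKALIKE_BUILDERS = {
    "substitution": substitution_regex,
    "insertion": insertion_regex,
    "deletion": deletion_regex,
}


def lookalike_patterns(domain: str) -> dict:
    """Compiled, case-insensitive patterns keyed by the kind of typo they catch."""
    return {kind: re.compile(build(domain), re.IGNORECASE)
            for kind, build in LOOKALIKE_BUILDERS.items()}


def classify_sender(from_line: str, domain: str):
    """Return the kind of one-character lookalike found in a From: line, or None
    when the sender domain is the genuine one or something unrelated."""
    for kind, pattern in lookalike_patterns(domain).items():
        if pattern.search(from_line):
            return kind
    return None


# Constructed sample headers (not real mail); the first is the page's own example.
SAMPLE_FROM_LINES = [
    'From: "CEO Name" <ceo.email.address@examplle.com>',  # extra 'l'     -> insertion
    'From: "Accounts" <ap@exanple.com>',                   # m replaced by n -> substitution
    'From: "Finance" <finance@exmple.com>',                 # missing 'a'   -> deletion
    'From: "Alice" <alice@example.com>',                    # genuine domain -> None
    'From: "Bob" <bob@sample.com>',                         # unrelated      -> None
]


def scan(lines, domain="example.com"):
    """Map each From: line to the lookalike kind it triggers (None = clean)."""
    return {line: classify_sender(line, domain) for line in lines}


if __name__ == "__main__":
    print("page pattern reproduced:", substitution_regex("example.com"))
    for line, kind in scan(SAMPLE_FROM_LINES).items():
        print(f"{(kind or 'clean'):12} {line}")
```

Running the script shows why a second pattern is needed: the substitution pattern alone reports the page's own examplle.com example as clean, and it is the insertion pattern that catches it. Each pattern requires exactly one difference from the genuine domain, so the legitimate example.com never matches any of them.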

Are you affected by a Phishing Attack?

If a phishing attack happens to you, you need to respond quickly: phishing attacks and email fraud can lead to major disruption and serious financial loss.

If you encounter or believe that you have been the victim of online or internet fraud (e.g. phishing, fraudulent text messages), please send an email to info@digitpol.com. Be sure to attach any supporting documentation such as copies of suspicious emails, text messages and questionable links/URLs.