I'm an IT consultant in NYC, and no fewer than 5 of my clients have been targeted by such scams. Information on the structure of their company is gathered from their website and an email will be fabricated appearing to be a conversation between company president, controller, CFO, etc., all with their real names and email addresses, sent to a company accountant or something requesting a wire transfer.
The final email will be sent from a very similar email domain: the scammers register a domain with a simple letter/number substitution that is VERY difficult to visually detect if you aren't looking. Many were registered with VistaPrint, who offer free registration of domains on a trial plan, or something. You can see a list of their recently-registered domains here http://vistaprinta.tk/, if you scan through it you'll see some misspellings and l/1 switcheroos. (I spoke with someone at Vistaprint who indicated that they are actively working on this problem, and they have taken quick action when requested).
When my clients ask me to take a technology approach on these matters, I encourage them to treat it as a process issue instead. Having adequate controls for issues like this (phone call required, second approver for large wire transfers, etc) is better than any futile spam-blocking action we could take.
At Microsoft, when an email has an internal sender address it will not get delivered unless that email did in fact come from an internal Exchange server.
In 1998 I was able to use SMTP to send an email "from Bill Gates" (only sent it to myself for my own personal amusement), but the trick stopped working later.
Which brings it back to being a process issue: if folks are diligent about verifying (whether that's a phone call or clicking on a name), then this is harder to pull off.
There is a lot sent along with an email besides the To/From names. The name is pretty easy to spoof, but the SMTP request and timestamps are much harder. Also most reputable senders now use SPF, a type of DNS record, to verify email servers. But email usually trusts by default, unless your servers are very locked down. You can still send 'unverified' email, but it's easier to trip spam filters if you send too much.
I ran into something like that when demonstrating our report delivery at a company. I remember saying "Now notice I change the header to say it comes from [person in room] which of course the e-mail server will reject... oh, my... well, I guess it doesn't...". I was 'encouraged' to have a talk with the e-mail team.
In 1993, I had a summer internship at Apple. After I returned to the university that fall, I sent a fake email from Andy Grove (the CEO of Intel at the time) to my new friend at Apple.
I did this just by opening a telnet session to the SMTP port at apple.com and manually typing in SMTP commands and associated text.
Apple's SMTP server happily delivered a fake email from agrove@intel.com from a system at ucdavis.edu.
It took me a long time to find the error in thompsonenteprises.com but half a second to recognize that kinneyconstructiion.com is wrong. I wonder if businesses are more at risk due to their name alone (some are more difficult to manipulate into hard-to-spot alternatives).
All this talk about email forgery... so why isn't all of this email authenticated with GPG? This type of authentication is a solved problem.
Yes, in the general case PKI is broken and web-of-trust is hard to bootstrap, but protection against scams like this doesn't need to solve the general case. Distributing keys internally isn't hard. Even some communication external to the organization should be easily authenticated with pubkey crypto - it's not more difficult than the business contracts everybody already uses regularly.
Why is everybody trying to solve this with email headers or fallible human judgment?
The same reason basically all other email is not authenticated with GPG: it is a usability nightmare. Even many technically apt people find it too much of a headache. It has no chance of universal adoption in the C suite, and without that kind of adoption, it can't help to prevent things like this.
What is hard about authentication? This was trivial a long time ago with mutt and it was still trivial in recent years with thunderbird+enigmail. If your complaint is that your favorite email client doesn't support pubkey authentication, complain to the vendor.
The only thing that should even be relevant re: usability is the need to occasionally enter a password. This is even minimized with gpg-agent (or similar), which we can assume is something that would be set up by IT anyway along with everything else related to email.
> C suite
Then educate them about the need. Even better, educate the lawyers about why authorizing large purchases (i.e. the type of scam currently being discussed) without proper authentication is an unacceptable risk.
> it can't help to prevent things like this
While you cannot fix a stupid CxO, the problem of deciding if a particular email claiming to be from that CxO authorizing a purchase order is actually from that CxO is easy.
Remember, we only need to solve the internal case, where it is easy to set up PKI. I believe there are even several solutions already available[1] for directory services and key management. Run some sort of local directory service and a local CA and a decent email client should make authentication completely transparent for internal emails.
Configuring it to use pgp (way before gpg existed) was a bit of a challenge years ago. I certainly wouldn't recommend it to most people today. At the time, most email programs required some technical knowledge to setup, so the difficulty is relative.
My point is that these solutions have existed for a long time, even in what many would now call the "earlier" years of email. Even decades ago it was common to have the setup within an organization handled by IT.
// mutt still wins over more "modern" email software in a lot of ways
Yeah, it does, but tell that to the 99.99% of people who don't even know what a "terminal" is. I feel this kind of argument is the worst unintentional straw man: "we don't need to fix this problem, because there's a perfectly fine, super obscure solution".
We need to fix this problem for the accountants, not the IT guys.
Sorry if my comment seemed snappy. I actually am a current mutt user -- so I know its advantages. It's awesome when it is set up.
I think you're getting downvoted in this thread because while you're trying to make a distinction between difficulty of setup and difficulty of use, the waters have already been poisoned by so many people that (wrongly) say "FOSS tools like mutt are easy to set up" that people are lumping you in with that group, even though that's not what you're saying.
What interface design? The only thing that should be visible to most people is some sort of alert that explains that an email was blocked because the signature was missing or invalid. Everything else should be set up by IT.
The MUA should find (and verify) the key in the directory service and automatically handle the signing/signature-verification.
You might need UI to use signatures with external email, but that is a separate problem.
I one time was interested in setting up a command line email client - mutt with procmail or something along those lines. Three hours later I hadn't gotten it working and gave up.
If you had finished setting up mutt, you might have noticed that authentication is handled for you when you use mutt. This is about internal emails, where most people will have someone else set up their email.
I'm not even recommending mutt (or any other specific MUA) as a solution today. These are simply examples that demonstrate how simple authentication can be.
If you want me to believe that internal pubkey authentication (probably based on a directory service provided by the IT department), then you are going to have to explain how most organizations are able to handle stuff like internal address books, which are also provided by directory services (LDAP, Active Directory, etc). An address book requires far more UI than authentication, yet it is a common feature.
The usual: it's a social problem, not a technological problem. Cryptography is the solution to almost everything that people complain about with email, but, there you go.
I just stopped doing this, because the only tangible impact was people asking why my emails had weird incomprehensible junk in them. Admittedly this usually took the form of mild derision rather than outright hostility.
Why don't firms flag all email from external domains as "EXTERNAL" (All subjects are prefixed before being transferred to individual email boxes)?
We have that where I work, wouldn't that help? That way an email with the CEO's email but with a slightly off email address would show external, where every other email within the company has no such flag.
Argh! Sorry this got flagged as external. Stupid IT guys. Anyway, we're about to close a major deal that will make us all rich, please wire blah blah blah.
Heh, reminds me of how someone I know trolled Second Life: you can name objects after other people and have them talk, which lets you "put words in their mouth". The devs apparently thought that they could fix this by making objects speak with green text, while human players had white text.
So what this guy did, was name an object after someone, wait for them to be away from keyboard, and then say: "Hah! Guys, check this out! I made my text green lol. Anyway, [offensive remarks...]"
As with most other aspects of this scam, your suggestion would require a certain lack of critical thinking on the accountant's part: how would the sender know that IT had flagged their email as external before the email was sent and flagged?
> how would the sender know that IT had flagged their email as external before the email was sent and flagged?
The recipients who fall for it don't think about that. They think "oh crap, the big boss needs this done". Critical thinking about and questioning of decisions from higher up is strongly -- one might even say violently -- discouraged in many large organizations.
"Sorry, I'm travelling, so all my email has been flagged as external lately."
I'm not saying that this doesn't require a lapse in critical thinking ability; just that the kind of lapse required is a pretty common everyday one, which non-technical people make all the time.
Any emails that you reply to or forward will get trashed re:[EXTERNAL]fwd:[EXTERNAL] etc... Eventually people will disregard the flags because of the noise. It's a very narrow circumstance where this would actually prevent fraud. You're looking for someone who would normally wire $BIGDOLLAR without verifying it, yet also pay attention to warning flags which are almost always present.
You don't win this battle by trying to block all the possible ways in. Instead you create one approved process for handling $BIGDOLLAR transactions.
You just can't stop stupid in this case. It relies entirely on fooling a single person with the ability to initiate the wire. If the company doesn't have that vulnerability then they just move on.
Everyone seems so interested in a technical way to stop this, but you can't code your way out of stupid accountants.
I think stupid accountants is too harsh here. If you miss that the l in your boss's email address is really a 1 (do you even look at the email address?), how would you know any better?
What's stupid is the business processes that allow an accountant that much power over wire transfers without some kind of secondary approval. That's just vulnerable to all kinds of things, like an accountant wiring the money to the Cayman islands and leaving for a country with no extradition treaty.
>>I think stupid accountants is too harsh here. If you miss that the l in your boss's email address is really a 1 (do you even look at the email address?), how would you know any better?
Accountants are paid to be extremely detail-oriented. If your accountant can't tell between a 1 and the letter "l", how can you trust him/her to not miss that the amounts he/she is keeping track of and paying don't have extra (or missing) zeroes in them?
edit: not sure why this is controversial. Then again I do have high standards when it comes to hiring people into positions that require paying attention to details.
That's not a very good list of countries you would want to reside in. You also stand the risk of having the transfer blocked. The article states that a majority of transactions that get initiated still do not go through.
I agree it's not just a stupid accountant, but they need to be responsible when the weight of the job is on their shoulders.
I'm a software engineer, very aware of the insecurity in email, and I could have made that kind of mistake easily. What hope is there for an accountant? No, the business process is flat out broken, and it's not fair to blame the accountant here. The problem is higher up the responsibility chain.
My university did this for about two weeks. This was a major issue for students because they used it for their primary email address. It was a completely useless flag for us (though maybe not the IT folks who had turned it on) because it was on 9/10 emails. This is an implementation issue though, and perhaps could be more cleverly solved.
Was thinking the same thing. What if the email client colour-coded emails? Everything from inside the organisation would be surrounded in a green border, everything outside in red.
How about altering the FROM and CC/BCC email address on incoming email to add [EXTERNAL] to that address? That way subject lines do not accumulate a long number of prefixes.
This would be useful, not just for fraud, but also just normal business conversations too. Sometimes I've been surprised that the customer is on the email thread (lots of names on the To/CC line). Making it clear about the externals would make this a lot harder to happen.
Shouldn't companies have controls set when a large amount of money is being requested for transfer? Controls that do not involve using email as final approval.
Emails are regularly used for approving large transactions. You can have dedicated approval systems but they are often more of a problem than a solution. When the approver is away you have complex and slow delegation procedures when you are not completely stuck. When people are travelling they can't approve anything while they can on a blackberry. And you need to email people to chase them anyway. These systems are just adding to the corporate bureaucracy.
Common sense should be the first line of defense. Even by email, managers should not approve a transaction they know nothing about. And if one approves something after having only talked to complete strangers, it's hard to fight raw stupidity. The first thing I would have done in this story is fire the accountant.
> "My accountant was called on Friday morning," she tells the BBC. "Someone said: 'You're going to get an email from the president, and she's going to give you instructions to conduct a very confidential transaction and you're going to have to respond to whatever instructions she gives you'."
This should have thrown up so many red flags for anyone. Crazy.
It's just a numbers game. There are suckers born every minute. There are an unbelievable number of accountants out there who couldn't put together these obvious signs.
A phone call from a stranger and an email from an account that has her name in it... it was probably CEO@imstealingyourmoney.ru
Agreed with my sibling post, that email would probably get flagged and dropped as spam before it got to the accountant.
I've seen an email like this aimed at the company I work for and it was something like ceo@yourrcompany.com (just one letter was doubled from the real domain).
If it was flagged as spam it would probably be due to a misconfiguration on the fraudster's end. There might be some anti-spam systems that might be looking for this now but I've yet to see it listed as a feature.
What major email service would allow that email to pass through into the accountant's inbox with no warning? I guess if you're stupid enough to transfer the money, you're stupid enough to ignore the warnings on the email.
Why would an email service know that conpany.com is a scam address of company.com? If they were spoofing addresses then it may be detected, but if they are using a valid domain with a random letter changed you are out of luck unless you have common sense and pay a lot of attention.
There are many things that can be done to prevent this and likely often are. I've set my mail client to color the subject line of messages differently if the from address is in my addressbook or not. However, I don't know how common it is for mail clients to do things like that by default so there may be many people who don't have any obvious sign that something is wrong.
ETA: I think some slight variations on the domain name could also be filtered out completely, but I'd guess it would be hard to catch all of those that it is difficult to visually detect without also filtering legitimate mail.
There is a huge cultural/generational component to it. There are some people who you just cannot wire to be suspicious. Either hire the right people or build security into your processes.
That's funny, my first thought was to fire the accountant as well. Then I thought about it: who has more experience with these scammers than the accountant that screwed up? I would wager they would never fall for it again if they were any sort of reasonable human being, whereas a new accountant has probably never even heard of this scam and you're vulnerable all over again.
What I would do, though, is get my lawyer involved to write up a new contract that would make them liable for every last penny should this happen again.
> What I would do, though, is get my lawyer involved to write up a new contract that would make them liable for every last penny should this happen again.
No accountant would work for you with that stipulation, the risk/reward calculation doesn't make sense.
Not true, my accountant has a contract where she is responsible for any mistakes or miscalculated taxes etc., so she has to pay them. She does have a registered accountancy office and insurance against this sort of thing though, so the risk for her is also minimal.
That doesn't sound like an in-house accountant (i.e. an employee) but that you are engaging an external accountant to work for you - completely different commercial relationships.
And they typically have liability insurance anyway. Your contract is not worth the paper it's written on if the accountant is unlikely to be able to ever repay the loss.
"When called into Watson's office, the fellow said "I suppose you want my resignation." Watson looked at him and replied: "Are you kidding? We just spent ten million dollars educating you." "
Accountants who have let this happen should put the fact on their resume or CV. It will make them more appealing to hire since they are not likely to repeat that kind of mistake.
"Expertise in security processes and stipulations for large transactions and accounting operations", there you go. If they ask in the interview, say it happened to a colleague sitting next to you and you learned a lot from it.
Does the professional body for accounting not have anything to say? If a medic is grossly incompetent they can get struck off for life, as can bankers if they really screw up.
Emails should not be used to approve six figure cash transactions. An account reconciliation or approval of PTO? Sure.
You can easily set up your online banking to require one individual to initiate a wire transfer, and a separate individual to approve the transaction. This is a very basic financial control.
My guess is the companies falling victim to this don't have any formal controls in place.
It all depends on the size of the company and the stupidity of the accounting/purchasing department. The article describes the fraud ranging from modest to sizable. It's not uncommon for many businesses to have 50k transactions every week. You don't want to go around getting approval for every transaction every day. It's not uncommon for many businesses to have 300k transactions every month.
The business that lost 30m+ I don't understand... It must have been multiple wires over a period of time. They found some vulnerable accountant with the power and just milked them over time.
Not all transactions are created equal. Six figure cash disbursement transactions should require approval.
And any company that has so many six figure cash disbursement transactions that approving them is an administrative burden is the type of company that most needs this kind of control in the first place.
I have seen emails regularly used to approve 9 and 10 figure transactions. But the approver always knew about the transaction, had talked about it with the relevant manager. And often would double check with the manager they trust that everything is in order.
> Emails are regularly used for approving large transactions.
In a corporation at least you can require an electronic signature, which requires you to provide your network credentials. Of course you have to have implemented this.
I have to electronically sign my PTO requests, for example.
I was considering it [PGP] last year for company emails but the largest sums I deal with is £100s, if I was controlling £1000s plus based on email transactions I'd think signed emails (in both directions) would be absolutely required.
Very few people verify signatures. Most implementations are impossible for most people. Including a signature may increase risk by leading to false sense of security.
No, it means that there is a way with which you can verify whether you can trust or not.
Yes, I understand how you meant it. But I really can't understand how ordinary people can even come to "your" conclusion. How can people be so stupid (sorry for my harsh wording) not to be able to understand that a digital signature just means that there exists a possibility to check whether the message is authentic (and this has to be done if necessary) instead of being authentic?
It's the same reason why email accounts have 2,000 unread inbox messages or 30 notifications at the top of their phone. You get so used to seeing the notification that you begin to ignore it. In this case, you see a string of non-readable text that makes up some weird "signature" at the bottom. The conclusion? "Oh. The signature is there. It's been authentic every other time I checked. Why wouldn't it be authentic on the 101st check?"
Humans are the hardest vector to defend in an attack. Never underestimate the laziness of people - even when a simple solution exists to combat the problem at hand.
But shouldn't one's email program handle all that in the background, so you get the equivalent of a browser's padlock icon showing whether authentication has been successful rather than getting the PGP (or whatever). Yes, there will still be ways around people but this seems like it should be a standard and basic part of all email programs now.
This is probably the most elegant solution to a PGP signature.
> this seems like it should be a standard and basic part of all email programs now
I can't speak with authority on this, but it feels like this would be adding overhead to something that doesn't necessarily need it. Email is supposed(!) to be relatively simple. I can think of many cases where you would definitely want to have PKI integrated into your emails, but I can think of just as many cases where it's unnecessary overhead in email clients as a standard. However, I admit that I could be wrong.
I agree that it would make sense to add this functionality to the core of the email program. But this is a UI problem (i.e. it makes things that have been understood more comfortable), but does not change whether or not you have understood what a signature means.
If you've done any serious gaming, especially an MMORPG, you've seen this scam a million times. Register an account with a name something like "Mod Steve" or "Blizzzard Rep" and just private message every rich player you see. Claim to be a service rep, say you need to verify their password for security or whatever, and 5% of the time they'll give it to you.
I made a lot of free money on runescape doing this back in elementary school. "Jagex Modz 1"
Leaving aside the infamous laws against "unauthorized access", if you pulled that scam on any gaming platform that had a real-money market, that could easily be interpreted as theft.
> Leaving aside the infamous laws against "unauthorized access"
Why should that be unauthorized? Unless it's written in the T&C that you must not use a pseudonym which impersonates a company official, he had used the system in a legitimate way and did not exploit bugs or bypass access controls.
I believe he is referring to logging in as the other to transfer their goods once they have mistakenly given you the password. That's the unauthorized access, not naming yourself something that is similar to a moderators name.
Exactly. Phishing someone's password and not using it might be a T&C violation, but shouldn't necessarily be illegal (you might, for instance, be doing a study on user gullibility, or be part of a red team checking the security policies of a partner or supplier). Actually using that password, on the other hand...
When I've edited others, I've always gone to great pains to get rid of the extra that.
You'd think that that...
is equal to
You'd think that...
And 'you'd think that' won't risk distracting any of your readers.
The problem comes when I'm actually writing. I tend to read my writing out loud to myself before I post it, and when I actually say things out loud, the double that sounds better.
I have two conclusions:
- My editing is all about hypocrisy.
- It's hard to get out of the habit of writing how you speak.
I think the original reads OK, but the antecedent to "that" was unclear anyway and should have been spelt out.
However, clearly this was written with an ear to humour so the extra "that" is essential - which is why you have your editing interface flag the double but not auto-correct it.
I think you may have missed my point (or I have missed yours). I was saying that same sentence works with both a single and double instance of the word "that". The italics was only there to separate the quoted text from my comment, rather than a typeface suggestion to the former poster.
Clever :-). Somewhat off topic, I said your sentence aloud to see if it sounded right (it did), and I noticed that I pronounce the two "that"s very differently. The first one is short and staccato-y and has kind of a schwa vowel sound—somewhere between "thuht" and "thit". The second is much more emphasized and has a strong A sound (like "apple").
It has to be an exceedingly naive filter if it won't catch "which which" as being highly likely to be an error and "had had" as being relatively common. False positives are of course possible [it's always possible that you're writing about writing errors], we're talking about an aid though - I'd imagine a company like the BBC would use an in-house spell-checker of some form to check that documents match the style guide and that finding unlikely word duplications could easily be included.
How often is "the the" or "which which" actually intended, less than 1% of occurrences?
Write me a sentence that you wouldn't want to flag as potentially erroneous that includes duplication of "which".
'"Which which is which?" he said'
... but I'd still want a human editor to focus on that. Surely with such a massive text output a news organisation doesn't rely solely on human focus to maintain good grammar and such? Am I really expecting too much?
Is this really that shocking? Just seems like the natural evolution of business scams, we still get the people trying to sell us warranties on our company vehicles and trying to sell us toner for printers we barely use (paperless office woo!).
You know the part that makes me laugh is if these people put their ingenuity into doing something useful for society, they wouldn't need to be stealing from everyone all the bloody time.
A surprisingly large number of SMBs in my experience don't have capital transfer controls, especially when the CEO is used to doing financial transfers on the fly. I can think of half a dozen reasonably-sized businesses I've worked with who would be vulnerable to this scam, even with their internal accountants -- a fraudster could call them up, tell them that they needed to draft some five-figure amount because the company got behind on its 401K matches or insurance, and the accountant would think, "Yeah, that sounds about right." And these are the companies who can least afford to get scammed -- they're low-margin companies moving funds around all the time because they're scrambling to keep the balls in the air, so a good-sized fraudulent transfer would cripple them.
I'm more surprised that the convicted fraudster is living in an Ashdod mansion off the beach, and evidently the current Israeli government isn't interested in repatriating him to France to serve his time. I mean, I know there's no bilateral extradition treaty in place, but the son of a bitch brags about what he did -- he doesn't even pretend to deny it!
A lot of this is because the move from 10 to 50 employees can happen in 2 years, is incredibly hectic in itself, chain of command can be a bit confusing and no-one even thinks something like this might happen.
And because the growth is organic rather than the artificial growth of a massive VC cash injection, most companies don't know what they don't know.
I'm sure a large portion of companies do have these controls. But it's just a numbers game. Honestly, I'm tempted to say a decently thought out attempt on my own employer would likely be successful if the amount was reasonable for our average purchase price.
Our CFO received an email like this, it appeared to be from the owner of our company. They even used owner.name@ourdomain.com as the 'from' address. We don't use that naming scheme for email accounts, and it was actually using a Yahoo address as the 'reply-to' address.
Subject: Transfer
Hi John,
Hope your day is going on well, I need you to process a Transfer payment swiftly,let me know what details would be needed, to get it done as soon as possible
Kind Regards,
Jane Doe
Very weird, not sure if a bot puts these together or if there's human involvement.
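The lookalike-domain pattern described at the top of the thread (l/1 swaps, dropped or doubled letters such as thompsonenteprises.com, kinneyconstructiion.com, yourrcompany.com, conpany.com) and the mismatched Reply-To in the sample email above are both mechanically detectable at the mail gateway. The following is an added example, not code from any commenter; the confusable table, the trusted domain and the executive directory are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed, deliberately small table of visually confusable sequences.
# Each entry maps an attacker-friendly glyph to the letter it imitates.
CONFUSABLES = {"1": "l", "i": "l", "|": "l", "0": "o", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Reduce a domain to a visual 'skeleton': fold confusable glyphs and
    collapse doubled letters, so look-alikes map onto the same string."""
    d = domain.lower().strip()
    for glyph, letter in CONFUSABLES.items():
        d = d.replace(glyph, letter)
    return re.sub(r"(.)\1+", r"\1", d)   # kinneyconstructiion -> kineyconstruction


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches a single dropped/added/swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate is NOT the trusted domain but is easy to mistake for it."""
    c, t = candidate.lower(), trusted.lower()
    if not c or c == t:
        return False
    if normalize(c) == normalize(t):
        return True
    # One-character slips on a reasonably long domain (guard keeps short names quiet).
    return len(t) >= 8 and levenshtein(c, t) <= 1


def analyze(headers: dict, trusted_domain: str, executives: dict) -> list:
    """Return human-readable findings for one inbound message.

    headers:    {"From": ..., "Reply-To": ...} as received
    executives: {display name (lower-case): real address} from the directory
    """
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    if is_lookalike(from_dom, trusted_domain):
        findings.append(f"sender domain {from_dom!r} is a look-alike of {trusted_domain!r}")

    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_dom = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_dom != from_dom:
        # The sample email above: From at ourdomain.com, Reply-To at Yahoo.
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    real = executives.get(from_name.strip().lower())
    if real and real.lower() != from_addr.lower():
        findings.append(f"display name {from_name!r} used with {from_addr!r}, not {real!r}")
    return findings


if __name__ == "__main__":
    # Constructed message modelled on the one quoted in the comment above.
    msg = {"From": "Jane Doe <owner.name@ourdomain.com>",
           "Reply-To": "<jane.doe.ceo@yahoo.com>"}
    for f in analyze(msg, "ourdomain.com", {"jane doe": "jdoe@ourdomain.com"}):
        print("FLAG:", f)
```

A gateway would quarantine or banner anything that returns a non-empty list; the display-name check needs the directory lookup the PGP discussion above also assumes IT can provide.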
> Very weird, not sure if a bot puts these together or if there's human involvement.
It'd be easy enough to source a list of company names and owners of the companies then generate possible domains and possible email addresses for the owners but you ultimately need to know who should receive the email. This probably involves a human digging around on LinkedIn. I have no idea what's it like to scrape LinkedIn but presumably they make it difficult. The difference between using the correct email address for the CFO but incorrect one for the owner suggests it's a bit of both.
My accountant got one of these. We called the bank that we were to transfer the funds to and talked to their fraud department. They wouldn't/couldn't do much, but the account was clearly in control of the criminal. Too bad no one cares, because they leave a trail and could easily be caught.
Unfortunately, they absolutely can't do anything about it. There are an endless number of scenarios in which an attempted reverse transfer could be fraudulent. If you suffered a loss they want your bank to worry about it.
As for tracking them, it's not as simple as you probably believe. Opening a business checking account or personal checking account anonymously is a lot easier than you believe. Withdrawing 10-50k is also not as difficult as you might believe. Moving hundreds of thousands to millions might present an issue. You might be able to get some money back if it's that high dollar, but if you sent it to a shady country you're screwed.
Ideally email addresses would just have different colors - internal email green, external red (as verified by domain spelling and by SPF/DKIM).
That would also help immensely with accidental leaks of internal discussions, which is something I have to constantly watch out for with gmail (google apps).
So it seems like this relies on sending email that purports to be from your boss. Aside from the other problems with procedure (like, why don't you get your boss on the phone?), isn't DKIM supposed to be a partial solution to these kind of fraudulent emails?
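The checks the last few comments describe (colour the sender by whether it is really internal, look at where Reply-To actually goes, and trust the From domain only when SPF/DKIM passed for it) are easy to put into a small header-inspection tool. The following is an added example, not code from any commenter or product mentioned in the thread. The message, the domain ourdomain.com and the Authentication-Results line are constructed for the example; the lookalike detection goes a little beyond the thread by folding the l/1, o/0, rn/m and vv/w substitutions and by treating a one-character edit of the real domain as a lookalike.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample, modelled on the message quoted in the thread (example
// data, not from the original post): From carries the company's own domain,
// Reply-To is a webmail account, and the receiving MTA recorded an SPF failure.
const sampleMail = `From: Jane Doe <owner.name@ourdomain.com>
Reply-To: jane.doe.ceo@yahoo.com
To: John <john@ourdomain.com>
Subject: Transfer
Authentication-Results: mx.ourdomain.com; spf=fail smtp.mailfrom=ourdomain.com; dkim=none

Hi John,
I need you to process a Transfer payment swiftly, let me know what details would be needed.
`

// Verdict is what a mail client could use to colour the sender line.
type Verdict struct {
	FromDomain    string
	Class         string // "internal", "unverified-internal", "lookalike" or "external"
	ReplyToDomain string
	Findings      []string
}

// domainOf extracts the lower-cased domain from an RFC 5322 address header.
func domainOf(header string) (string, error) {
	a, err := mail.ParseAddress(header)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(a.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", a.Address)
	}
	return strings.ToLower(a.Address[at+1:]), nil
}

// skeleton folds visually confusable characters (l/1/i, o/0, s/5, rn/m, vv/w)
// so that a registered lookalike collapses onto the real domain.
func skeleton(d string) string {
	d = strings.ToLower(d)
	d = strings.ReplaceAll(d, "rn", "m")
	d = strings.ReplaceAll(d, "vv", "w")
	return strings.Map(func(r rune) rune {
		switch r {
		case '0':
			return 'o'
		case '1', 'i', '|':
			return 'l'
		case '5':
			return 's'
		}
		return r
	}, d)
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is plain Levenshtein distance; one edit away counts as a lookalike.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	cur := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// classifyDomain looks only at the spelling of the From domain.
func classifyDomain(d, ours string) string {
	switch {
	case d == ours:
		return "internal"
	case skeleton(d) == skeleton(ours) || editDistance(d, ours) == 1:
		return "lookalike"
	}
	return "external"
}

// authResult pulls one method's result (pass, fail, none, ...) out of an
// Authentication-Results header; "missing" if the MTA did not record it.
func authResult(header, method string) string {
	for _, f := range strings.FieldsFunc(header, func(r rune) bool { return r == ';' || r == ' ' }) {
		if strings.HasPrefix(f, method+"=") {
			return strings.TrimPrefix(f, method+"=")
		}
	}
	return "missing"
}

// Classify parses a raw message and reports why it should or should not be
// trusted as coming from inside ourDomain.
func Classify(raw, ourDomain string) (Verdict, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Verdict{}, err
	}
	ourDomain = strings.ToLower(ourDomain)
	v := Verdict{}
	if v.FromDomain, err = domainOf(msg.Header.Get("From")); err != nil {
		return v, err
	}
	v.Class = classifyDomain(v.FromDomain, ourDomain)
	if v.Class == "lookalike" {
		v.Findings = append(v.Findings, "From domain "+v.FromDomain+" is a lookalike of "+ourDomain)
	}
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		if v.ReplyToDomain, err = domainOf(rt); err != nil {
			return v, err
		}
		if v.ReplyToDomain != v.FromDomain {
			v.Findings = append(v.Findings, "Reply-To domain "+v.ReplyToDomain+" differs from From domain "+v.FromDomain)
		}
	}
	// A From header naming our own domain proves nothing by itself: only an
	// SPF and DKIM pass recorded by our own MTA earns the green colour.
	if v.Class == "internal" {
		ar := msg.Header.Get("Authentication-Results")
		for _, m := range []string{"spf", "dkim"} {
			if r := authResult(ar, m); r != "pass" {
				v.Findings = append(v.Findings, strings.ToUpper(m)+" result is "+r+", not pass, for a sender claiming "+ourDomain)
				v.Class = "unverified-internal"
			}
		}
	}
	return v, nil
}

func hasFinding(v Verdict, substr string) bool {
	for _, f := range v.Findings {
		if strings.Contains(f, substr) {
			return true
		}
	}
	return false
}

func main() {
	v, err := Classify(sampleMail, "ourdomain.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("from=%s class=%s reply-to=%s\n", v.FromDomain, v.Class, v.ReplyToDomain)
	for _, f := range v.Findings {
		fmt.Println(" -", f)
	}
}
```

The Authentication-Results header is only meaningful when it was written by your own receiving MTA; a sender can add one too, so a real deployment strips any such header arriving from outside before adding its own.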
I can't believe 15000 firms have fallen into that trap. Shouldn't you first verify who you are paying? The accountant should've verified with her by calling her. No transaction is that urgent that it has to be done in an hour.
It sounds like there's a real market for a simple 2FA system for approving large/urgent transactions like this. Something like Google Auth, but with a 30 minute window as opposed to seconds, to keep email viable.
Alternatively, the window could be made smaller if the accountant's 2FA client kept a short history of valid codes and timestamps.
Then again, without a systematic lockout (i.e. putting this restriction into the bank account itself) then the 2FA system could probably be socially engineered away just like any other safeguard.
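What the three comments above sketch is standard TOTP (RFC 6238) with a non-standard time step and a record of spent codes. The block below is an added example, not a product or anything from the commenters: it generates the code the boss would paste into the e-mail, accepts it for the current 30-minute step and one step back, and refuses to let the same code approve a second transfer. The shared secret is the RFC 4226 test key, used here only so the HOTP vectors can be checked; a real deployment provisions a random secret per approver. The last point of the thread still stands: this only helps if the bank or payment system enforces it, otherwise it is one more thing the accountant can be talked out of.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp is RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically
// truncated to the requested number of decimal digits.
func hotp(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := uint32(sum[off]&0x7f)<<24 | uint32(sum[off+1])<<16 | uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// Approver is a TOTP verifier (RFC 6238) with a long time step, so a code
// quoted in an e-mail is still usable when the accountant acts on it, plus a
// record of consumed counters so one code can never approve two transfers.
type Approver struct {
	key    []byte
	step   time.Duration
	digits int
	back   int             // how many previous steps are still accepted
	used   map[uint64]bool // counters already spent on a transfer
}

func NewApprover(key []byte, step time.Duration, digits, back int) *Approver {
	return &Approver{key: key, step: step, digits: digits, back: back, used: map[uint64]bool{}}
}

func (a *Approver) counter(t time.Time) uint64 {
	return uint64(t.Unix()) / uint64(a.step/time.Second)
}

// Code is what the approver's device shows; it goes into the e-mail with the request.
func (a *Approver) Code(now time.Time) string {
	return hotp(a.key, a.counter(now), a.digits)
}

// Verify accepts the code for the current step or up to `back` previous steps,
// compares in constant time, and burns the matching counter on success.
func (a *Approver) Verify(code string, now time.Time) bool {
	c := a.counter(now)
	for i := uint64(0); i <= uint64(a.back) && i <= c; i++ {
		want := hotp(a.key, c-i, a.digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			if a.used[c-i] {
				return false // replay: this code already approved a transfer
			}
			a.used[c-i] = true
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226 test key, used here only for the example (not a real secret).
	a := NewApprover([]byte("12345678901234567890"), 30*time.Minute, 6, 1)
	now := time.Now()
	code := a.Code(now)
	fmt.Println("code in e-mail:", code)
	fmt.Println("accepted 20 min later:", a.Verify(code, now.Add(20*time.Minute)))
	fmt.Println("accepted again (replay):", a.Verify(code, now.Add(21*time.Minute)))
	fmt.Println("accepted 2 hours later:", a.Verify(a.Code(now), now.Add(2*time.Hour)))
}
```

Note the trade-off: a 30-minute step with one step of slack gives the attacker up to an hour to reuse a code they intercepted in transit, which is why the spent-counter record matters more here than in a normal 30-second TOTP.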
I know someone whose dad lost tens of thousands through a text message scam. They asked for his password, and his hardware 2FA device code, and the code sent back to him as a text message. He gave all of that to an anonymous person through text messages!
That's why firms should use email signatures for any email that is supposed to be assumed to be authentic. In other words: The boss should have to sign this kind of email with his private key. The public key distribution problem is solved rather easily in firms (i.e. this is job of the local admin) opposed to the open internet.
So not using well-known best practices (email signatures created with a private key) is simply stupidity and these firms get what they deserve.
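The signing scheme the comment above calls for, as an added example that is not from the commenter or any product: the owner signs the parts of the mail that matter (sender, subject, body) with an Ed25519 private key, the local admin keeps a directory of public keys by sender address, and the accountant's client refuses anything without a valid signature under the key on file. The addresses ourdomain.com / ourd0main.com and the key pair are constructed for the example. A lookalike sender fails simply because no key is on file for that address, and an altered amount fails because the signature covers the body.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical addresses for the example.
const (
	ownerAddr     = "owner@ourdomain.com"
	lookalikeAddr = "owner@ourd0main.com"
)

// Directory is the admin-maintained map from sender address to public key;
// inside one firm this is shipped with the rest of the desktop configuration.
type Directory map[string]ed25519.PublicKey

// canonical fixes exactly which bytes are signed: sender, subject and body
// with line endings and trailing whitespace normalised, so a gateway that
// re-wraps CRLF/LF does not break the signature but any change to the wording does.
func canonical(from, subject, body string) []byte {
	body = strings.ReplaceAll(body, "\r\n", "\n")
	var lines []string
	for _, l := range strings.Split(body, "\n") {
		lines = append(lines, strings.TrimRight(l, " \t"))
	}
	return []byte(strings.ToLower(from) + "\n" + subject + "\n" +
		strings.TrimRight(strings.Join(lines, "\n"), "\n"))
}

// Sign produces the base64 signature the sender appends to the message.
func Sign(priv ed25519.PrivateKey, from, subject, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(from, subject, body)))
}

// Verify reports whether the signature checks out under the key on file for
// the claimed sender, plus a reason usable in the client's warning banner.
func (d Directory) Verify(from, subject, body, sigB64 string) (bool, string) {
	pub, ok := d[strings.ToLower(from)]
	if !ok {
		return false, "no key on file for " + from + "; treat as unauthenticated"
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, "malformed signature"
	}
	if !ed25519.Verify(pub, canonical(from, subject, body), sig) {
		return false, "signature does not match message; sender or content altered"
	}
	return true, "signed by " + from
}

// Setup generates the owner's key pair and registers the public half; the
// private half never leaves the owner's machine.
func Setup() (Directory, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Directory{ownerAddr: pub}, priv
}

func main() {
	dir, priv := Setup()
	subject, body := "Transfer", "Please wire 50,000 to the account below by Friday."
	sig := Sign(priv, ownerAddr, subject, body)
	fmt.Println(dir.Verify(ownerAddr, subject, body, sig))
	fmt.Println(dir.Verify(ownerAddr, subject, "Please wire 500,000 to the account below by Friday.", sig))
	fmt.Println(dir.Verify(lookalikeAddr, subject, body, sig))
}
```

The policy side is the part the code cannot supply: the accountant's workflow has to treat "no key on file" and "signature does not match" the same way, as a hard stop rather than a warning, or the first impatient "just get it sorted" will override it.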
I don't understand how you would ever think it's reasonable to make a large transfer based on just a strange email from your boss. At least get them on the phone.
Some CEOs run a company that way though. They will be blunt and impatient; often sending e-mails like "just get it sorted". I can completely understand how some might not even question the e-mails as being out of character.
Isn't this potentially a great idea for a start-up?
A SaaS solution which simplifies / streamlines companies’ internal (and potentially external) approval processes.. I am no expert in this area but a quick google search shows only solutions which look cumbersome and overly complex (or come as part of large and probably fairly inflexible CRMs).
I would probably target SMEs first, ie the sort of companies mentioned in the article.
Anyway, if anyone thinks there may be an opportunity here and wants to talk about this a bit more, drop me an email (address in my profile).
This account's comments are promotional to the point of being spam. Please stop posting them to HN. Discussions here are supposed to be conversations, not commercials.
I apologize if they came across as excessively commercial. I thought they were relevant to the discussion at hand. I will be more careful in the future.