E-Mail Spoof Hackers
There are so many variations of fraud by use of the Internet to illicitly extract money from people. Other areas we describe and have prosecuted as shown on our site include dating or romance scams, outright identity theft, gift card scams, investment fraud, and estate mishandling just to name a few. This is certainly not an exhaustive list. Internet thieves and hackers are so creative, we are surprised regularly by new and innovative scams.
Another egregious fraud is when a hacker is able to redirect a large money payment usually from a business to the tune of hundreds of thousands of dollars to his/her account.
Definition of “Spoofing”: Spoofing is when a person or employee receives an email from someone imitating a trusted source.
The signal that one is being spoofed is an email that apparently has the specifics of the sender, the receiver, and other details such as a certain purchase or shipment of goods. And it usually comes in the form of an Invoice or other request for payment. To confirm the truth of the person asking for payment, one has to verify the exact email address of the sender. The spoofer or hacker may use the real name of the business or vendor, but the domain name will have a slight and barely detectable variation.
The scheme has been to change an email address ever so slightly so that the payer does not notice the slight variation. Some examples are:
Actual: email@example.com Hacker created: rmorris@lous_hardware.com
Actual: firstname.lastname@example.org Hacker created: email@example.com
Actual: firstname.lastname@example.org Hacker created: email@example.com
In other words, the email address is changed ever so slightly so that the business wires money to an account associated with the fraudulent email address, and not the true one. This can result in the illicit transfer of hundreds of thousands of dollars to the fraudster, but there really is no limit. The fraudster sets up a transient account at even a reputable bank, and simply absconds with the money.
How does an e-mail spoof or hack occur? Email addresses are simple to view and imitate. Some people’s and businesses’ domains may be a public domain site, i.e. Twitter, Instagram, Facebook or LinkedIn, and are easily viewable. And certain similar domains are still available to purchase. Another risk is that a PC, phone or IPad can be infected with malware which stores data and searches and even contacts lists.
Still another issue is unprotected public Internet systems such as publicly available Wi-Fi. The moral of the story always is to be very selective in disclosing personal information, contacts, or accessing websites that are not verified.
In our experience, banks are not paying attention. Somehow, they are setting up accounts with little or no real verification of identity of the accountholder to allow this fraud to occur virtually anonymously. At very least, through litigation we have been able to gain information regarding the fraudster. In certain instances, we have been able to claw back a portion of the funds. The point of litigation is to one day get information from the bank to actually pursue the real scammer.
Who is guilty of this fraud? It can be an “inside job”: one by a current or former employee with knowledge of the payment history and vendors of the business. If successful, the person can abscond with enough money to leave employment and fade into obscurity.
A second type of fraudster, is outside the business. The fraudster need only know an email address of the business to create the spoof email and divert funds in the manner described above. This type of person is obviously less traceable, and has no tie to the payor of the funds.
The main hope is to track down the fraudster(s) with use of the depository bank information. That requires a lawsuit against the bank, typically only for that information. Otherwise, it is unlikely that money can be recovered directly from the bank.
In terms of self-defense or preventative measures, it is crucially important that accounts payable employees or owners of businesses verify, cross-check or otherwise insure that all of the receivers’ information is correct. This includes e-mail addresses, account information, confirmation numbers and the identity of the recipient(s).
We have found that even when administrative employees and owners are careful, this type of fraud can still happen.
If your business is a victim of this kind of e-mail spoof hack, feel free to call us at (212) 835-1532 to consult and discuss our fees for filing litigation. We take cases in and around the five boroughs of New York City, Long Island and certain counties in the upper counties of New York, as well as counties and federal Court in New Jersey.