Spear Phishing in Italy

by | Aug 1, 2018 | Business, Cybersecurity

Smart Dolphins IT Solutions provides live, instructor-led training on cybersecurity best practices. The story here was avoidable.  

However, uninformed employees represent the weakest link when it comes to cybersecurity risk at small to medium sized businesses today. A simple and cost-effective defense against cyber-attacks is to invest in employee training. In this blog post, we share the details of a local spear phishing incident that took place to a Victoria, BC resident on vacation in Italy. 

Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

— Kaspersky

The following incident occurred to a Victoria, BC businessperson. The names and location have been changed to protect the privacy of the individuals and the organization. However, it is law in Canada that a compromise must be made public.  

I was enjoying the tail end of my vacation in Italy when an e-mail notification came up on my phone. It was Wendy, the CEO!

My first thought was, “Why on earth is she contacting me on my holiday?”

But I know the CEO is respectful about holidays, so there’s no way she’d be reaching out to me on holiday if it wasn’t urgent. So I opened the e-mail on my phone.

Hi Paul,

This is very important. I have a huge opportunity that just came up, and I need you to purchase some gifts for a promotion. Can you go purchase some iTunes gift cards for me, and send me the codes.

Thanks,
Wendy

Great, she’s working on a big promotion – I trust her wisdom on this, but she has to know I’m on vacation. I’ll send her a friendly reminder, and maybe she can get somebody else on the team to take care of this.
Hi Wendy,

Sounds like you’re on to something great! I can’t wait to learn more. Just a reminder that I’m on vacation in Italy right now (and didn’t bring my company credit card), so can you check in with Kyle or David. I’m sure they’ll be available.

Thanks,
Paul

My thoughts returned to museums and fountains, as I went about getting ready for another beautiful day in Italy. Not more than a minute later, my phone buzzed again.
Hi Paul,

I checked with Kyle and David already, and they cannot get this done. This is really important. Can you please go to a local vendor in Italy and purchase the iTunes cards. I need you to buy them in denominations of 50 euros, and buy 20, for 1000 euros total. Don’t worry, we’ll reiumburse you when you get back home.

There’s codes on the cards you can send to me before you get back, so I don’t need the actual physical cards.

I’m sorry to bother you on your vacation, but this is really important!

Thanks,
Wendy

Let’s be honest, now … I wasn’t excited about taking part of my vacation day to do this, but I don’t want to let the boss down. She’s done a great job running our organization, and I trust her judgment. It’ll be an annoying distraction in my day, but that’s OK.

So my first stop of the day today won’t be a museum, but a convenience store I saw yesterday while touring the area around the hotel. I made sure I had my emergency credit card ready, so I could put an unexpected 1000 euro transaction on it.

I arrived at the store, and looked around. To my luck, they had iTunes cards on the shelf. And they had 50 euro denominations. I started counting out a stack. There were only 17. I wondered if this might be good enough, or if I should get some in 20 euro denominations.

In my best possible Italian, I asked the clerk if they had more 50 euro cards. He shook his head.

I could make a judgment call on this, and I’m sure it’d be OK, but I really didn’t want to let Wendy down if I got the wrong ones, so I decided to call her.

“Hi Wendy, it’s Paul. I’m at the store in Italy picking up the iTunes cards, and noticed they only had 17 cards at 50 euros each. Should I get the rest in 20s?”

“What?” came Wendy’s voice in return, sounding more confused than I expected.

“The cards you wanted me to buy. I’m here buying them, and just thought I’d check to see if 20s…”

“What are you talking about?” Wendy cut me off. “Aren’t you on vacation!”

“Your e-mail,” I replied, a little annoyed.

“I never sent you an e-mail,” she said.

It was at this point that I first realized something was wrong. Why am I standing in a convenience store in Italy buying iTunes cards denominated in euros for my Canadian company’s CEO?

When all the dust had settled, I realized I was within moments of giving 1000 euros to a scam artist who crafted an email pretending to be my CEO. What a way to ruin a vacation!

I learned that this scam was called “spear phishing”, and was increasingly common. When I went back to the original email, I glanced at the email address that “Wendy” emailed me at – it was not her email address. In the heat of the moment, I didn’t look there – even though it was obvious now.

Wendy was kind enough to remind me that these scams were everywhere, and not to feel bad about almost falling for it. My family and I headed off for a lovely day at the local museum, followed by a sunset at the beach. A beautiful vacation was had by all!

Your business is not immune from cyber-attacks! Even with an exceptional cybersecurity suite, you need to be aware that there are scammers out there, and they are targeting businesses like yours. 

To learn more about Smart Dolphins IT Solutions live instructor-led training and webinars on privacy and cybersecurity, visit our training page: https://www.smartdolphins.com/training/

In this video, vCIO, Ty Hedden explains how to spot an email phishing scam.