A US TV star has lost nearly $400,000 in a classic email fraud scam after a fraudster persuaded her bookkeeper to wire funds to a new bank account.
Multi-millionaire Barbara Corcoran describes herself as an “NYC real estate queen” and is one of the investors on popular show Shark Tank. However, on Wednesday, she took to Twitter with the brief message, “Lesson learned: Be careful when you wire money!”
In fact, it was her bookkeeper who had been tricked into wiring the $388,000 to an Asian bank, according to reports.
A fraudster reportedly spoofed the email address of Corcoran’s assistant, telling the bookkeeper to wire the funds to a German company called FFH Concept.
It’s unclear whether this was a legitimate supplier or a new organization, but the scammer apparently responded to an initial query for more information with a detailed explanation about the invoice.
That indicates they put in plenty of work ahead of time researching Corcoran’s business.
This modus operandi is similar to the business email compromise (BEC) or CEO fraud scams that netted scammers a staggering $1.8bn last year, accounting for half of all reported cybercrime losses. That’s up from around $1.3bn in 2018, according to the FBI.
Peter Goldstein, CTO and co-founder of Valimail, argued that firms cannot rely on human intuition alone to stop such scams.
“The phishing scam impacting Corcoran’s company clearly debunks the myth that phishing emails are easy to spot. Many companies invest in employee security training to prevent this kind of attack, but as this incident proves, humans are not able to identify malicious emails reliably,” he added.
“Hackers leverage impersonation and heavily researched social engineering tactics to appear as trustworthy senders, and their fraudulent messages are often indistinguishable from legitimate ones.”
Goldstein recommended investing in technologies which validate and authenticate sender identity. It’s reported that the email address used by the hacker was almost identical to that of Corcoran’s assistant but missing a single 'o' — a common tactic to trick recipients.