Thieves recruit housewives in elaborate corporate scam

And the scam attacks keep on coming, reinforcing how important it is to require proper procedures and verification for financial transactions.

In the latest one, the CFO of a company receives a series of emails from “the CEO”. Fortunately, he recognizes that they are bogus, and never replies. The scammer becomes progressively more impatient and demanding in further messages.

From: “Bob CEO” <bob.ceo@company.com>
Reply-To: “Bob CEO” <grandefromage@hotmail.com>
To: ray.cfo@company.com

Ray,

I need to know if you can still process out an Domestic transfer today.

Bob

Sent by iPhone

From: “Bob CEO” <bob.ceo@company.com>
Reply-To: “Bob CEO” <grandefromage@hotmail.com>
To: ray.cfo@company.com

Ray,

I'll need you to make a transfer of $22,500 to AAA Limo Service Inc

account below.

Bank Name: Big Name U.S. Bank
Bank Address: 2832 S. Muletta St. Amarillo, TX
Account holder Name: Molly Moulari
Account Holder Address: 1313 Money Mule Drive, Muleshoe, TX
Account Number: xxxxxxxxxx
Account Routing: xxxxxxxxxx

Confirm to me once the transfer has been completed.

Bob

From: “Bob CEO” <bob.ceo@company.com>
Reply-To: “Bob CEO” <grandefromage@hotmail.com>
To: ray.cfo@company.com

Ray,

I have a meeting to attend right away i will not be able to sign it

that is why i want you to get it done. Record the payment on file as

the Debt the company owned AAA American Luxury Car Service Inc.

kindly email me the FED wire confirmation as soon as you complete the

payment.

Bob
Sent by iPhone

From: “Bob CEO” <bob.ceo@company.com>
Reply-To: “Bob CEO” <grandefromage@hotmail.com>
To: ray.cfo@company.com

Ray,

I'm waiting for the FED reference of the transfer, Can you confirm if

the transfer has been sent out?

Bob

Sent from my iPhone
[‘web bug' image to detect if the email was read]

The scam is the usual – the crook knows who the CEO and CFO are, and forges the From address to makes the messages appear as though they are originating from the CEO. He addresses the CFO by name. And, there's a Reply-To header to divert responses to a bogus email address controlled by the thief. In this case, he didn't bother to register a fake domain; he simply registered a throw-away Hotmail address.

One interesting twist is that the routing and account number actually belong to a big-name bank in the United States, not an entity unreachable by U.S. law enforcement.

However, in all probability, the name attached to that account, Molly Moulari, is an innocent American who has been duped into helping the scammers.

This is a fairly elaborate ploy in that it requires two scams to be successful before the criminals make a dime. Molly is the unknowing victim of the first one, known as the “Money Mule” scam, which began when she answered one of those “Work from Home Processing Payments” spam emails. She was “hired” and instructed to set up a legitimate bank account in her name. The crooks then ran a second scam – like the one against the CFO above – to trick someone into transferring money into Molly's account. She then does “her job”, which is to transfer the money on to the crooks, minus her commission. By using the money mule, the crooks hope to avoid the suspicion that a foreign bank might raise. Meanwhile, Molly will be left to twist in the wind when the FBI comes knocking at her door.

Multi-part scams are becoming more prevalent. An organization’s best line of defense is a vigilant employee base and good procedures. Most of all, everyone should be aware that they should never, ever perform any financial transaction merely on the basis of unauthenticated email – especially if the email has a return address that isn't the company's domain.

For more information on this topic, check out these articles:

For information on Barracuda email security solutions, take a look at our Barracuda Email Security Service and the Barracuda Spam Firewall.