Spoofing, Phishing and Spearphishing - How to Protect Your Business and Clients

June 16, 2016

The original definition of “spoofing” was, “to imitate (something) while exaggerating its characteristic features for comic effect.” The film “Scary Movie”, for example, was a comedic spoof of the slasher movies that predated it.

The form of “spoofing” that recently has affected the yacht brokerage business is far from funny, however. One Florida Yacht Broker Association member gave an example of a recent case that involved his brokerage firm.

“About six months ago, we had a closing coming up. The broker emailed the client with instructions for sending the proceeds to the bank by wire transfer,” he said. “Then, someone from an outside source sent another email to the client that looked like it came from the broker saying, ‘Please disregard these wire transfer instructions,’ and sent new instructions.”

The bank listed in the second email was in Hong Kong, which made the client wary and prompted him to call the broker and ask what was going on.

“The broker knew nothing about the second email,” said the FYBA member, speculating that the spoofer might somehow have been tracking emails with “wire transfer instructions” in the subject line.

The broker called the police to report the scam, and his firm immediately examined its internal security systems as well. “We changed everything we could, including everyone’s email password, and thought we’d stopped it,” the FYBA member said. “Since then we’ve gotten another spoofing email that included a Wells Fargo bank in Texas.” That email looked more authentic than the first one, but the brokerage firm had put a security procedure into place that requires verbal confirmation between the company and the client prior to any wire transfers taking place. “We never put ‘wire transfer’ in the subject line, and any wire transfer must be verbally verified. We call the bank and the client to confirm it,” he said. 

Billion-dollar cyber crime wave

Other brokerage firms have reported similar incidents, and of course, yacht brokers are far from the only victims of email spoofing scams. They are a type of “phishing” cybercrime called “spearphishing” − the hacker term for highly targeted email scams, according to Keith Perfect, Director of Development for IT provider Advantage Services in Fort Lauderdale.

“There’s also ‘whaling’, where it looks like the email came from the CEO to the CFO, saying, ‘I need money deposited right now’ or something like that,” Keith Perfect said. In the case of CEO scams, the FBI estimates that companies have been defrauded of $2.3 billion so far.

Keith likens the phishing crisis to a nuclear arms race. “There’s new technology to stop it, and then the other side develops new tools…,” he said. He doesn’t hold out much hope that the authorities will be able to stop it anytime soon. “They police, the FBI, they can’t get these guys.”

Instead, Keith advises yacht brokers to become more aware of the types of email scam out there, and to be more skeptical. “They need to slow down and not believe everything they read in email,” he said.

Here is a list of tips that Advantage Services provided to help your company avoid spoofing, phishing and spearphishing:

• Look closely at the grammar in the email. “If there are weird spellings; the grammar’s off, then something’s wrong there,” he said.
• Don’t click on any links! A common scam that yacht brokers have experienced is to receive an email saying something like, “I am interested in the 150-foot Christensen you listed. Please click here for my contact information.” Perfect said, “The brokers do it, and they get viruses or let the hacker into their system.”
• Always get a verbal as well as email confirmation prior to a financial transaction. “There needs to be a phone call at some point; make it part of the process,” he said.
• Discuss phishing and how to prevent it with your IT services provider.

“If everybody is more aware, they can help to protect themselves”