3 minutes
Securityplus FCU shares how it avoided being scammed
Securityplus Federal Credit Union was recently targeted by what seemed to be a fairly intricate “spoofing” scheme. Spoofing occurs when an intruder attempts to gain unauthorized access to a user's system or information by pretending to be the user. Our spoofing incident led to a request for $14,500 to be wired to a person at another financial institution.
The technology involved wasn’t overly sophisticated; however the highly targeted nature of the fraud attempt was unusual. Our controller, who handles wire transfers, was sent what looked to be an email from me. My email address came through our Outlook platform exactly as a legitimate email from a staff member would appear. The email was sent on a Friday at about 12:45 p.m. and, interestingly, I was at an outside meeting at the time. The email was disguised as being sent from a mobile device and used high pressure language to get our staff person to act quickly to transmit the $14,500 via wire. Fortunately, she checked with me and the funds were never sent.
There were red flags with language and grammar and, frankly, the communication wasn’t written in my voice. Although this type of thing happens all the time, the unique aspect of this was the fact that fraudsters ran a program to make the email look exactly like it came from inside our organization. Plus, the fraudsters used my email address and the email was sent directly to the person I would contact to handle a wire.
From a technical perspective, here’s how the fraudsters pulled this off. The person who crafted the email did not try to alter the “Envelope Sender” field, which in most cases is monitored by our security system to prevent spoofing attempts. Instead, they altered the “From” field, which is used to craft the email before it’s delivered into a mail client. Altering the “From” field allowed the communication to pass through our email security filter.
The perpetrator also altered the “Reply-To” field. Had the controller replied to the email, the response would have gone to the fraudster, not back to me. In this case, if the controller clicked on the properties of the “Reply-To” address, she would have seen that any reply message wasn’t designated to go to me. But most users would not take that extra step of clicking on the properties when replying to an email they believe to be authentic.
Once the IT department received word about the attempt, staff immediately started to dissect the inbound message to see how the fraudster could bypass the security measures in place. The “Envelope Sender” data was placed into a blacklist senders list to eliminate additional inbound messages from that sender, although we knew that the subject could change this in a matter of seconds. To remediate this issue, we ultimately added an additional condition to our spoofing rule, to filter the “From” field in addition to the “Envelope Sender” field. This change would now trigger the filter when the fraudster attempted to spoof either field, blocking the fraud event.
We were fortunate not to be victims of this crime. All the education we’ve done about detecting fraud and watching for red flags certainly came into play. We are sharing our experience with others to help prevent this ever growing crime from impacting our industry.
CUES member Brett Noll, CME, is CEO and Mike Keener is IT manager of $359 million Securityplus Federal Credit Union, Baltimore.