Many of you know that I’ve been involved with a local con-running group for a very long time. For a number of years I’ve been the treasurer. So it isn’t uncommon for me to get emails talking about money and payments and whatnot. I got one today, ostensibly from the current President of the organization. It appeared to be from his personal email address to my personal email address. But immediately I knew this was a fishing attempt! A good one, and a fun one too!
Here’s the text from the email.
Can we get a wire transfer sent out today? I’m expecting to receive the account information for an outgoing wire transfer shortly and I’ll need you to see to it that the payment goes out today. Kindly get back to me as soon as possible to let me know when to forward the wire instruction to you.
Okay. First of all, we never wire transfer anything. Who does that these days? I think I’ve done one of these once in my life, when transferring the down payment on the house. So anything with a casual wire transfer strikes me as… fishy. Or, more accurately, fishing. Second, the purported sender doesn’t ever sound like this. ‘Kindly’ and ‘Best Regards’ are not his usual vernacular. (Not that he isn’t a nice guy, he really is!) And isn’t the phrase ‘get back to me as soon as possible to let me know when to forward the wire instruction to you’ unusually awkward?
Anyhow, I take a peek at the headers. Definitely not from this person. From what looks to be an unsecured personal mail server that allowed for the forgery and doesn’t respect SPF. The Reply-To obviously can’t go back to the actual President, or to the personal mail server; that wouldn’t get back to the scammers. So they set a reply-to address of ‘boardcommitee@gmail’.
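A small triage script covering the three things checked above (the From domain versus the Reply-To domain, the SPF verdict the receiving server recorded, and the wire-transfer phrasing), written as an added example rather than anything from the original post; the message, addresses, hostnames and the Authentication-Results line in it are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the message described in the post.
# Every address, host and the SPF verdict here is a placeholder.
SAMPLE = """\
Received: from mail.unsecured-host.example (mail.unsecured-host.example [192.0.2.10])
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=president@example.com
From: "Club President" <president@example.com>
Reply-To: boardcommittee-placeholder@example.org
To: treasurer@example.net
Subject: Quick request

Can we get a wire transfer sent out today? Kindly get back to me as soon as possible.
"""

# Constructed benign message from the same sender for comparison.
BENIGN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=president@example.com
From: "Club President" <president@example.com>
To: treasurer@example.net
Subject: Board meeting

Are we still on for Thursday? I can bring the projector.
"""

WIRE_TERMS = ("wire transfer", "wire instruction", "kindly", "as soon as possible")

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage(raw: str) -> dict:
    """Return the three signals the post relied on, one key each."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    # A missing Reply-To means replies go back to From, so treat it as a match.
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    # SPF verdict as written by the receiving MX; "none" if no header at all.
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = m.group(1).lower() if m else "none"
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    return {"reply_to_mismatch": from_dom != reply_dom, "spf": spf,
            "wire_terms": [t for t in WIRE_TERMS if t in text]}

def is_suspicious(raw: str) -> bool:
    """Flag when at least two of the three signals fire, to limit false alarms."""
    r = triage(raw)
    score = int(r["reply_to_mismatch"]) + int(r["spf"] != "pass") + int(len(r["wire_terms"]) >= 2)
    return score >= 2

if __name__ == "__main__":
    print(triage(SAMPLE), is_suspicious(SAMPLE))
```

On the sample all three signals fire; the benign message from the same sender fires none, which is the point of keying on the combination rather than on any single header.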
At this point, I’m almost impressed. Someone (and at this level it probably was a person, not an automated bot) found our organization’s website, found the list of board members, and set up a pretty reasonable attempt to fish. Someone had to learn enough about us and our organization to set this up. But our organization is made up of a pretty social bunch of people. All these board positions are -volunteers-, all engaged in the same hobby. And we’re a pretty technical bunch, not likely to fall into going along. So I jumped over to instant messaging and shot a message over to the purported sender and even further confirmed this was not a real thing. But I can see how it -might- have worked on another organization.
Final results? Fishers go home empty-handed, and I get a fun story to tell.