The first step in protecting against phone scams is understanding how they work. That’s why we’re starting a new series on the blog, breaking down some of the newest and most popular phone scams circulating among businesses and consumers.
Imagine that you’re a senior executive at a law firm or hedge fund. It’s the end of a long week at the office. Just as you’re about to hit the road, you answer one last phone call. It’s your company’s bank. They tell you that they’ve detected fraudulent activity on your account. This sounds like it’s going to be a pain to take care of.
Fortunately, this counter-fraud team seems to have everything under control. They already have most of your information. They just need to verify a few details, including your online security code, and they can cancel the suspicious transactions. You give them the information they need and head home, making a note to check in on what happened when you get back on Monday.
When you arrive back at the office the next week, you log into your firm’s online bank account to check that the fraudulent transactions were canceled. Instead, you see that more than a million dollars has gone missing…
Here’s What Really Happened
It turns out that wasn’t actually your bank calling on Friday afternoon. It was an attacker. When you “verified” your online security details, you were actually giving the attackers everything they needed to take over your company’s account. After you left the office, they logged in and transferred the money out of your account. They know that law firms complete conveyancing (property) transactions on Friday afternoons and that nobody will check the account until Monday, so by the time everyone returns to the office, that money is long gone.
It’s called the Friday Afternoon Scam, but it actually combines several popular scam techniques:
- Spear Phishing / Spear Vishing – Unlike many phone scams, which cast a broad, random net, spear phishing (by email) and spear vishing (by voice call) attacks are extremely targeted. The attacker will often do extensive research on a single executive in an attempt to steal intellectual property, financial data, or other trade secrets. Here, the attackers are specifically targeting CFOs and other high-level financial executives.
- Social Engineering – Think of social engineering as old-fashioned trickery. Attackers use psychological manipulation to con people into divulging sensitive information. In this scam, the attackers call on a Friday afternoon, knowing that the executive will be distracted and in a hurry to leave.
- Bank Impersonation – By pretending to be calling from the company’s bank, the fraudsters were able to gain the executive’s trust fairly easily. Attackers can impersonate a bank by doing reconnaissance work to learn which bank the company uses and spoofing that bank’s Caller ID. Caller ID is not an authentication mechanism: the number a call displays is set by the caller and can be forged, so the only safe way to verify a call that claims to come from your bank is to hang up and call back on a number printed on your card or statement. Often attackers will transfer the call to a ‘manager’ in order to make it seem more legitimate.
Friday Afternoon Scam Examples
A London Hedge Fund Lost $1.2 Million in a Friday Afternoon Phone Scam – Last week, Bloomberg reported on this scam, which targeted Fortelus Capital Management LLP’s CFO, Thomas Meston. As a result, Meston was terminated and is now being sued by the fund, which claims he breached his duty to protect the firm’s assets.
SRA Warns of ‘Friday Afternoon Fraud’ Risk – Earlier this year, the UK’s Solicitors Regulation Authority reported that it had been receiving four reports a month of law firms being tricked by Friday Afternoon Scams. Law firms reported an average loss of $500,000 per scam.