In a new twist on the traditional email spear-phishing attack, scammers are now using forms on company websites. The information submitted in the form appears to be accurate and can be tied back to a real person. When a company responds, the scammer tries to order products on credit or with a purchase order number. Unfortunately, this particular scam is hard to detect. Even if the information looks fake, some companies feel they cannot take the risk of offending a customer by asking if the request is real.
In the sample below, Kelly Loll is a real person who does have a purchasing related role at Florida International University. A quick internet search would seem to confirm the form comes from a legitimate customer. However, there are some subtle clues that the request is fraudulent. The domain used for the email address, fiu-uniedu.net, is not a legitimate FIU domain. Also, the phone number shows up as unsafe or a scam related phone number on several websites. We contacted Kelly to make sure, and she confirmed our suspicions were correct.
Education, awareness, and a healthy amount of skepticism are the best defense against any type of phishing attack. Employees should get in the habit of looking up names and email addresses that are submitted via forms and be alert for information that does not seem to match. If still in doubt, looking up the person’s information (do not use the information provided in the form) and contacting them to ask if the request is legitimate is better than taking a risk.
If you have questions, concerns, or think you may have been the victim of a phishing attack, contact us at 303.757.0779.
