A good look at a sophisticated phisher

Phishing is just a con artist trying to swindle you over email.  There's nothing new about it, and it will probably always exist.  

Most of us are familiar with the low-effort, shotgun approach to phishing: a poorly written email with bad grammar and haphazard links sent to millions of people.  The errors are intentional because they filter out the smart people who would not fall for the bait and would only waste the phisher's time.  Most of these get caught in spam filters and deleted, but if only 1 in a million people click the link, the con artist makes money.  Some phishing rings send out millions of emails per day, often using compromised computers and systems.  

Fewer of us have been exposed to focused, high-effort phishing, and the recent arrest of a prolific conman tells an interesting story.  Mr. Abbas helped provide phishing crime rings with money mule accounts where they could funnel high-value fraudulent transfers.  Other crime groups performed the actual phishing - breaking into someone's email, watching for a while, then taking over when there was an opportunity to irreversibly initiate or divert a major payment.  

Mr. Abbas' role is critically important to the success of high-value fraud attempts because a bank's anti-fraud department will notice if most of us receive a $14 million wire transfer.   To be successful, the con needs a place to put the money, and Mr. Abbas was familiar with fraud detection processes.  He was also probably well-connected with business owners who regularly received legitimate $14 million deposits and were willing to let their accounts be used to divert funds.  Mr. Abbas was apparently able to charge a high margin for his service.  

Some commenters mention being on the receiving end of similar cases; scroll to the end to read, in their own stories, how the con artists hid their tracks.  

Don't despair

There are easy things you can do to substantially reduce your risk of fraud from both low-effort and high-effort phishing. 

Low-effort phishing can be reduced by:

  • Using a managed email service with great spam filtering
  • Using a password manager


High-effort phishing can be reduced by:

  • Making your email hard to break into
  • Using consistent payment methods
  • Consistently advertising how you will let customers know if you want to change how you get paid