Taking Back the ID

Spear-phishing scam targets teacher identities

Date: November 1, 2016
Read Time: 6 mins

Judy Miller was a successful high school teacher who was known for her technology expertise. She was always eager to lead continuing-education workshops in her school district for other teachers and administrators. But she dropped her guard recently and became a victim of a new spear-phishing scam that had been targeting teachers in New York.

She realized that she'd been scammed when her bank returned one of her checks for insufficient funds. Bank personnel told her that most of her account balance was depleted from a recent unauthorized fraudulent withdrawal. Luckily, the bank reimbursed her for the loss.

The bank employee asked Judy if anyone had recently asked for her personally identifiable information (PII). She said the school superintendent had emailed the month before asking her to verify her Social Security number and bank account information because the district was upgrading its employee direct-deposit system.

Judy never suspected the request was fraudulent because she trusted the superintendent who regularly corresponded with employees via email.

This case is fictional but representative of a January spear-phishing scam reported by the Identity Theft Resource Center (ITRC).

According to the ITRC, fraudsters sent emails to New York teachers from two school districts purportedly from their superintendents asking them to send their PII, including Social Security numbers. One employee complied. Instant compromise.

Phishing schemes, the most common of fraudsters' mechanisms for stealing PII and using it for identity theft purposes, come in two types: mass driven and custom made. A fraudster directs a common mass-driven phishing scheme to thousands and even millions of possible victims.

A custom-made spear-phishing scheme (ITRC calls it "boss" or "CEO phishing"), directed to specific individuals (hence "spear"), can be successful because the recipients trust the supposed senders — immediate supervisors.

Cybercriminals can determine the bosses and their subordinates by visiting websites of organizations or hacking into their networks and easily finding their email addresses. According to the ITRC, they "take over the boss' email account" and send the inquiring messages to subordinates. As the ITRC asks, "What employee is going to ignore and delete an email from the boss?"

The ITRC offers the following advice: "With the increase in awareness of scams, fraud attempts, and identity theft, cybercriminals have to get more and more sophisticated in order to keep up. At the same time, the tools the scammers have at their disposal — such as the ability to hack into an email network in order to send out message[s] that appear to come from someone in charge — are also easier to come by, meaning they don't have to have any specific hacking training in order to pull off these scams. Consumers have got to stay on top of the matter and protect themselves, mostly by remembering to never give out their personal information over email or online without knowing where it will end up."

Fraudsters expand into new areas after they find successful variations. So, teachers, you've been forewarned. School districts should diligently forewarn their employees.

All is vanity

Why are email scams successful? Well, most of us think we could all use a little more money or good luck. And we all have egos and are a bit vain, so under certain circumstances we can be gullible and susceptible to trickery.

Fraudsters know that some email readers still will succumb to "new found inheritance" or "you won a lottery" messages.

According to the ITRC: "Email scams come in a wide variety of formats and mechanisms, but they essentially all work in one of a handful of ways. The goals include: gaining access to your PII by having you fill out the 'necessary' forms; gaining access to your money by having you send in a 'shipping and handling' fee or to pay the required taxes before receiving your prize; or having you click on a link to see what you've won, only to have the link contain malicious software that infects your computer and steals your information."

The ITRC offers the following signs that the email is a scam:

  • "Money for Nothing — NO ONE is going to contact you out of the blue and give you loads of money. It's nice to dream about, but it's simply not the reality. They're also not going to contact you online from a free email address."
  • "Dear Sir or Madam — Think about it … if someone was genuinely going to give you millions of dollars, wouldn't they know your name?"
  • "You've Alredy One! — Typos and poor grammar are dead giveaways that something isn't right about this email. If the sender's job is to inform people all day long that they're now millionaires, wouldn't they spell it right?"
  • "Hurry, This Offer Is Only Good for the Next Ten Seconds — Sorry, but if you're the verified winner of a large sum of money or even better the recipient of an inheritance, there's no ten second deadline. If your long lost great-great-aunt stipulated in her will that you had ten seconds to respond, something funny's going on."
  • "Just Send Us the Processing Fee — If you ever win anything that requires YOU to pay money, it's a scam, whether in an email or in real life. Winners don't pay before receiving their prizes; even multi-million dollar lottery winners pay a portion of the winnings to the IRS after claiming their prizes."
  • "Funny, I Don't Even Remember Signing Up for this Contest — That's because you didn't. Scammers got your name from any number of online sources. They send out these emails to thousands of people a day, hoping to get a bite. Don't take their bait."

Along with the "bait" to reel a victim in, the fraudsters include an element of panic in their message, e.g., "to get this deal you have to respond quickly, so click on the following link to start the process." They don't want the victim to take a lot of time to think about the situation, i.e., they want him to act on impulse and meet the demand of the message.
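The warning signs listed above (free webmail sender, generic greeting, artificial deadline, request for PII or a fee, unexpected prize) can be turned into a simple screening check. The following is an added example, not part of the column or the ITRC's material; the two messages are constructed to mirror the superintendent pretext and a routine district email, and the domain names and rule names are assumptions.

```python
import re

# Constructed sample messages (not from the column): a spear-phishing pretext like the
# "direct-deposit upgrade" request described above, and a routine internal message.
SUSPECT_MSG = {
    "from": "superintendent.office@gmail.com",
    "to": "jmiller@district.example.org",
    "body": (
        "Dear Employee,\n"
        "We are upgrading the employee direct-deposit system. Reply within 24 hours "
        "with your Social Security number and bank account number to avoid a payroll delay."
    ),
}
BENIGN_MSG = {
    "from": "superintendent@district.example.org",
    "to": "jmiller@district.example.org",
    "body": "Dear Judy,\nThe staff technology workshop is moved to Room 12 next Tuesday.",
}

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Each rule maps one of the warning signs discussed above to a pattern over the (lower-cased) body.
BODY_RULES = {
    "generic_greeting": r"^dear\s+(sir or madam|sir|madam|employee|customer|user)\b",
    "urgency": r"\b(within \d+ (hours?|minutes?|seconds?)|immediately|urgent|act now|today only)\b",
    "pii_request": r"\b(social security|ssn|bank account|routing number|account number|password)\b",
    "fee_request": r"\b(processing fee|shipping and handling|pay(ment)? of taxes|transfer fee)\b",
    "prize_lure": r"\b(you (have )?won|lottery|inheritance|prize)\b",
}

def mail_domain(address: str) -> str:
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()

def phishing_indicators(msg: dict) -> list[str]:
    """Return the names of the warning signs present in a message (empty list means none)."""
    hits = []
    sender, recipient = mail_domain(msg["from"]), mail_domain(msg["to"])
    # A "boss" writing from free webmail, or from any domain other than the recipient's own
    if sender in FREE_MAIL_DOMAINS:
        hits.append("free_mail_sender")
    elif sender != recipient:
        hits.append("external_sender")
    body = msg["body"].lower()
    for name, pattern in BODY_RULES.items():
        if re.search(pattern, body, flags=re.MULTILINE):
            hits.append(name)
    return hits

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        print(label, phishing_indicators(msg))
```

A message that trips several rules at once, especially a PII request combined with a deadline from an outside address, is the pattern the column warns about and is worth confirming by phone before replying.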

The good news is that, of all the fraudulent scams, phishing schemes are the easiest to curtail. The key is education. Many of the top 15 data breaches in 2014 involved very simple phishing schemes. For example, in 2015, banks in Russia and Ukraine lost more than $1 billion when employees in charge of transferring money became victims of a phishing scheme, according to Withdrawal Pains: Banks Lose $1 Billion in New Hack, ExpressVPN, Feb. 23, 2015.

These data breaches could've been prevented and billions of dollars saved if victimized organizations had trained their employees in fraud awareness programs.

More help for the community

I hope you'll share this information with your family, friends and clients and also include it in your outreach programs. Education is the key! Understanding how phishing schemes work will sharply reduce their success. This, in turn, will lead to a reduction in data breaches and identity theft.

Cybercriminals take advantage of any opportunity to develop schemes to rob consumers and organizations of their resources. Organizations must step up their efforts to develop ongoing fraud awareness programs to educate their employees at all levels. In addition, it is imperative for all ACFE chapters to develop ongoing programs that address these issues and make them available for a minimal or no cost to the public.

Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns or if you have any questions related to this column or any other cybersecurity and identity theft questions. I don't have all the answers, but I'll do my best. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.

 
