Just last month, an integrator graciously shared his cautionary tale of cybersecurity woe with Commercial Integrator’s sister-site CE Pro so that others will learn from it.
Sophisticated Cybersecurity Scam Begins with Email Hack
Like many cybersecurity scams, this one began in May, when the integrator got a phishing email that asked for his Microsoft Outlook365 password.
“I get phishing emails all the time, but I remember this particular one because I didn’t even know what my Outlook password was. I had to ask my wife,” he recalls.
After inputting his password, he was redirected to a web page that wasn’t even related to the original subject.
“I didn’t think anything about it at the time. I just closed the page and forgot about it,” he remembers.
Over the next several weeks, he was engaged in some detailed back-and-forth emails with a local custom homebuilder regarding signing a contract for a $115,000 project. It was a brand-new relationship and one he was very excited about. The equipment deposit was to be for $62,000. The builder informed him that he cut his checks on the first and 16th of every month so the deposit would be forthcoming.
“It was about one week before Snap One was due to raise its prices, so I emailed the builder that we needed to get it done this week to take advantage of the lower equipment costs,” he recalls.
Knowing that the $62,000 deposit was on the way in a few days, the integrator went ahead and purchased all the equipment for the job. (Something he normally never does before he has the deposit in hand.)
A few days after the first of the month when the check had not arrived, the integrator sent a courtesy email to check in with the builder. No response. So, a few days later he called the builder to inquire about the status of the deposit. That was when the builder informed him he had wired the money to his account per the “instructions in his latest email.”
“My heart just sank,” recalls the veteran integrator. “I had not sent him any emails asking for a wire transfer.”
Peeling back the onion of discovery on how it all happened, the integrator’s IT team determined that the sophisticated hacker (eventually determined to be based in Sweden) had gained access to the MS Outlook email on a Saturday, a day of the week when any activity is less likely to be noticed.
Once inside the dealer’s email, the swindler had written code that automatically moved any correspondence between the builder and the integration company into a hidden folder in the dealer’s MS Outlook. That is why he didn’t see any responses from the builder to his emails after a certain date.
Inside the hidden Outlook folder, he later discovered all the correspondence that had taken place between the hacker and the builder. The thief had found both an old W9 and an old subcontractor form in his email and sent both of those documents to the builder just to make it seem like the transaction was legit.
Later, the hacker reached out to the builder asking if he could send the money via a wire transfer instead of writing a check. It was all very meticulous.
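A check for the mail-hiding technique described above, as an added example that is not part of the original article. It assumes the redirection was set up as a mailbox rule and that the rules have been exported into the hypothetical record layout shown; every address, folder list and date in it is constructed.

```python
from datetime import datetime

# Hypothetical record layout for an exported mailbox-rule inventory. The field
# names are assumptions for this example, not a vendor export format.
SAMPLE_RULES = [  # constructed sample data
    {"mailbox": "owner@integrator.example", "name": "Newsletters",
     "created": "2023-03-14T10:02:00", "from_contains": ["news@vendor.example"],
     "move_to": "Newsletters", "mark_read": False},
    {"mailbox": "owner@integrator.example", "name": ".",
     "created": "2023-05-20T23:41:00", "from_contains": ["builder.example"],
     "move_to": "RSS Feeds", "mark_read": True},
]

# Folders the mailbox owner rarely opens (constructed list, tune per mailbox).
RARELY_VIEWED = {"rss feeds", "conversation history", "archive", "junk email"}
# Domains of customers and partners who exchange payment mail (constructed).
BUSINESS_CONTACTS = {"builder.example"}


def review_rule(rule):
    """Return the reasons a rule deserves manual review (empty list if none)."""
    reasons = []
    # Reduce each sender filter to its domain: "bob@x.example" -> "x.example".
    domains = {s.lower().split("@")[-1] for s in rule.get("from_contains", [])}
    if any(d == c or d.endswith("." + c)
           for d in domains for c in BUSINESS_CONTACTS):
        reasons.append("filters on a business contact")
    if rule.get("move_to", "").lower() in RARELY_VIEWED:
        reasons.append("moves mail to a rarely viewed folder")
    if rule.get("mark_read"):
        reasons.append("marks mail as read")
    # weekday(): Monday is 0, so 5 and 6 are Saturday and Sunday.
    if datetime.fromisoformat(rule["created"]).weekday() >= 5:
        reasons.append("created on a weekend")
    return reasons


def flag_rules(rules, threshold=2):
    """Map rule name -> reasons for rules with at least `threshold` reasons."""
    flagged = {}
    for rule in rules:
        reasons = review_rule(rule)
        if len(reasons) >= threshold:
            flagged[rule["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_rules(SAMPLE_RULES).items():
        print(f"review rule {name!r}: " + "; ".join(reasons))
```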
When the dust had settled on the cybersecurity scam, the homebuilder was out $62,000 and the integrator was out the money he plunked down for the equipment. The bank that handled the wire transfer won’t even put a “fraud alert” on the bank account, according to the dealer. Both he and the builder are in the midst of discussions with their insurance companies regarding any fraud insurance they might have in place as part of their policies.
“You hear about stuff like this, but think it is the kind of thing that happens to someone else. I am totally embarrassed,” says the dealer, who is resigned to the fact that any future relationship with that builder is in serious jeopardy.
“A $115,000 job is a big deal for us. We are only a $1.2 million company,” he adds.
Looking back, both the dealer and the builder made multiple mistakes, and avoiding them could have exposed the cybersecurity scam.
“There were all kinds of red flags. The emails were in broken English, the W9 that the hackers sent to the builder had another builder’s name on it, they didn’t call us to verify that we had requested a wire transfer,” says the distraught integrator.
He says the builder recognizes that most of the mistakes were on his end. The integrator believes the builder has fired the employee who blindly made the wire transfer without a phone confirmation.
That integrator’s story is probably not that unique. According to CE Pro data, 73% of integrators are doing absolutely nothing in terms of protecting themselves or their clients from hacks.
CE Pro thanks this integrator for sharing this incident so others do not fall prey to these insidious hackers.