“Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., passphrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.” Indiana University
The Indiana University article is a good one and provides a lot of useful information. This blog post is about our own story, a real-world scenario that almost cost us $15,000.00.
We received an email from the person shown in the email above. It was good timing because we had just finished registering to resell the technology listed in the email. The buyer's email and desire for our services appeared legitimate. The email conversation was logical and appropriate through most of the engagement. We initially had no reason to scrutinize the request or pending transaction.
It Was Just Too Easy
The prospect wanted to buy about $15,000 in Cisco technology for Florida International University (FIU). The technology matched the network we would expect to see at an organization like FIU, so we moved forward without suspicion. After we provided the quote via email, our contact immediately emailed us a W-9 in order to set up an account with us, Net 15. We had yet to speak on the phone, and we immediately received a W-9 with instructions to create the order so he could send us a PO. At this time the red flags started to go up.
- Seldom in business do deals move this quickly at these price points or dollar amounts.
- Net 15 is an unusual term for a large organization, which normally requires Net 30.
- Net 15 gets the vendor excited about rapid payment but leaves enough time for the criminal to make off with your goods.
- Volunteering a W-9 before one is requested seemed aggressive toward getting the deal done.
- IGTech365 most often has to provide the W-9 to the customer so we can be entered into their accounting system for payment.
Once we became a little suspicious we decided to call FIU’s purchasing department directly using the phone number on their website, which we Googled. It turned out the name was real but the real person was on vacation. Our next step was going to be to get the PO number and call the purchasing department and verify we had a legitimate PO #.
Once we knew we had a phishing scam in play we noticed the email was not quite right. The email has a “u” in front of the .edu. Since we hadn’t seen this before we checked the website again to see if this was used in other emails and it was not.
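The mismatch described above, a sender domain one character off from the domain on the organization's own website, can be checked mechanically before a quote goes out. The following is an added example, not part of the original post; the domains `example.edu` and `exampleu.edu`, the display names, and the function names are constructed placeholders.

```python
from email.utils import parseaddr


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header, or ""."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted_domain: str, max_distance: int = 2) -> str:
    """Compare the sender's domain with the domain published on the
    organization's own website (trusted_domain).

    Returns "match", "lookalike", "different" or "unparseable".
    """
    domain = sender_domain(from_header)
    trusted = trusted_domain.lower().rstrip(".")
    if not domain:
        return "unparseable"
    # Exact domain or a subdomain of it.
    if domain == trusted or domain.endswith("." + trusted):
        return "match"
    # Compare the same number of trailing labels, so a lookalike hidden
    # behind a subdomain (mail.exampleu.edu) is still caught.
    labels = trusted.count(".") + 1
    candidate = ".".join(domain.split(".")[-labels:])
    if edit_distance(candidate, trusted) <= max_distance:
        return "lookalike"
    return "different"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the incident.
    for hdr in ("Purchasing Dept <buyer@exampleu.edu>", "buyer@example.edu"):
        print(hdr, "->", classify_sender(hdr, "example.edu"))
```

A "lookalike" result is a reason to stop and call the organization on a number from its own website, as we did; a "match" result alone does not prove the sender is genuine.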
If we had shipped the order on a PO we would have certainly lost a large amount of money. These scams are usually time sensitive so the seller or individual has less time to figure out what is going on. If he had played it slowly like a real deal would have, he may very well have slid under the radar and gotten away with it.
The last thing is to always trust your gut. It is exciting to imagine a large sale or being left $5 million from a prince in Africa, but somewhere in the back of your mind you know something is wrong. Slow down, think about it, research online and be sure you are covered. You can even call the credit card company to verify the person and charges.