Normally I write about flight data and technical stuff, and try to avoid anything relating to business. Today is an exception and I hope you will allow me one digression to “get this off my chest”.
Since we started Flight Data Services our web site has carried notes about the people in the company. After all, the core of a company is the people who work there and anyone interested in the business will be interested in the people. OK, our “Meet the Team” section of the website grew as the company expanded, but if you wanted to call up, it was still possible to look up the background of the person you were going to talk to.
A week or so ago we took down this page, and here is why.
Someone who had received (or obtained) an email from someone in Flight Data Services looked at our email addresses and worked out that we use a simple format of email@example.com. They looked up our finance officer, commercial manager and my email addresses and created a very plausible email. The clever part of this fraud was to create an email which looked like it had come from me, then been forwarded to the commercial manager to obtain approval, then came back to me and I had added the bank details to help things along. Little pieces of embellishment such as “Sent from my iPhone” at the bottom of messages made it look even more plausible.
With the words “Let me know once payment is completed” our finance officer made the payment, thinking this was urgent. He dutifully informed me that online payment had been completed as I had asked.
Spotting the Fraud
I was curious about an urgent payment that I knew nothing about, and when shown the email trail I found the error. I have a Samsung phone.
Once we smelt a rat, we could find other clues within the email, but it was, I have to admit, very well crafted with the right level of familiarity and authority, use of first names etc.
We immediately spoke to our bank, who asked the sum of money concerned. At £9,867 it fell just below the £10,000 threshold for additional automatic transaction checking which, they said, was normal for this type of fraud.
The banks concerned have acted to return the funds and any further action is with them. To make life a little more difficult for the fraudster we have taken staff details off our web site although I have to admit that this feels like bolting the stable door after the horse has bolted.
It is sad that, in a world where social interaction is becoming more important and computers enable immediate worldwide communications, we now have to hide our identity and thereby make communication more difficult.