Scammers using business email compromises have discovered that one of the best methods of gaining a victim's trust before setting their hook is to befriend them with multiple emails.
Symantec researcher Binny Kuriakose noted in a blog that whaling itself is not new, but the lengths the attacker is now willing to go to set the stage have increased. One trick is to use casual language and ask simple questions, such as, “are you in the office” and then issue a bevy of follow up questions that help establish a rapport. In true angling fashion the phishers do not attempt to set the hook until they are certain the target has been made complacent, Kuriakose noted.
“The scammer starts off with one-liner emails saying “are you at your desk?” or “please respond if you are available in office today,” and tells the victim about the wire transfer only after receiving a response. Depending on the response received, the scammer would then ask what information is required to make the transfer,” Kuriakose wrote.
The attacker then probes a bit deeper getting into how the money would be transferred and promising to send along an invoice after the transaction is made.
In the email string, Kuriakose showed, all of the notes are short and sweet with the intention of sounding like another bored executive trying to solve a simple problem, then the scammer starts pushing for account information and finally asks for a set amount of money, usually in the five figures range, to be transferred to a new account.
At that point the scam is complete.