An employee at a Troy, Mich., investment firm was tricked via a spearphishing attack into transferring almost $500,000 to a Hong Kong bank.
The Troy police department confirmed that a Pomeroy Investment Corp. filed a report on April 18 stating a staffer had sent $495,000 overseas to China after receiving an email request purportedly from a company executive, according to The Detroit News. The error was noticed eight days after it took place
No other details on the attack were available and a call to Pomeroy Investment was not returned.
Pomeroy is just the latest in a very long line of companies, schools and medical facilities to be victimized in this fashion. Two types of spearphishing campaigns are currently dominating the news. The first tries try to snatch corporate information, primarily W-2 tax forms, from unknowing workers. With this information the cybercriminals can file false tax returns and harvest the vast amount of personally identifiable information (PII) found in these documents.
The other scam has the criminal go directly after the money by convincing an employee that he or she is the person's manager and telling the staffer to wire or transfer money to a bank. The payoff for this particular type of attack can be tremendous. One unnamed company was scammed out of almost $100 million, although in working with the U.S. government it was able to retrieve $75 million of the loss.
Industry watchers have seen a large spike in both types of attack.
A Mimecast study reported that since January there has been 67 percent increase in incidents designed to instigate fraudulent payments and a 43 percent uptick in those looking to obtain human resources or tax information.
“To be honest we're seeing both types of whaling on the rise. There is evidence to suggest the cyber criminals are using malware resident on the machine, such as Dridex, to give them enough intelligence on a target to help them decide what type of attack to carry out," Mimecast Cybersecurity Strategist Orlando Scott-Cowley told SCMagazine in an email. "So an HR user might be targeted with a W-2 style attack, whereas as a finance user would be stung with financial fraud. Then again domestic or low-value targets might just be sent a crypto malware instead, so as to extort a few hundred Bitcoin from them.”