Skip to Content

Lessons Learned from a True Story of How a Phishing Email and Look-Alike Domain Netted $160,000 for a Hacker

What if you got a call from your vendor asking you why you haven’t paid them yet – but you HAD already paid them, or you thought you had. That’s what happened recently to a company that became the victim of a cyber attack that siphoned off $160,000 to the hacker’s bank. Here’s how it happened.

This story actually starts not with the business that was trying to get paid, but with one of their customers. We’ll call them Company A. There was a stealth attack on Company A and the bad guys got access to their network. Unnoticed, they wormed around in the network for quite some time, gathering the information they needed to formulate step two in their attack.

The bad guys poked around in Company A’s email accounts and figured out who their customers were, and who they communicated with in Accounting. This is where Company B comes in (a vendor of Company A) and step two was initiated.

The cyber criminal bought a domain that was a close look-alike to Company B’s real domain. Then they created an email address to impersonate a real employee there and sent a message to Company A telling them that their remittance information has changed, and they provided them with information for a different bank account.

The person receiving this message at Company A complied and began sending payments to the new bank. Then one day they got a phone call from Company B asking about their late payments and that’s when they found out that they had fallen for what’s becoming a pretty common cyber heist.

This money was lost because of mistakes, gaps in security, and errors in judgement. Let’s look at the lessons we can learn from this and help others avoid becoming a victim.

Lesson 1: Own Your Domain Variations

The email that went from Company B to Company A looked legitimate, but it really wasn’t. The extension was different. Instead of it was We’re used to looking at the name on the left side of the @ and we notice the display name, but we usually skip over the extension.

The domain extension isn’t the only place where you can get tricked. The name of the domain can also be deceptive if the hacker uses look-alike letters. For example, using the number 1 for lower case L or putting r+n together to mimic a lower case M.

Related: Read Time to Control Your Domain Neighborhood on our blog

Lesson 2: Train Employees to Spot Phishing Emails

Everyone in your company has a responsibility for cybersecurity, but there are some roles that face bigger risks because they routinely handle money or confidential information. Employees in accounting and finance fit into this group, as do departments like HR that work with personally identifiable information.

Ongoing cybersecurity awareness training is the best way to teach employees how to spot phishing emails and to remain vigilant in their scrutiny of incoming messages. The process isn’t hard, but it takes some practice to make it routine. Employees should:

  • Check to see that the address is spelled correctly.
  • Verify any links in the email by hovering over them to see the URL.
  • Be suspicious if the email asks for passwords, personal information, or money.

Lesson 3: Have Business Processes in Place to Verify Requests

The incident that happened in our story could have been completely avoided if the person at Company A picked up the phone and called their Accounts Receivable contact at Company B. When employees know the process that they need to follow they can verify requests. Following a process also helps employees slow down when the phishing message they receive is trying to create a sense of urgency.

Processes and policies teach your people what to do in certain situations so they don’t have to make a judgement call in the heat of the moment.

Lesson 4: Enable External Email Filters

This isn’t exactly what happened in our story, but sometimes hackers will use domain look-alikes to try to send email that looks like it’s coming from someone inside your own company. One common scenario that we’ve seen is impersonating the CEO in messages going to staff in accounting to transfer money.

Microsoft 365 and spam filters like Mimecast have functions that will flag an external email. This will catch an email that you think is coming from your CEO or someone else in authority, but is really from a look-alike domain.

External email flag

Here’s what an external email flag looks like.

Lesson 5: Communicate Security Expectations to Customers and Vendors

The victim in this story was not the company that had their network breached. Company B became involved in this cyber attack because of gaps in security at Company A. If Company A had advanced security such as Threat Detection and Response (TDR) they would have been able to identify and lock down the intruder before any damage was done.

More and more companies are having cyber security conversations with the people they do business with. Some are using the NIST security standards as a basis for those conversations. This discussion is becoming more commonplace as stories like this one show that it’s necessary to push your cybersecurity expectations through your supply chain and vendor network.

Cybersecurity Expertise in the Baltimore, Washington D.C. Area

We can only imagine what the IT team at Company A is going through right now, knowing that their network was compromised and became the springboard for this big attack. The truth is, you need to have deep expertise in cybersecurity in order to have confidence in security.

At XPERTECHS, our cybersecurity expertise is third-party verified. We’re SOC 2 compliant, and that means that we’ve got cybersecurity credibility. Read more about our SOC 2 credential here.

If you want to be confident about security, the first step is to find out what’s going on with security right now. Contact us to schedule a security assessment.

Get a security assessment