New wave of 'spear phishing' scams targets firms in Alaska and Canada

Alaska businesses should be on guard against an increase in email attacks targeting their bank accounts from scammers claiming to be employees, the Better Business Bureau said Tuesday.

According to a statement from the bureau, the scheme -- a type of "phishing" email attack known as "spear phishing" for its reliance on targeting specific people -- uses fraudulent emails which direct employees to subtly modified Web links to conduct apparently routine money transfers.

"The fraudulent emails ask the chief financial officer or controller to wire money for payment to a vendor," BBB officials wrote. "Attached to the email is an invoice with payment terms, wire transfer instructions and directions to notify the 'CEO' when the transfer is complete. Once the funds are received, the scammers empty the account."

Michelle Tabler, the BBB's Alaska regional manager, said the newest reports match the outline of an attack that cost the Afognak Native Corp. $3.8 million this spring.

The FBI reported a 270 percent increase in phishing attacks last year at a cost of almost $800 million to U.S. businesses since October 2013.

Matthew Caldwell, a consultant in the Anchorage office of Georgia-based cybersecurity consulting firm Borderhawk, said the company has amassed a list of about 37,000 companies that may be targeted for spear phishing attacks, including many in Anchorage and across the state.

"We have seen specific Alaska Native corporations in the list; we've seen quite a few local businesses in that potential list," Caldwell said. "We have seen oil and gas also targeted and also, strangely, Canadian companies -- it's like they're targeting Alaska and northern Canada."


During a more recent spear phishing attack, Tabler said one local company nearly lost more than $500,000 before they caught the scam and stopped the transfer.

"This guy showed me what this invoice looked like and it was stuff they would be invoicing; it was $600,000 of construction supplies," Tabler said. "They wanted 50 percent down to be paid -- it was to wire the money to a bank in China, which isn't necessarily unusual."

Caldwell said many of the spear phishing scams originate in West Africa.

"It's a new spin on the old Nigerian 419 ("advance fee") scam," Caldwell said. "They have whole organizations set up to process this stuff; they'll even use things like Chinese banks to try and launder this money across."

The scam's first step is to use a legitimate service like Vistaprint, which creates an online presence for new businesses, to establish a website with a domain name that very closely resembles the site operated by the target firm.

"You can set up a domain, but you have to enter a credit card," Caldwell said. "These guys just enter a prepaid card and they count on them billing them next month, so it's fairly anonymous."

Tabler, of the BBB, said that in many cases the difference between fake links and real ones can't be spotted at a glance.

"They set up websites as part of their services, but they're one letter off," Tabler said. "(I was shown) one for Kendall Toyota, but there (were) three L's instead of two."

Tabler said spear phishers often use other sites like LinkedIn and ZoomInfo to learn more about specific employees in the business as part of their attack. After that, Caldwell said, the attackers send emails posing as known lower-level employees or outside suppliers, with the fake links sending responders to sites that collect their account information.

"They'll probably get an email from their CEO from a similarly named fake domain, telling the controller to send a million dollars out of the company," Caldwell said.

Caldwell said that when BorderHawk began to examine the scam about a month ago, the firm constructed an algorithm to detect websites with domain names similar to those of legitimate companies.

"One of our clients got hit with one of these spear-phishing attempts," Caldwell said. "We went back and kind of reverse-engineered their attack methods -- what we found was a huge potential victim list."

Although BorderHawk has been trying to reach companies on its 37,000-company list and warn them of potential attacks, Caldwell said they have only successfully reached a few so far -- in part because the warnings themselves resemble spear phishing attacks.

"We've been trying to focus on the Alaska businesses," Caldwell said. "We've spoken to five or six and told them to contact law enforcement."

According to the BBB, businesses should consider these steps to protect themselves from spear phishing attacks:

• Ensure there are proper controls on financial transactions. Consider two-party procedures for larger payments.

• Develop security policies and protocols. Make sure all employees are trained to recognize possible phishing scams and to be vigilant when clicking on links or attachments to emails.


• Purchase domains with similar names to protect company branding.

• Beware of what you share. Scammers research social media sites to find information that they will use to gain access to protected data. They may also attempt to get company information by calling to conduct a survey or impersonating a company vendor.

Chris Klint

Chris Klint is a former ADN reporter who covered breaking news.