Fake Internal Email Alert – Impersonated Domain
Watch out for those emails pretending to come from your managing director.
I recently had a companies Finance Manager contact me about an email he had received. He had received this email from his boss, the Managing Director, asking him to pay a client nearly £10,000 for services they had provided. The Finance Manager responded with a question about bank accounts and got a reply within 15 minutes with account details.
He was suspicious as he had just spoken to the Managing Director and also the tone of the email was not quite in keeping with their usual exchanges (although very very realistic – no spelling mistakes, no poor grammar etc). He confirmed this payment with the Managing Director (via phone) and found he hadn’t sent it. (Apparently this company has a policy of double-checking either in person or over the phone anyway for an unscheduled payment, so hopefully, this would be caught anyway).
This is when I get contacted – to find out who had hacked into the Managing Directors email account.
I started a virus scan on the MD’s PC, just in case, and checked his sent items, but there was no trace of the email. I checked the Exchange server and found the email and realised it hadn’t come from the MD at all. It had come from another domain with an additional letter in the domain name.
Now this company had a long domain name (23 characters not including the .com). An additional “t” next to another one was quite hard to spot in the middle of the domain name. I’m going to call it an impersonated domain.
If your domain is
and then seeing an email from firstname.lastname@example.org you don’t notice the extra “t” do you? (That’s not the domain name by the way just an example).
Look it is there, in bold: email@example.com
Also, you don’t really examine the domain when an email comes from “a colleague.”
I checked the WHOIS of this domain and saw it was registered the day before. They had bothered to register a very similar domain just to attempt this scam. I guess at a hit rate of even 1 in 500, a domain name does not cost much compared to a £10,000 pay off (£5000 profit).
Now, this is quite a scary scenario. A couple of things worried me.
- The people sending the email obviously new the MD’s name (in the UK you can usually find this information online at Companies House). However, in this case, it’s a child company, and it’s the parent company’s MD who is listed. The actual MD is only listed once or twice in reports at Companies House (pdf’s that I needed to download and read) and using an initial not the first name. The email was sent from firstname @ false domain .com and signed with the first name.
- The Finance Managers name is not listed at Companies House, however, after a quick google, I found him on LinkedIn pretty easily with the job title. However, the MD is not in LinkedIn.
- I’m not sure if they got lucky or knew the email address format, (in this case as it’s a small (but high profile) company it’s just firstname@) but that was also correct.
The finance manager was not as concerned as I expected, because he explained they have processes in place that would catch this, but it certainly freaked me out.
Follow up action
I’ve obviously blocked this fake domain in the SPAM filter but I’m not sure what else we can really do. Block 100’s (1000’s?) of potentially close domain matches? Did I mention they have a long domain name?
Is it worth reporting to the ISP the false domain is registered with? I’m sure any details will be fake. Will they bother to register another similar domain to try again, knowing this has failed?
Have you dealt with this?
Please let me know in the comments below
I have seen this once before but that time it originated from a hacked company emailing my customer saying their bank details have changed.
Please, please, please, warn all of you clients/customers/your own accounts team etc to be vigilant, and do not act on an email alone.
My advice is always pick up the phone and speak to the person involved before taking action. If it involves a client/customer speak to someone you know there, if it’s internal, speak to the person involved.
I’m sure this had been around for a while but please remind everyone.