Crimson King
King Crimson - it's the 21st century, it's enough to make you paranoid, not schizoid!
A new threat group called Crimson Kingsnake is impersonating real law companies and debt recovery services to intimidate businesses into paying bogus overdue invoices. The cybercrime gang's business email compromise (BEC) campaign is targeting marks in the US, Europe, Australia, and the Middle East using blind third-party …
I get quite a few invoices by email (commonly as PDF attachments) but always for services or goods I know I committed to. However:
"The emails look real and if the targets were to search Google for the lawyers' or law firms' names, they would seem legitimate"
If you solely rely on goooooooogle to verify the legitimacy of the source, you clearly don't understand verification. How about phoning the law firm to check whether they sent the (obviously unexpected) invoice?
A little bit of nous goes quite a long way.
The hack I am seeing is to get a customer to redirect payments to them. They get an Outlook rule on the vendor's accounting PC and redirect all emails to them.
They then use the info to send directly to the customer an altered copy of a legit email requesting payment redirect to an ACH account. The domain appears to be the vendor's, until you look closely.
They also have been successful accessing bank accounts this way.
Admins, control your rules in your users' Outlook.
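The rule audit suggested in the comment above, sketched as an added example (not part of the original thread or any commenter's own code): it flags enabled inbox rules that forward or redirect mail outside the organisation and marks targets whose domain is a near-miss of an internal one. The record layout (field names borrowed from Exchange's `Get-InboxRule` output), the `vendor.example` domain and all sample rules are constructed assumptions.

```python
# Added example: audit exported inbox rules for external redirection.
# Field names mirror Exchange's Get-InboxRule output; all data below is constructed.
INTERNAL_DOMAINS = {"vendor.example"}  # assumption: the organisation's own domains

RULES = [  # constructed sample export, one dict per inbox rule
    {"Mailbox": "ap@vendor.example", "Name": "Newsletters", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False},
    {"Mailbox": "ap@vendor.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["billing@vend0r.example"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "cfo@vendor.example", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ["pa@vendor.example"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()

def audit(rules, internal=INTERNAL_DOMAINS):
    """Return findings for enabled rules that send mail outside the organisation."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled"):
            continue
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = [t for t in targets if domain_of(t) not in internal]
        if not external:
            continue
        lookalike = [t for t in external
                     if any(0 < edit_distance(domain_of(t), d) <= 2 for d in internal)]
        findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                         "external": external, "lookalike": lookalike,
                         "hides_original": bool(rule.get("DeleteMessage"))})
    return findings

if __name__ == "__main__":
    for f in audit(RULES):
        print(f)
```

A rule that both redirects externally and deletes the original, as in the second constructed record, is the combination worth escalating first, since the mailbox owner never sees the diverted messages.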
1. Look up firm allegedly sending invoices. If the firm doesn’t exist, invoice goes to File 13. If the firm exists, get an actual phone number. Compare to phone number on invoice. If can’t get actual phone number, File 13. If it’s real, they’ll attempt contact again… this time with a way to verify who they are.
2. Call the number that _you_ dug up. Contact the relevant department. If that department doesn’t exist, inform the company that someone is attempting scams using their name. If the department exists, read off the invoice number. If it exists, ask for more information. If they decline to provide information, File 13. They are the scammers.
Year before last I got an invoice from a law firm in Indiana. Allegedly I owed $319 to one of their clients. I had never heard of that client. I called the firm up… and got voicemail hell. I sent an email to the address that I had dug up, not the address on the email. They replied, stating that they were going to sue for what would total several thousand dollars if I didn’t pay immediately. I told them to go for it, pointing out that the invoice that they had sent identified me as living in Washington state; I was in Florida, not that I told them that, just that I was in a state on the other side of the US. This meant that they had sent me someone else’s PII, something I felt sure that the Attorney Generals in Indiana and Washington state and possibly even in Flori-duh might find interesting. And, who knows, possibly the Feds, too. They stopped emailing me. I copied the whole thing to the guy in Washington state (yes, they included his actual email in the stuff they sent, along with his street address, the last four of his credit card, and, incredibly, his complete SSN) and advised him to get a lawyer, they were sending enough information to steal his identity all over. He replied that he was seeking legal advice.
I got something from someone claiming to be a law firm. They sent a lot of ‘proof’ that I owed a ‘client’ of theirs $319, and they were going to sue me for a total of $3499, yes, really, if I didn’t pay up immediately, no more questions, pay now or else. I told them to go for it. I used their ‘proof’ to contact the actual person who owed the $319, because they, the ‘law firm’ sent me his name, email, street address, last four of his credit card, and full SSN, as part of the ‘proof’ that I owed them, or their ‘client’, $319. They did not explain how the $319 became $3499.
They were simply scammers, trying a thing. I suspect that the person they targeted didn’t owe the $319, either. I suspect that they were guilty of attempted interstate extortion and/or fraud. They have not contacted me since I told them to bring it on. Nor have any suits, for $3499 or anything else, been filed against me. It’s been over two years. Scam artists, plain and simple.