Scammers are looking at every avenue, it now appears, to defraud businesses of their hard-earned money, using a technique called “spear phishing” via company web forms. Normally spear phishing takes place when scammers send e-mails to potential victims “ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information” – this definition comes from Google; type “spear phishing” into the search bar – but now, this practice appears to have been extended into the marketplace.
Earlier today, I received an e-mail from my contact form on my website making a request for pricing information on Cisco Smart switches. Being a value-added reseller, I was happy to see the inquiry, so I picked up the phone and called the contact number in the e-mail. The number reportedly was a valid Florida number, but what caught my attention was the digital switching tones I heard, giving me the impression I was being transferred to someplace overseas.
A gentleman answered the phone, so I introduced myself, explained the reason for the call, and asked for the contact in my e-mail. He replied that he was the contact, so I thanked him for submitting his inquiry to my business, and asked whether I could get more information about the order he was requesting. His response only further aroused my suspicion. Having been in business for a number of years, I have come to expect that those who have an intention to buy something speak with authority about what they’re looking for, how many, etc., especially after they have provided the information in a form-based request. The gentleman could not give me details about the order or the quantity intended to be purchased, or even respond with, “well, I can’t specify a quantity at this time, as we’re still evaluating, blah, blah, blah…” – normal business conversations regarding the product of interest.
In this particular experience, the scammers were pretending to be from a University. I suggested that since the order was coming from such an institution, it would make sense that he provide me with tax information so that I could get him the best pricing information possible. Again, his response didn’t line up. He seemed more interested in ending the conversation than providing information that would benefit his purchasing power. He asked that instead I send him an email detailing what information I would need to move forward with the order and then he’d get back to me. Now, on the surface, as I’ve described it, this seems harmless enough, but given all of the other facts preceding this, I had reached a level of concern that made me question everything about this transaction. I committed to sending him an email, thanked him for the inquiry, and hung up the phone.
The product about which the email inquired was a Cisco WS-C2960X-48TS-L managed switch, a product that normally retails for over $4,000.00; when someone says, “yeah, we want about ten or so”, you have to stop and ask yourself, is this a legitimate request? I opted to research the University, found the name associated with the inquiry to be legitimate, and called the department to confirm the request. When I asked whether I could speak to the contact named in the e-mail, I was told that he was out sick today. I then asked whether she could confirm his phone number and e-mail address; she confirmed that the contact information was in fact fraudulent. I then explained to her what had happened and asked her to alert the contact to ensure that he was aware that his information was being misused. She thanked me for the call and directed me to their website, which reported that the University’s information was being misused fraudulently.
I apologize if this post comes across as a “vent”. As business people, we’re working hard to be successful, and I’m sure we all recognize how frustrating such misdirections can be. We have more important things on which to focus to help our businesses succeed than to have to deal with events such as these. The most important point I wish to leave you with on this subject is to please be aware that scammers are using your contact forms to trick you into exposing your business to fraud. Due diligence makes good common sense, and I believe prospects will not find it offensive that you are reaching out to confirm their legitimacy prior to starting your purchasing and sales engine.
If you need help with your business’ information security needs, please contact us and we’ll be glad to help.