OxCERT have received an escalating number of reports of highly convincing financial fraud emails directed at University Finance Officers and others responsible for issuing large financial payments.
This threat goes beyond simple ‘phishing’ campaigns, this is clearly a direct and deliberate targeted criminal campaign against the University, with the goal of extracting large sums of money (on the order of thousands of pounds) from individual department ledgers. All Financial Officers and people with similar responsibilities should read this alert with care and apply this advice to their daily practice without fail, the risk of financial losses to this campaign is unusually great.
The fraud attempts have so far been exclusively received by email, and take the form of a very convincing and well-phrased email requesting the initiation of a transfer:
This looks like it came from the Head of Department or another highly-placed individual, and is intended to entice the Financial staff member to respond. Let us assume that the member of staff is fooled by the original email, and responds as they would to the real Head of Department;
The email will not go to the Head of Department, as these emails have a manipulated Reply-To header; instead, the email will go to an email account under the control of the criminals. These criminals are actively monitoring these email addresses for ‘hits’, Financial Officers of the University responding to their initial probe. If a response is received, further details will be requested:
As you can see, this is all quite legitimate-seeming and it is easy to forget to authenticate the request properly. We are not aware of any departments actually transferring funds to the fraudsters, but we are aware that members of staff have been initially taken-in and have replied to the initial probe emails.
The characteristic of these emails is a forged Reply-To field; the criminals cannot actually allow you to reply to the Head of Department they are impersonating, as that would give the game away immediately. Instead they add an extra email header to tell your client program to respond to a different address than the (forged) sender address. This is normally hidden by many email clients, so you need to re-enable the ability to see more email headers:
In this example Thunderbird is used and your mail client may differ, but the Return-path information will always let you confirm that the email is really going to the email address you think it’s going to. This does not protect you against another member of staff having their account compromised however, so you should still verify any out-of-the-ordinary transactions directly with the individual.
- Check all email headers for all emails requesting financial transfers
- Ensure the Reply-To or Return-path fields match the sender you expect
- Check with the individual that they did in fact request this transfer
- Report any suspicious emails to OxCERT immediately at firstname.lastname@example.org
Many departments have received these and more are certain to arrive. Please remain vigilant, and let’s not reward these fraudsters for their sophistication.