Phishing Scams Targeting Licensees

Monday, March 28, 2016

The Department wants to caution licensees about “social engineering” scams targeting licensees and their customers. In a social engineering scam, hackers use information about the target gathered from various social media sites or online avenues to gain access to sensitive facets of the target's identity. Phishing is a type of social engineering scam whereby the scammer attempts to acquire sensitive information, often for malicious reasons, by masquerading as a trustworthy entity that seems identical to a trusted sender. There are several different kinds of phishing scams, such as spear phishing or clone phishing.

Phishing attempts directed at specific individuals or companies have been termed “spear phishing.” Attackers may gather personal information about their target to increase their probability of success. For example, a licensee’s employee may receive what is believed to be an email from another employee requesting personal information. Such information could be used to file false income tax returns and to direct refunds to the scammer’s bank account in addition to other forms of identity theft.

“Clone phishing” is when a legitimate, and previously delivered, email has had its content and recipient address(es) taken and used to create an almost identical or cloned email. Often the attachment or link in the email is replaced with a malicious version, and the email is then sent from an address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. For example, a customer could receive an email that appears very similar to a licensee’s email (including a logo very similar to the licensee’s logo) that requests the client to wire funds to a bank. If the customer assumes the email is legitimate and wires funds to the bank indicated in the email instructions, the customer stands to lose their money.

The Department reminds its licensees to be aware of social engineering scams. Licensees may want to provide training to their employees or caution their clients about being wary of emails requesting personal information, even if the email purports to be from a trusted source. Verifying in person with whoever is requesting the personally identifiable information may help ensure private information remains secure. In the case of transactions involving wire transfers, licensees may want to inform clients to request verbal confirmation of wire transfer details before proceeding. Also, if funds are going to a licensee’s trust account, the licensee may want to provide advance notice to the customer that wire transfers will only be made to the licensee’s trust account at a specific bank. Based on recent reports, these scams are becoming more sophisticated and convincing. We encourage our licensees to do their part to avoid falling victim to such scams and to prevent fraud against their customers.