First published: 17th June 2014
Online scams don't just target greedy fools; many are aimed at hard-working office staff. The Purchase Order scam has become particularly common in the last year. There are many variants; the one discussed here is just a single example, so don't expect them all to be the same.
The scam starts with an email about a purchase order. Careful use of abbreviations like MOQ and FOB makes it seem genuine. This is not aimed at the fools who believe "your email has won the lottery", but at any diligent office worker. If you are in sales, then POs are your whole existence, but everyone knows they are important. No one wants to explain to their boss that the order was lost because they didn't act on the email.
This breaks down their defences for the next stage. How do you access the coveted PO? There is a link at the bottom to "Google Drive" (or "Dropbox", or any online filestore). Follow the link and there is (apparently) a Google Drive login page for the victim to enter their password on. Of course, the eager office worker who enters their password does not get a PO, but the scammers get access to their account, to misuse as they wish.
So how can you recognise and avoid these scams? This is not an exhaustive list:
- Familiarise yourself with your software's security features and normal operation. Anything that is out of the ordinary is suspicious. The examples below refer to the email client (Thunderbird) and browser (Firefox) that I use; the one you use may be different.
- Think about why you are receiving this PO. Even if you are in Sales, is this one of your customers? If not, whose is it? If it seems odd, then be a bit more cautious.
- The example does not mention what the product is. If there is nothing specific in the message, then it is more likely to be a generic scam.
- Watch out for other mismatches. In the example, the message says there is an attachment (it says "Attached file" at the bottom), but the file is not with the message. In Firefox, hovering over the link shows the address in the status bar (at the bottom). This is a very useful feature because it is easy to see that the link goes to 'vemicontabil.com.br' and not Google Drive, which is a major warning. If your email client doesn't show links like this, check whether you can change that setting, or change your email client.
- If you follow the link, does it end up where you expect? The example doesn't go to Google Drive; check the address bar.
- Check the site identity. Firefox uses a blue or green bar next to the address to indicate a verified connection; check what is normal for your browser.
- Know what is normal for the site you think you are visiting. The real Google Drive login looks like this. Note that Firefox is showing a blue bar next to the address: the site has been verified.
- Only enter your password into the matching service. When you are asked for your Google password, make sure it is Google asking you.
- Don't use the same password on multiple services.
- Don't think you are not a target. Often, these are mass attacks against thousands of email addresses. If they can't get something valuable from your account, they can still misuse it, sending more scams indiscriminately, or targeting the people on your contact lists (who are more likely to fall for the scam because they trust messages from you).
Scammers are constantly adjusting their tactics to catch the unwary. Beware.